Untitled

a guest
Nov 10th, 2019
https://openwrt.org/docs/guide-user/services/dns/intercept

Firewall:
Warning: Unable to locate ipset utility, disabling ipset support
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Redirect 'Intercept-DNS'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Redirect 'Intercept-DNS'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/etc/firewall.nat6'


NAT6:
Warning: Unable to locate ipset utility, disabling ipset support
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Redirect 'Intercept-DNS'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Redirect 'Intercept-DNS'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/etc/firewall.nat6'

firewall restart:
/etc/init.d/firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 nat table
* Flushing IPv6 mangle table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Redirect 'Intercept-DNS'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 nat table
* Redirect 'Intercept-DNS'
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Forward 'lan' -> 'wan'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
* Running script '/etc/firewall.nat6'

iptables-save:
# Generated by iptables-save v1.6.2 on Sun Nov 10 07:02:06 2019
*nat
:PREROUTING ACCEPT [100:9439]
:INPUT ACCEPT [103:6805]
:OUTPUT ACCEPT [20:1360]
:POSTROUTING ACCEPT [2:160]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Nov 10 07:02:06 2019
# Generated by iptables-save v1.6.2 on Sun Nov 10 07:02:06 2019
*mangle
:PREROUTING ACCEPT [801:151133]
:INPUT ACCEPT [309:30331]
:FORWARD ACCEPT [472:119970]
:OUTPUT ACCEPT [312:48140]
:POSTROUTING ACCEPT [775:167750]
-A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Nov 10 07:02:06 2019
# Generated by iptables-save v1.6.2 on Sun Nov 10 07:02:06 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Nov 10 07:02:06 2019

ip6tables-save:
# Generated by ip6tables-save v1.6.2 on Sun Nov 10 07:02:51 2019
*nat
:PREROUTING ACCEPT [14:4830]
:INPUT ACCEPT [35:3045]
:OUTPUT ACCEPT [2:286]
:POSTROUTING ACCEPT [2:286]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Intercept-DNS" -j REDIRECT --to-ports 53
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sun Nov 10 07:02:51 2019
# Generated by ip6tables-save v1.6.2 on Sun Nov 10 07:02:51 2019
*mangle
:PREROUTING ACCEPT [76:9921]
:INPUT ACCEPT [52:4271]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:9562]
:POSTROUTING ACCEPT [52:9562]
-A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Nov 10 07:02:51 2019
# Generated by ip6tables-save v1.6.2 on Sun Nov 10 07:02:51 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Nov 10 07:02:51 2019

uci show firewall:
root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.family='ipv4'
firewall.dns_int.proto='tcpudp'
firewall.dns_int.target='DNAT'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'