- login as: root
- root@192.168.2.12's password:
- BusyBox v1.30.1 () built-in shell (ash)
- _______ ________ __
- | |.-----.-----.-----.| | | |.----.| |_
- | - || _ | -__| || | | || _|| _|
- |_______|| __|_____|__|__||________||__| |____|
- |__| W I R E L E S S F R E E D O M
- -----------------------------------------------------
- OpenWrt 19.07.6, r11278-8055e38794
- -----------------------------------------------------
- root@OpenWrt:~# ubus call system board; uci show network; uci show firewall; crontab -l; \
- > wg show; ip address show; ip route show table all; ip rule show; iptables-save
- {
- "kernel": "4.14.215",
- "hostname": "OpenWrt",
- "system": "xRX200 rev 1.2",
- "model": "BT Home Hub 5A",
- "board_name": "bt,homehub-v5a",
- "release": {
- "distribution": "OpenWrt",
- "version": "19.07.6",
- "revision": "r11278-8055e38794",
- "target": "lantiq/xrx200",
- "description": "OpenWrt 19.07.6 r11278-8055e38794"
- }
- }
- network.loopback=interface
- network.loopback.ifname='lo'
- network.loopback.proto='static'
- network.loopback.ipaddr='127.0.0.1'
- network.loopback.netmask='255.0.0.0'
- network.globals=globals
- network.globals.ula_prefix='fded:1e16:3d60::/48'
- network.atm=atm-bridge
- network.atm.vpi='1'
- network.atm.vci='32'
- network.atm.encaps='llc'
- network.atm.payload='bridged'
- network.atm.nameprefix='dsl'
- network.atm.unit='root'
- network.dsl=dsl
- network.dsl.annex='a'
- network.dsl.tone='av'
- network.dsl.ds_snr_offset='0'
- network.lan=interface
- network.lan.type='bridge'
- network.lan.ifname='eth0.1'
- network.lan.proto='static'
- network.lan.netmask='255.255.255.0'
- network.lan.ip6assign='60'
- network.lan.ipaddr='192.168.2.12'
- network.lan_eth0_1_dev=device
- network.lan_eth0_1_dev.name='eth0.1'
- network.lan_eth0_1_dev.macaddr='00:37:b7:19:ef:1a'
- network.wan=interface
- network.wan.ifname='eth0.2'
- network.wan.proto='dhcp'
- network.wan.peerdns='0'
- network.wan.dns='10.100.0.1'
- network.wan.metric='100'
- network.wan_dsl0_dev=device
- network.wan_dsl0_dev.name='dsl0'
- network.wan_dsl0_dev.macaddr='00:37:b7:19:ef:1b'
- network.wan6=interface
- network.wan6.ifname='@wan'
- network.wan6.proto='dhcpv6'
- network.wan6.reqprefix='auto'
- network.wan6.reqaddress='try'
- network.wan6.metric='100'
- network.@switch[0]=switch
- network.@switch[0].name='switch0'
- network.@switch[0].reset='1'
- network.@switch[0].enable_vlan='1'
- network.@switch_vlan[0]=switch_vlan
- network.@switch_vlan[0].device='switch0'
- network.@switch_vlan[0].vlan='1'
- network.@switch_vlan[0].ports='0 1 2 4 6t'
- network.@switch_vlan[1]=switch_vlan
- network.@switch_vlan[1].device='switch0'
- network.@switch_vlan[1].vlan='2'
- network.@switch_vlan[1].ports='5 6t'
- network.VPNUnlimited=interface
- network.VPNUnlimited.proto='wireguard'
- network.VPNUnlimited.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
- network.VPNUnlimited.listen_port='51820'
- network.VPNUnlimited.addresses='10.XXX.XXX.XXX/32'
- network.@wireguard_VPNUnlimited[0]=wireguard_VPNUnlimited
- network.@wireguard_VPNUnlimited[0].persistent_keepalive='25'
- network.@wireguard_VPNUnlimited[0].public_key='/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxx='
- network.@wireguard_VPNUnlimited[0].description='VPN'
- network.@wireguard_VPNUnlimited[0].preshared_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
- network.@wireguard_VPNUnlimited[0].route_allowed_ips='1'
- network.@wireguard_VPNUnlimited[0].endpoint_port='51820'
- network.@wireguard_VPNUnlimited[0].endpoint_host='XXX.X.XX.16'
- network.@wireguard_VPNUnlimited[0].allowed_ips='0.0.0.0/0' '::0/0' '0.0.0.0/1' '128.0.0.0/1'
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].forward='REJECT'
- firewall.@defaults[0].synflood_protect='1'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[0].network='lan'
- firewall.@zone[0].masq='1'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].input='REJECT'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].forward='REJECT'
- firewall.@zone[1].masq='1'
- firewall.@zone[1].mtu_fix='1'
- firewall.@zone[1].network='wan wan6'
- firewall.@forwarding[0]=forwarding
- firewall.@forwarding[0].src='lan'
- firewall.@forwarding[0].dest='wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].name='Allow-DHCP-Renew'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='udp'
- firewall.@rule[0].dest_port='68'
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].family='ipv4'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-Ping'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='icmp'
- firewall.@rule[1].icmp_type='echo-request'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[2]=rule
- firewall.@rule[2].name='Allow-IGMP'
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='igmp'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].target='ACCEPT'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-DHCPv6'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='udp'
- firewall.@rule[3].src_ip='fc00::/6'
- firewall.@rule[3].dest_ip='fc00::/6'
- firewall.@rule[3].dest_port='546'
- firewall.@rule[3].family='ipv6'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-MLD'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='icmp'
- firewall.@rule[4].src_ip='fe80::/10'
- firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-ICMPv6-Input'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[5].limit='1000/sec'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Forward'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].dest='*'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-IPSec-ESP'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='lan'
- firewall.@rule[7].proto='esp'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-ISAKMP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].dest_port='500'
- firewall.@rule[8].proto='udp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- firewall.@rule[9]=rule
- firewall.@rule[9].dest_port='500'
- firewall.@rule[9].src='wan'
- firewall.@rule[9].name='IPSec-IKE'
- firewall.@rule[9].dest='lan'
- firewall.@rule[9].target='ACCEPT'
- firewall.@rule[9].proto='udp'
- firewall.@rule[10]=rule
- firewall.@rule[10].dest_port='55545'
- firewall.@rule[10].target='ACCEPT'
- firewall.@rule[10].proto='udp'
- firewall.@rule[10].name='Wireguard'
- firewall.@rule[10].src='Wireguard'
- firewall.@rule[10].dest='lan'
- firewall.@zone[2]=zone
- firewall.@zone[2].network='VPNUnlimited'
- firewall.@zone[2].name='Wireguard'
- firewall.@zone[2].mtu_fix='1'
- firewall.@zone[2].input='ACCEPT'
- firewall.@zone[2].masq='1'
- firewall.@zone[2].output='ACCEPT'
- firewall.@zone[2].forward='ACCEPT'
- firewall.@forwarding[1]=forwarding
- firewall.@forwarding[1].dest='wan'
- firewall.@forwarding[1].src='Wireguard'
- firewall.@forwarding[2]=forwarding
- firewall.@forwarding[2].dest='Wireguard'
- firewall.@forwarding[2].src='lan'
- * * * * * /usr/bin/wireguard_watchdog
- * * * * * date -s 2030-01-01; /etc/init.d/sysntpd restart
- interface: VPNUnlimited
- public key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
- private key: (hidden)
- listening port: 51820
- peer: /XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
- preshared key: (hidden)
- endpoint: XXX.X.XXX.XX:518XX
- allowed ips: 0.0.0.0/0, ::/0, 0.0.0.0/1, 128.0.0.0/1
- latest handshake: 1 minute, 12 seconds ago
- transfer: 17.70 MiB received, 5.00 MiB sent
- persistent keepalive: every 25 seconds
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- inet6 ::1/128 scope host
- valid_lft forever preferred_lft forever
- 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
- link/ether 0a:23:df:81:6c:6d brd ff:ff:ff:ff:ff:ff
- inet6 fe80::823:dfff:fe81:6c6d/64 scope link
- valid_lft forever preferred_lft forever
- 5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether 00:37:b7:19:ef:1a brd ff:ff:ff:ff:ff:ff
- inet 192.168.2.12/24 brd 192.168.2.255 scope global br-lan
- valid_lft forever preferred_lft forever
- inet6 fded:1e16:3d60::1/60 scope global noprefixroute
- valid_lft forever preferred_lft forever
- inet6 fe80::237:b7ff:fe19:ef1a/64 scope link
- valid_lft forever preferred_lft forever
- 6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
- link/ether 00:37:b7:19:ef:1a brd ff:ff:ff:ff:ff:ff
- 7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- link/ether 0a:23:df:81:6c:6d brd ff:ff:ff:ff:ff:ff
- inet 192.168.1.149/24 brd 192.168.1.255 scope global eth0.2
- valid_lft forever preferred_lft forever
- inet6 fdb9:f7b7:5624:0:823:dfff:fe81:6c6d/64 scope global noprefixroute
- valid_lft forever preferred_lft forever
- inet6 fdb9:f7b7:5624::d30/128 scope global noprefixroute
- valid_lft forever preferred_lft forever
- inet6 fe80::823:dfff:fe81:6c6d/64 scope link
- valid_lft forever preferred_lft forever
- 9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
- link/ether 00:37:b7:19:ef:1d brd ff:ff:ff:ff:ff:ff
- inet6 fe80::237:b7ff:fe19:ef1d/64 scope link
- valid_lft forever preferred_lft forever
- 10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
- link/ether 00:37:b7:19:ef:1c brd ff:ff:ff:ff:ff:ff
- inet6 fe80::237:b7ff:fe19:ef1c/64 scope link
- valid_lft forever preferred_lft forever
- 11: VPNUnlimited: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
- link/none
- inet 10.100.12.160/32 brd 255.255.255.255 scope global VPNUnlimited
- valid_lft forever preferred_lft forever
- default via 192.168.1.11 dev eth0.2 table wan
- 192.168.2.0/24 dev br-lan table wan proto kernel scope link src 192.168.2.12
- default via 10.100.12.160 dev VPNUnlimited table VPNUnlimited
- 192.168.2.0/24 dev br-lan table VPNUnlimited proto kernel scope link src 192.168.2.12
- 0.0.0.0/1 dev VPNUnlimited proto static scope link
- default dev VPNUnlimited proto static scope link
- default via 192.168.1.11 dev eth0.2 proto static src 192.168.1.149 metric 100
- 128.0.0.0/1 dev VPNUnlimited proto static scope link
- 190.2.132.16 via 192.168.1.11 dev eth0.2 proto static metric 100
- 192.168.1.0/24 dev eth0.2 proto static scope link metric 100
- 192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.12
- local XX.XX.XX.160 dev VPNUnlimited table local proto kernel scope host src 10.100.12.160
- broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
- local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
- local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
- broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
- broadcast 192.168.1.0 dev eth0.2 table local proto kernel scope link src 192.168.1.149
- local 192.168.1.149 dev eth0.2 table local proto kernel scope host src 192.168.1.149
- broadcast 192.168.1.255 dev eth0.2 table local proto kernel scope link src 192.168.1.149
- broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.12
- local 192.168.2.12 dev br-lan table local proto kernel scope host src 192.168.2.12
- broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.12
- fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::d30 via fe80::ca91:f9ff:fe59:2a86 dev eth0.2 table wan proto static metric 512 pref medium
- fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::/64 via fe80::ca91:f9ff:fe59:2a86 dev eth0.2 table wan proto static metric 512 pref medium
- fdb9:f7b7:5624::/64 dev eth0.2 table wan proto static metric 256 pref medium
- fe80::/64 dev eth0.2 table wan proto kernel metric 256 pref medium
- unreachable default dev lo table VPNUnlimited metric 1024 error 4294967148 pref medium
- fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::d30 via fe80::ca91:f9ff:fe59:2a86 dev eth0.2 proto static metric 512 pref medium
- fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::/64 via fe80::ca91:f9ff:fe59:2a86 dev eth0.2 proto static metric 512 pref medium
- fdb9:f7b7:5624::/64 dev eth0.2 proto static metric 256 pref medium
- fded:1e16:3d60::/64 dev br-lan proto static metric 1024 pref medium
- unreachable fded:1e16:3d60::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
- fe80::/64 dev eth0 proto kernel metric 256 pref medium
- fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
- fe80::/64 dev br-lan proto kernel metric 256 pref medium
- fe80::/64 dev wlan1 proto kernel metric 256 pref medium
- fe80::/64 dev wlan0 proto kernel metric 256 pref medium
- default dev VPNUnlimited proto static metric 1024 pref medium
- local ::1 dev lo table local proto kernel metric 0 pref medium
- anycast fdb9:f7b7:5624:: dev eth0.2 table local proto kernel metric 0 pref medium
- local fdb9:f7b7:5624::d30 dev eth0.2 table local proto kernel metric 0 pref medium
- local fdb9:f7b7:5624:0:823:dfff:fe81:6c6d dev eth0.2 table local proto kernel metric 0 pref medium
- anycast fded:1e16:3d60:: dev br-lan table local proto kernel metric 0 pref medium
- local fded:1e16:3d60::1 dev br-lan table local proto kernel metric 0 pref medium
- anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
- anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
- anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
- anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
- anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
- local fe80::237:b7ff:fe19:ef1a dev br-lan table local proto kernel metric 0 pref medium
- local fe80::237:b7ff:fe19:ef1c dev wlan1 table local proto kernel metric 0 pref medium
- local fe80::237:b7ff:fe19:ef1d dev wlan0 table local proto kernel metric 0 pref medium
- local fe80::823:dfff:fe81:6c6d dev eth0 table local proto kernel metric 0 pref medium
- local fe80::823:dfff:fe81:6c6d dev eth0.2 table local proto kernel metric 0 pref medium
- ff00::/8 dev br-lan table local metric 256 pref medium
- ff00::/8 dev eth0 table local metric 256 pref medium
- ff00::/8 dev eth0.2 table local metric 256 pref medium
- ff00::/8 dev wlan1 table local metric 256 pref medium
- ff00::/8 dev VPNUnlimited table local metric 256 pref medium
- ff00::/8 dev wlan0 table local metric 256 pref medium
- 0: from all lookup local
- 32762: from all fwmark 0x20000/0xff0000 lookup VPNUnlimited
- 32763: from all fwmark 0x10000/0xff0000 lookup wan
- 32766: from all lookup main
- 32767: from all lookup default
- # Generated by iptables-save v1.8.3 on Sat Mar 13 23:00:47 2021
- *nat
- :PREROUTING ACCEPT [3720:355660]
- :INPUT ACCEPT [2263:158456]
- :OUTPUT ACCEPT [911:67704]
- :POSTROUTING ACCEPT [197:13459]
- :postrouting_Wireguard_rule - [0:0]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_Wireguard_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_Wireguard_postrouting - [0:0]
- :zone_Wireguard_prerouting - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
- -A PREROUTING -i VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_prerouting
- -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
- -A POSTROUTING -o VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_postrouting
- -A zone_Wireguard_postrouting -m comment --comment "!fw3: Custom Wireguard postrouting rule chain" -j postrouting_Wireguard_rule
- -A zone_Wireguard_postrouting -m comment --comment "!fw3" -j MASQUERADE
- -A zone_Wireguard_prerouting -m comment --comment "!fw3: Custom Wireguard prerouting rule chain" -j prerouting_Wireguard_rule
- -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- COMMIT
- # Completed on Sat Mar 13 23:00:47 2021
- # Generated by iptables-save v1.8.3 on Sat Mar 13 23:00:47 2021
- *mangle
- :PREROUTING ACCEPT [28591:15671401]
- :INPUT ACCEPT [12575:7373335]
- :FORWARD ACCEPT [15833:8254934]
- :OUTPUT ACCEPT [9803:2643242]
- :POSTROUTING ACCEPT [25636:10898176]
- :VPR_MARK0x010000 - [0:0]
- :VPR_MARK0x020000 - [0:0]
- :VPR_PREROUTING - [0:0]
- -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
- -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A FORWARD -o VPNUnlimited -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wireguard MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A FORWARD -i VPNUnlimited -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone Wireguard MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A VPR_MARK0x010000 -j MARK --set-xmark 0x10000/0xff0000
- -A VPR_MARK0x010000 -j RETURN
- -A VPR_MARK0x020000 -j MARK --set-xmark 0x20000/0xff0000
- -A VPR_MARK0x020000 -j RETURN
- -A VPR_PREROUTING -m set --match-set VPNUnlimited dst -g VPR_MARK0x020000
- -A VPR_PREROUTING -m set --match-set wan dst -g VPR_MARK0x010000
- -A VPR_PREROUTING -s 192.168.2.149/32 -d 192.168.2.0/24 -m comment --comment Osminiplus -g VPR_MARK0x010000
- COMMIT
- # Completed on Sat Mar 13 23:00:47 2021
- # Generated by iptables-save v1.8.3 on Sat Mar 13 23:00:47 2021
- *filter
- :INPUT ACCEPT [2:111]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :forwarding_Wireguard_rule - [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_Wireguard_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_Wireguard_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_Wireguard_dest_ACCEPT - [0:0]
- :zone_Wireguard_forward - [0:0]
- :zone_Wireguard_input - [0:0]
- :zone_Wireguard_output - [0:0]
- :zone_Wireguard_src_ACCEPT - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_REJECT - [0:0]
- -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
- -A INPUT -i VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_input
- -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -i VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_forward
- -A FORWARD -m comment --comment "!fw3" -j reject
- -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
- -A OUTPUT -o VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_output
- -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- -A syn_flood -m comment --comment "!fw3" -j DROP
- -A zone_Wireguard_dest_ACCEPT -o VPNUnlimited -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_Wireguard_dest_ACCEPT -o VPNUnlimited -m comment --comment "!fw3" -j ACCEPT
- -A zone_Wireguard_forward -m comment --comment "!fw3: Custom Wireguard forwarding rule chain" -j forwarding_Wireguard_rule
- -A zone_Wireguard_forward -p udp -m udp --dport 55545 -m comment --comment "!fw3: Wireguard" -j zone_lan_dest_ACCEPT
- -A zone_Wireguard_forward -m comment --comment "!fw3: Zone Wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
- -A zone_Wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_Wireguard_forward -m comment --comment "!fw3" -j zone_Wireguard_dest_ACCEPT
- -A zone_Wireguard_input -m comment --comment "!fw3: Custom Wireguard input rule chain" -j input_Wireguard_rule
- -A zone_Wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_Wireguard_input -m comment --comment "!fw3" -j zone_Wireguard_src_ACCEPT
- -A zone_Wireguard_output -m comment --comment "!fw3: Custom Wireguard output rule chain" -j output_Wireguard_rule
- -A zone_Wireguard_output -m comment --comment "!fw3" -j zone_Wireguard_dest_ACCEPT
- -A zone_Wireguard_src_ACCEPT -i VPNUnlimited -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Wireguard forwarding policy" -j zone_Wireguard_dest_ACCEPT
- -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
- -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: IPSec-IKE" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
- -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
- -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
- COMMIT
- # Completed on Sat Mar 13 23:00:47 2021
- root@OpenWrt:~#