
OpenWrt

a guest
Mar 13th, 2021
  1. login as: root
  2. root@192.168.2.12's password:
  3.  
  4.  
  5. BusyBox v1.30.1 () built-in shell (ash)
  6.  
  7. _______ ________ __
  8. | |.-----.-----.-----.| | | |.----.| |_
  9. | - || _ | -__| || | | || _|| _|
  10. |_______|| __|_____|__|__||________||__| |____|
  11. |__| W I R E L E S S F R E E D O M
  12. -----------------------------------------------------
  13. OpenWrt 19.07.6, r11278-8055e38794
  14. -----------------------------------------------------
  15. root@OpenWrt:~# ubus call system board; uci show network; uci show firewall; cro
  16. ntab -l; \
  17. > wg show; ip address show; ip route show table all; ip rule show; iptables-save
  18. {
  19. "kernel": "4.14.215",
  20. "hostname": "OpenWrt",
  21. "system": "xRX200 rev 1.2",
  22. "model": "BT Home Hub 5A",
  23. "board_name": "bt,homehub-v5a",
  24. "release": {
  25. "distribution": "OpenWrt",
  26. "version": "19.07.6",
  27. "revision": "r11278-8055e38794",
  28. "target": "lantiq/xrx200",
  29. "description": "OpenWrt 19.07.6 r11278-8055e38794"
  30. }
  31. }
  32. network.loopback=interface
  33. network.loopback.ifname='lo'
  34. network.loopback.proto='static'
  35. network.loopback.ipaddr='127.0.0.1'
  36. network.loopback.netmask='255.0.0.0'
  37. network.globals=globals
  38. network.globals.ula_prefix='fded:1e16:3d60::/48'
  39. network.atm=atm-bridge
  40. network.atm.vpi='1'
  41. network.atm.vci='32'
  42. network.atm.encaps='llc'
  43. network.atm.payload='bridged'
  44. network.atm.nameprefix='dsl'
  45. network.atm.unit='root'
  46. network.dsl=dsl
  47. network.dsl.annex='a'
  48. network.dsl.tone='av'
  49. network.dsl.ds_snr_offset='0'
  50. network.lan=interface
  51. network.lan.type='bridge'
  52. network.lan.ifname='eth0.1'
  53. network.lan.proto='static'
  54. network.lan.netmask='255.255.255.0'
  55. network.lan.ip6assign='60'
  56. network.lan.ipaddr='192.168.2.12'
  57. network.lan_eth0_1_dev=device
  58. network.lan_eth0_1_dev.name='eth0.1'
  59. network.lan_eth0_1_dev.macaddr='00:37:b7:19:ef:1a'
  60. network.wan=interface
  61. network.wan.ifname='eth0.2'
  62. network.wan.proto='dhcp'
  63. network.wan.peerdns='0'
  64. network.wan.dns='10.100.0.1'
  65. network.wan.metric='100'
  66. network.wan_dsl0_dev=device
  67. network.wan_dsl0_dev.name='dsl0'
  68. network.wan_dsl0_dev.macaddr='00:37:b7:19:ef:1b'
  69. network.wan6=interface
  70. network.wan6.ifname='@wan'
  71. network.wan6.proto='dhcpv6'
  72. network.wan6.reqprefix='auto'
  73. network.wan6.reqaddress='try'
  74. network.wan6.metric='100'
  75. network.@switch[0]=switch
  76. network.@switch[0].name='switch0'
  77. network.@switch[0].reset='1'
  78. network.@switch[0].enable_vlan='1'
  79. network.@switch_vlan[0]=switch_vlan
  80. network.@switch_vlan[0].device='switch0'
  81. network.@switch_vlan[0].vlan='1'
  82. network.@switch_vlan[0].ports='0 1 2 4 6t'
  83. network.@switch_vlan[1]=switch_vlan
  84. network.@switch_vlan[1].device='switch0'
  85. network.@switch_vlan[1].vlan='2'
  86. network.@switch_vlan[1].ports='5 6t'
  87. network.VPNUnlimited=interface
  88. network.VPNUnlimited.proto='wireguard'
  89. network.VPNUnlimited.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
  90. network.VPNUnlimited.listen_port='51820'
  91. network.VPNUnlimited.addresses='10.XXX.XXX.XXX/32'
  92. network.@wireguard_VPNUnlimited[0]=wireguard_VPNUnlimited
  93. network.@wireguard_VPNUnlimited[0].persistent_keepalive='25'
  94. network.@wireguard_VPNUnlimited[0].public_key='/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxx='
  95. network.@wireguard_VPNUnlimited[0].description='VPN'
  96. network.@wireguard_VPNUnlimited[0].preshared_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
  97. network.@wireguard_VPNUnlimited[0].route_allowed_ips='1'
  98. network.@wireguard_VPNUnlimited[0].endpoint_port='51820'
  99. network.@wireguard_VPNUnlimited[0].endpoint_host='XXX.X.XX.16'
  100. network.@wireguard_VPNUnlimited[0].allowed_ips='0.0.0.0/0' '::0/0' '0.0.0.0/1' '128.0.0.0/1'
  101. firewall.@defaults[0]=defaults
  102. firewall.@defaults[0].input='ACCEPT'
  103. firewall.@defaults[0].output='ACCEPT'
  104. firewall.@defaults[0].forward='REJECT'
  105. firewall.@defaults[0].synflood_protect='1'
  106. firewall.@zone[0]=zone
  107. firewall.@zone[0].name='lan'
  108. firewall.@zone[0].input='ACCEPT'
  109. firewall.@zone[0].output='ACCEPT'
  110. firewall.@zone[0].forward='ACCEPT'
  111. firewall.@zone[0].network='lan'
  112. firewall.@zone[0].masq='1'
  113. firewall.@zone[1]=zone
  114. firewall.@zone[1].name='wan'
  115. firewall.@zone[1].input='REJECT'
  116. firewall.@zone[1].output='ACCEPT'
  117. firewall.@zone[1].forward='REJECT'
  118. firewall.@zone[1].masq='1'
  119. firewall.@zone[1].mtu_fix='1'
  120. firewall.@zone[1].network='wan wan6'
  121. firewall.@forwarding[0]=forwarding
  122. firewall.@forwarding[0].src='lan'
  123. firewall.@forwarding[0].dest='wan'
  124. firewall.@rule[0]=rule
  125. firewall.@rule[0].name='Allow-DHCP-Renew'
  126. firewall.@rule[0].src='wan'
  127. firewall.@rule[0].proto='udp'
  128. firewall.@rule[0].dest_port='68'
  129. firewall.@rule[0].target='ACCEPT'
  130. firewall.@rule[0].family='ipv4'
  131. firewall.@rule[1]=rule
  132. firewall.@rule[1].name='Allow-Ping'
  133. firewall.@rule[1].src='wan'
  134. firewall.@rule[1].proto='icmp'
  135. firewall.@rule[1].icmp_type='echo-request'
  136. firewall.@rule[1].family='ipv4'
  137. firewall.@rule[1].target='ACCEPT'
  138. firewall.@rule[2]=rule
  139. firewall.@rule[2].name='Allow-IGMP'
  140. firewall.@rule[2].src='wan'
  141. firewall.@rule[2].proto='igmp'
  142. firewall.@rule[2].family='ipv4'
  143. firewall.@rule[2].target='ACCEPT'
  144. firewall.@rule[3]=rule
  145. firewall.@rule[3].name='Allow-DHCPv6'
  146. firewall.@rule[3].src='wan'
  147. firewall.@rule[3].proto='udp'
  148. firewall.@rule[3].src_ip='fc00::/6'
  149. firewall.@rule[3].dest_ip='fc00::/6'
  150. firewall.@rule[3].dest_port='546'
  151. firewall.@rule[3].family='ipv6'
  152. firewall.@rule[3].target='ACCEPT'
  153. firewall.@rule[4]=rule
  154. firewall.@rule[4].name='Allow-MLD'
  155. firewall.@rule[4].src='wan'
  156. firewall.@rule[4].proto='icmp'
  157. firewall.@rule[4].src_ip='fe80::/10'
  158. firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
  159. firewall.@rule[4].family='ipv6'
  160. firewall.@rule[4].target='ACCEPT'
  161. firewall.@rule[5]=rule
  162. firewall.@rule[5].name='Allow-ICMPv6-Input'
  163. firewall.@rule[5].src='wan'
  164. firewall.@rule[5].proto='icmp'
  165. firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
  166. firewall.@rule[5].limit='1000/sec'
  167. firewall.@rule[5].family='ipv6'
  168. firewall.@rule[5].target='ACCEPT'
  169. firewall.@rule[6]=rule
  170. firewall.@rule[6].name='Allow-ICMPv6-Forward'
  171. firewall.@rule[6].src='wan'
  172. firewall.@rule[6].dest='*'
  173. firewall.@rule[6].proto='icmp'
  174. firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
  175. firewall.@rule[6].limit='1000/sec'
  176. firewall.@rule[6].family='ipv6'
  177. firewall.@rule[6].target='ACCEPT'
  178. firewall.@rule[7]=rule
  179. firewall.@rule[7].name='Allow-IPSec-ESP'
  180. firewall.@rule[7].src='wan'
  181. firewall.@rule[7].dest='lan'
  182. firewall.@rule[7].proto='esp'
  183. firewall.@rule[7].target='ACCEPT'
  184. firewall.@rule[8]=rule
  185. firewall.@rule[8].name='Allow-ISAKMP'
  186. firewall.@rule[8].src='wan'
  187. firewall.@rule[8].dest='lan'
  188. firewall.@rule[8].dest_port='500'
  189. firewall.@rule[8].proto='udp'
  190. firewall.@rule[8].target='ACCEPT'
  191. firewall.@include[0]=include
  192. firewall.@include[0].path='/etc/firewall.user'
  193. firewall.@rule[9]=rule
  194. firewall.@rule[9].dest_port='500'
  195. firewall.@rule[9].src='wan'
  196. firewall.@rule[9].name='IPSec-IKE'
  197. firewall.@rule[9].dest='lan'
  198. firewall.@rule[9].target='ACCEPT'
  199. firewall.@rule[9].proto='udp'
  200. firewall.@rule[10]=rule
  201. firewall.@rule[10].dest_port='55545'
  202. firewall.@rule[10].target='ACCEPT'
  203. firewall.@rule[10].proto='udp'
  204. firewall.@rule[10].name='Wireguard'
  205. firewall.@rule[10].src='Wireguard'
  206. firewall.@rule[10].dest='lan'
  207. firewall.@zone[2]=zone
  208. firewall.@zone[2].network='VPNUnlimited'
  209. firewall.@zone[2].name='Wireguard'
  210. firewall.@zone[2].mtu_fix='1'
  211. firewall.@zone[2].input='ACCEPT'
  212. firewall.@zone[2].masq='1'
  213. firewall.@zone[2].output='ACCEPT'
  214. firewall.@zone[2].forward='ACCEPT'
  215. firewall.@forwarding[1]=forwarding
  216. firewall.@forwarding[1].dest='wan'
  217. firewall.@forwarding[1].src='Wireguard'
  218. firewall.@forwarding[2]=forwarding
  219. firewall.@forwarding[2].dest='Wireguard'
  220. firewall.@forwarding[2].src='lan'
  221. * * * * * /usr/bin/wireguard_watchdog
  222. * * * * * date -s 2030-01-01; /etc/init.d/sysntpd restart
  223. interface: VPNUnlimited
  224. public key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
  225. private key: (hidden)
  226. listening port: 51820
  227.  
  228. peer: /XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
  229. preshared key: (hidden)
  230. endpoint: XXX.X.XXX.XX:518XX
  231. allowed ips: 0.0.0.0/0, ::/0, 0.0.0.0/1, 128.0.0.0/1
  232. latest handshake: 1 minute, 12 seconds ago
  233. transfer: 17.70 MiB received, 5.00 MiB sent
  234. persistent keepalive: every 25 seconds
  235. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group defaul t qlen 1000
  236. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  237. inet 127.0.0.1/8 scope host lo
  238. valid_lft forever preferred_lft forever
  239. inet6 ::1/128 scope host
  240. valid_lft forever preferred_lft forever
  241. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP grou p default qlen 1000
  242. link/ether 0a:23:df:81:6c:6d brd ff:ff:ff:ff:ff:ff
  243. inet6 fe80::823:dfff:fe81:6c6d/64 scope link
  244. valid_lft forever preferred_lft forever
  245. 5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP gro up default qlen 1000
  246. link/ether 00:37:b7:19:ef:1a brd ff:ff:ff:ff:ff:ff
  247. inet 192.168.2.12/24 brd 192.168.2.255 scope global br-lan
  248. valid_lft forever preferred_lft forever
  249. inet6 fded:1e16:3d60::1/60 scope global noprefixroute
  250. valid_lft forever preferred_lft forever
  251. inet6 fe80::237:b7ff:fe19:ef1a/64 scope link
  252. valid_lft forever preferred_lft forever
  253. 6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
  254. link/ether 00:37:b7:19:ef:1a brd ff:ff:ff:ff:ff:ff
  255. 7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state U P group default qlen 1000
  256. link/ether 0a:23:df:81:6c:6d brd ff:ff:ff:ff:ff:ff
  257. inet 192.168.1.149/24 brd 192.168.1.255 scope global eth0.2
  258. valid_lft forever preferred_lft forever
  259. inet6 fdb9:f7b7:5624:0:823:dfff:fe81:6c6d/64 scope global noprefixroute
  260. valid_lft forever preferred_lft forever
  261. inet6 fdb9:f7b7:5624::d30/128 scope global noprefixroute
  262. valid_lft forever preferred_lft forever
  263. inet6 fe80::823:dfff:fe81:6c6d/64 scope link
  264. valid_lft forever preferred_lft forever
  265. 9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
  266. link/ether 00:37:b7:19:ef:1d brd ff:ff:ff:ff:ff:ff
  267. inet6 fe80::237:b7ff:fe19:ef1d/64 scope link
  268. valid_lft forever preferred_lft forever
  269. 10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-la n state UP group default qlen 1000
  270. link/ether 00:37:b7:19:ef:1c brd ff:ff:ff:ff:ff:ff
  271. inet6 fe80::237:b7ff:fe19:ef1c/64 scope link
  272. valid_lft forever preferred_lft forever
  273. 11: VPNUnlimited: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state U NKNOWN group default qlen 1000
  274. link/none
  275. inet 10.100.12.160/32 brd 255.255.255.255 scope global VPNUnlimited
  276. valid_lft forever preferred_lft forever
  277. default via 192.168.1.11 dev eth0.2 table wan
  278. 192.168.2.0/24 dev br-lan table wan proto kernel scope link src 192.168.2.12
  279. default via 10.100.12.160 dev VPNUnlimited table VPNUnlimited
  280. 192.168.2.0/24 dev br-lan table VPNUnlimited proto kernel scope link src 192.168 .2.12
  281. 0.0.0.0/1 dev VPNUnlimited proto static scope link
  282. default dev VPNUnlimited proto static scope link
  283. default via 192.168.1.11 dev eth0.2 proto static src 192.168.1.149 metric 100
  284. 128.0.0.0/1 dev VPNUnlimited proto static scope link
  285. 190.2.132.16 via 192.168.1.11 dev eth0.2 proto static metric 100
  286. 192.168.1.0/24 dev eth0.2 proto static scope link metric 100
  287. 192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.12
  288. local XX.XX.XX.160 dev VPNUnlimited table local proto kernel scope host src 10.100.12.160
  289. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  290. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  291. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  292. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0 .1
  293. broadcast 192.168.1.0 dev eth0.2 table local proto kernel scope link src 192.168 .1.149
  294. local 192.168.1.149 dev eth0.2 table local proto kernel scope host src 192.168.1 .149
  295. broadcast 192.168.1.255 dev eth0.2 table local proto kernel scope link src 192.1 68.1.149
  296. broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168 .2.12
  297. local 192.168.2.12 dev br-lan table local proto kernel scope host src 192.168.2. 12
  298. broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.1 68.2.12
  299. fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::d30 via fe80::ca91:f9ff:fe59:2a86 dev e th0.2 table wan proto static metric 512 pref medium
  300. fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::/64 via fe80::ca91:f9ff:fe59:2a86 dev e th0.2 table wan proto static metric 512 pref medium
  301. fdb9:f7b7:5624::/64 dev eth0.2 table wan proto static metric 256 pref medium
  302. fe80::/64 dev eth0.2 table wan proto kernel metric 256 pref medium
  303. unreachable default dev lo table VPNUnlimited metric 1024 error 4294967148 pref medium
  304. fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::d30 via fe80::ca91:f9ff:fe59:2a86 dev e th0.2 proto static metric 512 pref medium
  305. fdb9:f7b7:5624::/48 from fdb9:f7b7:5624::/64 via fe80::ca91:f9ff:fe59:2a86 dev e th0.2 proto static metric 512 pref medium
  306. fdb9:f7b7:5624::/64 dev eth0.2 proto static metric 256 pref medium
  307. fded:1e16:3d60::/64 dev br-lan proto static metric 1024 pref medium
  308. unreachable fded:1e16:3d60::/48 dev lo proto static metric 2147483647 error 4294 967148 pref medium
  309. fe80::/64 dev eth0 proto kernel metric 256 pref medium
  310. fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
  311. fe80::/64 dev br-lan proto kernel metric 256 pref medium
  312. fe80::/64 dev wlan1 proto kernel metric 256 pref medium
  313. fe80::/64 dev wlan0 proto kernel metric 256 pref medium
  314. default dev VPNUnlimited proto static metric 1024 pref medium
  315. local ::1 dev lo table local proto kernel metric 0 pref medium
  316. anycast fdb9:f7b7:5624:: dev eth0.2 table local proto kernel metric 0 pref mediu m
  317. local fdb9:f7b7:5624::d30 dev eth0.2 table local proto kernel metric 0 pref medi um
  318. local fdb9:f7b7:5624:0:823:dfff:fe81:6c6d dev eth0.2 table local proto kernel me tric 0 pref medium
  319. anycast fded:1e16:3d60:: dev br-lan table local proto kernel metric 0 pref mediu m
  320. local fded:1e16:3d60::1 dev br-lan table local proto kernel metric 0 pref medium
  321. anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
  322. anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
  323. anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
  324. anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
  325. anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
  326. local fe80::237:b7ff:fe19:ef1a dev br-lan table local proto kernel metric 0 pref medium
  327. local fe80::237:b7ff:fe19:ef1c dev wlan1 table local proto kernel metric 0 pref medium
  328. local fe80::237:b7ff:fe19:ef1d dev wlan0 table local proto kernel metric 0 pref medium
  329. local fe80::823:dfff:fe81:6c6d dev eth0 table local proto kernel metric 0 pref m edium
  330. local fe80::823:dfff:fe81:6c6d dev eth0.2 table local proto kernel metric 0 pref medium
  331. ff00::/8 dev br-lan table local metric 256 pref medium
  332. ff00::/8 dev eth0 table local metric 256 pref medium
  333. ff00::/8 dev eth0.2 table local metric 256 pref medium
  334. ff00::/8 dev wlan1 table local metric 256 pref medium
  335. ff00::/8 dev VPNUnlimited table local metric 256 pref medium
  336. ff00::/8 dev wlan0 table local metric 256 pref medium
  337. 0: from all lookup local
  338. 32762: from all fwmark 0x20000/0xff0000 lookup VPNUnlimited
  339. 32763: from all fwmark 0x10000/0xff0000 lookup wan
  340. 32766: from all lookup main
  341. 32767: from all lookup default
  342. # Generated by iptables-save v1.8.3 on Sat Mar 13 23:00:47 2021
  343. *nat
  344. :PREROUTING ACCEPT [3720:355660]
  345. :INPUT ACCEPT [2263:158456]
  346. :OUTPUT ACCEPT [911:67704]
  347. :POSTROUTING ACCEPT [197:13459]
  348. :postrouting_Wireguard_rule - [0:0]
  349. :postrouting_lan_rule - [0:0]
  350. :postrouting_rule - [0:0]
  351. :postrouting_wan_rule - [0:0]
  352. :prerouting_Wireguard_rule - [0:0]
  353. :prerouting_lan_rule - [0:0]
  354. :prerouting_rule - [0:0]
  355. :prerouting_wan_rule - [0:0]
  356. :zone_Wireguard_postrouting - [0:0]
  357. :zone_Wireguard_prerouting - [0:0]
  358. :zone_lan_postrouting - [0:0]
  359. :zone_lan_prerouting - [0:0]
  360. :zone_wan_postrouting - [0:0]
  361. :zone_wan_prerouting - [0:0]
  362. -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prero uting_rule
  363. -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
  364. -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
  365. -A PREROUTING -i VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_prer outing
  366. -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j pos trouting_rule
  367. -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
  368. -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
  369. -A POSTROUTING -o VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_pos trouting
  370. -A zone_Wireguard_postrouting -m comment --comment "!fw3: Custom Wireguard postr outing rule chain" -j postrouting_Wireguard_rule
  371. -A zone_Wireguard_postrouting -m comment --comment "!fw3" -j MASQUERADE
  372. -A zone_Wireguard_prerouting -m comment --comment "!fw3: Custom Wireguard prerou ting rule chain" -j prerouting_Wireguard_rule
  373. -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  374. -A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  375. -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule ch ain" -j prerouting_lan_rule
  376. -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  377. -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  378. -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule ch ain" -j prerouting_wan_rule
  379. COMMIT
  380. # Completed on Sat Mar 13 23:00:47 2021
  381. # Generated by iptables-save v1.8.3 on Sat Mar 13 23:00:47 2021
  382. *mangle
  383. :PREROUTING ACCEPT [28591:15671401]
  384. :INPUT ACCEPT [12575:7373335]
  385. :FORWARD ACCEPT [15833:8254934]
  386. :OUTPUT ACCEPT [9803:2643242]
  387. :POSTROUTING ACCEPT [25636:10898176]
  388. :VPR_MARK0x010000 - [0:0]
  389. :VPR_MARK0x020000 - [0:0]
  390. :VPR_PREROUTING - [0:0]
  391. -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
  392. -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  393. -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  394. -A FORWARD -o VPNUnlimited -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --co mment "!fw3: Zone Wireguard MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  395. -A FORWARD -i VPNUnlimited -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --co mment "!fw3: Zone Wireguard MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  396. -A VPR_MARK0x010000 -j MARK --set-xmark 0x10000/0xff0000
  397. -A VPR_MARK0x010000 -j RETURN
  398. -A VPR_MARK0x020000 -j MARK --set-xmark 0x20000/0xff0000
  399. -A VPR_MARK0x020000 -j RETURN
  400. -A VPR_PREROUTING -m set --match-set VPNUnlimited dst -g VPR_MARK0x020000
  401. -A VPR_PREROUTING -m set --match-set wan dst -g VPR_MARK0x010000
  402. -A VPR_PREROUTING -s 192.168.2.149/32 -d 192.168.2.0/24 -m comment --comment Osm iniplus -g VPR_MARK0x010000
  403. COMMIT
  404. # Completed on Sat Mar 13 23:00:47 2021
  405. # Generated by iptables-save v1.8.3 on Sat Mar 13 23:00:47 2021
  406. *filter
  407. :INPUT ACCEPT [2:111]
  408. :FORWARD DROP [0:0]
  409. :OUTPUT ACCEPT [0:0]
  410. :forwarding_Wireguard_rule - [0:0]
  411. :forwarding_lan_rule - [0:0]
  412. :forwarding_rule - [0:0]
  413. :forwarding_wan_rule - [0:0]
  414. :input_Wireguard_rule - [0:0]
  415. :input_lan_rule - [0:0]
  416. :input_rule - [0:0]
  417. :input_wan_rule - [0:0]
  418. :output_Wireguard_rule - [0:0]
  419. :output_lan_rule - [0:0]
  420. :output_rule - [0:0]
  421. :output_wan_rule - [0:0]
  422. :reject - [0:0]
  423. :syn_flood - [0:0]
  424. :zone_Wireguard_dest_ACCEPT - [0:0]
  425. :zone_Wireguard_forward - [0:0]
  426. :zone_Wireguard_input - [0:0]
  427. :zone_Wireguard_output - [0:0]
  428. :zone_Wireguard_src_ACCEPT - [0:0]
  429. :zone_lan_dest_ACCEPT - [0:0]
  430. :zone_lan_forward - [0:0]
  431. :zone_lan_input - [0:0]
  432. :zone_lan_output - [0:0]
  433. :zone_lan_src_ACCEPT - [0:0]
  434. :zone_wan_dest_ACCEPT - [0:0]
  435. :zone_wan_dest_REJECT - [0:0]
  436. :zone_wan_forward - [0:0]
  437. :zone_wan_input - [0:0]
  438. :zone_wan_output - [0:0]
  439. :zone_wan_src_REJECT - [0:0]
  440. -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  441. -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  442. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  443. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw 3" -j syn_flood
  444. -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
  445. -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
  446. -A INPUT -i VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_input
  447. -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwardi ng_rule
  448. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3 " -j ACCEPT
  449. -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
  450. -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
  451. -A FORWARD -i VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_forward
  452. -A FORWARD -m comment --comment "!fw3" -j reject
  453. -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  454. -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  455. -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  456. -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  457. -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
  458. -A OUTPUT -o VPNUnlimited -m comment --comment "!fw3" -j zone_Wireguard_output
  459. -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  460. -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreacha ble
  461. -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/s ec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  462. -A syn_flood -m comment --comment "!fw3" -j DROP
  463. -A zone_Wireguard_dest_ACCEPT -o VPNUnlimited -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  464. -A zone_Wireguard_dest_ACCEPT -o VPNUnlimited -m comment --comment "!fw3" -j ACCEPT
  465. -A zone_Wireguard_forward -m comment --comment "!fw3: Custom Wireguard forwardin g rule chain" -j forwarding_Wireguard_rule
  466. -A zone_Wireguard_forward -p udp -m udp --dport 55545 -m comment --comment "!fw3 : Wireguard" -j zone_lan_dest_ACCEPT
  467. -A zone_Wireguard_forward -m comment --comment "!fw3: Zone Wireguard to wan forw arding policy" -j zone_wan_dest_ACCEPT
  468. -A zone_Wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3 : Accept port forwards" -j ACCEPT
  469. -A zone_Wireguard_forward -m comment --comment "!fw3" -j zone_Wireguard_dest_ACCEPT
  470. -A zone_Wireguard_input -m comment --comment "!fw3: Custom Wireguard input rule chain" -j input_Wireguard_rule
  471. -A zone_Wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  472. -A zone_Wireguard_input -m comment --comment "!fw3" -j zone_Wireguard_src_ACCEPT
  473. -A zone_Wireguard_output -m comment --comment "!fw3: Custom Wireguard output rul e chain" -j output_Wireguard_rule
  474. -A zone_Wireguard_output -m comment --comment "!fw3" -j zone_Wireguard_dest_ACCEPT
  475. -A zone_Wireguard_src_ACCEPT -i VPNUnlimited -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  476. -A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate INVALID -m comment --co mment "!fw3: Prevent NAT leakage" -j DROP
  477. -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
  478. -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain " -j forwarding_lan_rule
  479. -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding polic y" -j zone_wan_dest_ACCEPT
  480. -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Wireguard forwarding policy" -j zone_Wireguard_dest_ACCEPT
  481. -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Acce pt port forwards" -j ACCEPT
  482. -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  483. -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j in put_lan_rule
  484. -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  485. -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  486. -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  487. -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  488. -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  489. -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --co mment "!fw3: Prevent NAT leakage" -j DROP
  490. -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
  491. -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
  492. -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain " -j forwarding_wan_rule
  493. -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_ lan_dest_ACCEPT
  494. -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow- ISAKMP" -j zone_lan_dest_ACCEPT
  495. -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: IPSec- IKE" -j zone_lan_dest_ACCEPT
  496. -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Acce pt port forwards" -j ACCEPT
  497. -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
  498. -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j in put_wan_rule
  499. -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHC P-Renew" -j ACCEPT
  500. -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allo w-Ping" -j ACCEPT
  501. -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  502. -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  503. -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
  504. -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  505. -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  506. -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
  507. COMMIT
  508. # Completed on Sat Mar 13 23:00:47 2021
  509. root@OpenWrt:~#