Untitled

Dec 17th, 2019
  1. Here goes: the configuration dump requested for the router below (UCI network, firewall and DHCP sections, then the IPv4 addresses, routes and policy rules, then the live iptables ruleset), produced by the command that follows.
  2. Openwrt1
  3. uci show network; uci show firewall; uci show dhcp; \
  4. ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save
  4a. Note before reusing or sharing this output: it contains the WAN public address, the DHCP reservations (host names and MAC addresses), and the full list of services the firewall accepts from the wan zone (ssh on 10022, the web UI on 443, port 80, Transmission on 9091 and 51413, OpenVPN on 1194-1195), with the default input policy set to ACCEPT. The transcript was captured in an 80-column terminal, so some long lines (chain names, comments, ICMP type lists) are wrapped with a stray space inside a word; read those as one token.
  5.  
  6. ```
  7. root@OpenWrt:~# uci show network; uci show firewall; uci show dhcp; \
  8. > ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save;
  9. network.loopback=interface
  10. network.loopback.ifname='lo'
  11. network.loopback.proto='static'
  12. network.loopback.ipaddr='127.0.0.1'
  13. network.loopback.netmask='255.0.0.0'
  14. network.globals=globals
  15. network.globals.ula_prefix='fd7b:9a54:3d9b::/48'
  16. network.lan=interface
  17. network.lan.type='bridge'
  18. network.lan.proto='static'
  19. network.lan.ipaddr='192.168.106.1'
  20. network.lan.netmask='255.255.255.0'
  21. network.lan.ip6assign='60'
  22. network.lan.stp='1'
  23. network.lan.dns='8.8.8.8'
  24. network.lan.ifname='eth0.55'
  25. network.wan=interface
  26. network.wan.proto='dhcp'
  27. network.wan.metric='10'
  28. network.wan.ifname='eth0.1074'
  29. network.@switch[0]=switch
  30. network.@switch[0].name='switch0'
  31. network.@switch[0].reset='1'
  32. network.@switch[0].enable_vlan='1'
  33. network.@switch_vlan[0]=switch_vlan
  34. network.@switch_vlan[0].device='switch0'
  35. network.@switch_vlan[0].vlan='1'
  36. network.@switch_vlan[0].vid='55'
  37. network.@switch_vlan[0].ports='4 2t 1t 0t'
  38. network.@switch_vlan[1]=switch_vlan
  39. network.@switch_vlan[1].device='switch0'
  40. network.@switch_vlan[1].vlan='2'
  41. network.@switch_vlan[1].ports='5 0t'
  42. network.@switch_vlan[1].vid='1074'
  43. network.@switch_vlan[2]=switch_vlan
  44. network.@switch_vlan[2].device='switch0'
  45. network.@switch_vlan[2].vlan='3'
  46. network.@switch_vlan[2].vid='3'
  47. network.@switch_vlan[2].ports='2t 1t 0t'
  48. network.WLAN=interface
  49. network.WLAN.ifname='eth0.3'
  50. network.WLAN.proto='static'
  51. network.WLAN.ipaddr='192.168.107.1'
  52. network.WLAN.netmask='255.255.255.0'
  53. network.WLAN.ip6assign='60'
  54. network.WLAN.stp='1'
  55. network.@switch_vlan[3]=switch_vlan
  56. network.@switch_vlan[3].device='switch0'
  57. network.@switch_vlan[3].vlan='4'
  58. network.@switch_vlan[3].vid='4'
  59. network.@switch_vlan[3].ports='2t 1t 0t'
  60. network.WAN2=interface
  61. network.WAN2.proto='static'
  62. network.WAN2.ifname='eth0.4'
  63. network.WAN2.ipaddr='192.168.108.1'
  64. network.WAN2.netmask='255.255.255.0'
  65. network.WAN2.metric='20'
  66. network.WAN2.gateway='192.168.108.2'
  67. network.WAN2.auto='0'
  68. network.vpn0=interface
  69. network.vpn0.proto='none'
  70. network.vpn0.ifname='tun0'
  71. network.@switch_vlan[4]=switch_vlan
  72. network.@switch_vlan[4].device='switch0'
  73. network.@switch_vlan[4].vlan='5'
  74. network.@switch_vlan[4].vid='56'
  75. network.@switch_vlan[4].ports='3 0t'
  76. network.WLAN2=interface
  77. network.WLAN2.ifname='eth0.56'
  78. network.WLAN2.proto='static'
  79. network.WLAN2.broadcast='10.10.10.255'
  80. network.WLAN2.ipaddr='10.10.10.254'
  81. network.WLAN2.netmask='255.255.255.0'
  82. network.WLAN2.auto='0'
  83. network.@route[0]=route
  84. network.@route[0].target='10.10.10.0'
  85. network.@route[0].gateway='10.10.10.2'
  86. network.@route[0].netmask='255.255.255.0'
  87. network.@route[0].interface='lan'
  88. network.@route[0].metric='200'
  89. network.@route[0].onlink='0'
  90. firewall.@defaults[0]=defaults
  91. firewall.@defaults[0].syn_flood='1'
  92. firewall.@defaults[0].input='ACCEPT'
  93. firewall.@defaults[0].output='ACCEPT'
  94. firewall.@defaults[0].forward='REJECT'
  95. firewall.@defaults[0].drop_invalid='1'
  96. firewall.@zone[0]=zone
  97. firewall.@zone[0].name='lan'
  98. firewall.@zone[0].input='ACCEPT'
  99. firewall.@zone[0].output='ACCEPT'
  100. firewall.@zone[0].forward='ACCEPT'
  101. firewall.@zone[0].device='tun0' 'tun1'
  102. firewall.@zone[0].network='lan WLAN vpn0 WLAN2'
  103. firewall.@zone[0].subnet='10.10.10.0/24' '192.168.106.0/24' '192.168.107.0/24' ' 192.168.8.0/24'
  104. firewall.@zone[0].log_limit='5/minute'
  105. firewall.@zone[0].log='1'
  106. firewall.@zone[1]=zone
  107. firewall.@zone[1].name='wan'
  108. firewall.@zone[1].input='REJECT'
  109. firewall.@zone[1].output='ACCEPT'
  110. firewall.@zone[1].forward='REJECT'
  111. firewall.@zone[1].masq='1'
  112. firewall.@zone[1].mtu_fix='1'
  113. firewall.@zone[1].network='wan wan6 WAN2'
  114. firewall.@forwarding[0]=forwarding
  115. firewall.@forwarding[0].src='lan'
  116. firewall.@forwarding[0].dest='wan'
  117. firewall.@rule[0]=rule
  118. firewall.@rule[0].target='ACCEPT'
  119. firewall.@rule[0].src='wan'
  120. firewall.@rule[0].proto='tcp'
  121. firewall.@rule[0].dest_port='9091'
  122. firewall.@rule[0].name='Transmission Webif'
  123. firewall.@rule[1]=rule
  124. firewall.@rule[1].name='Allow-DHCP-Renew'
  125. firewall.@rule[1].src='wan'
  126. firewall.@rule[1].proto='udp'
  127. firewall.@rule[1].dest_port='68'
  128. firewall.@rule[1].target='ACCEPT'
  129. firewall.@rule[1].family='ipv4'
  130. firewall.@rule[2]=rule
  131. firewall.@rule[2].src='wan'
  132. firewall.@rule[2].proto='icmp'
  133. firewall.@rule[2].icmp_type='echo-request'
  134. firewall.@rule[2].family='ipv4'
  135. firewall.@rule[2].name='disallow-Ping'
  136. firewall.@rule[2].target='DROP'
  137. firewall.@rule[3]=rule
  138. firewall.@rule[3].name='Allow-IGMP'
  139. firewall.@rule[3].src='wan'
  140. firewall.@rule[3].proto='igmp'
  141. firewall.@rule[3].family='ipv4'
  142. firewall.@rule[3].target='ACCEPT'
  143. firewall.@rule[4]=rule
  144. firewall.@rule[4].name='Allow-DHCPv6'
  145. firewall.@rule[4].src='wan'
  146. firewall.@rule[4].proto='udp'
  147. firewall.@rule[4].src_ip='fc00::/6'
  148. firewall.@rule[4].dest_ip='fc00::/6'
  149. firewall.@rule[4].dest_port='546'
  150. firewall.@rule[4].family='ipv6'
  151. firewall.@rule[4].target='ACCEPT'
  152. firewall.@rule[5]=rule
  153. firewall.@rule[5].name='Allow-MLD'
  154. firewall.@rule[5].src='wan'
  155. firewall.@rule[5].proto='icmp'
  156. firewall.@rule[5].src_ip='fe80::/10'
  157. firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
  158. firewall.@rule[5].family='ipv6'
  159. firewall.@rule[5].target='ACCEPT'
  160. firewall.@rule[6]=rule
  161. firewall.@rule[6].name='Allow-ICMPv6-Input'
  162. firewall.@rule[6].src='wan'
  163. firewall.@rule[6].proto='icmp'
  164. firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable ' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-so licitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertise ment'
  165. firewall.@rule[6].limit='1000/sec'
  166. firewall.@rule[6].family='ipv6'
  167. firewall.@rule[6].target='ACCEPT'
  168. firewall.@rule[7]=rule
  169. firewall.@rule[7].name='Allow-ICMPv6-Forward'
  170. firewall.@rule[7].src='wan'
  171. firewall.@rule[7].dest='*'
  172. firewall.@rule[7].proto='icmp'
  173. firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable ' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
  174. firewall.@rule[7].limit='1000/sec'
  175. firewall.@rule[7].family='ipv6'
  176. firewall.@rule[7].target='ACCEPT'
  177. firewall.@rule[8]=rule
  178. firewall.@rule[8].name='Allow-IPSec-ESP'
  179. firewall.@rule[8].src='wan'
  180. firewall.@rule[8].dest='lan'
  181. firewall.@rule[8].proto='esp'
  182. firewall.@rule[8].target='ACCEPT'
  183. firewall.@rule[9]=rule
  184. firewall.@rule[9].name='Allow-ISAKMP'
  185. firewall.@rule[9].src='wan'
  186. firewall.@rule[9].dest='lan'
  187. firewall.@rule[9].dest_port='500'
  188. firewall.@rule[9].proto='udp'
  189. firewall.@rule[9].target='ACCEPT'
  190. firewall.@include[0]=include
  191. firewall.@include[0].path='/etc/firewall.user'
  192. firewall.@rule[10]=rule
  193. firewall.@rule[10].target='ACCEPT'
  194. firewall.@rule[10].src='wan'
  195. firewall.@rule[10].proto='tcp'
  196. firewall.@rule[10].name='ssh'
  197. firewall.@rule[10].dest_port='10022'
  198. firewall.@rule[11]=rule
  199. firewall.@rule[11].target='ACCEPT'
  200. firewall.@rule[11].src='wan'
  201. firewall.@rule[11].proto='tcp'
  202. firewall.@rule[11].dest_port='443'
  203. firewall.@rule[11].name='WebIF from the WAN'
  204. firewall.@redirect[0]=redirect
  205. firewall.@redirect[0].name='Allow-transparent-Squid'
  206. firewall.@redirect[0].proto='tcp'
  207. firewall.@redirect[0].target='DNAT'
  208. firewall.@redirect[0].src_ip='!192.168.107.1 !192.168.106.250 !102.168.106.251'
  209. firewall.@redirect[0].src_dip='!192.168.0.0/16'
  210. firewall.@redirect[0].src_dport='80'
  211. firewall.@redirect[0].dest_ip='192.168.106.1'
  212. firewall.@redirect[0].dest_port='3128'
  213. firewall.@redirect[0].src='lan'
  214. firewall.@redirect[0].enabled='0'
  215. firewall.miniupnpd=include
  216. firewall.miniupnpd.type='script'
  217. firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
  218. firewall.miniupnpd.family='any'
  219. firewall.miniupnpd.reload='1'
  220. firewall.vpn=rule
  221. firewall.vpn.name='Allow-OpenVPN'
  222. firewall.vpn.src='wan'
  223. firewall.vpn.proto='udp'
  224. firewall.vpn.target='ACCEPT'
  225. firewall.vpn.dest_port='1194-1195'
  226. firewall.@redirect[1]=redirect
  227. firewall.@redirect[1].target='DNAT'
  228. firewall.@redirect[1].src='wan'
  229. firewall.@redirect[1].dest='lan'
  230. firewall.@redirect[1].proto='tcp udp'
  231. firewall.@redirect[1].src_dport='14200'
  232. firewall.@redirect[1].dest_ip='192.168.106.71'
  233. firewall.@redirect[1].dest_port='14200'
  234. firewall.@redirect[1].name='uTorrent'
  235. firewall.@redirect[1].enabled='0'
  236. firewall.@redirect[2]=redirect
  237. firewall.@redirect[2].target='DNAT'
  238. firewall.@redirect[2].dest_ip='192.168.106.1'
  239. firewall.@redirect[2].src_ip='192.168.0.0/16'
  240. firewall.@redirect[2].src='wan'
  241. firewall.@redirect[2].dest='lan'
  242. firewall.@redirect[2].src_dport='6969'
  243. firewall.@redirect[2].dest_port='6969'
  244. firewall.@redirect[2].name='REDIRECT_opentracker_LAN'
  245. firewall.@redirect[2].proto='tcp udp'
  246. firewall.@redirect[2].enabled='0'
  247. firewall.@rule[13]=rule
  248. firewall.@rule[13].target='ACCEPT'
  249. firewall.@rule[13].src='wan'
  250. firewall.@rule[13].proto='tcp udp'
  251. firewall.@rule[13].dest_port='6969'
  252. firewall.@rule[13].name='Opentrackerx'
  253. firewall.@rule[13].enabled='0'
  254. firewall.@rule[14]=rule
  255. firewall.@rule[14].target='ACCEPT'
  256. firewall.@rule[14].src='wan'
  257. firewall.@rule[14].proto='tcp'
  258. firewall.@rule[14].dest_port='80'
  259. firewall.@rule[14].name='Acme'
  260. firewall.@rule[15]=rule
  261. firewall.@rule[15].target='ACCEPT'
  262. firewall.@rule[15].src='wan'
  263. firewall.@rule[15].proto='tcp udp'
  264. firewall.@rule[15].dest_port='51413'
  265. firewall.@rule[15].name='Transmission'
  266. firewall.@rule[16]=rule
  267. firewall.@rule[16].proto='all'
  268. firewall.@rule[16].name='MR200 AntiPing'
  269. firewall.@rule[16].src_ip='192.168.106.5'
  270. firewall.@rule[16].dest='wan'
  271. firewall.@rule[16].target='DROP'
  272. firewall.@rule[16].src='lan'
  273. dhcp.@dnsmasq[0]=dnsmasq
  274. dhcp.@dnsmasq[0].domainneeded='1'
  275. dhcp.@dnsmasq[0].localise_queries='1'
  276. dhcp.@dnsmasq[0].rebind_protection='1'
  277. dhcp.@dnsmasq[0].rebind_localhost='1'
  278. dhcp.@dnsmasq[0].local='/lan/'
  279. dhcp.@dnsmasq[0].domain='lan'
  280. dhcp.@dnsmasq[0].expandhosts='1'
  281. dhcp.@dnsmasq[0].authoritative='1'
  282. dhcp.@dnsmasq[0].readethers='1'
  283. dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
  284. dhcp.@dnsmasq[0].nonwildcard='1'
  285. dhcp.@dnsmasq[0].localservice='1'
  286. dhcp.@dnsmasq[0].enable_tftp='1'
  287. dhcp.@dnsmasq[0].tftp_root='/mnt/sda1'
  288. dhcp.@dnsmasq[0].serversfile='/tmp/adb_list.overall'
  289. dhcp.lan=dhcp
  290. dhcp.lan.interface='lan'
  291. dhcp.lan.start='100'
  292. dhcp.lan.limit='150'
  293. dhcp.lan.leasetime='12h'
  294. dhcp.lan.dhcpv6='server'
  295. dhcp.lan.ra='server'
  296. dhcp.lan.ra_management='1'
  297. dhcp.lan.dhcp_option='3,192.168.106.2'
  298. dhcp.wan=dhcp
  299. dhcp.wan.interface='wan'
  300. dhcp.wan.ignore='1'
  301. dhcp.odhcpd=odhcpd
  302. dhcp.odhcpd.maindhcp='0'
  303. dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
  304. dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
  305. dhcp.odhcpd.loglevel='4'
  306. dhcp.WLAN=dhcp
  307. dhcp.WLAN.start='100'
  308. dhcp.WLAN.leasetime='12h'
  309. dhcp.WLAN.limit='150'
  310. dhcp.WLAN.interface='WLAN'
  311. dhcp.WLAN.dhcp_option='3,192.168.107.2'
  312. dhcp.@host[0]=host
  313. dhcp.@host[0].ip='192.168.106.68'
  314. dhcp.@host[0].name='NAS'
  315. dhcp.@host[0].mac='E8:06:88:CC:50:95'
  316. dhcp.@host[1]=host
  317. dhcp.@host[1].ip='192.168.106.245'
  318. dhcp.@host[1].mac='E8:AB:FA:04:62:C8'
  319. dhcp.@host[1].name='CAM1'
  320. dhcp.@host[2]=host
  321. dhcp.@host[2].ip='192.168.106.250'
  322. dhcp.@host[2].mac='B8:AE:6E:60:D5:86'
  323. dhcp.@host[2].name='Roku1'
  324. dhcp.@host[3]=host
  325. dhcp.@host[3].ip='192.168.106.251'
  326. dhcp.@host[3].mac='AC:3A:7A:0A:F5:79'
  327. dhcp.@host[3].name='Roku2'
  328. dhcp.@domain[0]=domain
  329. dhcp.@domain[0].name='nas'
  330. dhcp.@domain[0].ip='192.168.106.68'
  331. dhcp.@host[4]=host
  332. dhcp.@host[4].name='Goodwill'
  333. dhcp.@host[4].dns='1'
  334. dhcp.@host[4].mac='30:85:A9:8E:83:C8'
  335. dhcp.@host[4].ip='192.168.106.71'
  336. dhcp.@host[5]=host
  337. dhcp.@host[5].name='Kindle1'
  338. dhcp.@host[5].dns='1'
  339. dhcp.@host[5].mac='0C:47:C9:B7:CC:8B'
  340. dhcp.@host[5].ip='192.168.106.253'
  341. dhcp.@host[6]=host
  342. dhcp.@host[6].name='Kindle2'
  343. dhcp.@host[6].dns='1'
  344. dhcp.@host[6].mac='F0:27:2D:D8:7F:D4'
  345. dhcp.@host[6].ip='192.168.106.254'
  346. dhcp.@domain[1]=domain
  347. dhcp.@domain[1].name='fultonit.r-o-o-t.net'
  348. dhcp.@domain[1].ip='192.168.106.1'
  349. dhcp.@host[7]=host
  350. dhcp.@host[7].name='Jennys-iPad'
  351. dhcp.@host[7].dns='1'
  352. dhcp.@host[7].mac='C4:84:66:CE:0E:65'
  353. dhcp.@host[7].ip='192.168.107.184'
  354. dhcp.@host[8]=host
  355. dhcp.@host[8].name='CAM2'
  356. dhcp.@host[8].dns='1'
  357. dhcp.@host[8].mac='E8:AB:FA:04:9E:30'
  358. dhcp.@host[8].ip='192.168.106.244'
  359. dhcp.@host[9]=host
  360. dhcp.@host[9].name='CAM3'
  361. dhcp.@host[9].dns='1'
  362. dhcp.@host[9].mac='00:B8:FB:01:1A:73'
  363. dhcp.@host[9].ip='192.168.106.243'
  364. dhcp.@domain[2]=domain
  365. dhcp.@domain[2].name='penderit'
  366. dhcp.@domain[2].ip='192.168.107.208'
  367. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group defaul t qlen 1000
  368. inet 127.0.0.1/8 scope host lo
  369. valid_lft forever preferred_lft forever
  370. 10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP gr oup default qlen 1000
  371. inet 192.168.106.1/24 brd 192.168.106.255 scope global br-lan
  372. valid_lft forever preferred_lft forever
  373. 13: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  374. inet 192.168.107.1/24 brd 192.168.107.255 scope global eth0.3
  375. valid_lft forever preferred_lft forever
  376. 906: eth0.1074@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue st ate UP group default qlen 1000
  377. inet 66.84.124.116/26 brd 66.84.124.127 scope global eth0.1074
  378. valid_lft forever preferred_lft forever
  379. 1181: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel st ate UNKNOWN group default qlen 100
  380. inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
  381. valid_lft forever preferred_lft forever
  382. default via 66.84.124.65 dev eth0.1074 proto static src 66.84.124.116 metric 10
  383. 66.84.124.64/26 dev eth0.1074 proto static scope link metric 10
  384. 192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
  385. 192.168.106.0/24 dev br-lan proto kernel scope link src 192.168.106.1
  386. 192.168.107.0/24 dev eth0.3 proto kernel scope link src 192.168.107.1
  387. 0: from all lookup local
  388. 32766: from all lookup main
  389. 32767: from all lookup default
  390. # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
  391. *nat
  392. :PREROUTING ACCEPT [62396:7279271]
  393. :INPUT ACCEPT [41074:4613677]
  394. :OUTPUT ACCEPT [19474:1684716]
  395. :POSTROUTING ACCEPT [884:227992]
  396. :postrouting_lan_rule - [0:0]
  397. :postrouting_rule - [0:0]
  398. :postrouting_wan_rule - [0:0]
  399. :prerouting_lan_rule - [0:0]
  400. :prerouting_rule - [0:0]
  401. :prerouting_wan_rule - [0:0]
  402. :zone_lan_postrouting - [0:0]
  403. :zone_lan_prerouting - [0:0]
  404. :zone_wan_postrouting - [0:0]
  405. :zone_wan_prerouting - [0:0]
  406. -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prero uting_rule
  407. -A PREROUTING -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_p rerouting
  408. -A PREROUTING -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j zone_la n_prerouting
  409. -A PREROUTING -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j zone_la n_prerouting
  410. -A PREROUTING -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_ prerouting
  411. -A PREROUTING -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan _prerouting
  412. -A PREROUTING -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j zone_ lan_prerouting
  413. -A PREROUTING -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j zone_ lan_prerouting
  414. -A PREROUTING -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j zone_la n_prerouting
  415. -A PREROUTING -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan _prerouting
  416. -A PREROUTING -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_ lan_prerouting
  417. -A PREROUTING -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_ lan_prerouting
  418. -A PREROUTING -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_la n_prerouting
  419. -A PREROUTING -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_p rerouting
  420. -A PREROUTING -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j zone_la n_prerouting
  421. -A PREROUTING -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j zone_la n_prerouting
  422. -A PREROUTING -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_ prerouting
  423. -A PREROUTING -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_la n_prerouting
  424. -A PREROUTING -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone _lan_prerouting
  425. -A PREROUTING -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone _lan_prerouting
  426. -A PREROUTING -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_l an_prerouting
  427. -A PREROUTING -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_prerouting
  428. -A PREROUTING -i eth0.4 -m comment --comment "!fw3" -j zone_wan_prerouting
  429. -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j pos trouting_rule
  430. -A POSTROUTING -d 10.10.10.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_ postrouting
  431. -A POSTROUTING -d 192.168.106.0/24 -o tun1 -m comment --comment "!fw3" -j zone_l an_postrouting
  432. -A POSTROUTING -d 192.168.107.0/24 -o tun1 -m comment --comment "!fw3" -j zone_l an_postrouting
  433. -A POSTROUTING -d 192.168.8.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan _postrouting
  434. -A POSTROUTING -d 10.10.10.0/24 -o br-lan -m comment --comment "!fw3" -j zone_la n_postrouting
  435. -A POSTROUTING -d 192.168.106.0/24 -o br-lan -m comment --comment "!fw3" -j zone _lan_postrouting
  436. -A POSTROUTING -d 192.168.107.0/24 -o br-lan -m comment --comment "!fw3" -j zone _lan_postrouting
  437. -A POSTROUTING -d 192.168.8.0/24 -o br-lan -m comment --comment "!fw3" -j zone_l an_postrouting
  438. -A POSTROUTING -d 10.10.10.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_la n_postrouting
  439. -A POSTROUTING -d 192.168.106.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone _lan_postrouting
  440. -A POSTROUTING -d 192.168.107.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone _lan_postrouting
  441. -A POSTROUTING -d 192.168.8.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_l an_postrouting
  442. -A POSTROUTING -d 10.10.10.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_ postrouting
  443. -A POSTROUTING -d 192.168.106.0/24 -o tun0 -m comment --comment "!fw3" -j zone_l an_postrouting
  444. -A POSTROUTING -d 192.168.107.0/24 -o tun0 -m comment --comment "!fw3" -j zone_l an_postrouting
  445. -A POSTROUTING -d 192.168.8.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan _postrouting
  446. -A POSTROUTING -d 10.10.10.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_l an_postrouting
  447. -A POSTROUTING -d 192.168.106.0/24 -o eth0.56 -m comment --comment "!fw3" -j zon e_lan_postrouting
  448. -A POSTROUTING -d 192.168.107.0/24 -o eth0.56 -m comment --comment "!fw3" -j zon e_lan_postrouting
  449. -A POSTROUTING -d 192.168.8.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_ lan_postrouting
  450. -A POSTROUTING -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_postrouting
  451. -A POSTROUTING -o eth0.4 -m comment --comment "!fw3" -j zone_wan_postrouting
  452. -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  453. -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule ch ain" -j prerouting_lan_rule
  454. -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  455. -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  456. -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule ch ain" -j prerouting_wan_rule
  457. COMMIT
  458. # Completed on Tue Dec 17 08:19:22 2019
  459. # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
  460. *raw
  461. :PREROUTING ACCEPT [1565190:982992213]
  462. :OUTPUT ACCEPT [254487:47547506]
  463. :zone_lan_helper - [0:0]
  464. -A PREROUTING -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
  465. -A PREROUTING -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  466. -A PREROUTING -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  467. -A PREROUTING -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3: lan CT helpe r assignment" -j zone_lan_helper
  468. -A PREROUTING -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3: lan CT help er assignment" -j zone_lan_helper
  469. -A PREROUTING -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
  470. -A PREROUTING -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
  471. -A PREROUTING -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  472. -A PREROUTING -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT help er assignment" -j zone_lan_helper
  473. -A PREROUTING -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
  474. -A PREROUTING -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
  475. -A PREROUTING -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  476. -A PREROUTING -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
  477. -A PREROUTING -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  478. -A PREROUTING -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  479. -A PREROUTING -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3: lan CT helpe r assignment" -j zone_lan_helper
  480. -A PREROUTING -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
  481. -A PREROUTING -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
  482. -A PREROUTING -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
  483. -A PREROUTING -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT he lper assignment" -j zone_lan_helper
  484. COMMIT
  485. # Completed on Tue Dec 17 08:19:22 2019
  486. # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
  487. *mangle
  488. :PREROUTING ACCEPT [1560335:980427609]
  489. :INPUT ACCEPT [297718:38535970]
  490. :FORWARD ACCEPT [1257240:940805822]
  491. :OUTPUT ACCEPT [252028:43687198]
  492. :POSTROUTING ACCEPT [1504539:983902404]
  493. -A FORWARD -o eth0.1074 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comme nt "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  494. -A FORWARD -o eth0.4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  495. COMMIT
  496. # Completed on Tue Dec 17 08:19:22 2019
  497. # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
  498. *filter
  499. :INPUT ACCEPT [616:347950]
  500. :FORWARD DROP [0:0]
  501. :OUTPUT ACCEPT [20:3572]
  502. :forwarding_lan_rule - [0:0]
  503. :forwarding_rule - [0:0]
  504. :forwarding_wan_rule - [0:0]
  505. :input_lan_rule - [0:0]
  506. :input_rule - [0:0]
  507. :input_wan_rule - [0:0]
  508. :output_lan_rule - [0:0]
  509. :output_rule - [0:0]
  510. :output_wan_rule - [0:0]
  511. :reject - [0:0]
  512. :syn_flood - [0:0]
  513. :zone_lan_dest_ACCEPT - [0:0]
  514. :zone_lan_forward - [0:0]
  515. :zone_lan_input - [0:0]
  516. :zone_lan_output - [0:0]
  517. :zone_lan_src_ACCEPT - [0:0]
  518. :zone_wan_dest_ACCEPT - [0:0]
  519. :zone_wan_dest_DROP - [0:0]
  520. :zone_wan_dest_REJECT - [0:0]
  521. :zone_wan_forward - [0:0]
  522. :zone_wan_input - [0:0]
  523. :zone_wan_output - [0:0]
  524. :zone_wan_src_REJECT - [0:0]
  525. -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  526. -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  527. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  528. -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
  529. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw 3" -j syn_flood
  530. -A INPUT -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_input
  531. -A INPUT -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_inp ut
  532. -A INPUT -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_inp ut
  533. -A INPUT -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_input
  534. -A INPUT -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_inpu t
  535. -A INPUT -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_i nput
  536. -A INPUT -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_i nput
  537. -A INPUT -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_inp ut
  538. -A INPUT -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_inpu t
  539. -A INPUT -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_i nput
  540. -A INPUT -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_i nput
  541. -A INPUT -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_inp ut
  542. -A INPUT -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_input
  543. -A INPUT -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_inp ut
  544. -A INPUT -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_inp ut
  545. -A INPUT -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_input
  546. -A INPUT -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_inp ut
  547. -A INPUT -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_ input
  548. -A INPUT -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_ input
  549. -A INPUT -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_in put
  550. -A INPUT -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_input
  551. -A INPUT -i eth0.4 -m comment --comment "!fw3" -j zone_wan_input
  552. -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwardi ng_rule
  553. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3 " -j ACCEPT
  554. -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
  555. -A FORWARD -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_forw ard
  556. -A FORWARD -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_f orward
  557. -A FORWARD -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_f orward
  558. -A FORWARD -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_for ward
  559. -A FORWARD -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_fo rward
  560. -A FORWARD -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan _forward
  561. -A FORWARD -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan _forward
  562. -A FORWARD -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_f orward
  563. -A FORWARD -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_fo rward
  564. -A FORWARD -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan _forward
  565. -A FORWARD -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan _forward
  566. -A FORWARD -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_f orward
  567. -A FORWARD -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_forw ard
  568. -A FORWARD -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_f orward
  569. -A FORWARD -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_f orward
  570. -A FORWARD -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_for ward
  571. -A FORWARD -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_f orward
  572. -A FORWARD -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_la n_forward
  573. -A FORWARD -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_la n_forward
  574. -A FORWARD -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_ forward
  575. -A FORWARD -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_forward
  576. -A FORWARD -i eth0.4 -m comment --comment "!fw3" -j zone_wan_forward
  577. -A FORWARD -m comment --comment "!fw3" -j reject
  578. -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  579. -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  580. -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  581. -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
  582. -A OUTPUT -d 10.10.10.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_output
  583. -A OUTPUT -d 192.168.106.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_output
  584. -A OUTPUT -d 192.168.107.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_output
  585. -A OUTPUT -d 192.168.8.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_output
  586. -A OUTPUT -d 10.10.10.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  587. -A OUTPUT -d 192.168.106.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  588. -A OUTPUT -d 192.168.107.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  589. -A OUTPUT -d 192.168.8.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  590. -A OUTPUT -d 10.10.10.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
  591. -A OUTPUT -d 192.168.106.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
  592. -A OUTPUT -d 192.168.107.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
  593. -A OUTPUT -d 192.168.8.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_output
  594. -A OUTPUT -d 10.10.10.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_output
  595. -A OUTPUT -d 192.168.106.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_output
  596. -A OUTPUT -d 192.168.107.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_output
  597. -A OUTPUT -d 192.168.8.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_output
  598. -A OUTPUT -d 10.10.10.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan_output
  599. -A OUTPUT -d 192.168.106.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan_output
  600. -A OUTPUT -d 192.168.107.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan_output
  601. -A OUTPUT -d 192.168.8.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan_output
  602. -A OUTPUT -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_output
  603. -A OUTPUT -o eth0.4 -m comment --comment "!fw3" -j zone_wan_output
  604. -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  605. -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  606. -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  607. -A syn_flood -m comment --comment "!fw3" -j DROP
  608. -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
  609. -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
  610. -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
  611. -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
  612. -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o br-lan -m comment --comment "!fw3" -j ACCEPT
  613. -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o br-lan -m comment --comment "!fw3" -j ACCEPT
  614. -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o br-lan -m comment --comment "!fw3" -j ACCEPT
  615. -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o br-lan -m comment --comment "!fw3" -j ACCEPT
  616. -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
  617. -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
  618. -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
  619. -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
  620. -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
  621. -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
  622. -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
  623. -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
  624. -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
  625. -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
  626. -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
  627. -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
  628. -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  629. -A zone_lan_forward -s 192.168.106.5/32 -m comment --comment "!fw3: MR200 AntiPing" -j zone_wan_dest_DROP
  630. -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  631. -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  632. -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  633. -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  634. -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  635. -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  636. -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  637. -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  638. -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
  639. -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
  640. -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
  641. -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
  642. -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
  643. -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
  644. -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
  645. -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
  646. -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
  647. -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
  648. -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
  649. -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
  650. -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
  651. -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
  652. -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
  653. -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
  654. -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
  655. -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
  656. -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
  657. -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
  658. -A zone_wan_dest_ACCEPT -o eth0.1074 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  659. -A zone_wan_dest_ACCEPT -o eth0.1074 -m comment --comment "!fw3" -j ACCEPT
  660. -A zone_wan_dest_ACCEPT -o eth0.4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  661. -A zone_wan_dest_ACCEPT -o eth0.4 -m comment --comment "!fw3" -j ACCEPT
  662. -A zone_wan_dest_DROP -o eth0.1074 -m comment --comment "!fw3" -j DROP
  663. -A zone_wan_dest_DROP -o eth0.4 -m comment --comment "!fw3" -j DROP
  664. -A zone_wan_dest_REJECT -o eth0.1074 -m comment --comment "!fw3" -j reject
  665. -A zone_wan_dest_REJECT -o eth0.4 -m comment --comment "!fw3" -j reject
  666. -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  667. -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  668. -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  669. -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  670. -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
  671. -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  672. -A zone_wan_input -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: Transmission Webif" -j ACCEPT
  673. -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  674. -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: disallow-Ping" -j DROP
  675. -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  676. -A zone_wan_input -p tcp -m tcp --dport 10022 -m comment --comment "!fw3: ssh" -j ACCEPT
  677. -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WebIF from the WAN" -j ACCEPT
  678. -A zone_wan_input -p udp -m udp --dport 1194:1195 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
  679. -A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Acme" -j ACCEPT
  680. -A zone_wan_input -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: Transmission" -j ACCEPT
  681. -A zone_wan_input -p udp -m udp --dport 51413 -m comment --comment "!fw3: Transmission" -j ACCEPT
  682. -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  683. -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
  684. -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  685. -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  686. -A zone_wan_src_REJECT -i eth0.1074 -m comment --comment "!fw3" -j reject
  687. -A zone_wan_src_REJECT -i eth0.4 -m comment --comment "!fw3" -j reject
  688. COMMIT
  689. # Completed on Tue Dec 17 08:19:22 2019
  690.  
  691. ```

Review note (Openwrt1): the wan zone on this box spans eth0.1074 and eth0.4, and its input chain accepts from both, straight from the Internet, tcp/9091 ("Transmission Webif"), tcp/10022 ("ssh"), tcp/443 ("WebIF from the WAN"), tcp/80 ("Acme") and tcp+udp/51413 ("Transmission") before it falls through to zone_wan_src_REJECT. Each of those is a service reachable by anyone on the Internet and protected only by its own authentication. Unless remote management from arbitrary sources is deliberate, restrict those rules with `src_ip`, or reach the box through the OpenVPN listener that is already open on udp/1194-1195 and drop the ssh/WebIF rules from the wan zone.
  692. Openwrt2 (LAN 10.10.10.1/24 on br-lan = eth0.56; WAN eth0.1074 carries a public address — redact the 66.84.124.x addresses before sharing this further)

Review note (Openwrt2): (1) The static routes network.@route[0] and [1] are bound to interface 'lan' but name gateways 192.168.106.2 and 192.168.107.2, which are not inside 10.10.10.0/24, so they cannot be installed as on-link next hops — and `ip -4 ro` below indeed shows no route to 192.168.106.0/24 or 192.168.107.0/24. The reachable next hop for both subnets is the 3750's Vlan56 SVI, 10.10.10.2, which is already handed to LAN clients as DHCP option 3; the routes presumably need gateway='10.10.10.2'. (2) The wan zone accepts ssh on tcp/22, https on tcp/443 and OpenVPN on udp/1195 from the Internet (rules 9-11) and answers ICMP echo; if management from the WAN is not intended, drop rules 10 and 11 or restrict them with `src_ip`. (3) firewall.@zone[0].masq_src is set on the lan zone but masq='1' is not, so it is inert — zone_lan_postrouting carries no MASQUERADE.
  693. uci show network; uci show firewall; uci show dhcp; \
  694. ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save
  695.  
  696. ```
  697. network.loopback=interface
  698. network.loopback.ifname='lo'
  699. network.loopback.proto='static'
  700. network.loopback.ipaddr='127.0.0.1'
  701. network.loopback.netmask='255.0.0.0'
  702. network.globals=globals
  703. network.globals.ula_prefix='fda0:a5d8:8ecc::/48'
  704. network.lan=interface
  705. network.lan.type='bridge'
  706. network.lan.proto='static'
  707. network.lan.ipaddr='10.10.10.1'
  708. network.lan.netmask='255.255.255.0'
  709. network.lan.ip6assign='60'
  710. network.lan.dns='8.8.8.8 8.8.4.4'
  711. network.lan.ifname='eth0.56'
  712. network.wan=interface
  713. network.wan.proto='dhcp'
  714. network.wan.ifname='eth0.1074'
  715. network.wan6=interface
  716. network.wan6.proto='dhcpv6'
  717. network.wan6.ifname='eth0.1074'
  718. network.@switch[0]=switch
  719. network.@switch[0].name='switch0'
  720. network.@switch[0].reset='1'
  721. network.@switch[0].enable_vlan='1'
  722. network.@switch_vlan[0]=switch_vlan
  723. network.@switch_vlan[0].device='switch0'
  724. network.@switch_vlan[0].vlan='1'
  725. network.@switch_vlan[0].vid='56'
  726. network.@switch_vlan[0].ports='0t 1t 2t 3t 4t'
  727. network.@switch_vlan[1]=switch_vlan
  728. network.@switch_vlan[1].device='switch0'
  729. network.@switch_vlan[1].vlan='2'
  730. network.@switch_vlan[1].ports='0t 5'
  731. network.@switch_vlan[1].vid='1074'
  732. network.vpn0=interface
  733. network.vpn0.proto='none'
  734. network.vpn0.ifname='tun0'
  735. network.vpn0.auto='0'
  736. network.@route[0]=route
  737. network.@route[0].interface='lan'
  738. network.@route[0].target='192.168.106.0'
  739. network.@route[0].netmask='255.255.255.0'
  740. network.@route[0].gateway='192.168.106.2'
  741. network.@route[0].metric='20'
  742. network.@route[1]=route
  743. network.@route[1].interface='lan'
  744. network.@route[1].target='192.168.107.0'
  745. network.@route[1].netmask='255.255.255.0'
  746. network.@route[1].gateway='192.168.107.2'
  747. network.@route[1].metric='20'
  748. firewall.@defaults[0]=defaults
  749. firewall.@defaults[0].syn_flood='1'
  750. firewall.@defaults[0].input='ACCEPT'
  751. firewall.@defaults[0].output='ACCEPT'
  752. firewall.@defaults[0].forward='REJECT'
  753. firewall.@zone[0]=zone
  754. firewall.@zone[0].name='lan'
  755. firewall.@zone[0].input='ACCEPT'
  756. firewall.@zone[0].output='ACCEPT'
  757. firewall.@zone[0].forward='ACCEPT'
  758. firewall.@zone[0].masq_src='192.168.106.0/24' '192.168.107.0/24' '10.10.10.0/24'
  759. firewall.@zone[0].network='lan vpn0'
  760. firewall.@zone[1]=zone
  761. firewall.@zone[1].name='wan'
  762. firewall.@zone[1].input='REJECT'
  763. firewall.@zone[1].output='ACCEPT'
  764. firewall.@zone[1].forward='REJECT'
  765. firewall.@zone[1].masq='1'
  766. firewall.@zone[1].mtu_fix='1'
  767. firewall.@zone[1].network='wan wan6'
  768. firewall.@forwarding[0]=forwarding
  769. firewall.@forwarding[0].src='lan'
  770. firewall.@forwarding[0].dest='wan'
  771. firewall.@rule[0]=rule
  772. firewall.@rule[0].name='Allow-DHCP-Renew'
  773. firewall.@rule[0].src='wan'
  774. firewall.@rule[0].proto='udp'
  775. firewall.@rule[0].dest_port='68'
  776. firewall.@rule[0].target='ACCEPT'
  777. firewall.@rule[0].family='ipv4'
  778. firewall.@rule[1]=rule
  779. firewall.@rule[1].name='Allow-Ping'
  780. firewall.@rule[1].src='wan'
  781. firewall.@rule[1].proto='icmp'
  782. firewall.@rule[1].icmp_type='echo-request'
  783. firewall.@rule[1].family='ipv4'
  784. firewall.@rule[1].target='ACCEPT'
  785. firewall.@rule[2]=rule
  786. firewall.@rule[2].name='Allow-IGMP'
  787. firewall.@rule[2].src='wan'
  788. firewall.@rule[2].proto='igmp'
  789. firewall.@rule[2].family='ipv4'
  790. firewall.@rule[2].target='ACCEPT'
  791. firewall.@rule[3]=rule
  792. firewall.@rule[3].name='Allow-DHCPv6'
  793. firewall.@rule[3].src='wan'
  794. firewall.@rule[3].proto='udp'
  795. firewall.@rule[3].src_ip='fc00::/6'
  796. firewall.@rule[3].dest_ip='fc00::/6'
  797. firewall.@rule[3].dest_port='546'
  798. firewall.@rule[3].family='ipv6'
  799. firewall.@rule[3].target='ACCEPT'
  800. firewall.@rule[4]=rule
  801. firewall.@rule[4].name='Allow-MLD'
  802. firewall.@rule[4].src='wan'
  803. firewall.@rule[4].proto='icmp'
  804. firewall.@rule[4].src_ip='fe80::/10'
  805. firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
  806. firewall.@rule[4].family='ipv6'
  807. firewall.@rule[4].target='ACCEPT'
  808. firewall.@rule[5]=rule
  809. firewall.@rule[5].name='Allow-ICMPv6-Input'
  810. firewall.@rule[5].src='wan'
  811. firewall.@rule[5].proto='icmp'
  812. firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
  813. firewall.@rule[5].limit='1000/sec'
  814. firewall.@rule[5].family='ipv6'
  815. firewall.@rule[5].target='ACCEPT'
  816. firewall.@rule[6]=rule
  817. firewall.@rule[6].name='Allow-ICMPv6-Forward'
  818. firewall.@rule[6].src='wan'
  819. firewall.@rule[6].dest='*'
  820. firewall.@rule[6].proto='icmp'
  821. firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
  822. firewall.@rule[6].limit='1000/sec'
  823. firewall.@rule[6].family='ipv6'
  824. firewall.@rule[6].target='ACCEPT'
  825. firewall.@rule[7]=rule
  826. firewall.@rule[7].name='Allow-IPSec-ESP'
  827. firewall.@rule[7].src='wan'
  828. firewall.@rule[7].dest='lan'
  829. firewall.@rule[7].proto='esp'
  830. firewall.@rule[7].target='ACCEPT'
  831. firewall.@rule[8]=rule
  832. firewall.@rule[8].name='Allow-ISAKMP'
  833. firewall.@rule[8].src='wan'
  834. firewall.@rule[8].dest='lan'
  835. firewall.@rule[8].dest_port='500'
  836. firewall.@rule[8].proto='udp'
  837. firewall.@rule[8].target='ACCEPT'
  838. firewall.@include[0]=include
  839. firewall.@include[0].path='/etc/firewall.user'
  840. firewall.@rule[9]=rule
  841. firewall.@rule[9].target='ACCEPT'
  842. firewall.@rule[9].src='wan'
  843. firewall.@rule[9].proto='udp'
  844. firewall.@rule[9].dest_port='1195'
  845. firewall.@rule[9].name='ovpn'
  846. firewall.@rule[10]=rule
  847. firewall.@rule[10].target='ACCEPT'
  848. firewall.@rule[10].src='wan'
  849. firewall.@rule[10].proto='tcp'
  850. firewall.@rule[10].dest_port='443'
  851. firewall.@rule[10].name='https'
  852. firewall.@rule[11]=rule
  853. firewall.@rule[11].target='ACCEPT'
  854. firewall.@rule[11].src='wan'
  855. firewall.@rule[11].proto='tcp'
  856. firewall.@rule[11].dest_port='22'
  857. firewall.@rule[11].name='22'
  858. dhcp.@dnsmasq[0]=dnsmasq
  859. dhcp.@dnsmasq[0].domainneeded='1'
  860. dhcp.@dnsmasq[0].boguspriv='1'
  861. dhcp.@dnsmasq[0].filterwin2k='0'
  862. dhcp.@dnsmasq[0].localise_queries='1'
  863. dhcp.@dnsmasq[0].rebind_protection='1'
  864. dhcp.@dnsmasq[0].rebind_localhost='1'
  865. dhcp.@dnsmasq[0].local='/lan/'
  866. dhcp.@dnsmasq[0].domain='lan'
  867. dhcp.@dnsmasq[0].expandhosts='1'
  868. dhcp.@dnsmasq[0].nonegcache='0'
  869. dhcp.@dnsmasq[0].authoritative='1'
  870. dhcp.@dnsmasq[0].readethers='1'
  871. dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
  872. dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
  873. dhcp.@dnsmasq[0].nonwildcard='1'
  874. dhcp.@dnsmasq[0].localservice='1'
  875. dhcp.lan=dhcp
  876. dhcp.lan.interface='lan'
  877. dhcp.lan.start='100'
  878. dhcp.lan.limit='150'
  879. dhcp.lan.leasetime='12h'
  880. dhcp.lan.dhcpv6='server'
  881. dhcp.lan.ra='server'
  882. dhcp.lan.ra_management='1'
  883. dhcp.lan.dhcp_option='3,10.10.10.2'
  884. dhcp.wan=dhcp
  885. dhcp.wan.interface='wan'
  886. dhcp.wan.ignore='1'
  887. dhcp.odhcpd=odhcpd
  888. dhcp.odhcpd.maindhcp='0'
  889. dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
  890. dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
  891. dhcp.odhcpd.loglevel='4'
  892. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
  893. inet 127.0.0.1/8 scope host lo
  894. valid_lft forever preferred_lft forever
  895. 4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
  896. inet 10.10.10.1/24 brd 10.10.10.255 scope global br-lan
  897. valid_lft forever preferred_lft forever
  898. 6: eth0.1074@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
  899. inet 66.84.124.105/26 brd 66.84.124.127 scope global eth0.1074
  900. valid_lft forever preferred_lft forever
  901. default via 66.84.124.65 dev eth0.1074 src 66.84.124.105
  902. 10.10.10.0/24 dev br-lan scope link src 10.10.10.1
  903. 66.84.124.64/26 dev eth0.1074 scope link src 66.84.124.105
  904. 0: from all lookup local
  905. 32766: from all lookup main
  906. 32767: from all lookup default
  907. # Generated by iptables-save v1.6.2 on Tue Dec 17 08:22:30 2019
  908. *nat
  909. :PREROUTING ACCEPT [9:1821]
  910. :INPUT ACCEPT [4:208]
  911. :OUTPUT ACCEPT [0:0]
  912. :POSTROUTING ACCEPT [0:0]
  913. :postrouting_lan_rule - [0:0]
  914. :postrouting_rule - [0:0]
  915. :postrouting_wan_rule - [0:0]
  916. :prerouting_lan_rule - [0:0]
  917. :prerouting_rule - [0:0]
  918. :prerouting_wan_rule - [0:0]
  919. :zone_lan_postrouting - [0:0]
  920. :zone_lan_prerouting - [0:0]
  921. :zone_wan_postrouting - [0:0]
  922. :zone_wan_prerouting - [0:0]
  923. -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  924. -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
  925. -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
  926. -A PREROUTING -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_prerouting
  927. -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  928. -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
  929. -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
  930. -A POSTROUTING -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_postrouting
  931. -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  932. -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
  933. -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  934. -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  935. -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
  936. COMMIT
  937. # Completed on Tue Dec 17 08:22:30 2019
  938. # Generated by iptables-save v1.6.2 on Tue Dec 17 08:22:30 2019
  939. *mangle
  940. :PREROUTING ACCEPT [91:10224]
  941. :INPUT ACCEPT [87:8788]
  942. :FORWARD ACCEPT [0:0]
  943. :OUTPUT ACCEPT [112:55222]
  944. :POSTROUTING ACCEPT [112:55222]
  945. -A FORWARD -o eth0.1074 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  946. COMMIT
  947. # Completed on Tue Dec 17 08:22:30 2019
  948. # Generated by iptables-save v1.6.2 on Tue Dec 17 08:22:30 2019
  949. *filter
  950. :INPUT ACCEPT [0:0]
  951. :FORWARD DROP [0:0]
  952. :OUTPUT ACCEPT [0:0]
  953. :forwarding_lan_rule - [0:0]
  954. :forwarding_rule - [0:0]
  955. :forwarding_wan_rule - [0:0]
  956. :input_lan_rule - [0:0]
  957. :input_rule - [0:0]
  958. :input_wan_rule - [0:0]
  959. :output_lan_rule - [0:0]
  960. :output_rule - [0:0]
  961. :output_wan_rule - [0:0]
  962. :reject - [0:0]
  963. :syn_flood - [0:0]
  964. :zone_lan_dest_ACCEPT - [0:0]
  965. :zone_lan_forward - [0:0]
  966. :zone_lan_input - [0:0]
  967. :zone_lan_output - [0:0]
  968. :zone_lan_src_ACCEPT - [0:0]
  969. :zone_wan_dest_ACCEPT - [0:0]
  970. :zone_wan_dest_REJECT - [0:0]
  971. :zone_wan_forward - [0:0]
  972. :zone_wan_input - [0:0]
  973. :zone_wan_output - [0:0]
  974. :zone_wan_src_REJECT - [0:0]
  975. -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  976. -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  977. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  978. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  979. -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
  980. -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
  981. -A INPUT -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_input
  982. -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  983. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  984. -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
  985. -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
  986. -A FORWARD -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_forward
  987. -A FORWARD -m comment --comment "!fw3" -j reject
  988. -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  989. -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  990. -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  991. -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  992. -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
  993. -A OUTPUT -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_output
  994. -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  995. -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  996. -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  997. -A syn_flood -m comment --comment "!fw3" -j DROP
  998. -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
  999. -A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
  1000. -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  1001. -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  1002. -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  1003. -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  1004. -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  1005. -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  1006. -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  1007. -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  1008. -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  1009. -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  1010. -A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  1011. -A zone_wan_dest_ACCEPT -o eth0.1074 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  1012. -A zone_wan_dest_ACCEPT -o eth0.1074 -m comment --comment "!fw3" -j ACCEPT
  1013. -A zone_wan_dest_REJECT -o eth0.1074 -m comment --comment "!fw3" -j reject
  1014. -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  1015. -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  1016. -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  1017. -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  1018. -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
  1019. -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  1020. -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  1021. -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  1022. -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  1023. -A zone_wan_input -p udp -m udp --dport 1195 -m comment --comment "!fw3: ovpn" -j ACCEPT
  1024. -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j ACCEPT
  1025. -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: 22" -j ACCEPT
  1026. -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  1027. -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
  1028. -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  1029. -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  1030. -A zone_wan_src_REJECT -i eth0.1074 -m comment --comment "!fw3" -j reject
  1031. COMMIT
  1032. # Completed on Tue Dec 17 08:22:30 2019
  1033.  
  1034. ```
  1035. 3750 (Cisco Catalyst doing the inter-VLAN routing: SVIs Vlan3 = 192.168.107.2, Vlan55 = 192.168.106.2, Vlan56 = 10.10.10.2; default route via 192.168.106.1, presumably Openwrt1's LAN side)

Review note (3750): `sh access-list` returns nothing, so there is no filtering between VLANs 3, 55 and 56 — any host in one of them can reach every host, and both routers' management services, in the others. If these VLANs are meant to be segmented, that requires ACLs applied to the SVIs; as posted, the only firewalling in this network is at the two OpenWrt WAN edges.
  1036. ```
  1037. Cat#sh ip int br (Removed gi1/0/xx interfaces that are just access ports)
  1038. Interface IP-Address OK? Method Status Protocol
  1039. Vlan1 unassigned YES manual administratively down down
  1040. Vlan3 192.168.107.2 YES NVRAM up up
  1041. Vlan4 unassigned YES unset up up
  1042. Vlan55 192.168.106.2 YES manual up up
  1043. Vlan56 10.10.10.2 YES manual up up
  1044.  
  1045. Cat#sh ip ro
  1046. Gateway of last resort is 192.168.106.1 to network 0.0.0.0
  1047.  
  1048. S* 0.0.0.0/0 [1/0] via 192.168.106.1
  1049. 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  1050. C 10.10.10.0/24 is directly connected, Vlan56
  1051. L 10.10.10.2/32 is directly connected, Vlan56
  1052. 192.168.106.0/24 is variably subnetted, 2 subnets, 2 masks
  1053. C 192.168.106.0/24 is directly connected, Vlan55
  1054. L 192.168.106.2/32 is directly connected, Vlan55
  1055. 192.168.107.0/24 is variably subnetted, 2 subnets, 2 masks
  1056. C 192.168.107.0/24 is directly connected, Vlan3
  1057. L 192.168.107.2/32 is directly connected, Vlan3
  1058.  
  1059. Cat#sh access-list (Nothing)
  1060. Cat#
  1061. ```