- Here goes:
- Openwrt1
- uci show network; uci show firewall; uci show dhcp; \
- ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save
- ```
- root@OpenWrt:~# uci show network; uci show firewall; uci show dhcp; \
- > ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save;
- network.loopback=interface
- network.loopback.ifname='lo'
- network.loopback.proto='static'
- network.loopback.ipaddr='127.0.0.1'
- network.loopback.netmask='255.0.0.0'
- network.globals=globals
- network.globals.ula_prefix='fd7b:9a54:3d9b::/48'
- network.lan=interface
- network.lan.type='bridge'
- network.lan.proto='static'
- network.lan.ipaddr='192.168.106.1'
- network.lan.netmask='255.255.255.0'
- network.lan.ip6assign='60'
- network.lan.stp='1'
- network.lan.dns='8.8.8.8'
- network.lan.ifname='eth0.55'
- network.wan=interface
- network.wan.proto='dhcp'
- network.wan.metric='10'
- network.wan.ifname='eth0.1074'
- network.@switch[0]=switch
- network.@switch[0].name='switch0'
- network.@switch[0].reset='1'
- network.@switch[0].enable_vlan='1'
- network.@switch_vlan[0]=switch_vlan
- network.@switch_vlan[0].device='switch0'
- network.@switch_vlan[0].vlan='1'
- network.@switch_vlan[0].vid='55'
- network.@switch_vlan[0].ports='4 2t 1t 0t'
- network.@switch_vlan[1]=switch_vlan
- network.@switch_vlan[1].device='switch0'
- network.@switch_vlan[1].vlan='2'
- network.@switch_vlan[1].ports='5 0t'
- network.@switch_vlan[1].vid='1074'
- network.@switch_vlan[2]=switch_vlan
- network.@switch_vlan[2].device='switch0'
- network.@switch_vlan[2].vlan='3'
- network.@switch_vlan[2].vid='3'
- network.@switch_vlan[2].ports='2t 1t 0t'
- network.WLAN=interface
- network.WLAN.ifname='eth0.3'
- network.WLAN.proto='static'
- network.WLAN.ipaddr='192.168.107.1'
- network.WLAN.netmask='255.255.255.0'
- network.WLAN.ip6assign='60'
- network.WLAN.stp='1'
- network.@switch_vlan[3]=switch_vlan
- network.@switch_vlan[3].device='switch0'
- network.@switch_vlan[3].vlan='4'
- network.@switch_vlan[3].vid='4'
- network.@switch_vlan[3].ports='2t 1t 0t'
- network.WAN2=interface
- network.WAN2.proto='static'
- network.WAN2.ifname='eth0.4'
- network.WAN2.ipaddr='192.168.108.1'
- network.WAN2.netmask='255.255.255.0'
- network.WAN2.metric='20'
- network.WAN2.gateway='192.168.108.2'
- network.WAN2.auto='0'
- network.vpn0=interface
- network.vpn0.proto='none'
- network.vpn0.ifname='tun0'
- network.@switch_vlan[4]=switch_vlan
- network.@switch_vlan[4].device='switch0'
- network.@switch_vlan[4].vlan='5'
- network.@switch_vlan[4].vid='56'
- network.@switch_vlan[4].ports='3 0t'
- network.WLAN2=interface
- network.WLAN2.ifname='eth0.56'
- network.WLAN2.proto='static'
- network.WLAN2.broadcast='10.10.10.255'
- network.WLAN2.ipaddr='10.10.10.254'
- network.WLAN2.netmask='255.255.255.0'
- network.WLAN2.auto='0'
- network.@route[0]=route
- network.@route[0].target='10.10.10.0'
- network.@route[0].gateway='10.10.10.2'
- network.@route[0].netmask='255.255.255.0'
- network.@route[0].interface='lan'
- network.@route[0].metric='200'
- network.@route[0].onlink='0'
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].syn_flood='1'
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].forward='REJECT'
- firewall.@defaults[0].drop_invalid='1'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[0].device='tun0' 'tun1'
- firewall.@zone[0].network='lan WLAN vpn0 WLAN2'
- firewall.@zone[0].subnet='10.10.10.0/24' '192.168.106.0/24' '192.168.107.0/24' ' 192.168.8.0/24'
- firewall.@zone[0].log_limit='5/minute'
- firewall.@zone[0].log='1'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].input='REJECT'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].forward='REJECT'
- firewall.@zone[1].masq='1'
- firewall.@zone[1].mtu_fix='1'
- firewall.@zone[1].network='wan wan6 WAN2'
- firewall.@forwarding[0]=forwarding
- firewall.@forwarding[0].src='lan'
- firewall.@forwarding[0].dest='wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='tcp'
- firewall.@rule[0].dest_port='9091'
- firewall.@rule[0].name='Transmission Webif'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-DHCP-Renew'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='udp'
- firewall.@rule[1].dest_port='68'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[2]=rule
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='icmp'
- firewall.@rule[2].icmp_type='echo-request'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].name='disallow-Ping'
- firewall.@rule[2].target='DROP'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-IGMP'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='igmp'
- firewall.@rule[3].family='ipv4'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-DHCPv6'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='udp'
- firewall.@rule[4].src_ip='fc00::/6'
- firewall.@rule[4].dest_ip='fc00::/6'
- firewall.@rule[4].dest_port='546'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-MLD'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].src_ip='fe80::/10'
- firewall.@rule[5].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Input'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-ICMPv6-Forward'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='*'
- firewall.@rule[7].proto='icmp'
- firewall.@rule[7].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[7].limit='1000/sec'
- firewall.@rule[7].family='ipv6'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-IPSec-ESP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].proto='esp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@rule[9]=rule
- firewall.@rule[9].name='Allow-ISAKMP'
- firewall.@rule[9].src='wan'
- firewall.@rule[9].dest='lan'
- firewall.@rule[9].dest_port='500'
- firewall.@rule[9].proto='udp'
- firewall.@rule[9].target='ACCEPT'
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- firewall.@rule[10]=rule
- firewall.@rule[10].target='ACCEPT'
- firewall.@rule[10].src='wan'
- firewall.@rule[10].proto='tcp'
- firewall.@rule[10].name='ssh'
- firewall.@rule[10].dest_port='10022'
- firewall.@rule[11]=rule
- firewall.@rule[11].target='ACCEPT'
- firewall.@rule[11].src='wan'
- firewall.@rule[11].proto='tcp'
- firewall.@rule[11].dest_port='443'
- firewall.@rule[11].name='WebIF from the WAN'
- firewall.@redirect[0]=redirect
- firewall.@redirect[0].name='Allow-transparent-Squid'
- firewall.@redirect[0].proto='tcp'
- firewall.@redirect[0].target='DNAT'
- firewall.@redirect[0].src_ip='!192.168.107.1 !192.168.106.250 !102.168.106.251'
- firewall.@redirect[0].src_dip='!192.168.0.0/16'
- firewall.@redirect[0].src_dport='80'
- firewall.@redirect[0].dest_ip='192.168.106.1'
- firewall.@redirect[0].dest_port='3128'
- firewall.@redirect[0].src='lan'
- firewall.@redirect[0].enabled='0'
- firewall.miniupnpd=include
- firewall.miniupnpd.type='script'
- firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
- firewall.miniupnpd.family='any'
- firewall.miniupnpd.reload='1'
- firewall.vpn=rule
- firewall.vpn.name='Allow-OpenVPN'
- firewall.vpn.src='wan'
- firewall.vpn.proto='udp'
- firewall.vpn.target='ACCEPT'
- firewall.vpn.dest_port='1194-1195'
- firewall.@redirect[1]=redirect
- firewall.@redirect[1].target='DNAT'
- firewall.@redirect[1].src='wan'
- firewall.@redirect[1].dest='lan'
- firewall.@redirect[1].proto='tcp udp'
- firewall.@redirect[1].src_dport='14200'
- firewall.@redirect[1].dest_ip='192.168.106.71'
- firewall.@redirect[1].dest_port='14200'
- firewall.@redirect[1].name='uTorrent'
- firewall.@redirect[1].enabled='0'
- firewall.@redirect[2]=redirect
- firewall.@redirect[2].target='DNAT'
- firewall.@redirect[2].dest_ip='192.168.106.1'
- firewall.@redirect[2].src_ip='192.168.0.0/16'
- firewall.@redirect[2].src='wan'
- firewall.@redirect[2].dest='lan'
- firewall.@redirect[2].src_dport='6969'
- firewall.@redirect[2].dest_port='6969'
- firewall.@redirect[2].name='REDIRECT_opentracker_LAN'
- firewall.@redirect[2].proto='tcp udp'
- firewall.@redirect[2].enabled='0'
- firewall.@rule[13]=rule
- firewall.@rule[13].target='ACCEPT'
- firewall.@rule[13].src='wan'
- firewall.@rule[13].proto='tcp udp'
- firewall.@rule[13].dest_port='6969'
- firewall.@rule[13].name='Opentrackerx'
- firewall.@rule[13].enabled='0'
- firewall.@rule[14]=rule
- firewall.@rule[14].target='ACCEPT'
- firewall.@rule[14].src='wan'
- firewall.@rule[14].proto='tcp'
- firewall.@rule[14].dest_port='80'
- firewall.@rule[14].name='Acme'
- firewall.@rule[15]=rule
- firewall.@rule[15].target='ACCEPT'
- firewall.@rule[15].src='wan'
- firewall.@rule[15].proto='tcp udp'
- firewall.@rule[15].dest_port='51413'
- firewall.@rule[15].name='Transmission'
- firewall.@rule[16]=rule
- firewall.@rule[16].proto='all'
- firewall.@rule[16].name='MR200 AntiPing'
- firewall.@rule[16].src_ip='192.168.106.5'
- firewall.@rule[16].dest='wan'
- firewall.@rule[16].target='DROP'
- firewall.@rule[16].src='lan'
- dhcp.@dnsmasq[0]=dnsmasq
- dhcp.@dnsmasq[0].domainneeded='1'
- dhcp.@dnsmasq[0].localise_queries='1'
- dhcp.@dnsmasq[0].rebind_protection='1'
- dhcp.@dnsmasq[0].rebind_localhost='1'
- dhcp.@dnsmasq[0].local='/lan/'
- dhcp.@dnsmasq[0].domain='lan'
- dhcp.@dnsmasq[0].expandhosts='1'
- dhcp.@dnsmasq[0].authoritative='1'
- dhcp.@dnsmasq[0].readethers='1'
- dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
- dhcp.@dnsmasq[0].nonwildcard='1'
- dhcp.@dnsmasq[0].localservice='1'
- dhcp.@dnsmasq[0].enable_tftp='1'
- dhcp.@dnsmasq[0].tftp_root='/mnt/sda1'
- dhcp.@dnsmasq[0].serversfile='/tmp/adb_list.overall'
- dhcp.lan=dhcp
- dhcp.lan.interface='lan'
- dhcp.lan.start='100'
- dhcp.lan.limit='150'
- dhcp.lan.leasetime='12h'
- dhcp.lan.dhcpv6='server'
- dhcp.lan.ra='server'
- dhcp.lan.ra_management='1'
- dhcp.lan.dhcp_option='3,192.168.106.2'
- dhcp.wan=dhcp
- dhcp.wan.interface='wan'
- dhcp.wan.ignore='1'
- dhcp.odhcpd=odhcpd
- dhcp.odhcpd.maindhcp='0'
- dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
- dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
- dhcp.odhcpd.loglevel='4'
- dhcp.WLAN=dhcp
- dhcp.WLAN.start='100'
- dhcp.WLAN.leasetime='12h'
- dhcp.WLAN.limit='150'
- dhcp.WLAN.interface='WLAN'
- dhcp.WLAN.dhcp_option='3,192.168.107.2'
- dhcp.@host[0]=host
- dhcp.@host[0].ip='192.168.106.68'
- dhcp.@host[0].name='NAS'
- dhcp.@host[0].mac='E8:06:88:CC:50:95'
- dhcp.@host[1]=host
- dhcp.@host[1].ip='192.168.106.245'
- dhcp.@host[1].mac='E8:AB:FA:04:62:C8'
- dhcp.@host[1].name='CAM1'
- dhcp.@host[2]=host
- dhcp.@host[2].ip='192.168.106.250'
- dhcp.@host[2].mac='B8:AE:6E:60:D5:86'
- dhcp.@host[2].name='Roku1'
- dhcp.@host[3]=host
- dhcp.@host[3].ip='192.168.106.251'
- dhcp.@host[3].mac='AC:3A:7A:0A:F5:79'
- dhcp.@host[3].name='Roku2'
- dhcp.@domain[0]=domain
- dhcp.@domain[0].name='nas'
- dhcp.@domain[0].ip='192.168.106.68'
- dhcp.@host[4]=host
- dhcp.@host[4].name='Goodwill'
- dhcp.@host[4].dns='1'
- dhcp.@host[4].mac='30:85:A9:8E:83:C8'
- dhcp.@host[4].ip='192.168.106.71'
- dhcp.@host[5]=host
- dhcp.@host[5].name='Kindle1'
- dhcp.@host[5].dns='1'
- dhcp.@host[5].mac='0C:47:C9:B7:CC:8B'
- dhcp.@host[5].ip='192.168.106.253'
- dhcp.@host[6]=host
- dhcp.@host[6].name='Kindle2'
- dhcp.@host[6].dns='1'
- dhcp.@host[6].mac='F0:27:2D:D8:7F:D4'
- dhcp.@host[6].ip='192.168.106.254'
- dhcp.@domain[1]=domain
- dhcp.@domain[1].name='fultonit.r-o-o-t.net'
- dhcp.@domain[1].ip='192.168.106.1'
- dhcp.@host[7]=host
- dhcp.@host[7].name='Jennys-iPad'
- dhcp.@host[7].dns='1'
- dhcp.@host[7].mac='C4:84:66:CE:0E:65'
- dhcp.@host[7].ip='192.168.107.184'
- dhcp.@host[8]=host
- dhcp.@host[8].name='CAM2'
- dhcp.@host[8].dns='1'
- dhcp.@host[8].mac='E8:AB:FA:04:9E:30'
- dhcp.@host[8].ip='192.168.106.244'
- dhcp.@host[9]=host
- dhcp.@host[9].name='CAM3'
- dhcp.@host[9].dns='1'
- dhcp.@host[9].mac='00:B8:FB:01:1A:73'
- dhcp.@host[9].ip='192.168.106.243'
- dhcp.@domain[2]=domain
- dhcp.@domain[2].name='penderit'
- dhcp.@domain[2].ip='192.168.107.208'
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- 10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 192.168.106.1/24 brd 192.168.106.255 scope global br-lan
- valid_lft forever preferred_lft forever
- 13: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 192.168.107.1/24 brd 192.168.107.255 scope global eth0.3
- valid_lft forever preferred_lft forever
- 906: eth0.1074@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
- inet 66.84.124.116/26 brd 66.84.124.127 scope global eth0.1074
- valid_lft forever preferred_lft forever
- 1181: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
- inet 192.168.8.1/24 brd 192.168.8.255 scope global tun0
- valid_lft forever preferred_lft forever
- default via 66.84.124.65 dev eth0.1074 proto static src 66.84.124.116 metric 10
- 66.84.124.64/26 dev eth0.1074 proto static scope link metric 10
- 192.168.8.0/24 dev tun0 proto kernel scope link src 192.168.8.1
- 192.168.106.0/24 dev br-lan proto kernel scope link src 192.168.106.1
- 192.168.107.0/24 dev eth0.3 proto kernel scope link src 192.168.107.1
- 0: from all lookup local
- 32766: from all lookup main
- 32767: from all lookup default
- # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
- *nat
- :PREROUTING ACCEPT [62396:7279271]
- :INPUT ACCEPT [41074:4613677]
- :OUTPUT ACCEPT [19474:1684716]
- :POSTROUTING ACCEPT [884:227992]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prero uting_rule
- -A PREROUTING -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_p rerouting
- -A PREROUTING -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_ prerouting
- -A PREROUTING -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan _prerouting
- -A PREROUTING -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j zone_ lan_prerouting
- -A PREROUTING -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j zone_ lan_prerouting
- -A PREROUTING -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan _prerouting
- -A PREROUTING -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_ lan_prerouting
- -A PREROUTING -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_ lan_prerouting
- -A PREROUTING -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_p rerouting
- -A PREROUTING -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_ prerouting
- -A PREROUTING -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_la n_prerouting
- -A PREROUTING -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone _lan_prerouting
- -A PREROUTING -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone _lan_prerouting
- -A PREROUTING -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_l an_prerouting
- -A PREROUTING -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_prerouting
- -A PREROUTING -i eth0.4 -m comment --comment "!fw3" -j zone_wan_prerouting
- -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j pos trouting_rule
- -A POSTROUTING -d 10.10.10.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_ postrouting
- -A POSTROUTING -d 192.168.106.0/24 -o tun1 -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 192.168.107.0/24 -o tun1 -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 192.168.8.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan _postrouting
- -A POSTROUTING -d 10.10.10.0/24 -o br-lan -m comment --comment "!fw3" -j zone_la n_postrouting
- -A POSTROUTING -d 192.168.106.0/24 -o br-lan -m comment --comment "!fw3" -j zone _lan_postrouting
- -A POSTROUTING -d 192.168.107.0/24 -o br-lan -m comment --comment "!fw3" -j zone _lan_postrouting
- -A POSTROUTING -d 192.168.8.0/24 -o br-lan -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 10.10.10.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_la n_postrouting
- -A POSTROUTING -d 192.168.106.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone _lan_postrouting
- -A POSTROUTING -d 192.168.107.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone _lan_postrouting
- -A POSTROUTING -d 192.168.8.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 10.10.10.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_ postrouting
- -A POSTROUTING -d 192.168.106.0/24 -o tun0 -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 192.168.107.0/24 -o tun0 -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 192.168.8.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan _postrouting
- -A POSTROUTING -d 10.10.10.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_l an_postrouting
- -A POSTROUTING -d 192.168.106.0/24 -o eth0.56 -m comment --comment "!fw3" -j zon e_lan_postrouting
- -A POSTROUTING -d 192.168.107.0/24 -o eth0.56 -m comment --comment "!fw3" -j zon e_lan_postrouting
- -A POSTROUTING -d 192.168.8.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_ lan_postrouting
- -A POSTROUTING -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_postrouting
- -A POSTROUTING -o eth0.4 -m comment --comment "!fw3" -j zone_wan_postrouting
- -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule ch ain" -j prerouting_lan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule ch ain" -j prerouting_wan_rule
- COMMIT
- # Completed on Tue Dec 17 08:19:22 2019
- # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
- *raw
- :PREROUTING ACCEPT [1565190:982992213]
- :OUTPUT ACCEPT [254487:47547506]
- :zone_lan_helper - [0:0]
- -A PREROUTING -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3: lan CT helpe r assignment" -j zone_lan_helper
- -A PREROUTING -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3: lan CT help er assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT help er assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT h elper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3: lan CT helpe r assignment" -j zone_lan_helper
- -A PREROUTING -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT hel per assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
- -A PREROUTING -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3: lan CT he lper assignment" -j zone_lan_helper
- COMMIT
- # Completed on Tue Dec 17 08:19:22 2019
- # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
- *mangle
- :PREROUTING ACCEPT [1560335:980427609]
- :INPUT ACCEPT [297718:38535970]
- :FORWARD ACCEPT [1257240:940805822]
- :OUTPUT ACCEPT [252028:43687198]
- :POSTROUTING ACCEPT [1504539:983902404]
- -A FORWARD -o eth0.1074 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comme nt "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- -A FORWARD -o eth0.4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Tue Dec 17 08:19:22 2019
- # Generated by iptables-save v1.8.3 on Tue Dec 17 08:19:22 2019
- *filter
- :INPUT ACCEPT [616:347950]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [20:3572]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_DROP - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_REJECT - [0:0]
- -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
- -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw 3" -j syn_flood
- -A INPUT -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_inpu t
- -A INPUT -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_i nput
- -A INPUT -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_i nput
- -A INPUT -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_inpu t
- -A INPUT -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_i nput
- -A INPUT -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_i nput
- -A INPUT -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_inp ut
- -A INPUT -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_ input
- -A INPUT -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_ input
- -A INPUT -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_in put
- -A INPUT -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_input
- -A INPUT -i eth0.4 -m comment --comment "!fw3" -j zone_wan_input
- -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwardi ng_rule
- -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3 " -j ACCEPT
- -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
- -A FORWARD -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_forw ard
- -A FORWARD -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j zone_lan_for ward
- -A FORWARD -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_fo rward
- -A FORWARD -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan _forward
- -A FORWARD -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan _forward
- -A FORWARD -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_fo rward
- -A FORWARD -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan _forward
- -A FORWARD -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan _forward
- -A FORWARD -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_forw ard
- -A FORWARD -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j zone_lan_for ward
- -A FORWARD -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_f orward
- -A FORWARD -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_la n_forward
- -A FORWARD -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_la n_forward
- -A FORWARD -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j zone_lan_ forward
- -A FORWARD -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -i eth0.4 -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -m comment --comment "!fw3" -j reject
- -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
- -A OUTPUT -d 10.10.10.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_outpu t
- -A OUTPUT -d 192.168.106.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 192.168.107.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 192.168.8.0/24 -o tun1 -m comment --comment "!fw3" -j zone_lan_outp ut
- -A OUTPUT -d 10.10.10.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_out put
- -A OUTPUT -d 192.168.106.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_ output
- -A OUTPUT -d 192.168.107.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_ output
- -A OUTPUT -d 192.168.8.0/24 -o br-lan -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 10.10.10.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_out put
- -A OUTPUT -d 192.168.106.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_ output
- -A OUTPUT -d 192.168.107.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_ output
- -A OUTPUT -d 192.168.8.0/24 -o eth0.3 -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 10.10.10.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_outpu t
- -A OUTPUT -d 192.168.106.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 192.168.107.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 192.168.8.0/24 -o tun0 -m comment --comment "!fw3" -j zone_lan_outp ut
- -A OUTPUT -d 10.10.10.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan_ou tput
- -A OUTPUT -d 192.168.106.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan _output
- -A OUTPUT -d 192.168.107.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan _output
- -A OUTPUT -d 192.168.8.0/24 -o eth0.56 -m comment --comment "!fw3" -j zone_lan_o utput
- -A OUTPUT -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_output
- -A OUTPUT -o eth0.4 -m comment --comment "!fw3" -j zone_wan_output
- -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreacha ble
- -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/s ec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- -A syn_flood -m comment --comment "!fw3" -j DROP
- -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o br-lan -m comment --comment "!fw3" - j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o br-lan -m comment --comment "!fw3 " -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o br-lan -m comment --comment "!fw3 " -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o eth0.3 -m comment --comment "!fw3" - j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o eth0.3 -m comment --comment "!fw3 " -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o eth0.3 -m comment --comment "!fw3 " -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 10.10.10.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.106.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.107.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -d 192.168.8.0/24 -o eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- -A zone_lan_forward -s 192.168.106.5/32 -m comment --comment "!fw3: MR200 AntiPing" -j zone_wan_dest_DROP
- -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i tun1 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i eth0.3 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 10.10.10.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.106.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.107.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -s 192.168.8.0/24 -i eth0.56 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o eth0.1074 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o eth0.1074 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o eth0.4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o eth0.4 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_DROP -o eth0.1074 -m comment --comment "!fw3" -j DROP
- -A zone_wan_dest_DROP -o eth0.4 -m comment --comment "!fw3" -j DROP
- -A zone_wan_dest_REJECT -o eth0.1074 -m comment --comment "!fw3" -j reject
- -A zone_wan_dest_REJECT -o eth0.4 -m comment --comment "!fw3" -j reject
- -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
- -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- -A zone_wan_input -p tcp -m tcp --dport 9091 -m comment --comment "!fw3: Transmission Webif" -j ACCEPT
- -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: disallow-Ping" -j DROP
- -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- -A zone_wan_input -p tcp -m tcp --dport 10022 -m comment --comment "!fw3: ssh" -j ACCEPT
- -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WebIF from the WAN" -j ACCEPT
- -A zone_wan_input -p udp -m udp --dport 1194:1195 -m comment --comment "!fw3: Allow-OpenVPN" -j ACCEPT
- -A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Acme" -j ACCEPT
- -A zone_wan_input -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: Transmission" -j ACCEPT
- -A zone_wan_input -p udp -m udp --dport 51413 -m comment --comment "!fw3: Transmission" -j ACCEPT
- -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
- -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- -A zone_wan_src_REJECT -i eth0.1074 -m comment --comment "!fw3" -j reject
- -A zone_wan_src_REJECT -i eth0.4 -m comment --comment "!fw3" -j reject
- COMMIT
- # Completed on Tue Dec 17 08:19:22 2019
- ```
- Openwrt2
- uci show network; uci show firewall; uci show dhcp; \
- ip -4 addr ; ip -4 ro ; ip -4 ru; iptables-save
- ```
- network.loopback=interface
- network.loopback.ifname='lo'
- network.loopback.proto='static'
- network.loopback.ipaddr='127.0.0.1'
- network.loopback.netmask='255.0.0.0'
- network.globals=globals
- network.globals.ula_prefix='fda0:a5d8:8ecc::/48'
- network.lan=interface
- network.lan.type='bridge'
- network.lan.proto='static'
- network.lan.ipaddr='10.10.10.1'
- network.lan.netmask='255.255.255.0'
- network.lan.ip6assign='60'
- network.lan.dns='8.8.8.8 8.8.4.4'
- network.lan.ifname='eth0.56'
- network.wan=interface
- network.wan.proto='dhcp'
- network.wan.ifname='eth0.1074'
- network.wan6=interface
- network.wan6.proto='dhcpv6'
- network.wan6.ifname='eth0.1074'
- network.@switch[0]=switch
- network.@switch[0].name='switch0'
- network.@switch[0].reset='1'
- network.@switch[0].enable_vlan='1'
- network.@switch_vlan[0]=switch_vlan
- network.@switch_vlan[0].device='switch0'
- network.@switch_vlan[0].vlan='1'
- network.@switch_vlan[0].vid='56'
- network.@switch_vlan[0].ports='0t 1t 2t 3t 4t'
- network.@switch_vlan[1]=switch_vlan
- network.@switch_vlan[1].device='switch0'
- network.@switch_vlan[1].vlan='2'
- network.@switch_vlan[1].ports='0t 5'
- network.@switch_vlan[1].vid='1074'
- network.vpn0=interface
- network.vpn0.proto='none'
- network.vpn0.ifname='tun0'
- network.vpn0.auto='0'
- network.@route[0]=route
- network.@route[0].interface='lan'
- network.@route[0].target='192.168.106.0'
- network.@route[0].netmask='255.255.255.0'
- network.@route[0].gateway='192.168.106.2'
- network.@route[0].metric='20'
- network.@route[1]=route
- network.@route[1].interface='lan'
- network.@route[1].target='192.168.107.0'
- network.@route[1].netmask='255.255.255.0'
- network.@route[1].gateway='192.168.107.2'
- network.@route[1].metric='20'
- firewall.@defaults[0]=defaults
- firewall.@defaults[0].syn_flood='1'
- firewall.@defaults[0].input='ACCEPT'
- firewall.@defaults[0].output='ACCEPT'
- firewall.@defaults[0].forward='REJECT'
- firewall.@zone[0]=zone
- firewall.@zone[0].name='lan'
- firewall.@zone[0].input='ACCEPT'
- firewall.@zone[0].output='ACCEPT'
- firewall.@zone[0].forward='ACCEPT'
- firewall.@zone[0].masq_src='192.168.106.0/24' '192.168.107.0/24' '10.10.10.0/24'
- firewall.@zone[0].network='lan vpn0'
- firewall.@zone[1]=zone
- firewall.@zone[1].name='wan'
- firewall.@zone[1].input='REJECT'
- firewall.@zone[1].output='ACCEPT'
- firewall.@zone[1].forward='REJECT'
- firewall.@zone[1].masq='1'
- firewall.@zone[1].mtu_fix='1'
- firewall.@zone[1].network='wan wan6'
- firewall.@forwarding[0]=forwarding
- firewall.@forwarding[0].src='lan'
- firewall.@forwarding[0].dest='wan'
- firewall.@rule[0]=rule
- firewall.@rule[0].name='Allow-DHCP-Renew'
- firewall.@rule[0].src='wan'
- firewall.@rule[0].proto='udp'
- firewall.@rule[0].dest_port='68'
- firewall.@rule[0].target='ACCEPT'
- firewall.@rule[0].family='ipv4'
- firewall.@rule[1]=rule
- firewall.@rule[1].name='Allow-Ping'
- firewall.@rule[1].src='wan'
- firewall.@rule[1].proto='icmp'
- firewall.@rule[1].icmp_type='echo-request'
- firewall.@rule[1].family='ipv4'
- firewall.@rule[1].target='ACCEPT'
- firewall.@rule[2]=rule
- firewall.@rule[2].name='Allow-IGMP'
- firewall.@rule[2].src='wan'
- firewall.@rule[2].proto='igmp'
- firewall.@rule[2].family='ipv4'
- firewall.@rule[2].target='ACCEPT'
- firewall.@rule[3]=rule
- firewall.@rule[3].name='Allow-DHCPv6'
- firewall.@rule[3].src='wan'
- firewall.@rule[3].proto='udp'
- firewall.@rule[3].src_ip='fc00::/6'
- firewall.@rule[3].dest_ip='fc00::/6'
- firewall.@rule[3].dest_port='546'
- firewall.@rule[3].family='ipv6'
- firewall.@rule[3].target='ACCEPT'
- firewall.@rule[4]=rule
- firewall.@rule[4].name='Allow-MLD'
- firewall.@rule[4].src='wan'
- firewall.@rule[4].proto='icmp'
- firewall.@rule[4].src_ip='fe80::/10'
- firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
- firewall.@rule[4].family='ipv6'
- firewall.@rule[4].target='ACCEPT'
- firewall.@rule[5]=rule
- firewall.@rule[5].name='Allow-ICMPv6-Input'
- firewall.@rule[5].src='wan'
- firewall.@rule[5].proto='icmp'
- firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
- firewall.@rule[5].limit='1000/sec'
- firewall.@rule[5].family='ipv6'
- firewall.@rule[5].target='ACCEPT'
- firewall.@rule[6]=rule
- firewall.@rule[6].name='Allow-ICMPv6-Forward'
- firewall.@rule[6].src='wan'
- firewall.@rule[6].dest='*'
- firewall.@rule[6].proto='icmp'
- firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
- firewall.@rule[6].limit='1000/sec'
- firewall.@rule[6].family='ipv6'
- firewall.@rule[6].target='ACCEPT'
- firewall.@rule[7]=rule
- firewall.@rule[7].name='Allow-IPSec-ESP'
- firewall.@rule[7].src='wan'
- firewall.@rule[7].dest='lan'
- firewall.@rule[7].proto='esp'
- firewall.@rule[7].target='ACCEPT'
- firewall.@rule[8]=rule
- firewall.@rule[8].name='Allow-ISAKMP'
- firewall.@rule[8].src='wan'
- firewall.@rule[8].dest='lan'
- firewall.@rule[8].dest_port='500'
- firewall.@rule[8].proto='udp'
- firewall.@rule[8].target='ACCEPT'
- firewall.@include[0]=include
- firewall.@include[0].path='/etc/firewall.user'
- firewall.@rule[9]=rule
- firewall.@rule[9].target='ACCEPT'
- firewall.@rule[9].src='wan'
- firewall.@rule[9].proto='udp'
- firewall.@rule[9].dest_port='1195'
- firewall.@rule[9].name='ovpn'
- firewall.@rule[10]=rule
- firewall.@rule[10].target='ACCEPT'
- firewall.@rule[10].src='wan'
- firewall.@rule[10].proto='tcp'
- firewall.@rule[10].dest_port='443'
- firewall.@rule[10].name='https'
- firewall.@rule[11]=rule
- firewall.@rule[11].target='ACCEPT'
- firewall.@rule[11].src='wan'
- firewall.@rule[11].proto='tcp'
- firewall.@rule[11].dest_port='22'
- firewall.@rule[11].name='22'
- dhcp.@dnsmasq[0]=dnsmasq
- dhcp.@dnsmasq[0].domainneeded='1'
- dhcp.@dnsmasq[0].boguspriv='1'
- dhcp.@dnsmasq[0].filterwin2k='0'
- dhcp.@dnsmasq[0].localise_queries='1'
- dhcp.@dnsmasq[0].rebind_protection='1'
- dhcp.@dnsmasq[0].rebind_localhost='1'
- dhcp.@dnsmasq[0].local='/lan/'
- dhcp.@dnsmasq[0].domain='lan'
- dhcp.@dnsmasq[0].expandhosts='1'
- dhcp.@dnsmasq[0].nonegcache='0'
- dhcp.@dnsmasq[0].authoritative='1'
- dhcp.@dnsmasq[0].readethers='1'
- dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
- dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
- dhcp.@dnsmasq[0].nonwildcard='1'
- dhcp.@dnsmasq[0].localservice='1'
- dhcp.lan=dhcp
- dhcp.lan.interface='lan'
- dhcp.lan.start='100'
- dhcp.lan.limit='150'
- dhcp.lan.leasetime='12h'
- dhcp.lan.dhcpv6='server'
- dhcp.lan.ra='server'
- dhcp.lan.ra_management='1'
- dhcp.lan.dhcp_option='3,10.10.10.2'
- dhcp.wan=dhcp
- dhcp.wan.interface='wan'
- dhcp.wan.ignore='1'
- dhcp.odhcpd=odhcpd
- dhcp.odhcpd.maindhcp='0'
- dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
- dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
- dhcp.odhcpd.loglevel='4'
- 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
- inet 127.0.0.1/8 scope host lo
- valid_lft forever preferred_lft forever
- 4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
- inet 10.10.10.1/24 brd 10.10.10.255 scope global br-lan
- valid_lft forever preferred_lft forever
- 6: eth0.1074@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
- inet 66.84.124.105/26 brd 66.84.124.127 scope global eth0.1074
- valid_lft forever preferred_lft forever
- default via 66.84.124.65 dev eth0.1074 src 66.84.124.105
- 10.10.10.0/24 dev br-lan scope link src 10.10.10.1
- 66.84.124.64/26 dev eth0.1074 scope link src 66.84.124.105
- 0: from all lookup local
- 32766: from all lookup main
- 32767: from all lookup default
- # Generated by iptables-save v1.6.2 on Tue Dec 17 08:22:30 2019
- *nat
- :PREROUTING ACCEPT [9:1821]
- :INPUT ACCEPT [4:208]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- :postrouting_lan_rule - [0:0]
- :postrouting_rule - [0:0]
- :postrouting_wan_rule - [0:0]
- :prerouting_lan_rule - [0:0]
- :prerouting_rule - [0:0]
- :prerouting_wan_rule - [0:0]
- :zone_lan_postrouting - [0:0]
- :zone_lan_prerouting - [0:0]
- :zone_wan_postrouting - [0:0]
- :zone_wan_prerouting - [0:0]
- -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
- -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
- -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
- -A PREROUTING -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_prerouting
- -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
- -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
- -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
- -A POSTROUTING -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_postrouting
- -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
- -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
- -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
- -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
- COMMIT
- # Completed on Tue Dec 17 08:22:30 2019
- # Generated by iptables-save v1.6.2 on Tue Dec 17 08:22:30 2019
- *mangle
- :PREROUTING ACCEPT [91:10224]
- :INPUT ACCEPT [87:8788]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [112:55222]
- :POSTROUTING ACCEPT [112:55222]
- -A FORWARD -o eth0.1074 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
- COMMIT
- # Completed on Tue Dec 17 08:22:30 2019
- # Generated by iptables-save v1.6.2 on Tue Dec 17 08:22:30 2019
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :forwarding_lan_rule - [0:0]
- :forwarding_rule - [0:0]
- :forwarding_wan_rule - [0:0]
- :input_lan_rule - [0:0]
- :input_rule - [0:0]
- :input_wan_rule - [0:0]
- :output_lan_rule - [0:0]
- :output_rule - [0:0]
- :output_wan_rule - [0:0]
- :reject - [0:0]
- :syn_flood - [0:0]
- :zone_lan_dest_ACCEPT - [0:0]
- :zone_lan_forward - [0:0]
- :zone_lan_input - [0:0]
- :zone_lan_output - [0:0]
- :zone_lan_src_ACCEPT - [0:0]
- :zone_wan_dest_ACCEPT - [0:0]
- :zone_wan_dest_REJECT - [0:0]
- :zone_wan_forward - [0:0]
- :zone_wan_input - [0:0]
- :zone_wan_output - [0:0]
- :zone_wan_src_REJECT - [0:0]
- -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
- -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
- -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
- -A INPUT -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_input
- -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
- -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
- -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
- -A FORWARD -i eth0.1074 -m comment --comment "!fw3" -j zone_wan_forward
- -A FORWARD -m comment --comment "!fw3" -j reject
- -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
- -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
- -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
- -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
- -A OUTPUT -o eth0.1074 -m comment --comment "!fw3" -j zone_wan_output
- -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
- -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
- -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
- -A syn_flood -m comment --comment "!fw3" -j DROP
- -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
- -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
- -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
- -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
- -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
- -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
- -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- -A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_ACCEPT -o eth0.1074 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
- -A zone_wan_dest_ACCEPT -o eth0.1074 -m comment --comment "!fw3" -j ACCEPT
- -A zone_wan_dest_REJECT -o eth0.1074 -m comment --comment "!fw3" -j reject
- -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
- -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
- -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
- -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
- -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
- -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
- -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
- -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
- -A zone_wan_input -p udp -m udp --dport 1195 -m comment --comment "!fw3: ovpn" -j ACCEPT
- -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j ACCEPT
- -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: 22" -j ACCEPT
- -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
- -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
- -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
- -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
- -A zone_wan_src_REJECT -i eth0.1074 -m comment --comment "!fw3" -j reject
- COMMIT
- # Completed on Tue Dec 17 08:22:30 2019
- ```
- 3750 switch output
- ```
- Cat#sh ip int br (Removed gi1/0/xx interfaces that are just access ports)
- Interface IP-Address OK? Method Status Protocol
- Vlan1 unassigned YES manual administratively down down
- Vlan3 192.168.107.2 YES NVRAM up up
- Vlan4 unassigned YES unset up up
- Vlan55 192.168.106.2 YES manual up up
- Vlan56 10.10.10.2 YES manual up up
- Cat#sh ip ro
- Gateway of last resort is 192.168.106.1 to network 0.0.0.0
- S* 0.0.0.0/0 [1/0] via 192.168.106.1
- 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
- C 10.10.10.0/24 is directly connected, Vlan56
- L 10.10.10.2/32 is directly connected, Vlan56
- 192.168.106.0/24 is variably subnetted, 2 subnets, 2 masks
- C 192.168.106.0/24 is directly connected, Vlan55
- L 192.168.106.2/32 is directly connected, Vlan55
- 192.168.107.0/24 is variably subnetted, 2 subnets, 2 masks
- C 192.168.107.0/24 is directly connected, Vlan3
- L 192.168.107.2/32 is directly connected, Vlan3
- Cat#sh access-list (Nothing)
- Cat#
- ```