
Wireguard 2nd try

  1. BusyBox v1.33.0 () built-in shell (ash)
  2.  
  3. _______ ________ __
  4. | |.-----.-----.-----.| | | |.----.| |_
  5. | - || _ | -__| || | | || _|| _|
  6. |_______|| __|_____|__|__||________||__| |____|
  7. |__| W I R E L E S S F R E E D O M
  8. -----------------------------------------------------
  9. OpenWrt SNAPSHOT, r16077-785ab2b62c
  10. -----------------------------------------------------
  11. root@OpenWrt-A:~# ubus call system board; uci show network; uci show firewall; uci show dhcp; uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; wg show;
  12. ip address show; ip route show table all; ip rule show; iptables-save; head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  13. {
  14. "kernel": "5.4.101",
  15. "hostname": "OpenWrt-A",
  16. "system": "MediaTek MT7628AN ver:1 eco:2",
  17. "model": "WAVLINK WL-WN577A2",
  18. "board_name": "wavlink,wl-wn577a2",
  19. "release": {
  20. "distribution": "OpenWrt",
  21. "version": "SNAPSHOT",
  22. "revision": "r16077-785ab2b62c",
  23. "target": "ramips/mt76x8",
  24. "description": "OpenWrt SNAPSHOT r16077-785ab2b62c"
  25. }
  26. }
  27. network.loopback=interface
  28. network.loopback.ifname='lo'
  29. network.loopback.proto='static'
  30. network.loopback.ipaddr='127.0.0.1'
  31. network.loopback.netmask='255.0.0.0'
  32. network.globals=globals
  33. network.globals.ula_prefix='fdb6:1936:f34c::/48'
  34. network.lan=interface
  35. network.lan.type='bridge'
  36. network.lan.ifname='eth0.1'
  37. network.lan.proto='static'
  38. network.lan.ipaddr='192.168.1.1'
  39. network.lan.netmask='255.255.255.0'
  40. network.lan.ip6assign='60'
  41. network.wan=interface
  42. network.wan.ifname='eth0.2'
  43. network.wan.proto='dhcp'
  44. network.wan_eth0_2_dev=device
  45. network.wan_eth0_2_dev.name='eth0.2'
  46. network.wan_eth0_2_dev.macaddr='80:3f:5d:bc:fa:e4'
  47. network.wan6=interface
  48. network.wan6.ifname='eth0.2'
  49. network.wan6.proto='dhcpv6'
  50. network.@switch[0]=switch
  51. network.@switch[0].name='switch0'
  52. network.@switch[0].reset='1'
  53. network.@switch[0].enable_vlan='1'
  54. network.@switch_vlan[0]=switch_vlan
  55. network.@switch_vlan[0].device='switch0'
  56. network.@switch_vlan[0].vlan='1'
  57. network.@switch_vlan[0].ports='3 6t'
  58. network.@switch_vlan[1]=switch_vlan
  59. network.@switch_vlan[1].device='switch0'
  60. network.@switch_vlan[1].vlan='2'
  61. network.@switch_vlan[1].ports='4 6t'
  62. network.wifi1=interface
  63. network.wifi1.proto='static'
  64. network.wifi1.ipaddr='192.168.10.1'
  65. network.wifi1.netmask='255.255.255.0'
  66. network.wifi1.type='bridge'
  67. network.wifi2=interface
  68. network.wifi2.proto='static'
  69. network.wifi2.netmask='255.255.255.0'
  70. network.wifi2.ipaddr='192.168.30.1'
  71. network.wifi2.type='bridge'
  72. network.wg0=interface
  73. network.wg0.proto='wireguard'
  74. network.wg0.private_key='SB35Tx9y9nEo4l7mKbkb4knsdmrmKyK3mXk6meslsUk='
  75. network.wg0.addresses='10.0.0.16/32'
  76. network.@wireguard_wg0[0]=wireguard_wg0
  77. network.@wireguard_wg0[0].public_key='AIO7f10s+pBSiMmsZ+PvhWPI8glDXeMt5VAP37b8um4='
  78. network.@wireguard_wg0[0].endpoint_host='willislan.spdns.de'
  79. network.@wireguard_wg0[0].endpoint_port='51821'
  80. network.@wireguard_wg0[0].persistent_keepalive='25'
  81. network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0' '::/0'
  82. network.wifi1a=interface
  83. network.wifi1a.proto='static'
  84. network.wifi1a.netmask='255.255.255.0'
  85. network.wifi1a.ipaddr='192.168.20.1'
  86. network.wifi1a.type='bridge'
  87. firewall.@defaults[0]=defaults
  88. firewall.@defaults[0].input='ACCEPT'
  89. firewall.@defaults[0].output='ACCEPT'
  90. firewall.@defaults[0].forward='REJECT'
  91. firewall.@defaults[0].synflood_protect='1'
  92. firewall.@zone[0]=zone
  93. firewall.@zone[0].name='lan'
  94. firewall.@zone[0].input='ACCEPT'
  95. firewall.@zone[0].output='ACCEPT'
  96. firewall.@zone[0].forward='ACCEPT'
  97. firewall.@zone[0].network='lan'
  98. firewall.@zone[1]=zone
  99. firewall.@zone[1].name='wifi1a'
  100. firewall.@zone[1].input='ACCEPT'
  101. firewall.@zone[1].output='ACCEPT'
  102. firewall.@zone[1].forward='REJECT'
  103. firewall.@zone[1].network='wifi1a'
  104. firewall.@zone[2]=zone
  105. firewall.@zone[2].name='wifi2'
  106. firewall.@zone[2].input='ACCEPT'
  107. firewall.@zone[2].output='ACCEPT'
  108. firewall.@zone[2].forward='ACCEPT'
  109. firewall.@zone[2].network='wifi2'
  110. firewall.@zone[3]=zone
  111. firewall.@zone[3].name='wan'
  112. firewall.@zone[3].input='REJECT'
  113. firewall.@zone[3].output='ACCEPT'
  114. firewall.@zone[3].forward='REJECT'
  115. firewall.@zone[3].masq='1'
  116. firewall.@zone[3].mtu_fix='1'
  117. firewall.@zone[3].network='wan' 'wan6'
  118. firewall.@forwarding[0]=forwarding
  119. firewall.@forwarding[0].src='lan'
  120. firewall.@forwarding[0].dest='wan'
  121. firewall.@rule[0]=rule
  122. firewall.@rule[0].name='Allow-DHCP-Renew'
  123. firewall.@rule[0].src='wan'
  124. firewall.@rule[0].proto='udp'
  125. firewall.@rule[0].dest_port='68'
  126. firewall.@rule[0].target='ACCEPT'
  127. firewall.@rule[0].family='ipv4'
  128. firewall.@rule[1]=rule
  129. firewall.@rule[1].name='Allow-Ping'
  130. firewall.@rule[1].src='wan'
  131. firewall.@rule[1].proto='icmp'
  132. firewall.@rule[1].icmp_type='echo-request'
  133. firewall.@rule[1].family='ipv4'
  134. firewall.@rule[1].target='ACCEPT'
  135. firewall.@rule[2]=rule
  136. firewall.@rule[2].name='Allow-IGMP'
  137. firewall.@rule[2].src='wan'
  138. firewall.@rule[2].proto='igmp'
  139. firewall.@rule[2].family='ipv4'
  140. firewall.@rule[2].target='ACCEPT'
  141. firewall.@rule[3]=rule
  142. firewall.@rule[3].name='Allow-DHCPv6'
  143. firewall.@rule[3].src='wan'
  144. firewall.@rule[3].proto='udp'
  145. firewall.@rule[3].src_ip='fc00::/6'
  146. firewall.@rule[3].dest_ip='fc00::/6'
  147. firewall.@rule[3].dest_port='546'
  148. firewall.@rule[3].family='ipv6'
  149. firewall.@rule[3].target='ACCEPT'
  150. firewall.@rule[4]=rule
  151. firewall.@rule[4].name='Allow-MLD'
  152. firewall.@rule[4].src='wan'
  153. firewall.@rule[4].proto='icmp'
  154. firewall.@rule[4].src_ip='fe80::/10'
  155. firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
  156. firewall.@rule[4].family='ipv6'
  157. firewall.@rule[4].target='ACCEPT'
  158. firewall.@rule[5]=rule
  159. firewall.@rule[5].name='Allow-ICMPv6-Input'
  160. firewall.@rule[5].src='wan'
  161. firewall.@rule[5].proto='icmp'
  162. firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
  163. firewall.@rule[5].limit='1000/sec'
  164. firewall.@rule[5].family='ipv6'
  165. firewall.@rule[5].target='ACCEPT'
  166. firewall.@rule[6]=rule
  167. firewall.@rule[6].name='Allow-ICMPv6-Forward'
  168. firewall.@rule[6].src='wan'
  169. firewall.@rule[6].dest='*'
  170. firewall.@rule[6].proto='icmp'
  171. firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
  172. firewall.@rule[6].limit='1000/sec'
  173. firewall.@rule[6].family='ipv6'
  174. firewall.@rule[6].target='ACCEPT'
  175. firewall.@rule[7]=rule
  176. firewall.@rule[7].name='Allow-IPSec-ESP'
  177. firewall.@rule[7].src='wan'
  178. firewall.@rule[7].dest='lan'
  179. firewall.@rule[7].proto='esp'
  180. firewall.@rule[7].target='ACCEPT'
  181. firewall.@rule[8]=rule
  182. firewall.@rule[8].name='Allow-ISAKMP'
  183. firewall.@rule[8].src='wan'
  184. firewall.@rule[8].dest='lan'
  185. firewall.@rule[8].dest_port='500'
  186. firewall.@rule[8].proto='udp'
  187. firewall.@rule[8].target='ACCEPT'
  188. firewall.@rule[9]=rule
  189. firewall.@rule[9].name='Support-UDP-Traceroute'
  190. firewall.@rule[9].src='wan'
  191. firewall.@rule[9].dest_port='33434:33689'
  192. firewall.@rule[9].proto='udp'
  193. firewall.@rule[9].family='ipv4'
  194. firewall.@rule[9].target='REJECT'
  195. firewall.@rule[9].enabled='0'
  196. firewall.@include[0]=include
  197. firewall.@include[0].path='/etc/firewall.user'
  198. firewall.@rule[10]=rule
  199. firewall.@rule[10].dest_port='80'
  200. firewall.@rule[10].src='wan'
  201. firewall.@rule[10].name='Allow-Web-WAN'
  202. firewall.@rule[10].target='ACCEPT'
  203. firewall.@rule[11]=rule
  204. firewall.@rule[11].dest_port='443'
  205. firewall.@rule[11].src='wan'
  206. firewall.@rule[11].name='Allow-SSL-WAN'
  207. firewall.@rule[11].target='ACCEPT'
  208. firewall.@rule[12]=rule
  209. firewall.@rule[12].dest_port='22'
  210. firewall.@rule[12].src='wan'
  211. firewall.@rule[12].name='Allow-SSH-WAN'
  212. firewall.@rule[12].target='ACCEPT'
  213. firewall.@zone[4]=zone
  214. firewall.@zone[4].name='wifi1'
  215. firewall.@zone[4].input='ACCEPT'
  216. firewall.@zone[4].output='ACCEPT'
  217. firewall.@zone[4].forward='ACCEPT'
  218. firewall.@zone[4].network='wifi1'
  219. firewall.@forwarding[1]=forwarding
  220. firewall.@forwarding[1].src='wifi2'
  221. firewall.@forwarding[1].dest='wan'
  222. firewall.@zone[5]=zone
  223. firewall.@zone[5].name='wg0'
  224. firewall.@zone[5].input='REJECT'
  225. firewall.@zone[5].output='ACCEPT'
  226. firewall.@zone[5].forward='REJECT'
  227. firewall.@zone[5].network='wg0'
  228. firewall.@zone[5].masq='1'
  229. firewall.@zone[5].mtu_fix='1'
  230. firewall.@forwarding[2]=forwarding
  231. firewall.@forwarding[2].src='wifi1'
  232. firewall.@forwarding[2].dest='wg0'
  233. firewall.@forwarding[3]=forwarding
  234. firewall.@forwarding[3].src='wifi1a'
  235. firewall.@forwarding[3].dest='wan'
  236. dhcp.@dnsmasq[0]=dnsmasq
  237. dhcp.@dnsmasq[0].domainneeded='1'
  238. dhcp.@dnsmasq[0].boguspriv='1'
  239. dhcp.@dnsmasq[0].filterwin2k='0'
  240. dhcp.@dnsmasq[0].localise_queries='1'
  241. dhcp.@dnsmasq[0].rebind_protection='1'
  242. dhcp.@dnsmasq[0].rebind_localhost='1'
  243. dhcp.@dnsmasq[0].local='/lan/'
  244. dhcp.@dnsmasq[0].domain='lan'
  245. dhcp.@dnsmasq[0].expandhosts='1'
  246. dhcp.@dnsmasq[0].nonegcache='0'
  247. dhcp.@dnsmasq[0].authoritative='1'
  248. dhcp.@dnsmasq[0].readethers='1'
  249. dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
  250. dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
  251. dhcp.@dnsmasq[0].nonwildcard='1'
  252. dhcp.@dnsmasq[0].localservice='1'
  253. dhcp.@dnsmasq[0].ednspacket_max='1232'
  254. dhcp.lan=dhcp
  255. dhcp.lan.interface='lan'
  256. dhcp.lan.start='100'
  257. dhcp.lan.limit='150'
  258. dhcp.lan.leasetime='12h'
  259. dhcp.lan.dhcpv4='server'
  260. dhcp.lan.dhcpv6='server'
  261. dhcp.lan.ra='server'
  262. dhcp.lan.ra_slaac='1'
  263. dhcp.lan.ra_flags='managed-config' 'other-config'
  264. dhcp.wan=dhcp
  265. dhcp.wan.interface='wan'
  266. dhcp.wan.ignore='1'
  267. dhcp.odhcpd=odhcpd
  268. dhcp.odhcpd.maindhcp='0'
  269. dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
  270. dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
  271. dhcp.odhcpd.loglevel='4'
  272. dhcp.wifi1=dhcp
  273. dhcp.wifi1.interface='wifi1'
  274. dhcp.wifi1.start='100'
  275. dhcp.wifi1.limit='150'
  276. dhcp.wifi1.leasetime='12h'
  277. dhcp.wifi2=dhcp
  278. dhcp.wifi2.interface='wifi2'
  279. dhcp.wifi2.start='100'
  280. dhcp.wifi2.limit='150'
  281. dhcp.wifi2.leasetime='12h'
  282. dhcp.wifi1a=dhcp
  283. dhcp.wifi1a.interface='wifi1a'
  284. dhcp.wifi1a.start='100'
  285. dhcp.wifi1a.limit='150'
  286. dhcp.wifi1a.leasetime='12h'
  287. vpn-policy-routing.config=vpn-policy-routing
  288. vpn-policy-routing.config.verbosity='2'
  289. vpn-policy-routing.config.strict_enforcement='1'
  290. vpn-policy-routing.config.src_ipset='0'
  291. vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
  292. vpn-policy-routing.config.ipv6_enabled='0'
  293. vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
  294. vpn-policy-routing.config.boot_timeout='30'
  295. vpn-policy-routing.config.iptables_rule_option='append'
  296. vpn-policy-routing.config.procd_reload_delay='1'
  297. vpn-policy-routing.config.webui_chain_column='0'
  298. vpn-policy-routing.config.webui_show_ignore_target='0'
  299. vpn-policy-routing.config.webui_sorting='1'
  300. vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
  301. vpn-policy-routing.config.enabled='1'
  302. vpn-policy-routing.config.webui_enable_column='1'
  303. vpn-policy-routing.config.webui_protocol_column='1'
  304. vpn-policy-routing.@include[0]=include
  305. vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
  306. vpn-policy-routing.@include[0].enabled='0'
  307. vpn-policy-routing.@include[1]=include
  308. vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
  309. vpn-policy-routing.@include[1].enabled='0'
  310. vpn-policy-routing.lan_vpn=policy
  311. vpn-policy-routing.lan_vpn.interface='wg0'
  312. vpn-policy-routing.lan_vpn.src_addr='192.168.10.0/24'
  313. vpn-policy-routing.lan_vpn.dest_addr='!192.168.10.0/24'
  314. vpn-policy-routing 0.3.2-18 running on OpenWrt SNAPSHOT.
  315. ============================================================
  316. Dnsmasq version 2.84 Copyright (c) 2000-2021 Simon Kelley
  317. Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
  318. ============================================================
  319. Routes/IP Rules
  320. default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0.2
  321.  
  322. IPv4 Table 201: default via 192.168.0.1 dev eth0.2
  323. 192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
  324. 192.168.30.0/24 dev br-wifi2 proto kernel scope link src 192.168.30.1
  325. IPv4 Table 201 Rules:
  326. 32765: from all fwmark 0x10000/0xff0000 lookup wan
  327.  
  328. IPv4 Table 202: default via 10.0.0.16 dev wg0
  329. 192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
  330. 192.168.10.0/24 dev br-wifi1 proto kernel scope link src 192.168.10.1
  331. 192.168.30.0/24 dev br-wifi2 proto kernel scope link src 192.168.30.1
  332. IPv4 Table 202 Rules:
  333. 32764: from all fwmark 0x20000/0xff0000 lookup wg0
  334. ============================================================
  335. Mangle IP Table: PREROUTING
  336. -N VPR_PREROUTING
  337. -A VPR_PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -m comment --comment blank -c 956 74439 -g VPR_MARK0x020000
  338. ============================================================
  339. Mangle IP Table MARK Chain: VPR_MARK0x010000
  340. -N VPR_MARK0x010000
  341. -A VPR_MARK0x010000 -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
  342. -A VPR_MARK0x010000 -c 0 0 -j RETURN
  343. ============================================================
  344. Mangle IP Table MARK Chain: VPR_MARK0x020000
  345. -N VPR_MARK0x020000
  346. ============================================================
  347. Current ipsets
  348. ============================================================
  349. Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
  350. interface: wg0
  351. public key: VkNmuLHORx3+cuBR4cZnOoZ++nnh8JXI6Il9nLYgGkQ=
  352. private key: (hidden)
  353. listening port: 60506
  354.  
  355. peer: AIO7f10s+pBSiMmsZ+PvhWPI8glDXeMt5VAP37b8um4=
  356. endpoint: 95.90.25.9:51821
  357. allowed ips: 0.0.0.0/0, ::/0
  358. latest handshake: 2 minutes, 51 seconds ago
  359. transfer: 4.57 KiB received, 2.67 KiB sent
  360. persistent keepalive: every 25 seconds
  361. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  362. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  363. inet 127.0.0.1/8 scope host lo
  364. valid_lft forever preferred_lft forever
  365. inet6 ::1/128 scope host
  366. valid_lft forever preferred_lft forever
  367. 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
  368. link/ether 80:3f:5d:bc:fa:e3 brd ff:ff:ff:ff:ff:ff
  369. inet6 fe80::823f:5dff:febc:fae3/64 scope link
  370. valid_lft forever preferred_lft forever
  371. 6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  372. link/ether 80:3f:5d:bc:fa:e3 brd ff:ff:ff:ff:ff:ff
  373. inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
  374. valid_lft forever preferred_lft forever
  375. inet6 fdb6:1936:f34c::1/60 scope global noprefixroute
  376. valid_lft forever preferred_lft forever
  377. inet6 fe80::823f:5dff:febc:fae3/64 scope link
  378. valid_lft forever preferred_lft forever
  379. 7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
  380. link/ether 80:3f:5d:bc:fa:e3 brd ff:ff:ff:ff:ff:ff
  381. 8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  382. link/ether 80:3f:5d:bc:fa:e4 brd ff:ff:ff:ff:ff:ff
  383. inet 192.168.0.171/24 brd 192.168.0.255 scope global eth0.2
  384. valid_lft forever preferred_lft forever
  385. inet6 2a02:810a:900:2390:823f:5dff:febc:fae4/64 scope global dynamic noprefixroute
  386. valid_lft 7126sec preferred_lft 3526sec
  387. inet6 fe80::823f:5dff:febc:fae4/64 scope link
  388. valid_lft forever preferred_lft forever
  389. 9: br-wifi1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  390. link/ether 80:3f:5d:bc:fa:e5 brd ff:ff:ff:ff:ff:ff
  391. inet 192.168.10.1/24 brd 192.168.10.255 scope global br-wifi1
  392. valid_lft forever preferred_lft forever
  393. inet6 fe80::823f:5dff:febc:fae5/64 scope link
  394. valid_lft forever preferred_lft forever
  395. 10: br-wifi2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  396. link/ether 80:3f:5d:bc:fa:e6 brd ff:ff:ff:ff:ff:ff
  397. inet 192.168.30.1/24 brd 192.168.30.255 scope global br-wifi2
  398. valid_lft forever preferred_lft forever
  399. inet6 fe80::823f:5dff:febc:fae6/64 scope link
  400. valid_lft forever preferred_lft forever
  401. 11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
  402. link/none
  403. inet 10.0.0.16/32 brd 255.255.255.255 scope global wg0
  404. valid_lft forever preferred_lft forever
  405. 12: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-wifi1 state UP group default qlen 1000
  406. link/ether 80:3f:5d:bc:fa:e5 brd ff:ff:ff:ff:ff:ff
  407. inet6 fe80::823f:5dff:febc:fae5/64 scope link
  408. valid_lft forever preferred_lft forever
  409. 13: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-wifi2 state UP group default qlen 1000
  410. link/ether 80:3f:5d:bc:fa:e6 brd ff:ff:ff:ff:ff:ff
  411. inet6 fe80::823f:5dff:febc:fae6/64 scope link
  412. valid_lft forever preferred_lft forever
  413. default via 192.168.0.1 dev eth0.2 table wan
  414. 192.168.1.0/24 dev br-lan table wan proto kernel scope link src 192.168.1.1
  415. 192.168.30.0/24 dev br-wifi2 table wan proto kernel scope link src 192.168.30.1
  416. default via 10.0.0.16 dev wg0 table wg0
  417. 192.168.1.0/24 dev br-lan table wg0 proto kernel scope link src 192.168.1.1
  418. 192.168.10.0/24 dev br-wifi1 table wg0 proto kernel scope link src 192.168.10.1
  419. 192.168.30.0/24 dev br-wifi2 table wg0 proto kernel scope link src 192.168.30.1
  420. default via 192.168.0.1 dev eth0.2 proto static src 192.168.0.171
  421. 95.90.25.9 via 192.168.0.1 dev eth0.2 proto static
  422. 192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.171
  423. 192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
  424. 192.168.10.0/24 dev br-wifi1 proto kernel scope link src 192.168.10.1
  425. 192.168.30.0/24 dev br-wifi2 proto kernel scope link src 192.168.30.1
  426. local 10.0.0.16 dev wg0 table local proto kernel scope host src 10.0.0.16
  427. broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
  428. local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
  429. local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
  430. broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
  431. broadcast 192.168.0.0 dev eth0.2 table local proto kernel scope link src 192.168.0.171
  432. local 192.168.0.171 dev eth0.2 table local proto kernel scope host src 192.168.0.171
  433. broadcast 192.168.0.255 dev eth0.2 table local proto kernel scope link src 192.168.0.171
  434. broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
  435. local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
  436. broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
  437. broadcast 192.168.10.0 dev br-wifi1 table local proto kernel scope link src 192.168.10.1
  438. local 192.168.10.1 dev br-wifi1 table local proto kernel scope host src 192.168.10.1
  439. broadcast 192.168.10.255 dev br-wifi1 table local proto kernel scope link src 192.168.10.1
  440. broadcast 192.168.30.0 dev br-wifi2 table local proto kernel scope link src 192.168.30.1
  441. local 192.168.30.1 dev br-wifi2 table local proto kernel scope host src 192.168.30.1
  442. broadcast 192.168.30.255 dev br-wifi2 table local proto kernel scope link src 192.168.30.1
  443. default from 2a02:810a:900:2390::/64 via fe80::ca0e:14ff:fedd:5e4 dev eth0.2 proto static metric 512 pref medium
  444. 2a02:810a:900:2390::/64 dev eth0.2 proto static metric 256 pref medium
  445. 2a02:810a:900:2390::/64 via fe80::ca0e:14ff:fedd:5e4 dev eth0.2 proto static metric 512 pref medium
  446. unreachable 2a02:810a:900:2390::/64 dev lo proto static metric 2147483647 pref medium
  447. fdb6:1936:f34c::/64 dev br-lan proto static metric 1024 pref medium
  448. unreachable fdb6:1936:f34c::/48 dev lo proto static metric 2147483647 pref medium
  449. fe80::/64 dev eth0 proto kernel metric 256 pref medium
  450. fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
  451. fe80::/64 dev br-lan proto kernel metric 256 pref medium
  452. fe80::/64 dev br-wifi2 proto kernel metric 256 pref medium
  453. fe80::/64 dev wlan1 proto kernel metric 256 pref medium
  454. fe80::/64 dev wlan0 proto kernel metric 256 pref medium
  455. fe80::/64 dev br-wifi1 proto kernel metric 256 pref medium
  456. local ::1 dev lo table local proto kernel metric 0 pref medium
  457. anycast 2a02:810a:900:2390:: dev eth0.2 table local proto kernel metric 0 pref medium
  458. local 2a02:810a:900:2390:823f:5dff:febc:fae4 dev eth0.2 table local proto kernel metric 0 pref medium
  459. anycast fdb6:1936:f34c:: dev br-lan table local proto kernel metric 0 pref medium
  460. local fdb6:1936:f34c::1 dev br-lan table local proto kernel metric 0 pref medium
  461. anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
  462. anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
  463. anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
  464. anycast fe80:: dev br-wifi2 table local proto kernel metric 0 pref medium
  465. anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
  466. anycast fe80:: dev br-wifi1 table local proto kernel metric 0 pref medium
  467. anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
  468. local fe80::823f:5dff:febc:fae3 dev eth0 table local proto kernel metric 0 pref medium
  469. local fe80::823f:5dff:febc:fae3 dev br-lan table local proto kernel metric 0 pref medium
  470. local fe80::823f:5dff:febc:fae4 dev eth0.2 table local proto kernel metric 0 pref medium
  471. local fe80::823f:5dff:febc:fae5 dev br-wifi1 table local proto kernel metric 0 pref medium
  472. local fe80::823f:5dff:febc:fae5 dev wlan0 table local proto kernel metric 0 pref medium
  473. local fe80::823f:5dff:febc:fae6 dev br-wifi2 table local proto kernel metric 0 pref medium
  474. local fe80::823f:5dff:febc:fae6 dev wlan1 table local proto kernel metric 0 pref medium
  475. multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
  476. multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
  477. multicast ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
  478. multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
  479. multicast ff00::/8 dev br-wifi2 table local proto kernel metric 256 pref medium
  480. multicast ff00::/8 dev wlan1 table local proto kernel metric 256 pref medium
  481. multicast ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium
  482. multicast ff00::/8 dev br-wifi1 table local proto kernel metric 256 pref medium
  483. 0: from all lookup local
  484. 32764: from all fwmark 0x20000/0xff0000 lookup wg0
  485. 32765: from all fwmark 0x10000/0xff0000 lookup wan
  486. 32766: from all lookup main
  487. 32767: from all lookup default
  488. # Generated by iptables-save v1.8.7 on Sun Mar 7 10:23:02 2021
  489. *nat
  490. :PREROUTING ACCEPT [2284:264471]
  491. :INPUT ACCEPT [83:6483]
  492. :OUTPUT ACCEPT [221:17336]
  493. :POSTROUTING ACCEPT [884:37344]
  494. :postrouting_lan_rule - [0:0]
  495. :postrouting_rule - [0:0]
  496. :postrouting_wan_rule - [0:0]
  497. :postrouting_wg0_rule - [0:0]
  498. :postrouting_wifi1_rule - [0:0]
  499. :postrouting_wifi1a_rule - [0:0]
  500. :postrouting_wifi2_rule - [0:0]
  501. :prerouting_lan_rule - [0:0]
  502. :prerouting_rule - [0:0]
  503. :prerouting_wan_rule - [0:0]
  504. :prerouting_wg0_rule - [0:0]
  505. :prerouting_wifi1_rule - [0:0]
  506. :prerouting_wifi1a_rule - [0:0]
  507. :prerouting_wifi2_rule - [0:0]
  508. :zone_lan_postrouting - [0:0]
  509. :zone_lan_prerouting - [0:0]
  510. :zone_wan_postrouting - [0:0]
  511. :zone_wan_prerouting - [0:0]
  512. :zone_wg0_postrouting - [0:0]
  513. :zone_wg0_prerouting - [0:0]
  514. :zone_wifi1_postrouting - [0:0]
  515. :zone_wifi1_prerouting - [0:0]
  516. :zone_wifi1a_postrouting - [0:0]
  517. :zone_wifi1a_prerouting - [0:0]
  518. :zone_wifi2_postrouting - [0:0]
  519. :zone_wifi2_prerouting - [0:0]
  520. -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
  521. -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
  522. -A PREROUTING -i br-wifi1a -m comment --comment "!fw3" -j zone_wifi1a_prerouting
  523. -A PREROUTING -i br-wifi2 -m comment --comment "!fw3" -j zone_wifi2_prerouting
  524. -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
  525. -A PREROUTING -i br-wifi1 -m comment --comment "!fw3" -j zone_wifi1_prerouting
  526. -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg0_prerouting
  527. -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
  528. -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
  529. -A POSTROUTING -o br-wifi1a -m comment --comment "!fw3" -j zone_wifi1a_postrouting
  530. -A POSTROUTING -o br-wifi2 -m comment --comment "!fw3" -j zone_wifi2_postrouting
  531. -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
  532. -A POSTROUTING -o br-wifi1 -m comment --comment "!fw3" -j zone_wifi1_postrouting
  533. -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg0_postrouting
  534. -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
  535. -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
  536. -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
  537. -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
  538. -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
  539. -A zone_wg0_postrouting -m comment --comment "!fw3: Custom wg0 postrouting rule chain" -j postrouting_wg0_rule
  540. -A zone_wg0_postrouting -m comment --comment "!fw3" -j MASQUERADE
  541. -A zone_wg0_prerouting -m comment --comment "!fw3: Custom wg0 prerouting rule chain" -j prerouting_wg0_rule
  542. -A zone_wifi1_postrouting -m comment --comment "!fw3: Custom wifi1 postrouting rule chain" -j postrouting_wifi1_rule
  543. -A zone_wifi1_prerouting -m comment --comment "!fw3: Custom wifi1 prerouting rule chain" -j prerouting_wifi1_rule
  544. -A zone_wifi1a_postrouting -m comment --comment "!fw3: Custom wifi1a postrouting rule chain" -j postrouting_wifi1a_rule
  545. -A zone_wifi1a_prerouting -m comment --comment "!fw3: Custom wifi1a prerouting rule chain" -j prerouting_wifi1a_rule
  546. -A zone_wifi2_postrouting -m comment --comment "!fw3: Custom wifi2 postrouting rule chain" -j postrouting_wifi2_rule
  547. -A zone_wifi2_prerouting -m comment --comment "!fw3: Custom wifi2 prerouting rule chain" -j prerouting_wifi2_rule
  548. COMMIT
  549. # Completed on Sun Mar 7 10:23:02 2021
  550. # Generated by iptables-save v1.8.7 on Sun Mar 7 10:23:02 2021
  551. *mangle
  552. :PREROUTING ACCEPT [4305:526704]
  553. :INPUT ACCEPT [2425:316452]
  554. :FORWARD ACCEPT [846:43992]
  555. :OUTPUT ACCEPT [3201:1292765]
  556. :POSTROUTING ACCEPT [3200:1292725]
  557. :VPR_MARK0x010000 - [0:0]
  558. :VPR_MARK0x020000 - [0:0]
  559. :VPR_PREROUTING - [0:0]
  560. -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
  561. -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  562. -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  563. -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg0 MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  564. -A FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg0 MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
  565. -A VPR_MARK0x010000 -j MARK --set-xmark 0x10000/0xff0000
  566. -A VPR_MARK0x010000 -j RETURN
  567. -A VPR_PREROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -m comment --comment blank -g VPR_MARK0x020000
  568. COMMIT
  569. # Completed on Sun Mar 7 10:23:02 2021
  570. # Generated by iptables-save v1.8.7 on Sun Mar 7 10:23:02 2021
  571. *filter
  # Default policies: FORWARD drops anything no zone chain accepted below; INPUT and
  # OUTPUT default to ACCEPT, so traffic to/from the router itself is only as tight as
  # the per-interface zone_*_input / zone_*_output chains that INPUT and OUTPUT jump to.
  572. :INPUT ACCEPT [0:0]
  573. :FORWARD DROP [0:0]
  574. :OUTPUT ACCEPT [0:0]
  575. :forwarding_lan_rule - [0:0]
  576. :forwarding_rule - [0:0]
  577. :forwarding_wan_rule - [0:0]
  578. :forwarding_wg0_rule - [0:0]
  579. :forwarding_wifi1_rule - [0:0]
  580. :forwarding_wifi1a_rule - [0:0]
  581. :forwarding_wifi2_rule - [0:0]
  582. :input_lan_rule - [0:0]
  583. :input_rule - [0:0]
  584. :input_wan_rule - [0:0]
  585. :input_wg0_rule - [0:0]
  586. :input_wifi1_rule - [0:0]
  587. :input_wifi1a_rule - [0:0]
  588. :input_wifi2_rule - [0:0]
  589. :output_lan_rule - [0:0]
  590. :output_rule - [0:0]
  591. :output_wan_rule - [0:0]
  592. :output_wg0_rule - [0:0]
  593. :output_wifi1_rule - [0:0]
  594. :output_wifi1a_rule - [0:0]
  595. :output_wifi2_rule - [0:0]
  596. :reject - [0:0]
  597. :syn_flood - [0:0]
  598. :zone_lan_dest_ACCEPT - [0:0]
  599. :zone_lan_forward - [0:0]
  600. :zone_lan_input - [0:0]
  601. :zone_lan_output - [0:0]
  602. :zone_lan_src_ACCEPT - [0:0]
  603. :zone_wan_dest_ACCEPT - [0:0]
  604. :zone_wan_dest_REJECT - [0:0]
  605. :zone_wan_forward - [0:0]
  606. :zone_wan_input - [0:0]
  607. :zone_wan_output - [0:0]
  608. :zone_wan_src_REJECT - [0:0]
  609. :zone_wg0_dest_ACCEPT - [0:0]
  610. :zone_wg0_dest_REJECT - [0:0]
  611. :zone_wg0_forward - [0:0]
  612. :zone_wg0_input - [0:0]
  613. :zone_wg0_output - [0:0]
  614. :zone_wg0_src_REJECT - [0:0]
  615. :zone_wifi1_dest_ACCEPT - [0:0]
  616. :zone_wifi1_forward - [0:0]
  617. :zone_wifi1_input - [0:0]
  618. :zone_wifi1_output - [0:0]
  619. :zone_wifi1_src_ACCEPT - [0:0]
  620. :zone_wifi1a_dest_ACCEPT - [0:0]
  621. :zone_wifi1a_dest_REJECT - [0:0]
  622. :zone_wifi1a_forward - [0:0]
  623. :zone_wifi1a_input - [0:0]
  624. :zone_wifi1a_output - [0:0]
  625. :zone_wifi1a_src_ACCEPT - [0:0]
  626. :zone_wifi2_dest_ACCEPT - [0:0]
  627. :zone_wifi2_forward - [0:0]
  628. :zone_wifi2_input - [0:0]
  629. :zone_wifi2_output - [0:0]
  630. :zone_wifi2_src_ACCEPT - [0:0]
  # INPUT dispatch: loopback and established flows first, then new TCP SYNs pass through
  # the syn_flood limiter before each ingress interface is handed to its zone input chain.
  631. -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
  632. -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
  633. -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  634. -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
  635. -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
  636. -A INPUT -i br-wifi1a -m comment --comment "!fw3" -j zone_wifi1a_input
  637. -A INPUT -i br-wifi2 -m comment --comment "!fw3" -j zone_wifi2_input
  638. -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
  639. -A INPUT -i br-wifi1 -m comment --comment "!fw3" -j zone_wifi1_input
  640. -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg0_input
  # FORWARD dispatch: anything a zone forward chain returns without a verdict falls to the
  # final "reject" jump, so every inter-zone path has to be opened explicitly below.
  641. -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
  642. -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  643. -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
  644. -A FORWARD -i br-wifi1a -m comment --comment "!fw3" -j zone_wifi1a_forward
  645. -A FORWARD -i br-wifi2 -m comment --comment "!fw3" -j zone_wifi2_forward
  646. -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
  647. -A FORWARD -i br-wifi1 -m comment --comment "!fw3" -j zone_wifi1_forward
  648. -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg0_forward
  649. -A FORWARD -m comment --comment "!fw3" -j reject
  650. -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
  651. -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
  652. -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
  653. -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
  654. -A OUTPUT -o br-wifi1a -m comment --comment "!fw3" -j zone_wifi1a_output
  655. -A OUTPUT -o br-wifi2 -m comment --comment "!fw3" -j zone_wifi2_output
  656. -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
  657. -A OUTPUT -o br-wifi1 -m comment --comment "!fw3" -j zone_wifi1_output
  658. -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg0_output
  # reject: TCP gets an RST, everything else an ICMP port-unreachable.
  659. -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
  660. -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
  # syn_flood: new TCP SYNs above 25/s (burst 50) are dropped; those within the limit
  # return to INPUT for normal zone processing.
  661. -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
  662. -A syn_flood -m comment --comment "!fw3" -j DROP
  # lan zone: may forward to wan and to lan itself; lan has no path to wg0 here.
  663. -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
  664. -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
  665. -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
  666. -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  667. -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  668. -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
  669. -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  670. -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
  671. -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
  672. -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
  673. -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  # wan zone: forwarded traffic leaving via eth0.2 in conntrack state INVALID is dropped
  # before the accept, so untracked packets cannot slip out unmasqueraded.
  674. -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  675. -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
  676. -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
  677. -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
  # Allow-IPSec-ESP / Allow-ISAKMP pass unsolicited esp and udp/500 from wan into the
  # lan zone. NOTE(review): only needed if a lan host terminates IPsec; otherwise these
  # two inbound openings can be removed.
  678. -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
  679. -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
  680. -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  681. -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
  682. -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
  683. -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
  684. -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
  685. -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
  # NOTE(review): the six rules below accept NEW connections from the wan side
  # (eth0.2 -> zone_wan_input) to the router itself on tcp and udp 80, 443 and 22 —
  # i.e. whatever web UI and SSH daemon listen there are reachable from the upstream
  # network. Keep only if remote management from wan is intended, and prefer adding a
  # trusted source range (-s) to each rule. The udp variants match nothing useful unless
  # a UDP listener is actually bound to those ports.
  686. -A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Allow-Web-WAN" -j ACCEPT
  687. -A zone_wan_input -p udp -m udp --dport 80 -m comment --comment "!fw3: Allow-Web-WAN" -j ACCEPT
  688. -A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-SSL-WAN" -j ACCEPT
  689. -A zone_wan_input -p udp -m udp --dport 443 -m comment --comment "!fw3: Allow-SSL-WAN" -j ACCEPT
  690. -A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Allow-SSH-WAN" -j ACCEPT
  691. -A zone_wan_input -p udp -m udp --dport 22 -m comment --comment "!fw3: Allow-SSH-WAN" -j ACCEPT
  692. -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  693. -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
  694. -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
  695. -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
  696. -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
  # wg0 zone: nothing arriving over the tunnel may open connections to the router
  # (zone_wg0_src_REJECT) or through it (zone_wg0_dest_REJECT); only replies and
  # explicit DNAT port forwards pass.
  697. -A zone_wg0_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
  698. -A zone_wg0_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
  699. -A zone_wg0_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
  700. -A zone_wg0_forward -m comment --comment "!fw3: Custom wg0 forwarding rule chain" -j forwarding_wg0_rule
  701. -A zone_wg0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  702. -A zone_wg0_forward -m comment --comment "!fw3" -j zone_wg0_dest_REJECT
  703. -A zone_wg0_input -m comment --comment "!fw3: Custom wg0 input rule chain" -j input_wg0_rule
  704. -A zone_wg0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  705. -A zone_wg0_input -m comment --comment "!fw3" -j zone_wg0_src_REJECT
  706. -A zone_wg0_output -m comment --comment "!fw3: Custom wg0 output rule chain" -j output_wg0_rule
  707. -A zone_wg0_output -m comment --comment "!fw3" -j zone_wg0_dest_ACCEPT
  708. -A zone_wg0_src_REJECT -i wg0 -m comment --comment "!fw3" -j reject
  # wifi1 zone: new connections from wifi1 clients may leave only via wg0 (or stay within
  # wifi1); there is no wifi1 -> wan path in this table, so tunnel bypass is blocked at
  # the filter level as well as by routing.
  709. -A zone_wifi1_dest_ACCEPT -o br-wifi1 -m comment --comment "!fw3" -j ACCEPT
  710. -A zone_wifi1_forward -m comment --comment "!fw3: Custom wifi1 forwarding rule chain" -j forwarding_wifi1_rule
  711. -A zone_wifi1_forward -m comment --comment "!fw3: Zone wifi1 to wg0 forwarding policy" -j zone_wg0_dest_ACCEPT
  712. -A zone_wifi1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  713. -A zone_wifi1_forward -m comment --comment "!fw3" -j zone_wifi1_dest_ACCEPT
  714. -A zone_wifi1_input -m comment --comment "!fw3: Custom wifi1 input rule chain" -j input_wifi1_rule
  715. -A zone_wifi1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  716. -A zone_wifi1_input -m comment --comment "!fw3" -j zone_wifi1_src_ACCEPT
  717. -A zone_wifi1_output -m comment --comment "!fw3: Custom wifi1 output rule chain" -j output_wifi1_rule
  718. -A zone_wifi1_output -m comment --comment "!fw3" -j zone_wifi1_dest_ACCEPT
  719. -A zone_wifi1_src_ACCEPT -i br-wifi1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  # wifi1a and wifi2 zones: forward to wan only; neither can reach lan, wifi1 or wg0.
  # wifi1a additionally rejects forwarding back into its own bridge (zone_wifi1a_dest_REJECT),
  # whereas wifi2 accepts intra-zone forwarding.
  720. -A zone_wifi1a_dest_ACCEPT -o br-wifi1a -m comment --comment "!fw3" -j ACCEPT
  721. -A zone_wifi1a_dest_REJECT -o br-wifi1a -m comment --comment "!fw3" -j reject
  722. -A zone_wifi1a_forward -m comment --comment "!fw3: Custom wifi1a forwarding rule chain" -j forwarding_wifi1a_rule
  723. -A zone_wifi1a_forward -m comment --comment "!fw3: Zone wifi1a to wan forwarding policy" -j zone_wan_dest_ACCEPT
  724. -A zone_wifi1a_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  725. -A zone_wifi1a_forward -m comment --comment "!fw3" -j zone_wifi1a_dest_REJECT
  726. -A zone_wifi1a_input -m comment --comment "!fw3: Custom wifi1a input rule chain" -j input_wifi1a_rule
  727. -A zone_wifi1a_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  728. -A zone_wifi1a_input -m comment --comment "!fw3" -j zone_wifi1a_src_ACCEPT
  729. -A zone_wifi1a_output -m comment --comment "!fw3: Custom wifi1a output rule chain" -j output_wifi1a_rule
  730. -A zone_wifi1a_output -m comment --comment "!fw3" -j zone_wifi1a_dest_ACCEPT
  731. -A zone_wifi1a_src_ACCEPT -i br-wifi1a -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  732. -A zone_wifi2_dest_ACCEPT -o br-wifi2 -m comment --comment "!fw3" -j ACCEPT
  733. -A zone_wifi2_forward -m comment --comment "!fw3: Custom wifi2 forwarding rule chain" -j forwarding_wifi2_rule
  734. -A zone_wifi2_forward -m comment --comment "!fw3: Zone wifi2 to wan forwarding policy" -j zone_wan_dest_ACCEPT
  735. -A zone_wifi2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
  736. -A zone_wifi2_forward -m comment --comment "!fw3" -j zone_wifi2_dest_ACCEPT
  737. -A zone_wifi2_input -m comment --comment "!fw3: Custom wifi2 input rule chain" -j input_wifi2_rule
  738. -A zone_wifi2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
  739. -A zone_wifi2_input -m comment --comment "!fw3" -j zone_wifi2_src_ACCEPT
  740. -A zone_wifi2_output -m comment --comment "!fw3: Custom wifi2 output rule chain" -j output_wifi2_rule
  741. -A zone_wifi2_output -m comment --comment "!fw3" -j zone_wifi2_dest_ACCEPT
  742. -A zone_wifi2_src_ACCEPT -i br-wifi2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
  743. COMMIT
  744. # Completed on Sun Mar 7 10:23:02 2021
  745. ==> /etc/resolv.conf <==
  746. search lan
  747. nameserver 127.0.0.1
  748. nameserver ::1
  749.  
  750. ==> /tmp/resolv.conf <==
  751. search lan
  752. nameserver 127.0.0.1
  753. nameserver ::1
  754.  
  755. ==> /tmp/resolv.conf.d <==
  756. head: /tmp/resolv.conf.d: I/O error
  757.  
  758. ==> /tmp/resolv.conf.d/resolv.conf.auto <==
  759. # Interface wan
  760. nameserver 192.168.0.1
  761. search fritz.box
  762. # Interface wan6
  763. nameserver fd00::ca0e:14ff:fedd:5e4