  1. ###
  2. ### uci config
  3. ###
  # OpenWrt firewall configuration in UCI syntax. The "nftables ruleset"
  # section further down is the fw4 rendering of this file: every generated
  # rule carries a "!fw4: <name>" comment that points back at a section here.
  # The comments below are review observations from comparing the two halves;
  # option values are left exactly as pasted.
  4.  
  5. config defaults
  # Policy for traffic that no zone claims: accept to/from the router, reject
  # forwarding. syn_flood/synflood_rate become the syn_flood chain in the
  # rendering (limit rate 55/second, burst 50 packets).
  6. option input 'ACCEPT'
  7. option output 'ACCEPT'
  8. option forward 'REJECT'
  9. option syn_flood '1'
  10. option synflood_rate '55/s'
  11. option synflood_protect '1'
  12.  
  13. config zone
  14. option name 'lan'
  15. option input 'ACCEPT'
  16. option output 'ACCEPT'
  17. option forward 'ACCEPT'
  # Only "br-lan" shows up in the rendered lan chains; the "vpn" network
  # presumably had no device at render time, so traffic on it would be
  # handled by the defaults section (input/output ACCEPT) rather than by this
  # zone -- verify the interface state.
  18. option network 'lan vpn'
  19.  
  20. config zone
  21. option name 'wan'
  # REJECT rather than DROP: the router answers unsolicited probes with a TCP
  # reset / ICMP port-unreachable (see handle_reject in the rendering).
  22. option input 'REJECT'
  23. option output 'ACCEPT'
  24. option forward 'REJECT'
  25. option masq '1'
  # mtu_fix renders as the MSS clamping rules in mangle_forward.
  26. option mtu_fix '1'
  # masq_allow_invalid suppresses the "ct state invalid drop" rule normally
  # emitted for a masquerading zone. The rendered ruleset indeed contains no
  # such drop, so conntrack-invalid packets fall through to the reject path
  # instead of being discarded silently.
  27. option masq_allow_invalid '1'
  28. option network 'wan wan6'
  # log 0: rejected wan traffic is never logged, so this zone produces no
  # syslog evidence for detection or incident review.
  29. option log 0
  30.  
  31. config zone
  32. option name 'foo'
  33. option input 'ACCEPT'
  34. option output 'ACCEPT'
  35. option forward 'ACCEPT'
  # extra_src/extra_dest are iptables-era options that fw4 does not carry
  # over: no iifname/oifname "foo" match appears anywhere in the rendering.
  # Zone foo is matched purely by subnet (ip saddr/daddr 192.168.123.0/24).
  36. option extra_src '-i foo'
  37. option extra_dest '-o foo'
  # Host address with a /24 mask; fw4 normalised it to 192.168.123.0/24.
  38. option subnet '192.168.123.123/24'
  # No "wg" device appears in the rendering, which is presumably why the
  # subnet fallback is in effect -- confirm the interface state.
  39. option network 'wg'
  40.  
  41. config forwarding
  42. option src 'lan'
  43. option dest 'wan'
  44.  
  45. config rule
  46. option name 'Allow-DHCP-Renew'
  47. option src 'wan'
  48. option proto 'udp'
  49. option dest_port '68'
  50. option target 'ACCEPT'
  51. option family 'ipv4'
  52.  
  53. config rule
  54. option name 'Allow-Ping'
  55. option src 'wan'
  56. option proto 'icmp'
  57. list icmp_type 'echo-request'
  58. option family 'ipv4'
  59. option target 'ACCEPT'
  60.  
  61. config rule
  62. option name 'Allow-DHCPv6'
  63. option src 'wan'
  64. option proto 'udp'
  65. option src_ip 'fe80::/10'
  66. option src_port '547'
  67. option dest_ip 'fe80::/10'
  68. option dest_port '546'
  69. option family 'ipv6'
  70. option target 'ACCEPT'
  71.  
  72. config rule
  73. option name 'Allow-ICMPv6-Input'
  74. option src 'wan'
  75. option proto 'icmp'
  # Rendered as two rules: a type-only set for the named types and a
  # type.code set for packet-too-big, bad-header (4/0), unknown-header-type
  # (4/1) and the neighbour-discovery types.
  76. list icmp_type 'echo-request'
  77. list icmp_type 'echo-reply'
  78. list icmp_type 'destination-unreachable'
  79. list icmp_type 'packet-too-big'
  80. list icmp_type 'time-exceeded'
  81. list icmp_type 'bad-header'
  82. list icmp_type 'unknown-header-type'
  83. list icmp_type 'router-solicitation'
  84. list icmp_type 'neighbour-solicitation'
  85. list icmp_type 'router-advertisement'
  86. list icmp_type 'neighbour-advertisement'
  87. option limit '1000/sec'
  88. option family 'ipv6'
  89. option target 'ACCEPT'
  90.  
  91. config rule
  92. option name 'Allow-ICMPv6-Forward'
  93. option src 'wan'
  94. option dest '*'
  95. option proto 'icmp'
  96. list icmp_type 'echo-request'
  97. list icmp_type 'echo-reply'
  98. list icmp_type 'destination-unreachable'
  99. list icmp_type 'packet-too-big'
  100. list icmp_type 'time-exceeded'
  101. list icmp_type 'bad-header'
  102. list icmp_type 'unknown-header-type'
  103. option limit '1000/sec'
  104. option family 'ipv6'
  105. option target 'ACCEPT'
  106.  
  107. config include
  # Legacy shell include, presumably iptables-era. iptables commands in it
  # cannot add anything to the nftables ruleset, and nothing attributable to
  # it appears in the rendering -- review its contents before relying on it
  # under fw4.
  108. option path '/etc/firewall.user'
  109.  
  110. config rule
  # Router SSH is reachable from the entire Internet (no src_ip), rendered as
  # a bare "tcp dport 22 accept" in input_wan. Scoping it with src_ip, or
  # reaching the router over the VPN instead, would shrink the exposure.
  111. option target 'ACCEPT'
  112. option src 'wan'
  113. option proto 'tcp'
  114. option dest_port '22'
  115. option name 'SSH'
  116.  
  117. config rule
  # Forwards tcp/22 from wan into the whole lan zone over IPv6 with no
  # dest_ip, so port 22 on every globally reachable IPv6 LAN host is exposed
  # (rendered as "meta nfproto ipv6 tcp dport 22 jump accept_to_lan" in
  # forward_wan). Add dest_ip to limit it to the intended host(s).
  118. option target 'ACCEPT'
  119. option src 'wan'
  120. option dest 'lan'
  121. option name 'SSH via IPv6'
  122. option family 'ipv6'
  123. option proto 'tcp'
  124. option dest_port '22'
  125.  
  126. config ipset
  # Rendered as an empty ipv4_addr set; it is presumably filled at runtime
  # by a separate service -- verify the producer.
  127. option name 'domain-filter-ipv4'
  128. option match 'dest_ip'
  129. option storage 'hash'
  130. option family 'IPv4'
  131.  
  132. config ipset
  133. option name 'domain-filter-ipv6'
  134. option match 'dest_ip'
  135. option storage 'hash'
  136. option family 'IPv6'
  137.  
  138. config rule
  # Marks traffic towards set members with 0x1. The rendered
  # mangle_prerouting rules carry no iifname "br-lan" match, so the src 'lan'
  # restriction given here is not reflected in the ruleset -- confirm whether
  # marking traffic from every interface is the intended scope.
  139. option src 'lan'
  140. option target 'MARK'
  141. option set_mark '0x1'
  142. option name 'Tag Domain Filter Traffic'
  143. option family 'IPv4'
  144. option ipset 'domain-filter-ipv4'
  145. option proto 'tcp udp icmp'
  146.  
  147. config rule
  # IPv6 twin of the rule above; same missing-iifname observation applies.
  148. option src 'lan'
  149. option target 'MARK'
  150. option set_mark '0x1'
  151. option name 'Tag Domain Filter Traffic'
  152. option family 'IPv6'
  153. option ipset 'domain-filter-ipv6'
  154. option proto 'tcp udp icmp'
  155.  
  156. config redirect2
  # "redirect2" is not a valid section type; fw4 skips the section and no
  # "Divert DNS" rule exists in the rendering. LAN DNS interception on port
  # 53 is effectively provided by the adblock_dns_53 redirect below instead.
  157. option name 'Divert DNS'
  158. option src_dport '53'
  159. option target 'DNAT'
  160. option proto 'udp tcp'
  161. option src 'lan'
  162.  
  163. config redirect
  # No proto/target given, so fw4 defaults to DNAT for both tcp and udp and
  # a udp/22014 forward is generated as well (see dstnat_wan). SSH only needs
  # tcp; "option proto 'tcp'" would narrow it. reflection_zone 'foo' yields
  # no rules in the rendering -- only lan reflection is emitted.
  164. option name 'SSH J400'
  165. option src 'wan'
  166. option dest 'lan'
  167. option src_dport '22014'
  168. option dest_port '22'
  169. option dest_ip '10.11.12.14'
  170. list reflection_zone 'lan'
  171. list reflection_zone 'foo'
  172.  
  173. config redirect
  174. option target 'DNAT'
  175. option src 'wan'
  176. option dest 'lan'
  177. option proto 'tcp udp'
  178. option src_dport '51413'
  179. option dest_ip '10.11.12.14'
  180. option dest_port '51413'
  181. option name 'Transmission Laptop'
  182.  
  183. config redirect
  184. option target 'DNAT'
  185. option src 'wan'
  186. option dest 'lan'
  187. option proto 'tcp udp'
  188. option src_dport '51414'
  189. option dest_port '51414'
  190. option name 'Transmission Desktop'
  191. option dest_ip '10.11.12.7'
  192.  
  193. config include
  # Second legacy include; same caveat as /etc/firewall.user above.
  194. option path '/etc/firewall.freifunk'
  195.  
  196. config redirect
  197. option target 'DNAT'
  198. option src 'wan'
  199. option dest 'lan'
  200. option proto 'tcp'
  201. option src_dport '22007'
  202. option dest_ip '10.11.12.7'
  203. option dest_port '22'
  204. option name 'SSH J7'
  205.  
  206. config redirect
  207. option dest_port '443'
  208. option src 'wan'
  209. option name 'Mir3G HTTPS'
  210. option src_dport '44377'
  211. option target 'DNAT'
  212. option dest_ip '10.11.12.177'
  213. option dest 'lan'
  214. option proto 'tcp'
  215.  
  216. config redirect
  217. option dest_port '22'
  218. option src 'wan'
  219. option name 'Mir3G SSH'
  220. option src_dport '22177'
  221. option target 'DNAT'
  222. option dest_ip '10.11.12.177'
  223. option dest 'lan'
  # udp is superfluous for an SSH forward; 'tcp' alone would suffice (the
  # 'SSH J7' entry above is the narrower pattern).
  224. option proto 'tcp udp'
  225.  
  226. config include 'miniupnpd'
  # Script include run by fw4 on reload. miniupnpd manages its own rules at
  # runtime, so any UPnP port mappings are not visible in the static
  # rendering below -- LAN hosts can open inbound ports without appearing in
  # this file, which is worth keeping in mind when auditing exposure.
  227. option type 'script'
  228. option path '/usr/share/miniupnpd/firewall.include'
  229. option family 'any'
  230. option reload '1'
  231.  
  232. config redirect
  233. option target 'DNAT'
  234. option name 'Wrt3200ACM'
  # List form of proto; equivalent to option proto 'tcp'.
  235. list proto 'tcp'
  236. option src 'wan'
  237. option src_dport '22032'
  238. option dest 'lan'
  239. option dest_ip '10.11.12.32'
  240. option dest_port '22'
  241.  
  242. config redirect
  243. option target 'DNAT'
  244. option name 'Wrt3200ACM HTTP'
  245. list proto 'tcp'
  246. option src 'wan'
  247. option src_dport '44332'
  248. option dest 'lan'
  249. option dest_ip '10.11.12.32'
  250. option dest_port '443'
  251.  
  252. config redirect 'adblock_dns_53'
  # No dest/dest_ip: LAN DNS on port 53 is redirected to the router's own
  # listener (rendered as "redirect to 53" in dstnat_lan). Same pattern for
  # 853 and 5353 below.
  253. option name 'Adblock DNS, port 53'
  254. option src 'lan'
  255. option proto 'tcp udp'
  256. option src_dport '53'
  257. option dest_port '53'
  258. option target 'DNAT'
  259.  
  260. config redirect 'adblock_dns_853'
  261. option name 'Adblock DNS, port 853'
  262. option src 'lan'
  263. option proto 'tcp udp'
  264. option src_dport '853'
  265. option dest_port '853'
  266. option target 'DNAT'
  267.  
  268. config redirect 'adblock_dns_5353'
  269. option name 'Adblock DNS, port 5353'
  270. option src 'lan'
  271. option proto 'tcp udp'
  272. option src_dport '5353'
  273. option dest_port '5353'
  274. option target 'DNAT'
  275.  
  276. config ipset
  # Match tuple is ip . port . ip (the repeated "list match ip" is the second
  # address component), rendered as ipv4_addr . inet_service . ipv4_addr.
  # The entry 'foo' is not a valid tuple and is absent from the rendered set;
  # the other two are constructed sample values.
  277. option name testset
  278. list match ip
  279. list match port
  280. list match ip
  281. list entry '1.1.1.1 22 2.2.2.2'
  282. list entry 'foo'
  283. list entry '4.4.4.4 33 5.0.0.1'
  284.  
  285. config rule
  # Neither src nor dest is set, so the rule lands in the output chain.
  # 'proto all' only renders tcp and udp because the set carries a port
  # component. Lower-case 'accept' is accepted by fw4.
  286. option name SETMATCH
  287. option ipset 'testset dst,dest src'
  288. option proto all
  289. option target accept
  290.  
  291. ###
  292. ### nftables ruleset
  293. ###
  # fw4 rendering of the UCI configuration above. The table is declared and
  # then flushed before being redefined, so reloading this file replaces the
  # previous ruleset rather than appending to it.
  294.  
  295. table inet fw4
  296. flush table inet fw4
  297.  
  298. table inet fw4 {
  299. #
  300. # Set definitions
  301. #
  302.  
  # Both domain-filter sets are empty at load time; they are presumably
  # populated at runtime by a separate service -- verify the producer.
  303. set domain-filter-ipv4 {
  304. type ipv4_addr
  305. }
  306.  
  307. set domain-filter-ipv6 {
  308. type ipv6_addr
  309. }
  310.  
  # From the 'testset' ipset: ip . port . ip tuples. The invalid 'foo' entry
  # from the UCI file is absent; the two members are constructed samples.
  311. set testset {
  312. type ipv4_addr . inet_service . ipv4_addr
  313. elements = {
  314. 1.1.1.1 . 22 . 2.2.2.2,
  315. 4.4.4.4 . 33 . 5.0.0.1,
  316. }
  317. }
  318.  
  319.  
  320. #
  321. # Filter rules
  322. #
  323.  
  # Base input chain, policy accept (from the defaults section): traffic on
  # an interface that no zone claims is accepted by the policy.
  324. chain input {
  325. type filter hook input priority filter; policy accept;
  326.  
  327. iifname "lo" accept comment "!fw4: Accept traffic from loopback"
  328.  
  329. ct state established,related accept comment "!fw4: Allow inbound established and related flows"
  330.  
  331.  
  # Only fresh SYNs are rate-limited; syn_flood returns below the limit and
  # drops the excess.
  332. tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
  333.  
  334.  
  # Zone dispatch. eth1 traffic is handled entirely inside input_wan, which
  # ends in a reject, so a packet arriving on eth1 with a 192.168.123.0/24
  # source never reaches the subnet-based foo dispatch below it. Zone foo
  # is matched by subnet only (no device), as the UCI extra_* options were
  # not carried over.
  335. iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
  336. iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
  337. meta nfproto ipv4 ip saddr 192.168.123.0/24 jump input_foo comment "!fw4: Handle foo IPv4 input traffic"
  338.  
  339. }
  340.  
  # Policy drop, but the trailing "jump handle_reject" turns every unmatched
  # forward into an active reject (TCP RST / ICMP port-unreachable). There is
  # no "ct state invalid drop" because the wan zone sets masq_allow_invalid,
  # so conntrack-invalid packets take the same reject path.
  341. chain forward {
  342. type filter hook forward priority filter; policy drop;
  343.  
  344. ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
  345.  
  346.  
  347.  
  348. iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
  349. iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
  350. meta nfproto ipv4 ip saddr 192.168.123.0/24 jump forward_foo comment "!fw4: Handle foo IPv4 forward traffic"
  351.  
  352. jump handle_reject
  353. }
  354.  
  355. chain output {
  356. type filter hook output priority filter; policy accept;
  357.  
  358. oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
  359.  
  360. ct state established,related accept comment "!fw4: Allow outbound established and related flows"
  361.  
  362.  
  # SETMATCH lands in output because its UCI rule names neither src nor
  # dest; only tcp/udp are rendered since the set carries a port component.
  363. meta nfproto ipv4 meta l4proto tcp ip daddr . tcp dport . ip saddr @testset accept comment "!fw4: SETMATCH"
  364. meta nfproto ipv4 meta l4proto udp ip daddr . udp dport . ip saddr @testset accept comment "!fw4: SETMATCH"
  365.  
  366. oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
  367. oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
  368. meta nfproto ipv4 ip daddr 192.168.123.0/24 jump output_foo comment "!fw4: Handle foo IPv4 output traffic"
  369.  
  370. }
  371.  
  # Active rejects (from the zone REJECT policies). Probes get an answer
  # back; a DROP policy would reveal less to scanners, at the cost of slower
  # failure for legitimate misdirected connections.
  372. chain handle_reject {
  373. meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
  374. reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
  375. }
  376.  
  # synflood_rate '55/s' from the defaults section.
  377. chain syn_flood {
  378. tcp flags & (fin | syn | rst | ack) == syn limit rate 55/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
  379. drop comment "!fw4: Drop excess packets"
  380. }
  381.  
  382.  
  # The "ubus:igmpproxy" rules are injected by igmpproxy at runtime; they
  # have no counterpart in the UCI file.
  383. chain input_lan {
  384. meta nfproto ipv4 meta l4proto igmp accept comment "!fw4: ubus:igmpproxy[instance1] rule 3"
  385. ct status dnat accept comment "!fw4: Accept port redirections"
  386. jump accept_from_lan
  387. }
  388.  
  389. chain output_lan {
  390. jump accept_to_lan
  391. }
  392.  
  393. chain forward_lan {
  394. jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
  395. ct status dnat accept comment "!fw4: Accept port forwards"
  396. jump accept_to_lan
  397. }
  398.  
  399. chain accept_from_lan {
  400. iifname "br-lan" accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  401. }
  402.  
  403. chain accept_to_lan {
  404. oifname "br-lan" accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  405. }
  406.  
  407. chain drop_to_lan {
  408. oifname "br-lan" drop comment "!fw4: drop lan IPv4/IPv6 traffic"
  409. }
  410.  
  # Everything the router itself accepts from the Internet. Note the bare
  # "tcp dport 22 accept" -- router SSH with no source restriction (from the
  # 'SSH' UCI rule). icmp type 8 is echo-request; in the ICMPv6 type.code
  # set, 4.0 / 4.1 are bad-header / unknown-header-type.
  411. chain input_wan {
  412. meta nfproto ipv4 meta l4proto igmp accept comment "!fw4: ubus:igmpproxy[instance1] rule 0"
  413. meta nfproto ipv4 udp dport 68 accept comment "!fw4: Allow-DHCP-Renew"
  414. meta nfproto ipv4 icmp type 8 accept comment "!fw4: Allow-Ping"
  415. ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept comment "!fw4: Allow-DHCPv6"
  416. meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Input"
  417. meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Input"
  418. tcp dport 22 accept comment "!fw4: SSH"
  419. ct status dnat accept comment "!fw4: Accept port redirections"
  420. jump reject_from_wan
  421. }
  422.  
  423. chain output_wan {
  424. jump accept_to_wan
  425. }
  426.  
  # Inbound forwards from the Internet. "SSH via IPv6" admits tcp/22 to any
  # LAN host (no daddr restriction); "ct status dnat accept" admits whatever
  # dstnat_wan already translated, so the port-forward ACL is effectively the
  # DNAT rule list.
  427. chain forward_wan {
  428. meta l4proto udp ip daddr 239.255.255.250 jump drop_to_lan comment "!fw4: ubus:igmpproxy[instance1] rule 1"
  429. meta l4proto udp ip daddr 224.0.0.0/4 jump accept_to_lan comment "!fw4: ubus:igmpproxy[instance1] rule 2"
  430. meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Forward"
  431. meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Forward"
  432. meta nfproto ipv6 tcp dport 22 jump accept_to_lan comment "!fw4: SSH via IPv6"
  433. ct status dnat accept comment "!fw4: Accept port forwards"
  434. jump reject_to_wan
  435. }
  436.  
  437. chain accept_to_wan {
  438. oifname "eth1" accept comment "!fw4: accept wan IPv4/IPv6 traffic"
  439. }
  440.  
  441. chain reject_from_wan {
  442. iifname "eth1" jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  443. }
  444.  
  445. chain reject_to_wan {
  446. oifname "eth1" jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  447. }
  448.  
  # Zone foo is identified solely by the 192.168.123.0/24 subnet.
  449. chain input_foo {
  450. jump accept_from_foo
  451. }
  452.  
  453. chain output_foo {
  454. jump accept_to_foo
  455. }
  456.  
  457. chain forward_foo {
  458. jump accept_to_foo
  459. }
  460.  
  461. chain accept_from_foo {
  462. meta nfproto ipv4 ip saddr 192.168.123.0/24 accept comment "!fw4: accept foo IPv4 traffic"
  463. }
  464.  
  465. chain accept_to_foo {
  466. meta nfproto ipv4 ip daddr 192.168.123.0/24 accept comment "!fw4: accept foo IPv4 traffic"
  467. }
  468.  
  469.  
  470.  
  471. #
  472. # NAT rules
  473. #
  474.  
  # Only lan and wan have NAT dispatch; zone foo (no device) gets none, which
  # is why reflection_zone 'foo' on 'SSH J400' produced no rules.
  475. chain dstnat {
  476. type nat hook prerouting priority dstnat; policy accept;
  477.  
  478. iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
  479. iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
  480. }
  481.  
  482. chain srcnat {
  483. type nat hook postrouting priority srcnat; policy accept;
  484.  
  485. iifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
  486. iifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
  487. }
  488.  
  # NAT reflection (hairpin): LAN clients addressing the wan address are
  # translated to the internal hosts. The lan subnet 192.168.1.0/24 and the
  # wan address 72.1.1.1 were presumably taken from interface state at render
  # time. The Adblock entries redirect LAN DNS to the router itself.
  489. chain dstnat_lan {
  490. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400 (reflection)"
  491. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400 (reflection)"
  492. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop (reflection)"
  493. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop (reflection)"
  494. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop (reflection)"
  495. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop (reflection)"
  496. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22007 dnat 10.11.12.7:22 comment "!fw4: SSH J7 (reflection)"
  497. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 44377 dnat 10.11.12.177:443 comment "!fw4: Mir3G HTTPS (reflection)"
  498. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH (reflection)"
  499. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH (reflection)"
  500. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22032 dnat 10.11.12.32:22 comment "!fw4: Wrt3200ACM (reflection)"
  501. ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 44332 dnat 10.11.12.32:443 comment "!fw4: Wrt3200ACM HTTP (reflection)"
  502. meta nfproto ipv4 tcp dport 53 redirect to 53 comment "!fw4: Adblock DNS, port 53"
  503. meta nfproto ipv4 udp dport 53 redirect to 53 comment "!fw4: Adblock DNS, port 53"
  504. meta nfproto ipv4 tcp dport 853 redirect to 853 comment "!fw4: Adblock DNS, port 853"
  505. meta nfproto ipv4 udp dport 853 redirect to 853 comment "!fw4: Adblock DNS, port 853"
  506. meta nfproto ipv4 tcp dport 5353 redirect to 5353 comment "!fw4: Adblock DNS, port 5353"
  507. meta nfproto ipv4 udp dport 5353 redirect to 5353 comment "!fw4: Adblock DNS, port 5353"
  508. }
  509.  
  # Reflected flows are SNATed to 192.168.1.1, so the internal server sees
  # the router, not the real LAN client, as the peer -- host-side logs for
  # these connections lose the originating address.
  510. chain srcnat_lan {
  511. ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 tcp dport 22 snat 192.168.1.1 comment "!fw4: SSH J400 (reflection)"
  512. ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 udp dport 22 snat 192.168.1.1 comment "!fw4: SSH J400 (reflection)"
  513. ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 tcp dport 51413 snat 192.168.1.1 comment "!fw4: Transmission Laptop (reflection)"
  514. ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 udp dport 51413 snat 192.168.1.1 comment "!fw4: Transmission Laptop (reflection)"
  515. ip saddr 192.168.1.0/24 ip daddr 10.11.12.7 tcp dport 51414 snat 192.168.1.1 comment "!fw4: Transmission Desktop (reflection)"
  516. ip saddr 192.168.1.0/24 ip daddr 10.11.12.7 udp dport 51414 snat 192.168.1.1 comment "!fw4: Transmission Desktop (reflection)"
  517. ip saddr 192.168.1.0/24 ip daddr 10.11.12.7 tcp dport 22 snat 192.168.1.1 comment "!fw4: SSH J7 (reflection)"
  518. ip saddr 192.168.1.0/24 ip daddr 10.11.12.177 tcp dport 443 snat 192.168.1.1 comment "!fw4: Mir3G HTTPS (reflection)"
  519. ip saddr 192.168.1.0/24 ip daddr 10.11.12.177 tcp dport 22 snat 192.168.1.1 comment "!fw4: Mir3G SSH (reflection)"
  520. ip saddr 192.168.1.0/24 ip daddr 10.11.12.177 udp dport 22 snat 192.168.1.1 comment "!fw4: Mir3G SSH (reflection)"
  521. ip saddr 192.168.1.0/24 ip daddr 10.11.12.32 tcp dport 22 snat 192.168.1.1 comment "!fw4: Wrt3200ACM (reflection)"
  522. ip saddr 192.168.1.0/24 ip daddr 10.11.12.32 tcp dport 443 snat 192.168.1.1 comment "!fw4: Wrt3200ACM HTTP (reflection)"
  523. }
  524.  
  # External port -> internal host map, i.e. the Internet-facing attack
  # surface of the LAN. The udp 22014 / 22177 entries come from the tcp+udp
  # protocol choice in the 'SSH J400' and 'Mir3G SSH' redirects and are not
  # needed for SSH.
  525. chain dstnat_wan {
  526. meta nfproto ipv4 tcp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400"
  527. meta nfproto ipv4 udp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400"
  528. meta nfproto ipv4 tcp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop"
  529. meta nfproto ipv4 udp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop"
  530. meta nfproto ipv4 tcp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop"
  531. meta nfproto ipv4 udp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop"
  532. meta nfproto ipv4 tcp dport 22007 dnat 10.11.12.7:22 comment "!fw4: SSH J7"
  533. meta nfproto ipv4 tcp dport 44377 dnat 10.11.12.177:443 comment "!fw4: Mir3G HTTPS"
  534. meta nfproto ipv4 tcp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH"
  535. meta nfproto ipv4 udp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH"
  536. meta nfproto ipv4 tcp dport 22032 dnat 10.11.12.32:22 comment "!fw4: Wrt3200ACM"
  537. meta nfproto ipv4 tcp dport 44332 dnat 10.11.12.32:443 comment "!fw4: Wrt3200ACM HTTP"
  538. }
  539.  
  # From masq '1' on the wan zone; IPv4 only.
  540. chain srcnat_wan {
  541. meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
  542. }
  543.  
  544.  
  545. #
  546. # Raw rules (notrack & helper)
  547. #
  548.  
  549. chain raw_prerouting {
  550. type filter hook prerouting priority raw; policy accept;
  551.  
  552. iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
  553. meta nfproto ipv4 ip saddr 192.168.123.0/24 jump helper_foo comment "!fw4: foo IPv4 CT helper assignment"
  554. }
  555.  
  556. chain raw_output {
  557. type filter hook output priority raw; policy accept;
  558.  
  559. }
  560.  
  561.  
  # No conntrack helpers are configured, so both helper chains are empty.
  562. chain helper_lan {
  563. }
  564.  
  565. chain helper_foo {
  566. }
  567.  
  568.  
  569.  
  570. #
  571. # Mangle rules
  572. #
  573.  
  # 'Tag Domain Filter Traffic'. These rules carry no iifname "br-lan" match
  # even though the UCI rules specify src 'lan', so as rendered they mark
  # matching traffic arriving on any interface -- confirm the intended scope.
  # 'proto icmp' became ipv6-icmp for the IPv6 family.
  574. chain mangle_prerouting {
  575. type filter hook prerouting priority mangle; policy accept;
  576.  
  577. meta nfproto ipv4 meta l4proto tcp ip daddr @domain-filter-ipv4 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
  578. meta nfproto ipv4 meta l4proto udp ip daddr @domain-filter-ipv4 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
  579. meta nfproto ipv4 meta l4proto icmp ip daddr @domain-filter-ipv4 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
  580. meta nfproto ipv6 meta l4proto tcp ip6 daddr @domain-filter-ipv6 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
  581. meta nfproto ipv6 meta l4proto udp ip6 daddr @domain-filter-ipv6 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
  582. meta nfproto ipv6 meta l4proto ipv6-icmp ip6 daddr @domain-filter-ipv6 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
  583. }
  584.  
  585. chain mangle_output {
  586. type filter hook output priority mangle; policy accept;
  587.  
  588. }
  589.  
  # MSS clamping for the wan zone, from mtu_fix '1'.
  590. chain mangle_forward {
  591. type filter hook forward priority mangle; policy accept;
  592.  
  593. iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
  594. oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
  595. }
  596. }
  597.  