  1.  
  2.  
  3. BusyBox v1.35.0 (2023-04-09 12:27:46 UTC) built-in shell (ash)
  4.  
  5. _______ ________ __
  6. | |.-----.-----.-----.| | | |.----.| |_
  7. | - || _ | -__| || | | || _|| _|
  8. |_______|| __|_____|__|__||________||__| |____|
  9. |__| W I R E L E S S F R E E D O M
  10. -----------------------------------------------------
  11. OpenWrt 22.03.4, r20123-38ccc47687
  12. -----------------------------------------------------
  13. root@GL-X750:~# nft list ruleset
  14. table ip filter {
  # NOTE(review): legacy iptables-nft table coexisting with fw4. Both base chains hook at
  # "priority filter", the same hook/priority as fw4's input/forward, so a packet must get past
  # BOTH this table and fw4 to be delivered/forwarded. Rules rendered as "# xt_..." are xtables
  # extension matches/targets nft cannot decode; read this table with `iptables-save -t filter`.
  15. chain INPUT {
  16. type filter hook input priority filter; policy accept;
  17. }
  18.  
  19. chain FORWARD {
  20. type filter hook forward priority filter; policy accept;
  # The ipset matched by xt_set is invisible from nft, so which addresses this drops cannot be told
  # from the listing (zero hits at capture time). Presumably installed by an iptables-based
  # component rather than fw4 — confirm the set contents via `iptables-save` / `ipset list`.
  21. # xt_set counter packets 0 bytes 0 drop
  22. }
  23. }
  24. table inet fw4 {
  # NOTE(review): fw4 (OpenWrt 22.03) zone firewall; the inet family covers IPv4 and IPv6 with one
  # rule set. Three zones are dispatched from the base chains: lan (br-lan), wan (eth0, wwan0) and
  # wgclient (WireGuard tunnel). Guest-zone chains exist below but nothing dispatches to them.
  25. chain input {
  26. type filter hook input priority filter; policy accept;
  # Policy accept: traffic from any interface NOT matched by the three iifname dispatch rules below
  # (e.g. an unzoned guest bridge, if one exists) reaches the router's own services unfiltered.
  # Loopback and established/related flows are accepted before zone dispatch.
  27. iifname "lo" accept comment "!fw4: Accept traffic from loopback"
  28. ct state established,related accept comment "!fw4: Allow inbound established and related flows"
  29. tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
  30. iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
  31. iifname { "eth0", "wwan0" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
  32. iifname "wgclient" jump input_wgclient comment "!fw4: Handle wgclient IPv4/IPv6 input traffic"
  33. }
  34.  
  35. chain forward {
  36. type filter hook forward priority filter; policy drop;
  # Default deny for forwarded traffic; whatever no zone chain accepts is answered by handle_reject
  # (TCP RST / ICMP unreachable) rather than silently dropped.
  37. ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
  38. iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
  39. iifname { "eth0", "wwan0" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
  40. iifname "wgclient" jump forward_wgclient comment "!fw4: Handle wgclient IPv4/IPv6 forward traffic"
  41. jump handle_reject
  42. }
  43.  
  44. chain output {
  45. type filter hook output priority filter; policy accept;
  46. oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
  47. ct state established,related accept comment "!fw4: Allow outbound established and related flows"
  48. oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
  49. oifname { "eth0", "wwan0" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
  50. oifname "wgclient" jump output_wgclient comment "!fw4: Handle wgclient IPv4/IPv6 output traffic"
  51. }
  52.  
  53. chain prerouting {
  54. type filter hook prerouting priority filter; policy accept;
  55. iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
  56. iifname "wgclient" jump helper_wgclient comment "!fw4: Handle wgclient IPv4/IPv6 helper assignment"
  57. }
  58.  
  59. chain handle_reject {
  60. meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
  61. reject comment "!fw4: Reject any other traffic"
  62. }
  63.  
  64. chain syn_flood {
  # New SYNs above 25/s (burst 50) are dropped; below the limit the chain returns to the caller.
  65. limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
  66. drop comment "!fw4: Drop excess packets"
  67. }
  68.  
  # Guest zone: the chains are generated, but no base chain jumps to input_guest / forward_guest /
  # output_guest / helper_guest, and accept_from_guest / accept_to_guest are empty (no device bound).
  # As listed, these rules can never match. Confirm in /etc/config/firewall whether the guest zone
  # is meant to have a network; until it does, a guest interface is unzoned (see the input policy
  # note above).
  69. chain input_guest {
  70. udp dport 67-68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP"
  71. tcp dport 53 counter packets 0 bytes 0 accept comment "!fw4: Allow-DNS"
  72. udp dport 53 counter packets 0 bytes 0 accept comment "!fw4: Allow-DNS"
  73. jump accept_from_guest
  74. }
  75.  
  76. chain output_guest {
  77. jump accept_to_guest
  78. }
  79.  
  80. chain forward_guest {
  81. jump accept_to_wgclient comment "!fw4: Accept guest to wgclient forwarding"
  82. jump accept_to_guest
  83. }
  84.  
  85. chain helper_guest {
  86. }
  87.  
  88. chain accept_from_guest {
  89. }
  90.  
  91. chain accept_to_guest {
  92. }
  93.  
  94. chain input_lan {
  95. jump accept_from_lan
  96. }
  97.  
  98. chain output_lan {
  99. jump accept_to_lan
  100. }
  101.  
  102. chain forward_lan {
  # LAN may only be forwarded into the tunnel or back to br-lan. There is no jump to accept_to_wan,
  # so LAN->WAN traffic falls back to the forward chain's handle_reject: effectively a VPN kill
  # switch for both IPv4 and IPv6 — if wgclient is down and the default route points at eth0/wwan0,
  # LAN clients are cut off rather than leaking to the WAN. Router-originated traffic is not
  # covered (see output_wan).
  103. jump accept_to_wgclient comment "!fw4: Accept lan to wgclient forwarding"
  104. jump accept_to_lan
  105. }
  106.  
  107. chain helper_lan {
  108. }
  109.  
  110. chain accept_from_lan {
  111. iifname "br-lan" counter packets 205 bytes 14753 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  112. }
  113.  
  114. chain accept_to_lan {
  115. oifname "br-lan" counter packets 20 bytes 2309 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  116. }
  117.  
  118. chain input_wan {
  # Stock fw4 WAN input allowances (DHCP renew, IGMP, DHCPv6, link-local MLD, rate-limited ICMPv6),
  # followed by an unconditional drop. No service is exposed on the WAN side in this listing.
  119. meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
  120. meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
  121. meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
  122. ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
  123. icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
  124. icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
  125. jump drop_from_wan
  126. }
  127.  
  128. chain output_wan {
  # Router-originated traffic toward eth0/wwan0 is accepted unconditionally (accept_to_wan). The
  # router's own resolver, NTP, update checks etc. are therefore free to bypass the tunnel; whether
  # they do is decided by policy routing (ip rule) and the marks set in mangle_output and in the
  # ip mangle ROUTE_POLICY_DNS chain, none of which is filtered here.
  129. jump accept_to_wan
  130. }
  131.  
  132. chain forward_wan {
  # Stock rules. The ESP / UDP 500 jumps to accept_to_lan only matter if WAN traffic can reach LAN
  # addresses; the dstnat chain below is empty, so no port forwards exist in this listing.
  133. icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
  134. icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
  135. meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
  136. udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
  137. jump reject_to_wan
  138. }
  139.  
  140. chain accept_to_wan {
  141. oifname { "eth0", "wwan0" } counter packets 124 bytes 10416 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
  142. }
  143.  
  144. chain reject_to_wan {
  145. oifname { "eth0", "wwan0" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  146. }
  147.  
  148. chain drop_from_wan {
  149. iifname { "eth0", "wwan0" } counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
  150. }
  151.  
  152. chain input_wgclient {
  # Everything arriving from the tunnel toward the router itself is accepted on every port
  # (accept_from_wgclient, 52 packets at capture time), so ssh/LuCI/etc. are reachable from the far
  # end of the tunnel. Reasonable for a self-hosted WireGuard peer; restrict to the needed ports if
  # the peer is a third-party VPN provider.
  153. jump accept_from_wgclient
  154. }
  155.  
  156. chain output_wgclient {
  157. jump accept_to_wgclient
  158. }
  159.  
  160. chain forward_wgclient {
  # Flows initiated from the tunnel side may be forwarded to WAN, to LAN on any port (accept_to_lan)
  # and to guest; tunnel-to-tunnel is dropped. Together with input_wgclient this trusts the
  # WireGuard peer like a LAN segment — appropriate for site-to-site, questionable for a commercial
  # VPN exit.
  161. jump accept_to_wan comment "!fw4: Accept wgclient to wan forwarding"
  162. jump accept_to_lan comment "!fw4: Accept wgclient to lan forwarding"
  163. jump accept_to_guest comment "!fw4: Accept wgclient to guest forwarding"
  164. jump drop_to_wgclient
  165. }
  166.  
  167. chain helper_wgclient {
  168. }
  169.  
  170. chain accept_from_wgclient {
  171. iifname "wgclient" counter packets 52 bytes 2704 accept comment "!fw4: accept wgclient IPv4/IPv6 traffic"
  172. }
  173.  
  174. chain accept_to_wgclient {
  175. oifname "wgclient" counter packets 405 bytes 46226 accept comment "!fw4: accept wgclient IPv4/IPv6 traffic"
  176. }
  177.  
  178. chain drop_to_wgclient {
  179. oifname "wgclient" counter packets 0 bytes 0 drop comment "!fw4: drop wgclient IPv4/IPv6 traffic"
  180. }
  181.  
  182. chain dstnat {
  # No DNAT / port-forward rules.
  183. type nat hook prerouting priority dstnat; policy accept;
  184. }
  185.  
  186. chain srcnat {
  # Only IPv4 leaving via the WAN zone is masqueraded. Nothing is masqueraded toward wgclient, so LAN
  # source addresses travel into the tunnel unchanged and the peer must route those subnets back
  # (typical VPN-provider setups instead expect masquerading on the tunnel interface — verify).
  187. type nat hook postrouting priority srcnat; policy accept;
  188. oifname { "eth0", "wwan0" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
  189. }
  190.  
  191. chain srcnat_wan {
  192. meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
  193. }
  194.  
  195. chain raw_prerouting {
  196. type filter hook prerouting priority raw; policy accept;
  197. }
  198.  
  199. chain raw_output {
  200. type filter hook output priority raw; policy accept;
  201. }
  202.  
  203. chain mangle_prerouting {
  204. type filter hook prerouting priority mangle; policy accept;
  205. }
  206.  
  207. chain mangle_postrouting {
  208. type filter hook postrouting priority mangle; policy accept;
  209. }
  210.  
  211. chain mangle_input {
  212. type filter hook input priority mangle; policy accept;
  213. }
  214.  
  215. chain mangle_output {
  216. type route hook output priority mangle; policy accept;
  # Packets from processes running as gid 65533 get fwmark bit 0x8000; for later TCP/UDP packets of
  # the same flow the bit is restored from the conntrack mark. Neither the ct-mark save nor the
  # ip rule consuming 0x8000 is in this table — presumably a "bypass VPN" routing policy for that
  # group (GL.iNet-style); confirm with `ip rule` and the xt_CONNMARK rules in table ip mangle.
  # "type route" makes the kernel re-route the router's own packets after the mark changes.
  217. meta skgid 65533 counter packets 0 bytes 0 meta mark set meta mark | 0x00008000
  218. ip protocol tcp ct mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 meta mark set ct mark comment "out_conn_mark_restore"
  219. ip protocol udp ct mark & 0x00008000 == 0x00008000 counter packets 0 bytes 0 meta mark set ct mark comment "out_conn_mark_restore"
  220. }
  221.  
  222. chain mangle_forward {
  # MSS clamping to path MTU on SYNs crossing the WAN and the tunnel in either direction (useful
  # given WireGuard's reduced MTU).
  223. type filter hook forward priority mangle; policy accept;
  224. iifname { "eth0", "wwan0" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
  225. oifname { "eth0", "wwan0" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
  226. iifname "wgclient" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wgclient IPv4/IPv6 ingress MTU fixing"
  227. oifname "wgclient" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wgclient IPv4/IPv6 egress MTU fixing"
  228. }
  229. }
  230. table ip mangle {
  # NOTE(review): iptables-nft table (mwan3 plus vendor policy-routing chains). Each "# xt_..."
  # token is an xtables match/target (mark, set, CONNMARK, MARK, comment, tcp/udp) whose arguments
  # nft cannot render, so mark values, set names and port matches are all hidden in this listing.
  # `nft list ruleset` is therefore not a complete view of this device's routing policy; audit it
  # alongside `iptables-save -t mangle`, `ip rule` and `ip route show table all`.
  231. chain PREROUTING {
  232. type filter hook prerouting priority mangle; policy accept;
  233. counter packets 7244 bytes 4624840 jump mwan3_hook
  234. counter packets 6957 bytes 4582956 jump VPN_SER_POLICY
  235. }
  236.  
  237. chain mwan3_ifaces_in {
  238. # xt_mark counter packets 839 bytes 104801 jump mwan3_iface_in_modem_1_1_2
  239. }
  240.  
  241. chain mwan3_connected {
  242. # xt_set counter packets 1081 bytes 171880 # xt_MARK
  243. }
  244.  
  245. chain mwan3_rules {
  246. # xt_mark counter packets 499 bytes 53452 jump mwan3_policy_default_poli
  247. }
  248.  
  249. chain mwan3_hook {
  # mwan3 entry point: the two xt_CONNMARK rules presumably restore the flow's mark first and save
  # it last, with interface / connected-set / policy evaluation in between (the mark tests gating
  # each jump are hidden).
  250. counter packets 12354 bytes 6573179 # xt_CONNMARK
  251. # xt_mark counter packets 913 bytes 116579 jump mwan3_ifaces_in
  252. # xt_mark counter packets 913 bytes 116579 jump mwan3_connected
  253. # xt_mark counter packets 564 bytes 61025 jump mwan3_rules
  254. counter packets 12354 bytes 6573179 # xt_CONNMARK
  255. # xt_mark counter packets 1668 bytes 208666 jump mwan3_connected
  256. }
  257.  
  258. chain OUTPUT {
  259. type route hook output priority mangle; policy accept;
  260. counter packets 5110 bytes 1948339 jump mwan3_hook
  261. counter packets 4744 bytes 1569220 jump ROUTE_POLICY_DNS
  262. }
  263.  
  264. chain mwan3_policy_default_poli {
  265. # xt_mark # xt_comment counter packets 499 bytes 53452 # xt_MARK
  266. }
  267.  
  268. chain mwan3_policy_default_poli_v6 {
  269. # xt_mark # xt_comment counter packets 0 bytes 0 # xt_MARK
  270. }
  271.  
  272. chain mwan3_iface_in_modem_1_1_2 {
  # Ingress marking for the cellular interface (wwan0); the chain name suggests the mwan3 interface
  # is called modem_1_1_2. Zero hits at capture time.
  273. iifname "wwan0" # xt_set # xt_mark # xt_comment counter packets 0 bytes 0 # xt_MARK
  274. iifname "wwan0" # xt_mark # xt_comment counter packets 0 bytes 0 # xt_MARK
  275. }
  276.  
  277. chain ROUTE_POLICY_DNS {
  # Router-originated TCP/UDP toward two fixed public addresses (62.87.92.201 and 212.166.167.71)
  # is fwmarked for policy routing; the port match (xt_tcp/xt_udp, presumably dport 53) and the
  # mark value are not shown. Which route table the mark selects — through or around the tunnel —
  # cannot be told from here; if it steers the router's resolver around the tunnel this is a DNS
  # leak path, so check `ip rule` for the matching fwmark. Counters are zero: unused at capture time.
  278. meta l4proto tcp ip daddr 62.87.92.201 # xt_tcp counter packets 0 bytes 0 # xt_MARK
  279. meta l4proto udp ip daddr 62.87.92.201 # xt_udp counter packets 0 bytes 0 # xt_MARK
  280. meta l4proto tcp ip daddr 212.166.167.71 # xt_tcp counter packets 0 bytes 0 # xt_MARK
  281. meta l4proto udp ip daddr 212.166.167.71 # xt_udp counter packets 0 bytes 0 # xt_MARK
  282. }
  283.  
  284. chain VPN_SER_POLICY {
  # Empty: no per-client / per-destination VPN policy rules were active when captured, although
  # PREROUTING still jumps here for every packet.
  285. }
  286. }
  287. table ip6 mangle {
  # IPv6 half of the mwan3 hook; same "# xt_..." rendering caveat as table ip mangle. The six
  # icmpv6 return rules (type filters hidden behind xt_icmp6) presumably exempt ND/ICMPv6 from
  # policy routing. Only 20-40 packets were seen, and there is no IPv6 counterpart of
  # ROUTE_POLICY_DNS / VPN_SER_POLICY — IPv6 DNS or VPN steering, if any, is handled elsewhere.
  288. chain mwan3_ifaces_in {
  289. }
  290.  
  291. chain mwan3_connected {
  292. # xt_set counter packets 0 bytes 0 # xt_MARK
  293. }
  294.  
  295. chain mwan3_rules {
  296. # xt_mark counter packets 0 bytes 0 jump mwan3_policy_default_poli_v6
  297. }
  298.  
  299. chain mwan3_hook {
  300. meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 return
  301. meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 return
  302. meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 return
  303. meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 return
  304. meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 return
  305. meta l4proto ipv6-icmp # xt_set # xt_icmp6 counter packets 0 bytes 0 return
  306. counter packets 40 bytes 4482 # xt_CONNMARK
  307. # xt_mark counter packets 40 bytes 4482 jump mwan3_ifaces_in
  308. # xt_mark counter packets 40 bytes 4482 jump mwan3_connected
  309. # xt_mark counter packets 40 bytes 4482 jump mwan3_rules
  310. counter packets 40 bytes 4482 # xt_CONNMARK
  311. # xt_mark counter packets 40 bytes 4482 jump mwan3_connected
  312. }
  313.  
  314. chain PREROUTING {
  315. type filter hook prerouting priority mangle; policy accept;
  316. counter packets 20 bytes 2241 jump mwan3_hook
  317. }
  318.  
  319. chain OUTPUT {
  320. type route hook output priority mangle; policy accept;
  321. counter packets 20 bytes 2241 jump mwan3_hook
  322. }
  323.  
  324. chain mwan3_policy_default_poli {
  325. # xt_mark # xt_comment counter packets 0 bytes 0 # xt_MARK
  326. }
  327.  
  328. chain mwan3_policy_default_poli_v6 {
  329. # xt_mark # xt_comment counter packets 0 bytes 0 # xt_MARK
  330. }
  331. }
  332. root@GL-X750:~#
  333.  