From 3622ea8cb5399654e341467e64ff0c8dd995f21a Mon Sep 17 00:00:00 2001
From: Tim Niemeyer <tim.niemeyer@mastersword.de>
Date: Sat, 17 Nov 2012 18:16:33 +0100
Subject: [PATCH] wan-firewall: fix and clean up

- use -A (append) instead of -I (insert)
This makes shure the rule order is correct. This fixes #421.
- use uci to determine the correct wan interface
This is the reason, why #421 was only on wr1043. Now the firewall rule
applies to all router.
- remove old and not used rules

Signed-off-by: Tim Niemeyer <tim.niemeyer@mastersword.de>
---
 .../root_file_system/etc/firewall.user        | 47 ++-----------------
 1 file changed, 4 insertions(+), 43 deletions(-)

diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
index 8dfa515..d6a1931 100755
--- a/bsp/default/root_file_system/etc/firewall.user
+++ b/bsp/default/root_file_system/etc/firewall.user
@@ -1,50 +1,11 @@
 #!/bin/sh
-#iptables -F
-#
-#iptables -P INPUT   DROP
-#iptables -P OUTPUT  DROP
-#iptables -P FORWARD DROP
-#
-#for proto in tcp udp
-#do
-#  for port in 53 666 655
-#  do
-#    iptables -A OUTPUT -p $proto --dport $port -j ACCEPT
-#    iptables -A OUTPUT -p $proto --sport $port -j ACCEPT
-#    iptables -A INPUT  -p $proto --dport $port -j ACCEPT
-#    iptables -A INPUT  -p $proto --sport $port -j ACCEPT
-#  done
-#done
-#
-#iptables -A OUTPUT -p icmp -j ACCEPT
-#iptables -A INPUT  -p icmp -j ACCEPT
-#
-#iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-#iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-#
-#
-#iptables -A OUTPUT -p tcp --sport 1024: -j ACCEPT
-#iptables -A OUTPUT -p udp --sport 1024: -j ACCEPT
-
-# mastersword.de
-#iptables -A OUTPUT -p tcp -d 78.46.215.78 -j ACCEPT
-#iptables -A INPUT  -p tcp -s 78.46.215.78 -j ACCEPT
-
-# gw1.freifunk-ol.de
-#iptables -A OUTPUT -p tcp -d 178.33.33.102 -j ACCEPT
-#iptables -A INPUT  -p tcp -s 178.33.33.102 -j ACCEPT
-
-# freifunk-ol.de
-#iptables -A OUTPUT -p tcp -d 178.33.33.208 -j ACCEPT
-#iptables -A INPUT  -p tcp -s 178.33.33.208 -j ACCEPT
-
-#Masquerade interface for gateway
-#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
 #solves MTU problem with bad ISP´s
 iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 # Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
 # Das wirkt bei kleinen Geräten wir ein DOS
-iptables -I INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -I INPUT -i eth0.2 -j DROP
+WAN=$(uci get network.wan.ifname)
+iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i $WAN -j REJECT
+