McUles/firmware
1
0
Fork 0
forked from freifunk-franken/firmware
Code Issues Pull Requests Projects Releases Wiki Activity
bf9c42a24c
firmware/bsp/default/root_file_system/etc/firewall.user
Tim Niemeyer bf9c42a24c Statefull Inspektion for WAN Interface 
On a router wich is directly connected to the internet, there is lot of traffix
on the WAN port. E.g. ssh bruteforces. That's like a DOS for a small device.

This fixes #395

Signed-off-by: Tim Niemeyer <tim.niemeyer@mastersword.de>
2012-09-30 11:26:11 +02:00

51 lines
1.5 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/bin/sh
#iptables -F
#
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
#
#for proto in tcp udp
#do
# for port in 53 666 655
# do
# iptables -A OUTPUT -p $proto --dport $port -j ACCEPT
# iptables -A OUTPUT -p $proto --sport $port -j ACCEPT
# iptables -A INPUT -p $proto --dport $port -j ACCEPT
# iptables -A INPUT -p $proto --sport $port -j ACCEPT
# done
#done
#
#iptables -A OUTPUT -p icmp -j ACCEPT
#iptables -A INPUT -p icmp -j ACCEPT
#
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#
#
#iptables -A OUTPUT -p tcp --sport 1024: -j ACCEPT
#iptables -A OUTPUT -p udp --sport 1024: -j ACCEPT
# mastersword.de
#iptables -A OUTPUT -p tcp -d 78.46.215.78 -j ACCEPT
#iptables -A INPUT -p tcp -s 78.46.215.78 -j ACCEPT
# gw1.freifunk-ol.de
#iptables -A OUTPUT -p tcp -d 178.33.33.102 -j ACCEPT
#iptables -A INPUT -p tcp -s 178.33.33.102 -j ACCEPT
# freifunk-ol.de
#iptables -A OUTPUT -p tcp -d 178.33.33.208 -j ACCEPT
#iptables -A INPUT -p tcp -s 178.33.33.208 -j ACCEPT
#Masquerade interface for gateway
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#solves MTU problem with bad ISP´s
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
# Das wirkt bei kleinen Geräten wir ein DOS
iptables -I INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0.2 -j DROP
Reference in New Issue View Git Blame Copy Permalink