forked from freifunk-franken/firmware
layer3: add option to enable stateful firewall on client network
Add the following option to the client config section in `/etc/config/gateway` to enable a basic stateful firewall: ``` config client option stateful_firewall '1' ``` The firewall will forward ICMP messages and allow any outbound client traffic and the related inbound traffic.
This commit is contained in:
parent
8be918ad49
commit
eaa40f7034
|
@ -57,6 +57,12 @@ configure() {
|
||||||
else
|
else
|
||||||
echo "WARNING: No Interface for client specified"
|
echo "WARNING: No Interface for client specified"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# stateful firewall
|
||||||
|
uci -q del network.client.fff_stateful_firewall
|
||||||
|
if [ "$(uci -q get gateway.@client[0].stateful_firewall)" = 1 ]; then
|
||||||
|
uci set network.client.fff_stateful_firewall=1
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
apply() {
|
apply() {
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
[ "$(uci -q get network.client.fff_stateful_firewall)" != 1 ] && return
|
||||||
|
|
||||||
|
nft -f - << EOF
|
||||||
|
table ip filter {
|
||||||
|
chain forward-client {
|
||||||
|
ct state {
|
||||||
|
established,
|
||||||
|
related,
|
||||||
|
} accept \
|
||||||
|
comment "accept traffic originating from clients"
|
||||||
|
|
||||||
|
ip protocol icmp icmp type {
|
||||||
|
echo-reply,
|
||||||
|
destination-unreachable,
|
||||||
|
echo-request,
|
||||||
|
time-exceeded,
|
||||||
|
parameter-problem,
|
||||||
|
} accept \
|
||||||
|
comment "accept icmp"
|
||||||
|
|
||||||
|
counter drop \
|
||||||
|
comment "drop the rest"
|
||||||
|
}
|
||||||
|
chain FORWARD {
|
||||||
|
type filter hook forward priority filter; policy accept;
|
||||||
|
oifname br-client goto forward-client
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
table ip6 filter {
|
||||||
|
chain forward-client {
|
||||||
|
ct state {
|
||||||
|
established,
|
||||||
|
related,
|
||||||
|
} accept \
|
||||||
|
comment "accept traffic originating from clients"
|
||||||
|
|
||||||
|
ip6 nexthdr icmpv6 icmpv6 type {
|
||||||
|
destination-unreachable,
|
||||||
|
packet-too-big,
|
||||||
|
time-exceeded,
|
||||||
|
parameter-problem,
|
||||||
|
echo-request,
|
||||||
|
echo-reply,
|
||||||
|
} accept \
|
||||||
|
comment "accept icmpv6 for basic ipv6 functionality"
|
||||||
|
|
||||||
|
counter drop \
|
||||||
|
comment "drop the rest"
|
||||||
|
}
|
||||||
|
chain FORWARD {
|
||||||
|
type filter hook forward priority filter; policy accept;
|
||||||
|
oifname br-client goto forward-client
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
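Review bot: The ruleset is loaded with `nft -f -` as `table ip filter { ... }` without a preceding flush, so every run of this script appends a second copy of each rule to `forward-client` and `FORWARD` instead of replacing them, and once the option is turned off the early `&& return` on the first line leaves the previously loaded tables in place until reboot. The usual idiom is to declare the table, `flush table ip filter`, then redefine it, and to delete both tables on the disabled path; the rewritten lines below do that for `ip` and `ip6`. Whether a table named `filter` in the `ip`/`ip6` families is shared with any other component on this image is not visible here; if it is, a dedicated table name would avoid flushing foreign rules. The file starts with a bare `return`, so it is presumably sourced from inside a function (the function header is outside this hunk).
```shell
if [ "$(uci -q get network.client.fff_stateful_firewall)" != 1 ]; then
	# firewall disabled: remove any ruleset left from an earlier run
	nft delete table ip filter 2>/dev/null
	nft delete table ip6 filter 2>/dev/null
	return
fi

nft -f - << EOF
table ip filter {}
flush table ip filter
table ip filter {
# … unchanged: forward-client and FORWARD chains for ip …
}

table ip6 filter {}
flush table ip6 filter
table ip6 filter {
# … unchanged: forward-client and FORWARD chains for ip6 …
}
EOF
```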
|