wan-firewall: fix and clean up
- use -A (append) instead of -I (insert). This makes sure the rule order is correct. This fixes #421. - use uci to determine the correct wan interface. This is the reason why #421 only occurred on the wr1043. Now the firewall rule applies to all routers. - remove old and unused rules Signed-off-by: Tim Niemeyer <tim.niemeyer@mastersword.de>
This commit is contained in:
parent
92593b44cf
commit
3622ea8cb5
@ -1,50 +1,11 @@
#!/bin/sh
#iptables -F
#
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
#
#for proto in tcp udp
#do
# for port in 53 666 655
# do
# iptables -A OUTPUT -p $proto --dport $port -j ACCEPT
# iptables -A OUTPUT -p $proto --sport $port -j ACCEPT
# iptables -A INPUT -p $proto --dport $port -j ACCEPT
# iptables -A INPUT -p $proto --sport $port -j ACCEPT
# done
#done
#
#iptables -A OUTPUT -p icmp -j ACCEPT
#iptables -A INPUT -p icmp -j ACCEPT
#
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#
#
#iptables -A OUTPUT -p tcp --sport 1024: -j ACCEPT
#iptables -A OUTPUT -p udp --sport 1024: -j ACCEPT
# mastersword.de
#iptables -A OUTPUT -p tcp -d 78.46.215.78 -j ACCEPT
#iptables -A INPUT -p tcp -s 78.46.215.78 -j ACCEPT
# gw1.freifunk-ol.de
#iptables -A OUTPUT -p tcp -d 178.33.33.102 -j ACCEPT
#iptables -A INPUT -p tcp -s 178.33.33.102 -j ACCEPT
# freifunk-ol.de
#iptables -A OUTPUT -p tcp -d 178.33.33.208 -j ACCEPT
#iptables -A INPUT -p tcp -s 178.33.33.208 -j ACCEPT
#Masquerade interface for gateway
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#solves MTU problem with bad ISP´s
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Wenn ein router direkt am Netz hängt, ist er auch ssh Angriffen ausgesetzt.
# Das wirkt bei kleinen Geräten wir ein DOS
iptables -I INPUT -i eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i eth0.2 -j DROP
WAN=$(uci get network.wan.ifname)
iptables -A INPUT -i $WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN -j REJECT
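Review bot: The new `WAN=$(uci get network.wan.ifname)` is never checked, so on a device without a `network.wan` section (or when uci fails) `$WAN` expands to nothing, the `-i` option in both iptables calls below is left without its argument, both rules fail to install, and the WAN side ends up with neither the ACCEPT nor the REJECT rule — the script fails open rather than closed. The unquoted `$WAN` would also word-split if `ifname` ever held more than one name, which iptables cannot accept for a single `-i`. I'd read it quietly and abort loudly before touching iptables: `WAN=$(uci -q get network.wan.ifname)` followed by `[ -n "$WAN" ] || { echo "wan-firewall: network.wan.ifname not set" >&2; exit 1; }`, and quote `"$WAN"` in both rules. Whether a non-zero exit from this script is acceptable to whatever hook runs it at boot is not visible on this page and should be confirmed.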