Home Explore Help
Register Sign In
wareck
/
openwrt_chaos_calmer
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c3df3ea581
Branches Tags
openwrt_chaos_c...
/
package
/
network
/
config
/
firewall
/
files
/
firewall.config

firewall.config 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195 
  1. config defaults
    2. 

  2. 	option syn_flood	1
    3. 

  3. 	option input		ACCEPT
    4. 

  4. 	option output		ACCEPT
    5. 

  5. 	option forward		REJECT
    6. 

  6. # Uncomment this line to disable ipv6 rules
    7. 

  7. #	option disable_ipv6	1
    8. 

  8. 

  9. config zone
    10. 

  10. 	option name		lan
    11. 

  11. 	list   network		'lan'
    12. 

  12. 	option input		ACCEPT
    13. 

  13. 	option output		ACCEPT
    14. 

  14. 	option forward		ACCEPT
    15. 

  15. 

  16. config zone
    17. 

  17. 	option name		wan
    18. 

  18. 	list   network		'wan'
    19. 

  19. 	list   network		'wan6'
    20. 

  20. 	option input		REJECT
    21. 

  21. 	option output		ACCEPT
    22. 

  22. 	option forward		REJECT
    23. 

  23. 	option masq		1
    24. 

  24. 	option mtu_fix		1
    25. 

  25. 

  26. config forwarding
    27. 

  27. 	option src		lan
    28. 

  28. 	option dest		wan
    29. 

  29. 

  30. # We need to accept udp packets on port 68,
    31. 

  31. # see https://dev.openwrt.org/ticket/4108
    32. 

  32. config rule
    33. 

  33. 	option name		Allow-DHCP-Renew
    34. 

  34. 	option src		wan
    35. 

  35. 	option proto		udp
    36. 

  36. 	option dest_port	68
    37. 

  37. 	option target		ACCEPT
    38. 

  38. 	option family		ipv4
    39. 

  39. 

  40. # Allow IPv4 ping
    41. 

  41. config rule
    42. 

  42. 	option name		Allow-Ping
    43. 

  43. 	option src		wan
    44. 

  44. 	option proto		icmp
    45. 

  45. 	option icmp_type	echo-request
    46. 

  46. 	option family		ipv4
    47. 

  47. 	option target		ACCEPT
    48. 

  48. 

  49. config rule
    50. 

  50. 	option name		Allow-IGMP
    51. 

  51. 	option src		wan
    52. 

  52. 	option proto		igmp
    53. 

  53. 	option family		ipv4
    54. 

  54. 	option target		ACCEPT
    55. 

  55. 

  56. # Allow DHCPv6 replies
    57. 

  57. # see https://dev.openwrt.org/ticket/10381
    58. 

  58. config rule
    59. 

  59. 	option name		Allow-DHCPv6
    60. 

  60. 	option src		wan
    61. 

  61. 	option proto		udp
    62. 

  62. 	option src_ip		fe80::/10
    63. 

  63. 	option src_port		547
    64. 

  64. 	option dest_ip		fe80::/10
    65. 

  65. 	option dest_port	546
    66. 

  66. 	option family		ipv6
    67. 

  67. 	option target		ACCEPT
    68. 

  68. 

  69. config rule
    70. 

  70. 	option name		Allow-MLD
    71. 

  71. 	option src		wan
    72. 

  72. 	option proto		icmp
    73. 

  73. 	option src_ip		fe80::/10
    74. 

  74. 	list icmp_type		'130/0'
    75. 

  75. 	list icmp_type		'131/0'
    76. 

  76. 	list icmp_type		'132/0'
    77. 

  77. 	list icmp_type		'143/0'
    78. 

  78. 	option family		ipv6
    79. 

  79. 	option target		ACCEPT
    80. 

  80. 

  81. # Allow essential incoming IPv6 ICMP traffic
    82. 

  82. config rule
    83. 

  83. 	option name		Allow-ICMPv6-Input
    84. 

  84. 	option src		wan
    85. 

  85. 	option proto	icmp
    86. 

  86. 	list icmp_type		echo-request
    87. 

  87. 	list icmp_type		echo-reply
    88. 

  88. 	list icmp_type		destination-unreachable
    89. 

  89. 	list icmp_type		packet-too-big
    90. 

  90. 	list icmp_type		time-exceeded
    91. 

  91. 	list icmp_type		bad-header
    92. 

  92. 	list icmp_type		unknown-header-type
    93. 

  93. 	list icmp_type		router-solicitation
    94. 

  94. 	list icmp_type		neighbour-solicitation
    95. 

  95. 	list icmp_type		router-advertisement
    96. 

  96. 	list icmp_type		neighbour-advertisement
    97. 

  97. 	option limit		1000/sec
    98. 

  98. 	option family		ipv6
    99. 

  99. 	option target		ACCEPT
    100. 

  100. 

  101. # Allow essential forwarded IPv6 ICMP traffic
    102. 

  102. config rule
    103. 

  103. 	option name		Allow-ICMPv6-Forward
    104. 

  104. 	option src		wan
    105. 

  105. 	option dest		*
    106. 

  106. 	option proto		icmp
    107. 

  107. 	list icmp_type		echo-request
    108. 

  108. 	list icmp_type		echo-reply
    109. 

  109. 	list icmp_type		destination-unreachable
    110. 

  110. 	list icmp_type		packet-too-big
    111. 

  111. 	list icmp_type		time-exceeded
    112. 

  112. 	list icmp_type		bad-header
    113. 

  113. 	list icmp_type		unknown-header-type
    114. 

  114. 	option limit		1000/sec
    115. 

  115. 	option family		ipv6
    116. 

  116. 	option target		ACCEPT
    117. 

  117. 

  118. # include a file with users custom iptables rules
    119. 

  119. config include
    120. 

  120. 	option path /etc/firewall.user
    121. 

  121. 

  122. 

  123. ### EXAMPLE CONFIG SECTIONS
    124. 

  124. # do not allow a specific ip to access wan
    125. 

  125. #config rule
    126. 

  126. #	option src		lan
    127. 

  127. #	option src_ip	192.168.45.2
    128. 

  128. #	option dest		wan
    129. 

  129. #	option proto	tcp
    130. 

  130. #	option target	REJECT
    131. 

  131. 

  132. # block a specific mac on wan
    133. 

  133. #config rule
    134. 

  134. #	option dest		wan
    135. 

  135. #	option src_mac	00:11:22:33:44:66
    136. 

  136. #	option target	REJECT
    137. 

  137. 

  138. # block incoming ICMP traffic on a zone
    139. 

  139. #config rule
    140. 

  140. #	option src		lan
    141. 

  141. #	option proto	ICMP
    142. 

  142. #	option target	DROP
    143. 

  143. 

  144. # port redirect port coming in on wan to lan
    145. 

  145. #config redirect
    146. 

  146. #	option src			wan
    147. 

  147. #	option src_dport	80
    148. 

  148. #	option dest			lan
    149. 

  149. #	option dest_ip		192.168.16.235
    150. 

  150. #	option dest_port	80
    151. 

  151. #	option proto		tcp
    152. 

  152. 

  153. # port redirect of remapped ssh port (22001) on wan
    154. 

  154. #config redirect
    155. 

  155. #	option src		wan
    156. 

  156. #	option src_dport	22001
    157. 

  157. #	option dest		lan
    158. 

  158. #	option dest_port	22
    159. 

  159. #	option proto		tcp
    160. 

  160. 

  161. # allow IPsec/ESP and ISAKMP passthrough
    162. 

  162. config rule
    163. 

  163. 	option src		wan
    164. 

  164. 	option dest		lan
    165. 

  165. 	option proto		esp
    166. 

  166. 	option target		ACCEPT
    167. 

  167. 

  168. config rule
    169. 

  169. 	option src		wan
    170. 

  170. 	option dest		lan
    171. 

  171. 	option dest_port	500
    172. 

  172. 	option proto		udp
    173. 

  173. 	option target		ACCEPT
    174. 

  174. 

  175. ### FULL CONFIG SECTIONS
    176. 

  176. #config rule
    177. 

  177. #	option src		lan
    178. 

  178. #	option src_ip	192.168.45.2
    179. 

  179. #	option src_mac	00:11:22:33:44:55
    180. 

  180. #	option src_port	80
    181. 

  181. #	option dest		wan
    182. 

  182. #	option dest_ip	194.25.2.129
    183. 

  183. #	option dest_port	120
    184. 

  184. #	option proto	tcp
    185. 

  185. #	option target	REJECT
    186. 

  186. 

  187. #config redirect
    188. 

  188. #	option src		lan
    189. 

  189. #	option src_ip	192.168.45.2
    190. 

  190. #	option src_mac	00:11:22:33:44:55
    191. 

  191. #	option src_port		1024
    192. 

  192. #	option src_dport	80
    193. 

  193. #	option dest_ip	194.25.2.129
    194. 

  194. #	option dest_port	120
    195. 

  195. #	option proto	tcp
    196.