The newer UCI firewall doesn't seem to support protocols, and the original firewall scripts have an apparent bug wherein they flush the rules in firewall.user after running rules from the init script. Here are corrected scripts based on what I'm using with my work routers.

----- WHITE RUSSIAN /etc/init.d/S35firewall -----
#!/bin/sh

## Please make changes in /etc/firewall.user
## Modified 12-24-2008 by madams@ezrac.com w/new flush rules

# Load the shared OpenWrt shell helpers, then read the interface names from
# NVRAM. The script later tests $WAN and $WANDEV for emptiness, so an unset
# NVRAM variable (empty result) is an expected case.
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
WANDEV=$(nvram get wan_device)
LAN=$(nvram get lan_ifname)

## CLEAR TABLES
# Empty the five hook chains by name, then flush every chain and delete every
# user-defined chain in the filter and nat tables. On a first run the hook
# chains do not exist yet (they are created further down), so the by-name
# flushes are expected to report errors then.
# Built-in chain policies are not touched here; whatever policy was active
# stays in force until the --policy commands later in the script.
iptables --flush input_rule
iptables --flush output_rule
iptables --flush forwarding_rule
iptables --flush input_wan
iptables --flush forwarding_wan
for T in filter nat; do
  iptables --table "$T" --flush
  iptables --table "$T" --delete-chain
done

## NEW RULES
# Hook chains in the filter table; they start empty and are filled by
# /etc/firewall.user and the /etc/config/firewall rules.
iptables --new-chain input_rule
iptables --new-chain input_wan
iptables --new-chain output_rule
iptables --new-chain forwarding_rule
iptables --new-chain forwarding_wan

## NEW NAT RULES
# Hook chains in the nat table, plus NEW (the connection rate limiter).
iptables --table nat --new-chain NEW
iptables --table nat --new-chain prerouting_wan
iptables --table nat --new-chain prerouting_rule
iptables --table nat --new-chain postrouting_rule

## Promiscuous LAN access
# LAN_ACCEPT hands packets that arrived on the WAN interface(s) back to the
# calling chain (RETURN) and accepts everything else.
# NOTE(review): when WAN and WANDEV are both empty no RETURN rule is added, so
# the chain accepts traffic from every interface. Confirm the NVRAM values are
# always set on routers that have a WAN port.
iptables --new-chain LAN_ACCEPT
if [ -n "$WAN" ]; then
  iptables --append LAN_ACCEPT --in-interface "$WAN" --jump RETURN
fi
# Only add a second RETURN when the physical device differs from the logical
# WAN interface.
if [ -n "$WANDEV" ] && [ "$WANDEV" != "$WAN" ]; then
  iptables --append LAN_ACCEPT --in-interface "$WANDEV" --jump RETURN
fi
iptables --append LAN_ACCEPT --jump ACCEPT

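### INPUT
###  (connections with the router as destination)

  # base case: default-deny policy, discard INVALID packets, pass traffic that
  # belongs to connections the state match already knows
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # drop TCP SYN segments that do not carry TCP option 2 (maximum segment size)
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule
  # Skip the WAN hook when no WAN interface is known: an empty $WAN would
  # otherwise expand to a malformed iptables command line. This matches the
  # guard the Kamikaze script uses.
  [ -z "$WAN" ] || iptables -A INPUT -i "$WAN" -j input_wan

  # allow
  iptables -A INPUT -j LAN_ACCEPT               # allow from lan/wifi interfaces
  # NOTE(review): the next two rules have no interface match, so ICMP and GRE
  # addressed to the router are accepted on every interface, WAN included.
  iptables -A INPUT -p icmp -j ACCEPT           # allow ICMP
  iptables -A INPUT -p gre -j ACCEPT            # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable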

### OUTPUT
### (connections with the router as source)

  # base case: DROP policy, discard INVALID packets, pass established traffic
  iptables --policy OUTPUT DROP
  iptables --append OUTPUT --match state --state INVALID --jump DROP
  iptables --append OUTPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT

  #
  # hook chain for user-supplied output rules
  #
  iptables --append OUTPUT --jump output_rule

  # allow: everything the router itself sends is accepted here
  iptables --append OUTPUT --jump ACCEPT

  # reject (kept from the original): the accept-all rule above is terminal,
  # so packets never reach these two rules, nor any rule appended to OUTPUT
  # after this point
  iptables --append OUTPUT --protocol tcp --jump REJECT --reject-with tcp-reset
  iptables --append OUTPUT --jump REJECT --reject-with icmp-port-unreachable

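### FORWARDING
### (connections routed through the router)

  # base case: default-deny policy, discard INVALID packets, clamp the MSS of
  # forwarded SYN segments to the path MTU, pass established traffic
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule
  # Interface-specific rules are skipped when the interface name is empty: an
  # empty value would otherwise expand to a malformed iptables command line.
  # The WAN guard matches the one the Kamikaze script uses.
  [ -z "$WAN" ] || iptables -A FORWARD -i "$WAN" -j forwarding_wan

  # allow: LAN to LAN, and LAN out to WAN
  [ -z "$LAN" ] || iptables -A FORWARD -i "$LAN" -o "$LAN" -j ACCEPT
  [ -z "$LAN" ] || [ -z "$WAN" ] || iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP
  # Rules that a later script appends directly to FORWARD are still reached,
  # because this chain has no terminal rule of its own.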

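### MASQ
  # Every packet in state NEW entering nat PREROUTING goes through the NEW
  # chain (the rate limiter below) before the hook chains are consulted.
  iptables -t nat -A PREROUTING -m state --state NEW -j NEW
  iptables -t nat -A PREROUTING -j prerouting_rule
  # WAN-specific rules are skipped when no WAN interface is known: an empty
  # $WAN would otherwise expand to a malformed iptables command line. This
  # matches the guard the Kamikaze script uses.
  [ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan

  iptables -t nat -A POSTROUTING -j postrouting_rule
  [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

  # NEW chain: let new connections through at a limited rate (no unit is given;
  # iptables reads a bare number as per second) with a burst of 100, and drop
  # the excess. The DROP rule is only added when the limit rule was accepted,
  # so a failed limit rule cannot leave a chain that drops everything.
  # The limit is a single shared bucket: the rule has no interface or source
  # match, so a flood of new connections from one side also uses up the
  # allowance of every other client.
  # NOTE(review): later iptables releases refuse DROP in the nat table; confirm
  # this still loads on the target firmware.
  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
        iptables -t nat -A NEW -j DROP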

## USER RULES
# Both inputs below are executed as shell code by this init script:
# /etc/firewall.user is sourced directly, and the text that firewall.awk
# generates from /etc/config/firewall is piped into ash.
# NOTE(review): keep all three files writable by root only; how firewall.awk
# escapes values taken from the config file is not visible here.
if [ -f /etc/firewall.user ]; then
  . /etc/firewall.user
fi
[ -e /etc/config/firewall ] &&
  awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash

----- KAMIKAZE /etc/init.d/firewall -----
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
# Modified 12-24-2008 by madams@ezrac.com

## Please make changes in /etc/firewall.user
# Boot sequence number read by /etc/rc.common; it sets where this script runs
# in the start order.
# NOTE(review): presumably chosen so the network is configured first - confirm.
START=45
start() {
        local chain

        # Load the network helpers and read the interface names from the
        # runtime network state. WAN, WANDEV and LAN are plain globals, as in
        # the original, and are therefore visible to the sourced
        # /etc/firewall.user.
        include /lib/network
        scan_interfaces
        config_load /var/state/network

        config_get WAN wan ifname
        config_get WANDEV wan device
        config_get LAN lan ifname

        ## CLEAR TABLES
        # Empty the hook chains by name, then flush every chain and delete
        # every user-defined chain in both tables. On a first run the hook
        # chains do not exist yet, so the by-name flushes are expected to
        # report errors then. Built-in policies are not changed here.
        for chain in input_rule output_rule forwarding_rule input_wan forwarding_wan; do
                iptables -F "$chain"
        done
        for T in filter nat; do
                iptables -t "$T" -F
                iptables -t "$T" -X
        done

        ## HOOK CHAINS
        # Created empty; filled by /etc/firewall.user and /etc/config/firewall.
        for chain in input_rule input_wan output_rule forwarding_rule forwarding_wan; do
                iptables -N "$chain"
        done
        for chain in NEW prerouting_rule prerouting_wan postrouting_rule; do
                iptables -t nat -N "$chain"
        done

        ## LAN_ACCEPT
        # RETURN for packets that arrived on the WAN interface(s), ACCEPT for
        # everything else.
        # NOTE(review): when WAN and WANDEV are both empty no RETURN rule is
        # added, so this chain accepts traffic from every interface.
        iptables -N LAN_ACCEPT
        if [ -n "$WAN" ]; then
                iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
        fi
        if [ -n "$WANDEV" ] && [ "$WANDEV" != "$WAN" ]; then
                iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
        fi
        iptables -A LAN_ACCEPT -j ACCEPT

        ### INPUT
        ###  (connections with the router as destination)

        # base case: default-deny, discard INVALID, pass established traffic,
        # drop TCP SYN segments without TCP option 2 (maximum segment size)
        iptables -P INPUT DROP
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP

        # hook chains; the WAN hook is skipped when no WAN interface is known
        iptables -A INPUT -j input_rule
        if [ -n "$WAN" ]; then
                iptables -A INPUT -i "$WAN" -j input_wan
        fi

        # allow
        iptables -A INPUT -j LAN_ACCEPT         # allow from lan/wifi interfaces
        # NOTE(review): no interface match on the next two rules, so ICMP and
        # GRE addressed to the router are accepted on every interface, WAN
        # included.
        iptables -A INPUT -p icmp -j ACCEPT     # allow ICMP
        iptables -A INPUT -p gre -j ACCEPT      # allow GRE

        # reject (what to do with anything not allowed earlier)
        iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

        ### OUTPUT
        ### (connections with the router as source)

        # base case
        iptables -P OUTPUT DROP
        iptables -A OUTPUT -m state --state INVALID -j DROP
        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

        # hook chain
        iptables -A OUTPUT -j output_rule

        # allow everything out
        iptables -A OUTPUT -j ACCEPT

        # reject (kept from the original): the accept-all rule above is
        # terminal, so packets never reach these two rules, nor any rule
        # appended to OUTPUT later
        iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

        ### FORWARDING
        ### (connections routed through the router)

        # base case: default-deny, discard INVALID, clamp the MSS of forwarded
        # SYN segments to the path MTU, pass established traffic
        iptables -P FORWARD DROP
        iptables -A FORWARD -m state --state INVALID -j DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

        # hook chains
        iptables -A FORWARD -j forwarding_rule
        if [ -n "$WAN" ]; then
                iptables -A FORWARD -i "$WAN" -j forwarding_wan
        fi

        # allow: LAN to LAN, and LAN out to WAN
        # NOTE(review): $LAN is unguarded and unquoted exactly as in the
        # original; an empty value yields a malformed command line here.
        iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
        if [ -n "$WAN" ]; then
                iptables -A FORWARD -i $LAN -o "$WAN" -j ACCEPT
        fi

        # reject (what to do with anything not allowed earlier)
        # uses the default -P DROP

        ### MASQ
        # New TCP connections pass through the NEW rate limiter first.
        iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
        iptables -t nat -A PREROUTING -j prerouting_rule
        if [ -n "$WAN" ]; then
                iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
        fi
        iptables -t nat -A POSTROUTING -j postrouting_rule
        if [ -n "$WAN" ]; then
                iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
        fi

        # NEW chain: one shared rate limit with a burst of 100; the excess is
        # dropped. The DROP rule is only added when the limit rule was
        # accepted. The rule has no interface or source match, so a flood from
        # one side also uses up the allowance of every other client.
        # NOTE(review): later iptables releases refuse DROP in the nat table;
        # confirm this still loads on the target firmware.
        iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
                iptables -t nat -A NEW -j DROP

        ## USER RULES
        # Both inputs are executed as shell code: /etc/firewall.user is sourced
        # and the text firewall.awk generates from /etc/config/firewall is
        # piped into ash. Keep these files writable by root only.
        if [ -f /etc/firewall.user ]; then
                . /etc/firewall.user
        fi
        [ -n "$WAN" ] && [ -e /etc/config/firewall ] && {
                export WAN
                awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
        }
}

stop() {
        local chain

        # Filter table: open every built-in policy, then remove all rules and
        # all user-defined chains.
        # Note: after stop() the router filters nothing and no longer
        # masquerades; every built-in chain is left at ACCEPT with no rules.
        for chain in INPUT OUTPUT FORWARD; do
                iptables -P "$chain" ACCEPT
        done
        iptables -F
        iptables -X

        # nat table: same treatment.
        for chain in PREROUTING POSTROUTING OUTPUT; do
                iptables -t nat -P "$chain" ACCEPT
        done
        iptables -t nat -F
        iptables -t nat -X
}

----- /etc/firewall.user -----
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
# Modified 12-24-2008 by madams@ezrac.com

# Open SSH (22) and web (80) on the WAN side.
# Each port gets two rules: the filter-table rule in input_wan accepts the
# connection to the router itself, and the nat-table ACCEPT in prerouting_wan
# ends nat PREROUTING processing for it (presumably so that port forwards
# added later to that chain cannot redirect these ports - confirm).
# NOTE(review): neither rule has a source match, so whatever listens on these
# ports on the router is reachable from every address on the WAN side. If
# management is only needed from known networks, add a source match such as
# --source <TRUSTED_NET> (placeholder) to both rules for that port.
iptables --table nat --append prerouting_wan --protocol tcp --dport 22 --jump ACCEPT
iptables             --append input_wan      --protocol tcp --dport 22 --jump ACCEPT
iptables --table nat --append prerouting_wan --protocol tcp --dport 80 --jump ACCEPT
iptables             --append input_wan      --protocol tcp --dport 80 --jump ACCEPT

# Allow OSPF (IP protocol 89).
# input_rule is reached from INPUT without an interface match, so the first
# rule accepts protocol 89 on every interface, WAN included.
# The OUTPUT rule is appended after the init script's accept-all OUTPUT rule
# and is therefore never reached; it is kept as in the original.
# The FORWARD rule is appended to the end of FORWARD and is reached: it lets
# protocol 89 be routed between any two interfaces.
# NOTE(review): confirm that forwarding protocol 89 is intended; add interface
# matches if it should only be accepted on specific links.
iptables --append input_rule -p 89 --jump ACCEPT
iptables --append OUTPUT -p 89 --jump ACCEPT
iptables --append FORWARD -p 89 --jump ACCEPT

# Access to tinc on the router (port 655, TCP and UDP).
# input_rule is reached from INPUT without an interface match, so port 655 is
# accepted on every interface, WAN included.
# The OUTPUT rules are appended after the init script's accept-all OUTPUT rule
# and are therefore never reached; they are kept as in the original.
iptables --append input_rule --protocol tcp --dport 655 --jump ACCEPT
iptables --append OUTPUT --protocol tcp --dport 655 --jump ACCEPT
iptables --append input_rule --protocol udp --dport 655 --jump ACCEPT
iptables --append OUTPUT --protocol udp --dport 655 --jump ACCEPT

-----