Home Explore Help
Sign In
OpenWrt
/
openwrt
mirror of https://github.com/openwrt/openwrt.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: cdc70d84ce
Branches Tags
openwrt
/
package
/
firewall
/
files
/
firewall.config

firewall.config 2.9 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139 
  1. config defaults
    2. 

  2. 	option syn_flood	1
    3. 

  3. 	option input		ACCEPT
    4. 

  4. 	option output		ACCEPT 
    5. 

  5. 	option forward		REJECT
    6. 

  6. # Uncomment this line to disable ipv6 rules
    7. 

  7. #	option disable_ipv6	1
    8. 

  8. 

  9. config zone
    10. 

  10. 	option name		lan
    11. 

  11. 	option network		'lan'
    12. 

  12. 	option input		ACCEPT 
    13. 

  13. 	option output		ACCEPT 
    14. 

  14. 	option forward		REJECT
    15. 

  15. 

  16. config zone
    17. 

  17. 	option name		wan
    18. 

  18. 	option network		'wan'
    19. 

  19. 	option input		REJECT
    20. 

  20. 	option output		ACCEPT 
    21. 

  21. 	option forward		REJECT
    22. 

  22. 	option masq		1 
    23. 

  23. 	option mtu_fix		1
    24. 

  24. 

  25. config forwarding 
    26. 

  26. 	option src      	lan
    27. 

  27. 	option dest     	wan
    28. 

  28. 

  29. # We need to accept udp packets on port 68,
    30. 

  30. # see https://dev.openwrt.org/ticket/4108
    31. 

  31. config rule
    32. 

  32. 	option src		wan
    33. 

  33. 	option proto		udp
    34. 

  34. 	option dest_port	68
    35. 

  35. 	option target		ACCEPT
    36. 

  36. 	option family		ipv4
    37. 

  37. 

  38. # Allow IPv4 ping
    39. 

  39. config rule
    40. 

  40. 	option src		wan
    41. 

  41. 	option proto		icmp
    42. 

  42. 	option icmp_type	echo-request
    43. 

  43. 	option family		ipv4
    44. 

  44. 	option target		ACCEPT
    45. 

  45. 

  46. # Allow essential incoming IPv6 ICMP traffic
    47. 

  47. config rule                                   
    48. 

  48. 	option src		wan
    49. 

  49. 	option dest		*
    50. 

  50. 	option proto		icmp
    51. 

  51. 	list icmp_type		echo-request
    52. 

  52. 	list icmp_type		destination-unreachable
    53. 

  53. 	list icmp_type		packet-too-big
    54. 

  54. 	list icmp_type		time-exceeded
    55. 

  55. 	list icmp_type		bad-header
    56. 

  56. 	list icmp_type		unknown-header-type
    57. 

  57. 	option limit		1000/sec
    58. 

  58. 	option family		ipv6
    59. 

  59. 	option target		ACCEPT
    60. 

  60. 

  61. # include a file with users custom iptables rules
    62. 

  62. config include
    63. 

  63. 	option path /etc/firewall.user
    64. 

  64. 

  65. 

  66. ### EXAMPLE CONFIG SECTIONS
    67. 

  67. # do not allow a specific ip to access wan
    68. 

  68. #config rule
    69. 

  69. #	option src		lan
    70. 

  70. #	option src_ip	192.168.45.2
    71. 

  71. #	option dest		wan
    72. 

  72. #	option proto	tcp
    73. 

  73. #	option target	REJECT 
    74. 

  74. 

  75. # block a specific mac on wan
    76. 

  76. #config rule
    77. 

  77. #	option dest		wan
    78. 

  78. #	option src_mac	00:11:22:33:44:66
    79. 

  79. #	option target	REJECT 
    80. 

  80. 

  81. # block incoming ICMP traffic on a zone
    82. 

  82. #config rule
    83. 

  83. #	option src		lan
    84. 

  84. #	option proto	ICMP
    85. 

  85. #	option target	DROP
    86. 

  86. 

  87. # port redirect port coming in on wan to lan
    88. 

  88. #config redirect
    89. 

  89. #	option src			wan
    90. 

  90. #	option src_dport	80
    91. 

  91. #	option dest			lan
    92. 

  92. #	option dest_ip		192.168.16.235
    93. 

  93. #	option dest_port	80 
    94. 

  94. #	option proto		tcp
    95. 

  95. 

  96. # port redirect of remapped ssh port (22001) on wan
    97. 

  97. #config redirect
    98. 

  98. #	option src		wan
    99. 

  99. #	option src_dport	22001
    100. 

  100. #	option dest		lan
    101. 

  101. #	option dest_port	22
    102. 

  102. #	option proto		tcp
    103. 

  103. 

  104. # allow IPsec/ESP and ISAKMP passthrough
    105. 

  105. #config rule
    106. 

  106. #	option src		wan
    107. 

  107. #	option dest		lan
    108. 

  108. #	option protocol		esp
    109. 

  109. #	option target		ACCEPT
    110. 

  110. 

  111. #config rule
    112. 

  112. #	option src		wan
    113. 

  113. #	option dest		lan
    114. 

  114. #	option src_port		500
    115. 

  115. #	option dest_port	500
    116. 

  116. #	option proto		udp
    117. 

  117. #	option target		ACCEPT
    118. 

  118. 

  119. ### FULL CONFIG SECTIONS
    120. 

  120. #config rule
    121. 

  121. #	option src		lan
    122. 

  122. #	option src_ip	192.168.45.2
    123. 

  123. #	option src_mac	00:11:22:33:44:55
    124. 

  124. #	option src_port	80
    125. 

  125. #	option dest		wan
    126. 

  126. #	option dest_ip	194.25.2.129
    127. 

  127. #	option dest_port	120
    128. 

  128. #	option proto	tcp
    129. 

  129. #	option target	REJECT 
    130. 

  130. 

  131. #config redirect
    132. 

  132. #	option src		lan
    133. 

  133. #	option src_ip	192.168.45.2
    134. 

  134. #	option src_mac	00:11:22:33:44:55
    135. 

  135. #	option src_port		1024
    136. 

  136. #	option src_dport	80
    137. 

  137. #	option dest_ip	194.25.2.129
    138. 

  138. #	option dest_port	120
    139. 

  139. #	option proto	tcp
    140.