| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206 |
- config defaults
- option syn_flood 1
- option input REJECT
- option output ACCEPT
- option forward REJECT
- # Uncomment this line to disable ipv6 rules
- # option disable_ipv6 1
- config zone
- option name lan
- list network 'lan'
- option input ACCEPT
- option output ACCEPT
- option forward ACCEPT
- config zone
- option name wan
- list network 'wan'
- list network 'wan6'
- option input REJECT
- option output ACCEPT
- option forward REJECT
- option masq 1
- option mtu_fix 1
- config forwarding
- option src lan
- option dest wan
- # We need to accept udp packets on port 68,
- # see https://dev.openwrt.org/ticket/4108
- config rule
- option name Allow-DHCP-Renew
- option src wan
- option proto udp
- option dest_port 68
- option target ACCEPT
- option family ipv4
- # Allow IPv4 ping
- config rule
- option name Allow-Ping
- option src wan
- option proto icmp
- option icmp_type echo-request
- option family ipv4
- option target ACCEPT
- config rule
- option name Allow-IGMP
- option src wan
- option proto igmp
- option family ipv4
- option target ACCEPT
- # Allow DHCPv6 replies
- # see https://github.com/openwrt/openwrt/issues/5066
- config rule
- option name Allow-DHCPv6
- option src wan
- option proto udp
- option dest_port 546
- option family ipv6
- option target ACCEPT
- config rule
- option name Allow-MLD
- option src wan
- option proto icmp
- option src_ip fe80::/10
- list icmp_type '130/0'
- list icmp_type '131/0'
- list icmp_type '132/0'
- list icmp_type '143/0'
- option family ipv6
- option target ACCEPT
- # Allow essential incoming IPv6 ICMP traffic
- config rule
- option name Allow-ICMPv6-Input
- option src wan
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- list icmp_type router-solicitation
- list icmp_type neighbour-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-advertisement
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
- # Allow essential forwarded IPv6 ICMP traffic
- config rule
- option name Allow-ICMPv6-Forward
- option src wan
- option dest *
- option proto icmp
- list icmp_type echo-request
- list icmp_type echo-reply
- list icmp_type destination-unreachable
- list icmp_type packet-too-big
- list icmp_type time-exceeded
- list icmp_type bad-header
- list icmp_type unknown-header-type
- option limit 1000/sec
- option family ipv6
- option target ACCEPT
- config rule
- option name Allow-IPSec-ESP
- option src wan
- option dest lan
- option proto esp
- option target ACCEPT
- config rule
- option name Allow-ISAKMP
- option src wan
- option dest lan
- option dest_port 500
- option proto udp
- option target ACCEPT
- # allow interoperability with traceroute classic
- # note that traceroute uses a fixed port range, and depends on getting
- # back ICMP Unreachables. if we're operating in DROP mode, it won't
- # work so we explicitly REJECT packets on these ports.
- config rule
- option name Support-UDP-Traceroute
- option src wan
- option dest_port 33434:33689
- option proto udp
- option family ipv4
- option target REJECT
- option enabled 0
- # include a file with users custom iptables rules
- config include
- option path /etc/firewall.user
- ### EXAMPLE CONFIG SECTIONS
- # do not allow a specific ip to access wan
- #config rule
- # option src lan
- # option src_ip 192.168.45.2
- # option dest wan
- # option proto tcp
- # option target REJECT
- # block a specific mac on wan
- #config rule
- # option dest wan
- # option src_mac 00:11:22:33:44:66
- # option target REJECT
- # block incoming ICMP traffic on a zone
- #config rule
- # option src lan
- # option proto ICMP
- # option target DROP
- # port redirect port coming in on wan to lan
- #config redirect
- # option src wan
- # option src_dport 80
- # option dest lan
- # option dest_ip 192.168.16.235
- # option dest_port 80
- # option proto tcp
- # port redirect of remapped ssh port (22001) on wan
- #config redirect
- # option src wan
- # option src_dport 22001
- # option dest lan
- # option dest_port 22
- # option proto tcp
- ### FULL CONFIG SECTIONS
- #config rule
- # option src lan
- # option src_ip 192.168.45.2
- # option src_mac 00:11:22:33:44:55
- # option src_port 80
- # option dest wan
- # option dest_ip 194.25.2.129
- # option dest_port 120
- # option proto tcp
- # option target REJECT
- #config redirect
- # option src lan
- # option src_ip 192.168.45.2
- # option src_mac 00:11:22:33:44:55
- # option src_port 1024
- # option src_dport 80
- # option dest_ip 194.25.2.129
- # option dest_port 120
- # option proto tcp
|
