Firewall
Well, you know my attitude to the weird "complex" stuff guys tend to make from pure, clean and perfect-in-themselves iptables rules. I really can't get it. So here it is.
files/etc/init.d/iptables:

#!/bin/sh /etc/rc.common
# Copyright (C) 2008-2010 OpenWrt.org
# Copyright (C) 2011 ruslan.n.marchenko me(o)ruff.mobi

START=45

# Load the saved rulesets. Each file is optional; iptables-restore replaces
# the tables listed in the file in one step, so this is safe to re-run.
start() {
    test -f /etc/config/iptables &&\
    /usr/sbin/iptables-restore < /etc/config/iptables
    test -f /etc/config/ip6tables &&\
    /usr/sbin/ip6tables-restore < /etc/config/ip6tables
}

# Flush every chain in the filter, nat and mangle tables (chain policies are
# left as they were, so with ACCEPT policies this opens the box completely).
stop() {
    /usr/sbin/iptables -F
    /usr/sbin/iptables -F -t nat
    /usr/sbin/iptables -F -t mangle
    /usr/sbin/ip6tables -F
    /usr/sbin/ip6tables -F -t mangle
}

# Because restore is atomic, restart and reload are just another start().
restart() {
    start
}

reload() {
    start
}
And the rules themselves. The example below assumes an internal network 172.16.0.0/24 behind a DHCP-configured IPv4 WAN, and a set of published services that are DNATed to an internal server. This is a minimalistic ruleset; you can of course extend it with ICMP rate limiting and other bells and whistles:
files/etc/config/iptables:

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
# Published services: forward inbound WAN connections to the internal server
-A PREROUTING -i br-wan -p tcp -m multiport --dport 25,53,80,143,443 -j DNAT --to-destination 172.16.0.1
-A PREROUTING -i br-wan -p udp -m multiport --dport 53,4569,5060 -j DNAT --to-destination 172.16.0.1
# Masquerade everything leaving the LAN through any non-LAN interface
-A POSTROUTING -s 172.16.0.0/24 ! -o br-lan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
# Terminate sit tunnel (6in4, IP protocol 41)
-A INPUT -p ipv6 -j ACCEPT
# Local permits
-A INPUT -i br-lan -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
# Published services (same port lists as the DNAT rules above)
-A FORWARD -p udp -m multiport --dport 53,4569,5060 -j ACCEPT
-A FORWARD -p tcp -m multiport --dport 25,53,80,143,443 -j ACCEPT
-A FORWARD -d 232.0.0.0/6 -j ACCEPT
# Outbound: FORWARD policy is ACCEPT, so only traffic heading into br-lan is filtered here
-A FORWARD -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-lan -j DROP
COMMIT

Sun Feb 21 18:10:52 2010 Upd.: Sat Dec 22 21:51:27 2012
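An added example, not part of the original post: a small Python checker for the iptables-restore format that cross-checks the nat DNAT port lists against the FORWARD ACCEPT lists and flags ACCEPT-policy INPUT/FORWARD chains that do not end in an unconditional DROP (as the FORWARD chain above does not, since it only drops traffic bound for br-lan). The ruleset embedded in it is constructed from the one above, with one udp port deliberately left out of the DNAT line so that the checker has something to report.

```python
from collections import defaultdict
# Constructed sample in iptables-restore format, modelled on the ruleset above;
# the udp DNAT line deliberately omits 4569 so the checker has something to report.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT
-A PREROUTING -i br-wan -p tcp -m multiport --dport 25,53,80,143,443 -j DNAT --to-destination 172.16.0.1
-A PREROUTING -i br-wan -p udp -m multiport --dport 53,5060 -j DNAT --to-destination 172.16.0.1
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
-A INPUT -j DROP
-A FORWARD -p udp -m multiport --dport 53,4569,5060 -j ACCEPT
-A FORWARD -p tcp -m multiport --dport 25,53,80,143,443 -j ACCEPT
-A FORWARD -o br-lan -j DROP
COMMIT
"""

def accepted_ports(rule_list, target):
    """{proto: dports} over rules jumping to `target` that match on --dport (multiport or single)."""
    out = defaultdict(set)
    for argv in rule_list:
        if "-j" in argv and argv[argv.index("-j") + 1] == target and "--dport" in argv:
            proto = argv[argv.index("-p") + 1]  # iptables requires -p whenever --dport is used
            out[proto] |= {int(p) for p in argv[argv.index("--dport") + 1].split(",")}
    return out

def check_ruleset(text):
    """Findings: DNAT/FORWARD port mismatches, and ACCEPT-policy INPUT/FORWARD lacking a final plain DROP."""
    table, policy, rules = None, {}, defaultdict(list)
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):                    # chain policy, e.g. :FORWARD ACCEPT
            chain, pol = line[1:].split()[:2]
            policy[table, chain] = pol
        elif line.startswith("-A "):                  # append rule; comments and COMMIT are skipped
            argv = line.split()
            rules[table, argv[1]].append(argv[2:])
    dnat = accepted_ports(rules["nat", "PREROUTING"], "DNAT")
    fwd = accepted_ports(rules["filter", "FORWARD"], "ACCEPT")
    findings = []
    for proto in sorted(set(dnat) | set(fwd)):
        findings += [f"DNAT {proto}/{p} has no FORWARD ACCEPT" for p in sorted(dnat[proto] - fwd[proto])]
        findings += [f"FORWARD accepts {proto}/{p} with no DNAT" for p in sorted(fwd[proto] - dnat[proto])]
    for chain in ("INPUT", "FORWARD"):
        if policy.get(("filter", chain)) == "ACCEPT" and rules["filter", chain][-1:] != [["-j", "DROP"]]:
            findings.append(f"filter {chain}: policy ACCEPT without an unconditional final DROP")
    return findings
```

Feed it the real file with `check_ruleset(open("/etc/config/iptables").read())` before running iptables-restore; an empty list means the two port lists agree and both inbound chains end in a catch-all DROP.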