| 1 | config defaults |
| 2 | option syn_flood 1 |
| 3 | option input ACCEPT |
| 4 | option output ACCEPT |
| 5 | option forward REJECT |
| 6 | |
| 7 | config zone |
| 8 | option name lan |
| 9 | option input ACCEPT |
| 10 | option output ACCEPT |
| 11 | option forward REJECT |
| 12 | |
| 13 | config zone |
| 14 | option name wan |
| 15 | option input REJECT |
| 16 | option output ACCEPT |
| 17 | option forward REJECT |
| 18 | option masq 1 |
| 19 | option mtu_fix 1 |
| 20 | |
| 21 | config forwarding |
| 22 | option src lan |
| 23 | option dest wan |
| 24 | |
| 25 | # We need to accept udp packets on port 68 (the DHCP client port) so that DHCP replies reach the router on wan, |
| 26 | # see https://dev.openwrt.org/ticket/4108 |
| 27 | config rule |
| 28 | option src wan |
| 29 | option proto udp |
| 30 | option dest_port 68 |
| 31 | option target ACCEPT |
| 32 | |
| 33 | # Allow ping (ICMP echo-request) from wan |
| 34 | config rule |
| 35 | option src wan |
| 36 | option proto icmp |
| 37 | option icmp_type echo-request |
| 38 | option target ACCEPT |
| 39 | |
| 40 | # include a file with the user's custom iptables rules (the file is interpreted as a shell script, so keep it writable by root only) |
| 41 | config include |
| 42 | option path /etc/firewall.user |
| 43 | |
| 44 | |
| 45 | ### EXAMPLE CONFIG SECTIONS |
| 46 | # do not allow a specific ip to access wan (as written, only tcp is rejected; other protocols are still forwarded) |
| 47 | #config rule |
| 48 | # option src lan |
| 49 | # option src_ip 192.168.45.2 |
| 50 | # option dest wan |
| 51 | # option proto tcp |
| 52 | # option target REJECT |
| 53 | |
| 54 | # block a specific mac from reaching wan (a MAC address is easy to change, so do not rely on this as access control) |
| 55 | #config rule |
| 56 | # option dest wan |
| 57 | # option src_mac 00:11:22:33:44:66 |
| 58 | # option target REJECT |
| 59 | |
| 60 | # block incoming ICMP traffic on a zone (this drops every ICMP type; add icmp_type to narrow it) |
| 61 | #config rule |
| 62 | # option src lan |
| 63 | # option proto ICMP |
| 64 | # option target DROP |
| 65 | |
| 66 | # redirect a port coming in on wan to a host on lan (this exposes that lan host's port to the wan side) |
| 67 | #config redirect |
| 68 | # option src wan |
| 69 | # option src_dport 80 |
| 70 | # option dest lan |
| 71 | # option dest_ip 192.168.16.235 |
| 72 | # option dest_port 80 |
| 73 | # option proto tcp |
| 74 | |
| 75 | |
| 76 | ### FULL CONFIG SECTIONS |
| 77 | #config rule |
| 78 | # option src lan |
| 79 | # option src_ip 192.168.45.2 |
| 80 | # option src_mac 00:11:22:33:44:55 |
| 81 | # option src_port 80 |
| 82 | # option dest wan |
| 83 | # option dest_ip 194.25.2.129 |
| 84 | # option dest_port 120 |
| 85 | # option proto tcp |
| 86 | # option target REJECT |
| 87 | |
| 88 | #config redirect |
| 89 | # option src lan |
| 90 | # option src_ip 192.168.45.2 |
| 91 | # option src_mac 00:11:22:33:44:55 |
| 92 | # option src_port 1024 |
| 93 | # option src_dport 80 |
| 94 | # option dest_ip 194.25.2.129 |
| 95 | # option dest_port 120 |
| 96 | # option proto tcp |
| 97 | |