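# OpenWrt UCI firewall configuration.
# Stanzas are read in order: global defaults, zones, inter-zone forwarding,
# explicit rules, then the user include. Everything from the
# "EXAMPLE CONFIG SECTIONS" marker onwards is commented out and only
# documents the syntax.

# Global defaults: chain policies used where no zone matches.
# syn_flood 1 enables the firewall's SYN-flood protection.
# Traffic to/from the router itself is accepted; traffic forwarded between
# zones is rejected unless a 'config forwarding' section grants it.
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	# Uncomment to stop generating IPv6 (ip6tables) rules. While this stays
	# commented out, the zone policies below are applied to IPv6 as well.
	# option disable_ipv6 1

# Trusted LAN zone: the router accepts all input from and output to the LAN.
# 'forward' here governs traffic forwarded between networks of this zone;
# forwarding to other zones is granted separately by 'config forwarding'.
config zone
	option name lan
	option input ACCEPT
	option output ACCEPT
	option forward REJECT

# Untrusted WAN zone: unsolicited inbound traffic to the router is rejected,
# outbound traffic is allowed. masq 1 masquerades (NATs) traffic leaving via
# this zone; mtu_fix 1 clamps the TCP MSS to the path MTU (needed on
# PPPoE/tunnel uplinks).
# REJECT answers probes with an ICMP/TCP error; use DROP instead if the
# router should not reveal itself to port scans.
config zone
	option name wan
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

# Let LAN clients reach the WAN. No wan->lan forwarding is defined, so
# inbound forwarding stays at the REJECT default.
config forwarding
	option src lan
	option dest wan

# Accept DHCP replies from the WAN: the router's DHCP client listens on
# UDP/68 and the wan input policy would otherwise reject offers/acks.
# IPv4 only - DHCPv6 (UDP/546) is not covered by this rule.
# See https://dev.openwrt.org/ticket/4108
config rule
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow ping (ICMP echo-request) from the WAN. No 'family' is set, so this
# applies to both IPv4 and IPv6, and no rate limit is applied to it.
# NOTE(review): only echo-request is admitted; ICMPv6 neighbour discovery and
# router advertisements are not allowed by any rule in this file - confirm
# that the installed firewall version adds them implicitly, otherwise IPv6 on
# the wan zone will not come up.
config rule
	option src wan
	option proto icmp
	option icmp_type echo-request
	option target ACCEPT

# Include the user's custom iptables rules.
# The included file is sourced as a shell script by the firewall (which runs
# as root), so it must be owned by root and writable only by root.
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# All stanzas below are commented out; copy one, uncomment it and adjust the
# addresses. The IP and MAC values are placeholders, not real hosts.

# Reject TCP from one LAN host (matched by source IP) towards the WAN.
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option dest wan
#	option proto tcp
#	option target REJECT

# Reject traffic towards the WAN from one host, matched by source MAC.
#config rule
#	option dest wan
#	option src_mac 00:11:22:33:44:66
#	option target REJECT

# Drop all ICMP arriving from the lan zone (DROP sends no error back,
# unlike REJECT).
#config rule
#	option src lan
#	option proto ICMP
#	option target DROP

# Port forward (DNAT): TCP/80 arriving on the wan zone is redirected to
# 192.168.16.235:80 in the lan zone.
#config redirect
#	option src wan
#	option src_dport 80
#	option dest lan
#	option dest_ip 192.168.16.235
#	option dest_port 80
#	option proto tcp


### FULL CONFIG SECTIONS
# All options accepted by a 'rule' and a 'redirect' section, with sample
# values. src_* options match the packet as it arrives, dest_* options match
# its destination.
#config rule
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 80
#	option dest wan
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp
#	option target REJECT

#config redirect
#	option src lan
#	option src_ip 192.168.45.2
#	option src_mac 00:11:22:33:44:55
#	option src_port 1024
#	option src_dport 80
#	option dest_ip 194.25.2.129
#	option dest_port 120
#	option proto tcp
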