# Global defaults: chain policies that apply wherever a zone below does
# not set its own, plus SYN-flood protection.
config defaults
	option syn_flood	'1'
	# INPUT/OUTPUT (traffic to and from the router itself)
	option input		'ACCEPT'
	option output		'ACCEPT'
	# FORWARD: nothing crosses zones unless a forwarding/rule stanza permits it
	option forward		'REJECT'
	# Uncomment this line to disable ipv6 rules
	# option disable_ipv6 1

# Zone 'lan': the trusted side. Hosts here may talk to the router and the
# router may answer. The zone's own forward policy is REJECT; lan -> wan
# is granted by the explicit 'config forwarding' stanza further down.
config zone
	option name		'lan'
	option network		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'REJECT'

# Zone 'wan': the untrusted side. Unsolicited traffic to the router is
# rejected; only the explicit 'config rule' stanzas below (DHCP, ping,
# ICMPv6) open holes, and no forwarding into lan is defined.
config zone
	option name		'wan'
	option network		'wan'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	# source-NAT (masquerade) traffic leaving through this zone
	option masq		'1'
	# clamp TCP MSS to the path MTU for traffic crossing this zone
	option mtu_fix		'1'

# Permit forwarding from lan to wan. This is the only forwarding stanza,
# so nothing is forwarded from wan into lan.
config forwarding
	option src		'lan'
	option dest		'wan'

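# We need to accept udp packets on port 68 (DHCP replies to the router),
# see https://dev.openwrt.org/ticket/4108
# Narrowed to source port 67: DHCP servers and relays always send from 67
# (RFC 2131), so UDP from any other source port to 68 has no legitimate use
# and is left to the zone's REJECT policy.
config rule
	option src		'wan'
	option proto		'udp'
	option src_port		'67'
	option dest_port	'68'
	option target		'ACCEPT'
	option family		'ipv4'
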
# Allow IPv4 ping (echo-request) to the router from wan.
# NOTE(review): unlike the IPv6 ICMP rule below this one carries no
# 'option limit'; add one if echo floods from wan are a concern.
config rule
	option src		'wan'
	option family		'ipv4'
	option proto		'icmp'
	option icmp_type	'echo-request'
	option target		'ACCEPT'

# Allow essential incoming IPv6 ICMP traffic from wan, rate limited.
# 'dest *' presumably widens the match to any destination zone rather than
# only traffic addressed to the router — confirm against the firewall scripts.
# NOTE(review): router/neighbour solicitation and advertisement types are
# not listed; verify that NDP is admitted some other way, otherwise IPv6
# on wan may not autoconfigure.
config rule
	option src		'wan'
	option dest		'*'
	option family		'ipv6'
	option proto		'icmp'
	list icmp_type		'echo-request'
	list icmp_type		'destination-unreachable'
	list icmp_type		'packet-too-big'
	list icmp_type		'time-exceeded'
	list icmp_type		'bad-header'
	list icmp_type		'unknown-header-type'
	# rate limit shared by all of the types above
	option limit		'1000/sec'
	option target		'ACCEPT'

# include a file with the user's custom iptables rules
# NOTE(review): this file is presumably run by the firewall scripts as
# root, so write access to it is root-equivalent; keep it root-owned and
# not world-writable.
config include
	option path		'/etc/firewall.user'


### EXAMPLE CONFIG SECTIONS
# do not allow a specific IP to access wan
#config rule
#	option src		lan
#	option src_ip		192.168.45.2
#	option dest		wan
#	option proto		tcp
#	option target		REJECT

# block a specific MAC address on wan
#config rule
#	option dest		wan
#	option src_mac		00:11:22:33:44:66
#	option target		REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto		icmp
#	option target		DROP

# redirect a port coming in on wan to lan
#config redirect
#	option src		wan
#	option src_dport	80
#	option dest		lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of the remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

# allow IPsec/ESP and ISAKMP passthrough
# (the option is 'proto', as in every other rule in this file)
#config rule
#	option src		wan
#	option dest		lan
#	option proto		esp
#	option target		ACCEPT

#config rule
#	option src		wan
#	option dest		lan
#	option src_port		500
#	option dest_port	500
#	option proto		udp
#	option target		ACCEPT

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip		192.168.45.2
#	option src_mac		00:11:22:33:44:55
#	option src_port		80
#	option dest		wan
#	option dest_ip		194.25.2.129
#	option dest_port	120
#	option proto		tcp
#	option target		REJECT

#config redirect
#	option src		lan
#	option src_ip		192.168.45.2
#	option src_mac		00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip		194.25.2.129
#	option dest_port	120
#	option proto		tcp
