
# OpenWrt firewall configuration (UCI syntax). Zones group interfaces; the
# policy for each zone is input (to the router), output (from the router) and
# forward (between interfaces of the zone). Explicit "config rule" sections
# below punch the only holes in the wan zone's REJECT policy.

config defaults
    # SYN-flood protection for the router itself.
    option syn_flood 1
    option input ACCEPT
    option output ACCEPT
    # Default-deny for traffic between zones; forwarding must be opened
    # per zone pair (see the lan -> wan "config forwarding" section).
    option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1

# Trusted side: hosts on the lan network may reach the router freely.
config zone
    option name lan
    option network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward REJECT

# Untrusted side: nothing from wan reaches the router unless a rule below
# accepts it. masq enables NAT for traffic leaving through this zone;
# mtu_fix enables TCP MSS clamping on it.
config zone
    option name wan
    option network 'wan'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

# The only forwarding path that is opened: lan clients out to wan.
# There is deliberately no wan -> lan counterpart.
config forwarding
    option src lan
    option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# This is the DHCP client port: the router's own DHCP lease replies arrive
# from wan. The rule is restricted to udp/68 and IPv4 only.
config rule
    option src wan
    option proto udp
    option dest_port 68
    option target ACCEPT
    option family ipv4

# Allow IPv4 ping
# NOTE(review): unlike the IPv6 ICMP rules below, this rule carries no
# "option limit"; add one if unthrottled echo-request from wan is a concern.
config rule
    option src wan
    option proto icmp
    option icmp_type echo-request
    option family ipv4
    option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# IPv6 cannot operate without these types (path MTU discovery via
# packet-too-big, neighbour/router discovery via the solicitation types);
# the list is deliberately explicit rather than "all icmp", and rate-limited.
config rule
    option src wan
    option proto icmp
    list icmp_type echo-request
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    list icmp_type router-solicitation
    list icmp_type neighbour-solicitation
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# "dest *" applies this to traffic forwarded from wan into any zone.
# The link-local solicitation types of the previous rule are intentionally
# absent here: they are not forwarded.
config rule
    option src wan
    option dest *
    option proto icmp
    list icmp_type echo-request
    list icmp_type destination-unreachable
    list icmp_type packet-too-big
    list icmp_type time-exceeded
    list icmp_type bad-header
    list icmp_type unknown-header-type
    option limit 1000/sec
    option family ipv6
    option target ACCEPT

# include a file with users custom iptables rules
# Rules in this file are loaded as-is, outside the zone policy above; review
# it with the same care as this file when auditing the ruleset.
config include
    option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# Everything below is commented out. Addresses, ports and MAC values are
# sample values to be replaced, not defaults.

# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT

# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT

# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP

# port redirect port coming in on wan to lan
# Exposes a lan host to wan; the redirect is the inbound hole, no separate
# forwarding section is needed.
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp

# port redirect of remapped ssh port (22001) on wan
# Without dest_ip the redirect targets the router itself.
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp

# allow IPsec/ESP and ISAKMP passthrough
# The option key is "proto", as in every live rule above (the original
# example spelled it "protocol", which the firewall would not recognise).
#config rule
# option src wan
# option dest lan
# option proto esp
# option target ACCEPT

#config rule
# option src wan
# option dest lan
# option src_port 500
# option dest_port 500
# option proto udp
# option target ACCEPT

### FULL CONFIG SECTIONS
# Every match option a rule / redirect section supports, shown together.
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT

#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp



