redcomani.org/openwrt-files/etc/config/firewall

# Global chain policies. Every zone below sets its own input/output/
# forward policy, so these effectively only cover interfaces that are
# in no zone. syn_flood turns on the SYN-flood protection chain;
# forward REJECT means nothing is routed between zones unless a
# 'forwarding' section or an explicit rule allows it.
# NOTE(review): 'option drop_invalid 1' is not set. It is a cheap
# hardening for a WAN-facing router (drops conntrack INVALID packets);
# confirm nothing on this network relies on such packets before enabling.
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
# LAN zone: fully open towards the router. 'forward ACCEPT' here only
# covers traffic between interfaces of this same zone (there is just
# one, 'lan', listed); forwarding to other zones is still governed by
# the 'forwarding' section below.
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# WAN zone (IPv4 'wan' and IPv6 'wan6' interfaces). Unsolicited inbound
# traffic to the router is rejected; only the explicit Allow-* rules
# below punch holes. masq enables IPv4 source NAT for traffic leaving
# this zone; mtu_fix clamps TCP MSS to the path MTU, typically needed
# on PPPoE or tunnel uplinks.
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
# The only routed direction: lan -> wan. Return traffic is admitted by
# connection tracking; there is deliberately no wan -> lan entry, so
# anything inbound to the LAN needs an explicit rule or redirect.
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# (68 is the DHCP client port; the ticket explains why conntrack alone
# does not admit the server's replies to the router's own client.)
# No 'dest' option, so this is an input rule: it reaches the router
# only, never LAN hosts. Any WAN source may send to it.
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
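# Allow IPv4 ping
# Echo requests from the WAN to the router itself (no 'dest' => input
# rule). Rate-limited to match the Allow-ICMPv6-* rules below; packets
# above the limit fall through to the wan zone's REJECT policy, so a
# ping flood cannot consume the router unbounded.
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option limit 1000/sec
option target ACCEPT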
# IGMP from the WAN to the router (IPv4 multicast group membership,
# e.g. for IPTV uplinks). No source restriction, input rule only.
# NOTE(review): if nothing on this router joins multicast groups
# towards the WAN, this rule can be dropped.
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# Both source and destination are restricted to fc00::/6, which spans
# ULA (fc00::/7), link-local (fe80::/10) and multicast (ff00::/8) but
# no global unicast range (2000::/3), so only an on-link DHCPv6 server
# can match this rule; it is not reachable from the open Internet.
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fc00::/6
option dest_ip fc00::/6
option dest_port 546
option family ipv6
option target ACCEPT
# Multicast Listener Discovery, link-local sources only:
# ICMPv6 130 (MLD query), 131 (MLDv1 report), 132 (MLDv1 done),
# 143 (MLDv2 report). The fe80::/10 source filter means only an
# on-link sender can match; off-link hosts cannot trigger it.
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
# Error/path-MTU types, echo, and the NDP types (RS/RA/NS/NA) the
# router needs on its WAN link for SLAAC and neighbour resolution.
# Rate-limited; excess falls through to the wan zone's REJECT policy.
# Unlike Allow-MLD there is no source filter: error and echo messages
# legitimately arrive from any address, so one cannot be added here
# without also splitting the NDP types into their own rule.
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
# Same list minus the NDP types, forwarded from the WAN to any zone
# ('dest *'). Without packet-too-big etc. path-MTU discovery for LAN
# hosts breaks. Note that echo-request is included, so LAN hosts with
# global IPv6 addresses are pingable from the Internet (rate-limited).
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# IPsec ESP forwarded from any WAN source into the LAN zone (forward
# rule: 'dest lan'; no 'family', so IPv4 and IPv6 alike).
# NOTE(review): this is a hole towards every LAN host, not the router.
# For IPv4 behind NAT a packet still needs a matching redirect to reach
# a host, but with globally routed IPv6 LAN addresses ESP is exposed on
# all of them. Narrow with 'option dest_ip <host>' or remove the rule
# if no LAN host terminates IPsec.
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
# IKE/ISAKMP (UDP/500) forwarded from any WAN source into the LAN zone.
# Same caveat as Allow-IPSec-ESP: both address families, every LAN host
# unless restricted with 'option dest_ip'. NAT-T (UDP/4500) is not
# covered by this rule, so an IPsec peer behind NAT would need its own.
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
# include a file with users custom iptables rules
# /etc/firewall.user is run as a shell script (as root) on every
# firewall reload, after the rules generated from this file, so it can
# override any policy above. Treat it as privileged code: keep it
# root-owned and not writable by anyone else.
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS (all commented out, hence inactive; review addresses and ports before enabling — the redirect examples open the forwarded port to every WAN source)
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp