#!/bin/sh insmod /lib/modules/2.4.37/ipt_CONNMARK.o insmod /lib/modules/2.4.37/ipt_mark.o echo "`date` Flushing and adding new firewall rules" >> /var/log/messages IPTABLES="/jffs/bin/iptables" for RULE in $(nvram get forward_spec) do FROM=`echo $RULE | cut -d '>' -f 1` TO=`echo $RULE | cut -d '>' -f 2` STATE=`echo $FROM | cut -d ':' -f 2` PROTO=`echo $FROM | cut -d ':' -f 3` SPORT=`echo $FROM | cut -d ':' -f 4` DEST=`echo $TO | cut -d ':' -f 1` DPORT=`echo $TO | cut -d ':' -f 2` if [ "$STATE" = "on" ]; then if [ "$PROTO" = "both" ]; then iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT else iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT fi fi done for RULE in $(nvram get forward_port) do FROM=`echo $RULE | cut -d '>' -f 1` TO=`echo $RULE | cut -d '>' -f 2` STATE=`echo $FROM | cut -d ':' -f 2` PROTO=`echo $FROM | cut -d ':' -f 3` SPORT=`echo $FROM | cut -d ':' -f 4` EPORT=`echo $FROM | cut -d ':' -f 5` if [ "$STATE" = "on" ]; then if [ "$PROTO" = "both" ]; then iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO else iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO fi fi done iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr) if [ $(nvram get remote_management) -eq 1 ]; then iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport) fi if [ $(nvram get dmz_enable) -eq 1 ]; then DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr) iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP fi iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in $IPTABLES -t mangle -F PREROUTING $IPTABLES -t mangle -F OUTPUT $IPTABLES -F POSTROUTING -t nat $IPTABLES -t mangle -N ETH1 $IPTABLES -t mangle -F ETH1 $IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100 $IPTABLES -t mangle -A ETH1 -j CONNMARK --save-mark $IPTABLES -t mangle -N ETH2 $IPTABLES -t mangle -F ETH2 $IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200 $IPTABLES -t mangle -A ETH2 -j CONNMARK --save-mark $IPTABLES -t mangle -N RANDOM $IPTABLES -t mangle -F RANDOM $IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1 $IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2 $IPTABLES -t nat -N SPOOF_ETH1 $IPTABLES -t nat -F SPOOF_ETH1 $IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr) $IPTABLES -t nat -N SPOOF_ETH2 $IPTABLES -t nat -F SPOOF_ETH2 $IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr) $IPTABLES -t filter -N keep_state $IPTABLES -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -t filter -A keep_state -j RETURN $IPTABLES -t nat -N keep_state $IPTABLES -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -t nat -A keep_state -j RETURN $IPTABLES -t nat -I PREROUTING -j keep_state $IPTABLES -t nat -I OUTPUT -j keep_state $IPTABLES -t filter -I INPUT -j keep_state $IPTABLES -t filter -I FORWARD -j keep_state $IPTABLES -t filter -I OUTPUT -j keep_state $IPTABLES -t nat -I POSTROUTING -j keep_state $IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1 $IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2 $IPTABLES -t mangle -A FORWARD -j CONNMARK --restore-mark $IPTABLES -t mangle -A FORWARD -i vlan1 -j ETH1 $IPTABLES -t mangle -A FORWARD -i vlan2 -j ETH2 $IPTABLES -t mangle -A PREROUTING -i br0 -p tcp -m state --state ESTABLISHED -j CONNMARK --restore-mark $IPTABLES -t mangle -A PREROUTING -i br0 -m state --state NEW -j RANDOM $IPTABLES -t mangle -A PREROUTING -m mark --mark 0x100 -j ACCEPT $IPTABLES -t mangle -A PREROUTING -m mark --mark 0x200 -j ACCEPT $IPTABLES -t mangle -A PREROUTING -i vlan1 -j ETH1 $IPTABLES -t mangle -A PREROUTING -i vlan2 -j ETH2 # Rate Limit $IPTABLES -N rate_limit $IPTABLES -F rate_limit $IPTABLES -A rate_limit -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT $IPTABLES -A rate_limit -p udp --dport 1194 -m limit --limit 3/min --limit-burst 3 -j ACCEPT $IPTABLES -A rate_limit -p ICMP --icmp-type echo-request -m limit --limit 3/sec -j ACCEPT $IPTABLES -A rate_limit -p ! ICMP -j LOG --log-prefix " Connection dropped!! " $IPTABLES -A rate_limit -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A rate_limit -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A rate_limit -j DROP # Add Limits $IPTABLES -I INPUT -p ICMP --icmp-type echo-request -j rate_limit $IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j rate_limit RP_PATH=/proc/sys/net/ipv4/conf for IFACE in `ls $RP_PATH`; do echo 0 > $RP_PATH/$IFACE/rp_filter done echo "`date` firewall.firewall is now completed" >> /var/log/messages