#!/bin/sh
-[ "$FAILSAFE" = "true" ] && exec /bin/ash --login
-
-[ -f /etc/sysconf ] && . /etc/sysconf
-
-if [ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ]; then
- if grep '^root:!' /etc/passwd > /dev/null 2>/dev/null; then
- echo "You need to set a login password to protect your"
- echo "Router from unauthorized access."
- echo
- echo "Use 'passwd' to set your password."
- echo "telnet login will be disabled afterwards,"
- echo "You can then login using SSH."
- echo
- else
- echo "Login failed."
- exit 0
- fi
-fi
+. /etc/sysconf 2>&-
+[ "$FAILSAFE" != "true" ] &&
+[ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ] &&
+{
+ grep '^root:[^!]' /etc/passwd >&- 2>&- &&
+ {
+ echo "Login failed."
+ exit 0
+ } || {
+cat << EOF
+ === IMPORTANT ============================
+ Use 'passwd' to set your login password
+ this will disable telnet and enable SSH
+ ------------------------------------------
+EOF
+ }
+}
exec /bin/ash --login
#!/bin/sh
. /etc/functions.sh
-export WAN=$(nvram get wan_ifname)
-export LAN=$(nvram get lan_ifname)
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
## CLEAR TABLES
for T in filter nat mangle; do
iptables -t nat -N postrouting_rule
### Port forwarding
-# iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2
-# iptables -A forwarding_rule -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
### INPUT
### (connections with the router as destination)
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
# allow
- iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
- iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
- iptables -A INPUT -p 47 -j ACCEPT # allow GRE
- iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
+ iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
+ iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
+ iptables -A INPUT -p gre -j ACCEPT # allow GRE
#
# insert accept rule or to jump to new accept-check table here
#