#!/bin/sh
-${FAILSAFE:+return}
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
-### Allow SSH from WAN
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
-# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
-
-### Port forwarding
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
-# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
-
-### DMZ (should be placed after port forwarding / accept rules)
-# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
-# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
-
### INPUT
### (connections with the router as destination)
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+
+## USER RULES
+. /etc/firewall.user
#!/bin/ash
. /etc/functions.sh
- type=$1
- debug "### ifup $type ###"
-
- if=$(nvram get ${type}_ifname)
- if [ "${if%%[0-9]}" = "ppp" ]; then
- if=$(nvram get pppoe_ifname)
- fi
-
- if_valid $if || return
-
- mac=$(nvram get ${type}_hwaddr)
- $DEBUG ifconfig $if down 2>&-
- if [ "${if%%[0-9]}" = "br" ]; then
- stp=$(nvram get ${type}_stp)
- $DEBUG brctl delbr $if 2>&-
- $DEBUG brctl addbr $if
- $DEBUG brctl setfd $if 0
- $DEBUG brctl stp $if ${stp:-0}
- for sif in $(nvram get ${type}_ifnames); do {
- if_valid $sif || continue
- ${mac:+$DEBUG ifconfig $sif down hw ether $mac}
- $DEBUG ifconfig $sif 0.0.0.0 up
- $DEBUG brctl addif $if $sif
- } done
- else
- ${mac:+$DEBUG ifconfig $if down hw ether $mac}
- fi
-
-
- if_proto=$(nvram get ${type}_proto)
- case "$if_proto" in
- static)
- ip=$(nvram get ${type}_ipaddr)
- netmask=$(nvram get ${type}_netmask)
- gateway=$(nvram get ${type}_gateway)
-
- $DEBUG ifconfig $if $ip ${netmask:+netmask $netmask} broadcast + up
- ${gateway:+$DEBUG route add default gw $gateway}
-
- [ -f /etc/resolv.conf ] && return
-
- debug "# --- creating /etc/resolv.conf ---"
- for dns in $(nvram get ${type}_dns); do {
+type=$1
+debug "### ifup $type ###"
+
+if=$(nvram get ${type}_ifname)
+if [ "${if%%[0-9]}" = "ppp" ]; then
+ if=$(nvram get pppoe_ifname)
+fi
+
+if_valid $if || return
+
+mac=$(nvram get ${type}_hwaddr)
+$DEBUG ifconfig $if down 2>&-
+if [ "${if%%[0-9]}" = "br" ]; then
+ stp=$(nvram get ${type}_stp)
+ $DEBUG brctl delbr $if 2>&-
+ $DEBUG brctl addbr $if
+ $DEBUG brctl setfd $if 0
+ $DEBUG brctl stp $if ${stp:-0}
+ for sif in $(nvram get ${type}_ifnames); do {
+ if_valid $sif || continue
+ ${mac:+$DEBUG ifconfig $sif down hw ether $mac}
+ $DEBUG ifconfig $sif 0.0.0.0 up
+ $DEBUG brctl addif $if $sif
+ } done
+else
+ ${mac:+$DEBUG ifconfig $if down hw ether $mac}
+fi
+
+
+if_proto=$(nvram get ${type}_proto)
+case "$if_proto" in
+ static)
+ ip=$(nvram get ${type}_ipaddr)
+ netmask=$(nvram get ${type}_netmask)
+ gateway=$(nvram get ${type}_gateway)
+
+ $DEBUG ifconfig $if $ip ${netmask:+netmask $netmask} broadcast + up
+ ${gateway:+$DEBUG route add default gw $gateway}
+
+ [ -f /etc/resolv.conf ] && return
+
+ debug "# --- creating /etc/resolv.conf ---"
+ for dns in $(nvram get ${type}_dns); do {
echo "nameserver $dns" >> /etc/resolv.conf
- } done
- ;;
- dhcp)
- ip=$(nvram get ${type}_ipaddr)
- pidfile=/tmp/dhcp-${type}.pid
- if [ -f $pidfile ]; then
- $DEBUG kill $(cat $pidfile)
- fi
- ${DEBUG:-eval} "udhcpc -R -i $if ${ip:+-r $ip} -b -p $pidfile &"
- ;;
- none|"")
- # pppoe is handled by /etc/init.d/S50pppoe
- ;;
- *)
- echo "### ifup $type: ignored ${type}_proto=\"$if_proto\" (not supported)"
- ;;
- esac
+ } done
+ ;;
+ dhcp)
+ ip=$(nvram get ${type}_ipaddr)
+ pidfile=/tmp/dhcp-${type}.pid
+ if [ -f $pidfile ]; then
+ $DEBUG kill $(cat $pidfile)
+ fi
+ ${DEBUG:-eval} "udhcpc -R -i $if ${ip:+-r $ip} -b -p $pidfile &"
+ ;;
+ none|"")
+ ;;
+ *)
+ [ -x "/sbin/ifup.${if_proto}" ] && { $DEBUG /sbin/ifup.${if_proto} $*; exit; }
+ echo "### ifup $type: ignored ${type}_proto=\"$if_proto\" (not supported)"
+ ;;
+esac