From 016925b2601b378a541ce1375be3ecf0895c81a4 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Wed, 20 Dec 2006 05:58:41 +0000
Subject: [PATCH] prepare for moving part of the firewall to hotplug. created new chains {input,forwarding,prerouting}_wan for wan port forwardings and updated the examples. syntax of /etc/config/firewall unchanged and old firewall.user files are still compatible

SVN-Revision: 5878
---
 openwrt/package/iptables/files/firewall.awk | 26 ++++---------------
 openwrt/package/iptables/files/firewall.init | 7 +++++
 openwrt/package/iptables/files/firewall.user | 27 ++++++++++----------
 3 files changed, 25 insertions(+), 35 deletions(-)

diff --git a/openwrt/package/iptables/files/firewall.awk b/openwrt/package/iptables/files/firewall.awk
index d5fba0550c..7ad245cfcd 100644
--- a/openwrt/package/iptables/files/firewall.awk
+++ b/openwrt/package/iptables/files/firewall.awk
@@ -1,20 +1,4 @@
 BEGIN {
- print "proto=\"$(nvram get wan_proto)\""
- print "[ -z \"$proto\" -o \"$proto\" = \"none\" ] && exit"
- print "ifname=\"$(nvram get wan_ifname)\""
- print "[ -z \"$ifname\" ] && exit"
- print ""
- print "iptables -X input_$ifname 2>&- >&-"
- print "iptables -N input_$ifname"
- print "iptables -X forward_$ifname 2>&- >&-"
- print "iptables -N forward_$ifname"
- print "iptables -t nat -X prerouting_$ifname 2>&- >&-"
- print "iptables -t nat -N prerouting_$ifname"
- print ""
- print "iptables -A input_rule -i \"$ifname\" -j input_$ifname"
- print "iptables -A forwarding_rule -i \"$ifname\" -j forward_$ifname"
- print "iptables -t nat -A prerouting_rule -i \"$ifname\" -j prerouting_$ifname"
- print ""
 FS=":"
 }
@@ -32,15 +16,15 @@ BEGIN {
 ($1 == "accept") {
 target = " -j ACCEPT"
 for (o in _opt) {
- print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
- print "iptables -A input_$ifname " _opt[o] str2ipt($2) target
+ print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
+ print "iptables -A input_wan " _opt[o] str2ipt($2) target
 print ""
 }
 }
 ($1 == "drop") {
 for (o in _opt) {
- print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) " -j DROP"
+ print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) " -j DROP"
 print ""
 }
 }
@@ -57,8 +41,8 @@ BEGIN {
 else fwopts = ""
 }
 for (o in _opt) {
- print "iptables -t nat -A prerouting_$ifname" _opt[o] str2ipt($2) target
- print "iptables -A forward_$ifname " _opt[o] " -d " $3 fwopts " -j ACCEPT"
+ print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
+ print "iptables -A forwarding_wan " _opt[o] " -d " $3 fwopts " -j ACCEPT"
 print ""
 }
 }
diff --git a/openwrt/package/iptables/files/firewall.init b/openwrt/package/iptables/files/firewall.init
index 5274a5250d..71e5036135 100755
--- a/openwrt/package/iptables/files/firewall.init
+++ b/openwrt/package/iptables/files/firewall.init
@@ -14,9 +14,12 @@ for T in filter nat; do
 done
 iptables -N input_rule
+iptables -N input_wan
 iptables -N output_rule
 iptables -N forwarding_rule
+iptables -N forwarding_wan
+iptables -t nat -N prerouting_wan
 iptables -t nat -N prerouting_rule
 iptables -t nat -N postrouting_rule
@@ -38,6 +41,7 @@ iptables -A LAN_ACCEPT -j ACCEPT
 # insert accept rule or to jump to new accept-check table here
 #
 iptables -A INPUT -j input_rule
+ iptables -A INPUT -i $WAN -j input_wan
 # allow
 iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
@@ -81,6 +85,7 @@ iptables -A LAN_ACCEPT -j ACCEPT
 # insert accept rule or to jump to new accept-check table here
 #
 iptables -A FORWARD -j forwarding_rule
+ iptables -A FORWARD -i $WAN -j forwarding_wan
 # allow
 iptables -A FORWARD -i br0 -o br0 -j ACCEPT
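Review bot: The new `iptables -A INPUT -i $WAN -j input_wan` jump in the `@@ -38` hunk gives no feedback when `$WAN` is empty: iptables should reject the resulting `-i -j input_wan` argument list, the chain stays unhooked, and nothing in the hunk aborts or reports the failure. That matters more than before because this commit removes the awk BEGIN prologue that used to `exit` when `wan_ifname` was unset, so as far as this diff shows these `-i $WAN` hooks (here and the `-j forwarding_wan` line in the `@@ -81` hunk) are now what decides whether the generated port-forward ACCEPTs take effect; the failure mode is at least fail-closed. A guard such as `[ -n "$WAN" ] && iptables -A INPUT -i "$WAN" -j input_wan` (and likewise for FORWARD) would make that explicit; where `$WAN` is assigned is outside these hunks. Leaving `$WAN` unquoted matches the existing `-o $WAN -j MASQUERADE` usage, so that part is consistency with current style rather than a new defect.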
@@ -91,6 +96,8 @@ iptables -A LAN_ACCEPT -j ACCEPT
 ### MASQ
 iptables -t nat -A PREROUTING -j prerouting_rule
+ iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan
+
 iptables -t nat -A POSTROUTING -j postrouting_rule
 iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
diff --git a/openwrt/package/iptables/files/firewall.user b/openwrt/package/iptables/files/firewall.user
index c19f596887..f4eb18ef7d 100755
--- a/openwrt/package/iptables/files/firewall.user
+++ b/openwrt/package/iptables/files/firewall.user
@@ -1,8 +1,5 @@
 #!/bin/sh
-. /etc/functions.sh
-
-WAN=$(nvram get wan_ifname)
-LAN=$(nvram get lan_ifname)
+# Copyright (C) 2006 OpenWrt.org
 
 iptables -F input_rule
 iptables -F output_rule
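Review bot: With `WAN=$(nvram get wan_ifname)` and `LAN=$(nvram get lan_ifname)` removed from the top of firewall.user, the hunk does not say where `$WAN` is now expected to come from, yet the commit message promises that old firewall.user files (which reference `$WAN` in their rules) stay compatible. If firewall.init sources this file after setting WAN the old-style rules keep working, but if it is executed as a separate script an `-i $WAN` rule is built from an empty variable and fails to load; how the file is invoked is outside this diff. A one-line comment under the copyright line, such as `# $WAN and $LAN are provided by firewall.init; do not redefine them here` (adjusted to how the file is actually run), would stop users from re-adding the definitions or relying on a variable that is not set. Old files presumably still carry their own definitions, which is what the compatibility claim seems to rest on.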
@@ -10,22 +7,24 @@ iptables -F forwarding_rule
 iptables -t nat -F prerouting_rule
 iptables -t nat -F postrouting_rule
 
-### BIG FAT DISCLAIMER
-## The "-i $WAN" is used to match packets that come in via the $WAN interface.
-## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
-## to see the effects from within the LAN.
+# The following chains are for traffic directed at the IP of the
+# WAN interface
+
+iptables -F input_wan
+iptables -F forwarding_wan
+iptables -t nat -F prerouting_wan
 
 ### Open port to WAN
 ## -- This allows port 22 to be answered by (dropbear on) the router
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
-# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
+# iptables -A input_wan -p tcp --dport 22 -j ACCEPT
 
 ### Port forwarding
 ## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
-# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
-# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
+# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
+# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
 
 ### DMZ
 ## -- Connections to ports not handled above will be forwarded to 192.168.1.2
-# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
-# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
+# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
+# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT
-- 
2.30.2
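Review bot: The new header comment `# The following chains are for traffic directed at the IP of the WAN interface` does not match how the chains are wired: firewall.init hooks them with `-i $WAN`, so they see every packet that arrives on the WAN interface whatever its destination, and the `forwarding_wan` examples in this same hunk are for packets destined to 192.168.1.2, not to the router. It also drops the old disclaimer's practical warning that these rules never match LAN-originated traffic, so a port forward cannot be tested by connecting to the WAN IP from inside the LAN. I would replace the two comment lines with `# The *_wan chains see packets arriving on the WAN interface (hooked with -i $WAN in firewall.init); they do not match traffic sent from the LAN to the WAN IP, so test port forwards from outside.` Separately, the three `iptables -F *_wan` flushes will also discard whatever firewall.awk generated into those chains if this file runs after the generated rules are loaded; the invocation order is not visible in this diff and is worth confirming.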