From aa5d933fae2e6c51adf19911c3704c895e0f6ab9 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Fri, 1 Jul 2005 15:19:39 +0000
Subject: add firewall script change from whiterussian to head

git-svn-id: svn://svn.openwrt.org/openwrt/trunk/openwrt@1305 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 target/default/target_skeleton/etc/firewall.user | 27 ++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100755 target/default/target_skeleton/etc/firewall.user

(limited to 'target/default/target_skeleton/etc/firewall.user')

diff --git a/target/default/target_skeleton/etc/firewall.user b/target/default/target_skeleton/etc/firewall.user
new file mode 100755
index 0000000000..2ba6b4e839
--- /dev/null
+++ b/target/default/target_skeleton/etc/firewall.user
@@ -0,0 +1,27 @@
+#!/bin/sh
+. /etc/functions.sh
+
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -F prerouting_rule
+iptables -F postrouting_rule
+
+### BIG FAT DISCLAIMER
+### The "-i $WAN" literally means packets that came in over the $WAN interface;
+### this WILL NOT MATCH packets sent from the LAN to the WAN address.
+
+### Allow SSH from WAN
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+
+### DMZ (should be placed after port forwarding / accept rules)
+# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
-- 
cgit v1.2.3
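Review bot: `WAN=$(nvram get wan_ifname)` is never checked, and every rule template in this file uses the bare `-i $WAN`; if nvram returns an empty string the interface match expands to nothing and the ACCEPT and DNAT rules then apply to packets arriving on any interface rather than only the WAN, which is the opposite of what the disclaimer comment promises. A guard directly after the two nvram reads, `: "${WAN:?wan_ifname not set}"` and `: "${LAN:?lan_ifname not set}"`, aborts the script instead of silently widening the rules, and the examples are safer written as `-i "$WAN"` so users copying them inherit the quoting. The five `iptables -F` calls also run without status checks, so a failed flush followed by the user's appends can leave stale rules ahead of the new ones; adding `set -e` after the shebang would stop at the first failure. The hunk is the complete file, so nothing is cut off outside it.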