aboutsummaryrefslogtreecommitdiffstats
path: root/package/base-files/default/etc/firewall.user
diff options
context:
space:
mode:
Diffstat (limited to 'package/base-files/default/etc/firewall.user')
-rwxr-xr-xpackage/base-files/default/etc/firewall.user27
1 files changed, 27 insertions, 0 deletions
diff --git a/package/base-files/default/etc/firewall.user b/package/base-files/default/etc/firewall.user
new file mode 100755
index 0000000000..1781bd4ea0
--- /dev/null
+++ b/package/base-files/default/etc/firewall.user
@@ -0,0 +1,27 @@
+#!/bin/sh
+. /etc/functions.sh
+
+WAN=$(nvram get wan_ifname)
+LAN=$(nvram get lan_ifname)
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -t nat -F prerouting_rule
+iptables -t nat -F postrouting_rule
+
+### BIG FAT DISCLAIMER
+### The "-i $WAN" literally means packets that came in over the $WAN interface;
+### this WILL NOT MATCH packets sent from the LAN to the WAN address.
+
+### Allow SSH from WAN
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
+
+### DMZ (should be placed after port forwarding / accept rules)
+# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
+# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT