# Interface names come from NVRAM. Every rule below that distinguishes the
# inside from the outside keys off these two values; only iptables (IPv4)
# rules are set up here.
LAN="$(nvram get lan_ifname)"
WAN="$(nvram get wan_ifname)"
7 for T in filter nat mangle; do
# User hook chains. The built-in chains further down jump into these, so
# site-specific rules (e.g. the commented-out DNAT example below) can be added
# without editing the default policy. Creation is unconditional (-N fails if
# the chain already exists), which presumes the chains were removed
# beforehand -- presumably by the flush loop above, whose body is not shown.
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
20 # iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
21 # iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
### (connections with the router as destination)
# Default-deny: anything not accepted below falls through to the REJECT rules
# at the end of this section; the DROP policy only matters if those are gone.
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop new TCP connections whose SYN carries no MSS option (TCP option 2).
# The '\!' is only a shell-escaped '!' handed to iptables.
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
# Anything not arriving on the WAN interface (LAN, wifi, loopback) is trusted.
# $WAN is unquoted, as elsewhere in this file; should nvram return an empty
# name the rule would be malformed and likely rejected by iptables, leaving
# INPUT closed (policy DROP) rather than open.
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
# ICMP and GRE are accepted from every interface, WAN included, with no rate
# limit and no peer restriction.
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# insert accept rule or to jump to new accept-check table here
iptables -A INPUT -j input_rule
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### (connections with the router as source)
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE: this unconditional ACCEPT matches every remaining packet, so the
# output_rule hook and the two REJECT rules below are never reached. Any
# restriction on router-originated traffic must be inserted above this line
# (or this line removed) to take effect.
iptables -A OUTPUT -j ACCEPT #allow everything out
# insert accept rule or to jump to new accept-check table here
iptables -A OUTPUT -j output_rule
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### (connections routed through the router)
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Clamp the TCP MSS of new connections (SYN set, RST clear) to the path MTU.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Intra-bridge forwarding uses a hard-coded br0 rather than $LAN. If
# lan_ifname is br0 the two names refer to the same device; otherwise this
# rule and the next cover different interfaces -- TODO confirm which is meant.
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
# Only LAN -> WAN is allowed as new traffic. Inbound WAN -> LAN connections
# (e.g. DNAT targets) have to be accepted via forwarding_rule; anything else
# ends in the DROP policy.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# insert accept rule or to jump to new accept-check table here
iptables -A FORWARD -j forwarding_rule
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
# NAT: user hooks run first so prerouting_rule/postrouting_rule entries take
# precedence, then everything leaving through WAN is masqueraded. No ip6tables
# counterpart exists here, so IPv6 traffic (if enabled) is outside these rules.
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE