ad23dd94b6
(a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack. (b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> SVN-Revision: 26805
121 lines
2.4 KiB
Text
121 lines
2.4 KiB
Text
config defaults
|
|
option syn_flood 1
|
|
option input ACCEPT
|
|
option output ACCEPT
|
|
option forward REJECT
|
|
# Uncomment this line to disable ipv6 rules
|
|
# option disable_ipv6 1
|
|
|
|
config zone
|
|
option name lan
|
|
option input ACCEPT
|
|
option output ACCEPT
|
|
option forward REJECT
|
|
|
|
config zone
|
|
option name wan
|
|
option input REJECT
|
|
option output ACCEPT
|
|
option forward REJECT
|
|
option masq 1
|
|
option mtu_fix 1
|
|
|
|
config forwarding
|
|
option src lan
|
|
option dest wan
|
|
|
|
# We need to accept udp packets on port 68,
|
|
# see https://dev.openwrt.org/ticket/4108
|
|
config rule
|
|
option src wan
|
|
option proto udp
|
|
option dest_port 68
|
|
option target ACCEPT
|
|
option family ipv4
|
|
|
|
#Allow ping
|
|
config rule
|
|
option src wan
|
|
option proto icmp
|
|
option icmp_type echo-request
|
|
option target ACCEPT
|
|
|
|
# include a file with users custom iptables rules
|
|
config include
|
|
option path /etc/firewall.user
|
|
|
|
|
|
### EXAMPLE CONFIG SECTIONS
|
|
# do not allow a specific ip to access wan
|
|
#config rule
|
|
# option src lan
|
|
# option src_ip 192.168.45.2
|
|
# option dest wan
|
|
# option proto tcp
|
|
# option target REJECT
|
|
|
|
# block a specific mac on wan
|
|
#config rule
|
|
# option dest wan
|
|
# option src_mac 00:11:22:33:44:66
|
|
# option target REJECT
|
|
|
|
# block incoming ICMP traffic on a zone
|
|
#config rule
|
|
# option src lan
|
|
# option proto ICMP
|
|
# option target DROP
|
|
|
|
# port redirect port coming in on wan to lan
|
|
#config redirect
|
|
# option src wan
|
|
# option src_dport 80
|
|
# option dest lan
|
|
# option dest_ip 192.168.16.235
|
|
# option dest_port 80
|
|
# option proto tcp
|
|
|
|
# port redirect of remapped ssh port (22001) on wan
|
|
#config redirect
|
|
# option src wan
|
|
# option src_dport 22001
|
|
# option dest lan
|
|
# option dest_port 22
|
|
# option proto tcp
|
|
|
|
# allow IPsec/ESP and ISAKMP passthrough
|
|
#config rule
|
|
# option src wan
|
|
# option dest lan
|
|
# option protocol esp
|
|
# option target ACCEPT
|
|
|
|
#config rule
|
|
# option src wan
|
|
# option dest lan
|
|
# option src_port 500
|
|
# option dest_port 500
|
|
# option proto udp
|
|
# option target ACCEPT
|
|
|
|
### FULL CONFIG SECTIONS
|
|
#config rule
|
|
# option src lan
|
|
# option src_ip 192.168.45.2
|
|
# option src_mac 00:11:22:33:44:55
|
|
# option src_port 80
|
|
# option dest wan
|
|
# option dest_ip 194.25.2.129
|
|
# option dest_port 120
|
|
# option proto tcp
|
|
# option target REJECT
|
|
|
|
#config redirect
|
|
# option src lan
|
|
# option src_ip 192.168.45.2
|
|
# option src_mac 00:11:22:33:44:55
|
|
# option src_port 1024
|
|
# option src_dport 80
|
|
# option dest_ip 194.25.2.129
|
|
# option dest_port 120
|
|
# option proto tcp
|