uci firewall - make uci firewall default and remove old code - fix up dependencies

SVN-Revision: 12284
John Crispin 2008-08-11 22:27:36 +00:00
parent 4b5488ebfa
commit 5627667654
10 changed files with 5 additions and 314 deletions


@ -1,17 +0,0 @@
choice
prompt "Choose firewall"
default FIREWALL_OLD
depends PACKAGE_firewall
config FIREWALL_OLD
bool "old firewall"
config FIREWALL_NEW
bool "new uci firewall"
select PACKAGE_iptables-mod-conntrack
select PACKAGE_iptables-mod-extra
select PACKAGE_iptables-mod-ipopt
select PACKAGE_iptables-mod-ulog
select PACKAGE_kmod-ipt-nathelper
endchoice


@ -18,52 +18,30 @@ define Package/firewall
CATEGORY:=Base system CATEGORY:=Base system
URL:=http://openwrt.org/ URL:=http://openwrt.org/
TITLE:=OpenWrt firewall TITLE:=OpenWrt firewall
DEPENDS:=+iptables DEPENDS:=+iptables +iptables-mod-ipopt +iptables-mod-extra
endef endef
define Package/firewall/description define Package/firewall/description
firewall for openwrt, you can select if you want to use the old version or the new uci based script firewall for openwrt, you can select if you want to use the old version or the new uci based script
endef endef
define Package/firewall/config
source "$(SOURCE)/Config.in"
endef
define Build/Compile define Build/Compile
true true
endef endef
ifeq ($(CONFIG_FIREWALL_NEW),y)
define Package/firewall/conffiles define Package/firewall/conffiles
/etc/config/firewall /etc/config/firewall
endef endef
define Package/firewall/install define Package/firewall/install
$(INSTALL_DIR) $(1)/lib/firewall $(INSTALL_DIR) $(1)/lib/firewall
$(INSTALL_DATA) ./files/new/uci_firewall.sh $(1)/lib/firewall $(INSTALL_DATA) ./files/uci_firewall.sh $(1)/lib/firewall
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DATA) ./files/new/firewall.config $(1)/etc/config/firewall $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
$(INSTALL_DIR) $(1)/etc/init.d/ $(INSTALL_DIR) $(1)/etc/init.d/
$(INSTALL_BIN) ./files/new/firewall.init $(1)/etc/init.d/firewall $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
$(INSTALL_DATA) ./files/new/20-firewall $(1)/etc/hotplug.d/iface $(INSTALL_DATA) ./files/20-firewall $(1)/etc/hotplug.d/iface
endef endef
else
define Package/firewall/conffiles
/etc/firewall.config
/etc/firewall.user
endef
define Package/firewall/install
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DATA) ./files/old/firewall.config $(1)/etc/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/old/firewall.init $(1)/etc/init.d/firewall
$(INSTALL_BIN) ./files/old/firewall.user $(1)/etc/
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_DATA) ./files/old/firewall.awk $(1)/usr/lib
endef
endif
$(eval $(call BuildPackage,firewall)) $(eval $(call BuildPackage,firewall))
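Review bot: The new `DEPENDS:=+iptables +iptables-mod-ipopt +iptables-mod-extra` line drops three packages that the removed Config.in selected for the uci firewall (`iptables-mod-conntrack`, `iptables-mod-ulog`, `kmod-ipt-nathelper`), and with the choice gone nothing else pulls them in. If `files/uci_firewall.sh` still uses state/conntrack matching, ULOG logging or the NAT helpers, the line should become `DEPENDS:=+iptables +iptables-mod-ipopt +iptables-mod-extra +iptables-mod-conntrack +iptables-mod-ulog +kmod-ipt-nathelper`; if the script no longer needs them, a short comment saying why they were dropped would save the next reader the same question. The `Package/firewall/description` text still says "you can select if you want to use the old version or the new uci based script", which this commit makes untrue; suggest `firewall for openwrt, uci based (configuration in /etc/config/firewall)`. The `define Package/firewall` block begins before this hunk.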


@ -1,50 +0,0 @@
# Copyright (C) 2006 OpenWrt.org
BEGIN {
FS=":"
}
($1 == "accept") || ($1 == "drop") || ($1 == "forward") {
delete _opt
str2data($2)
if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) {
_opt[0] = " -p tcp"
_opt[1] = " -p udp"
} else {
_opt[0] = ""
}
}
($1 == "accept") {
target = " -j ACCEPT"
for (o in _opt) {
print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
print "iptables -A input_wan " _opt[o] str2ipt($2) target
print ""
}
}
($1 == "drop") {
for (o in _opt) {
print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) " -j DROP"
print ""
}
}
($1 == "forward") {
target = " -j DNAT --to " $3
fwopts = ""
if ($4 != "") {
if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
if (_l["proto"] != "") fwopts = " -p " _l["proto"]
fwopts = fwopts " --dport " $4
target = target ":" $4
}
else fwopts = ""
}
for (o in _opt) {
print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
print "iptables -A forwarding_wan " _opt[o] " -d " $3 fwopts " -j ACCEPT"
print ""
}
}


@ -1,48 +0,0 @@
# Copyright (C) 2006 OpenWrt.org
# RULE SYNTAX:
#
# forward:<match>:<target>[:<port>]
# - forwards all packets matched by <match> to <target>,
# optionally changing the port to <port>
#
# accept:<match>
# - accepts all traffic matched by <match>
#
# drop:<match>
# - drops all traffic matched by <match>
#
#
# MATCHING OPTIONS:
#
# src=<ip>
# - match the source ip <ip>
#
# dest=<ip>
# - match the destination ip <ip>
#
# proto=<proto>
# - match the protocol by name or number
#
# sport=<port(s)>
# - match the source port(s), see below for syntax
#
# dport=<port(s)>
# - match the destination port(s), see below for syntax
#
#
#
# PORT SYNTAX:
#
# You can enter an arbitrary list of ports and port ranges in the following format:
# - 22,53,993,1000-1024
#
# If you don't set the protocol to tcp or udp, it will apply to both
#
#
#
# EXAMPLES:
#
# drop:dport=22 src=1.3.3.7
# accept:proto=tcp dport=22
# forward:dport=60168:192.168.1.2:60169


@ -1,142 +0,0 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall.user
START=45
start() {
include /lib/network
scan_interfaces
config_get WAN wan ifname
config_get WANDEV wan device
config_get LAN lan ifname
config_get_bool NAT_LAN lan nat 1
if [ $NAT_LAN -ne 0 ]
then
config_get LAN_MASK lan netmask
config_get LAN_IP lan ipaddr
LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
fi
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N input_wan
iptables -N output_rule
iptables -N forwarding_rule
iptables -N forwarding_wan
iptables -t nat -N NEW
iptables -t nat -N prerouting_rule
iptables -t nat -N prerouting_wan
iptables -t nat -N postrouting_rule
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
# allow
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
# allow
iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW
iptables -t nat -A PREROUTING -j prerouting_rule
[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
iptables -t nat -A POSTROUTING -j postrouting_rule
### Only LAN, unless told not to
if [ $NAT_LAN -ne 0 ]
then
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
fi
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
iptables -t nat -A NEW -j DROP
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -n "$WAN" -a -e /etc/firewall.config ] && {
export WAN
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
}
}
stop() {
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
}


@ -1,30 +0,0 @@
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
# The following chains are for traffic directed at the IP of the
# WAN interface
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables -A input_wan -p tcp --dport 22 -j ACCEPT
### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT