blob: f156624288acb186360c153117910127486921db [file] [log] [blame]
. /etc/
iptables $*
ip6tables $*
ip46tables -F
ip46tables -X
# ipv4 only
iptables -t nat -F
iptables -t nat -X
case "$1" in
if [ -e /sys/class/net/wan0 ]; then
modprobe -a \
iptable_filter \
iptable_nat \
ipt_tcp \
ipt_udp \
ipt_conntrack \
ipt_pkttype \
ipt_limit \
ipt_LOG \
ipt_REJECT \
nf_nat_ftp \
nf_nat_tftp \
nf_nat_sip \
nf_nat_pptp \
nf_nat_irc \
nf_nat_proto_gre \
nf_nat_h323 \
nf_nat_rtsp \
nf_conntrack_ftp \
nf_conntrack_tftp \
nf_conntrack_sip \
nf_conntrack_pptp \
nf_conntrack_irc \
nf_conntrack_proto_gre \
nf_conntrack_h323 \
nf_conntrack_rtsp \
ip6table_filter \
ip6t_tcp \
ip6t_udp \
nf_conntrack_ipv6 \
ip6t_pkttype \
ip6t_limit \
ip6t_LOG \
ip6t_REJECT \
# Do these first to reduce race conditions
if [ -e /tmp/NFS ]; then
# Workaround because we can't have a temporary network dropout
# when NFS booted.
ip46tables -P INPUT ACCEPT
ip46tables -P INPUT DROP
ip46tables -P FORWARD DROP
# multicast (fiber TV, EAS)
ip46tables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
ip46tables -A FORWARD -m pkttype --pkt-type multicast -j ACCEPT
# Stop users from connecting to cmm CLI
if [ ! -e /tmp/DEBUG ]; then
ip46tables -A INPUT -p tcp --dport 2103 -j REJECT --reject-with tcp-reset # cmm CLI
# Forwarding
ip46tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip46tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip46tables -A FORWARD -i br0 -j ACCEPT
# I wanted to use '!wan0' here but, it doesn't work as documented.
for ifc in lo br0; do
ip46tables -A INPUT -i "$ifc" -j ACCEPT
# igmp group membership control
ip46tables -A INPUT -p igmp -j ACCEPT
# ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
# Incoming connections
# TODO(apenwarr): Whitelist ports here too for added safety.
if [ -e /tmp/NFS ]; then
# Workaround because netfilter conntracking loaded *after* the NFS
# session was established.
ip46tables -A INPUT -p tcp --sport 2049 -j ACCEPT
# Outgoing connections
# TODO(apenwarr): Add a whitelist on OUTPUT for -o wan0.
# In particular we should have one for samba ports.
# TODO(apenwarr): Remove this when we have real port forwarding controls.
if [ -e /tmp/DEBUG ]; then
ip46tables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
ip46tables -A INPUT -p tcp --dport 2103 -j ACCEPT # cmm CLI
ip46tables -A INPUT -p tcp --dport 5001 -j ACCEPT # iperf
ip46tables -A INPUT -p udp --dport 5001 -j ACCEPT # iperf
ip46tables -A INPUT -p udp --dport 4948 -j ACCEPT # isoping
# active FTP out
ip46tables -A FORWARD -m conntrack --ctstate RELATED \
-m helper --helper ftp -o wan0+ -p tcp --dport 1024: -j ACCEPT
ip46tables -A FORWARD -m conntrack --ctstate RELATED \
-m helper --helper ftp -i wan0+ -p tcp --dport 1024: -j ACCEPT
# add ACS-configured things
ip46tables -t filter -N acsrules-filter-forward
ip46tables -t filter -A FORWARD -j acsrules-filter-forward
iptables -t nat -N acsrules-nat-prerouting
iptables -t nat -A PREROUTING -j acsrules-nat-prerouting
iptables -t nat -N acsrules-nat-postrouting
iptables -t nat -A POSTROUTING -j acsrules-nat-postrouting
# these are managed by miniupnpd, if running
ip46tables -t filter -N MINIUPNPD
ip46tables -t filter -A FORWARD -i wan0+ ! -o wan0+ -j MINIUPNPD
iptables -t nat -N MINIUPNPD
iptables -t nat -A PREROUTING -i wan0+ -j MINIUPNPD
# nat
iptables -t nat -A POSTROUTING -o wan0+ -j MASQUERADE
# ipv6 addressing
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
# DHCP6 client
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
# Log packets which weren't explicitly accepted by above rules
ip46tables -N log
ip46tables -A log -m pkttype -m limit \
--pkt-type unicast \
--limit 1/second \
-j LOG --log-prefix "FW: "
ip46tables -A INPUT -i wan0+ -j log
ip46tables -A FORWARD -i wan0+ -j log
# Set the WAN 802.1q pbits
iptables -t mangle -A OUTPUT -p all -j CLASSIFY --set-class 0:2
iptables -t mangle -A OUTPUT -p igmp -j CLASSIFY --set-class 0:6
iptables -t mangle -A OUTPUT -p icmp -j CLASSIFY --set-class 0:6
ip6tables -t mangle -A OUTPUT -p icmpv6 -j CLASSIFY --set-class 0:6
# DHCP and DHCPv6
iptables -t mangle -A OUTPUT -p udp --sport 68 --dport 67 -j CLASSIFY --set-class 0:6
ip6tables -t mangle -A OUTPUT -p udp --sport 547 --dport 546 -j CLASSIFY --set-class 0:6
# Default DROP policy above is safe, but REJECT is friendlier.
# But you can't use REJECT as a policy, so add a catchall rule at the
# bottom.
ip46tables -A INPUT -j REJECT
ip46tables -A FORWARD -j REJECT
# don't add any rules after the REJECTs above
# parse acs state into acsrules chains
# Use iptables to mark packets to set the VLAN p-bits
# Bit(s) Definitions
# 0:4 class/priority of orig [and reply] connection.
# 5:7 VLAN P bits for orig [and reply] connection (if bit 15 = 1)
# 8 DSCP control bit
# 0: DSCP values will remain unchanged
# 1: do DSCP marking for orig [and reply] connection
# 9:14 DSCP value: DSCP value for orig [and reply] connection (if bit 8 # = 1)
# 15 if 0, copy VLAN P bits from ingress packet;
# if 1, set VLAN P bits for orig and reply connection
# 16:20 class/priority of reply connection
# 21:23 VLAN P bits for reply connection (if bit 15 = 1)
# 24 DSCP control bit
# 0: DSCP values will remain unchanged
# 1: do DSCP marking for reply connection;
# 25:30 DSCP value for reply connection (if bit 24 = 1)
# 31 0: use bits 0-15 for reply connection
# 1: use bits 16-30 for reply connection
iptables -A POSTROUTING -t mangle -o wan0.2 -j CONNMARK --set-mark 0x8040
if [ -e /proc/sys/net/netfilter -a -e /sys/class/net/wan0 ]; then
ip46tables -P INPUT ACCEPT
ip46tables -P FORWARD ACCEPT
echo "Usage: $0 {start|stop|restart}"
exit 1