Merge "firewall: specify interfaces for rules explicitly."
diff --git a/fs/skeleton/etc/init.d/firewall b/fs/skeleton/etc/init.d/firewall
index 6bceaad..5eec0be 100755
--- a/fs/skeleton/etc/init.d/firewall
+++ b/fs/skeleton/etc/init.d/firewall
@@ -144,15 +144,6 @@
fi
ip46tables -P FORWARD DROP
- # multicast (fiber TV, EAS)
- ip46tables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
- ip46tables -A FORWARD -m pkttype --pkt-type multicast -j ACCEPT
- iptables -t nat -A PREROUTING -m pkttype --pkt-type multicast -j ACCEPT
-
- # Forwarding
- ip46tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- ip46tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
# captive-portal-filter and captive-portal-input contain rules that should
# always be applied to the br1 (captive portal) interface, regardless of
# what services we're trying to provide with it.
@@ -164,6 +155,8 @@
ip46tables -N acs-captive-portal-filter
ip46tables -N acsrules-filter-forward
ip46tables -N MINIUPNPD
+ ip46tables -N wan-input
+ ip46tables -N wan-forward
ip46tables -N log
ip46tables -t nat -N captive-portal-guests-nat
@@ -172,12 +165,16 @@
iptables -t nat -N acsrules-nat-postrouting
ip46tables -t nat -N sniproxy-nat
iptables -t nat -N MINIUPNPD
+ ip46tables -t nat -N wan-nat
- ip46tables -A FORWARD -i br0 -j ACCEPT
- ip46tables -A FORWARD -i br1 -j captive-portal-guests
- ip46tables -A FORWARD -i br1 -j captive-portal-filter
+ iptables -A INPUT -i wan0+ -j wan-input
- # I wanted to use '!wan0' here but, it doesn't work as documented.
+ iptables -A FORWARD -i wan0+ -j wan-forward
+ ip46tables -A FORWARD -i br0 -o br0 -j ACCEPT
+ ip46tables -A FORWARD -i br0 -o wan0+ -j ACCEPT
+ ip46tables -A FORWARD -i br1 -o wan0+ -j captive-portal-guests
+ ip46tables -A FORWARD -i br1 -o wan0+ -j captive-portal-filter
+
for ifc in lo br0; do
ip46tables -A INPUT -i "$ifc" -j ACCEPT
done
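Review bot: The two dispatch rules that feed the new chains use `iptables` rather than `ip46tables`, so on the IPv6 side nothing ever jumps into `wan-input` or `wan-forward`, while those chains are created with `ip46tables` here and populated with `ip46tables`/`ip6tables` in the later hunks (the `ip6tables -A wan-forward` echo-request and cwmpd rules become unreachable, and the v6 halves of the `ip46tables -A wan-input` accepts are dead). Other new rules in this change use `ip46tables` with the same `-i wan0+` match, so this looks like an oversight rather than a v4-only decision; if it is intentional, a comment saying why should sit above it. Suggested lines: `ip46tables -A INPUT -i wan0+ -j wan-input` and `ip46tables -A FORWARD -i wan0+ -j wan-forward`. Separately, `-i br0 -o br0` plus `-i br0 -o wan0+` no longer covers br0-to-br1 traffic, which now falls to the `FORWARD DROP` policy set above; that narrowing seems deliberate but deserves a one-line comment so it is not "fixed" later.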
@@ -186,8 +183,19 @@
ip46tables -A INPUT -i br1 -j acs-captive-portal-input
ip46tables -A INPUT -i br1 -j sniproxy-input
+ ip46tables -t nat -A PREROUTING -i wan0+ -j wan-nat
+
+ # multicast (fiber TV, EAS)
+ ip46tables -A wan-input -m pkttype --pkt-type multicast -j ACCEPT
+ ip46tables -A wan-forward -m pkttype --pkt-type multicast -j ACCEPT
+ iptables -t nat -A wan-nat -m pkttype --pkt-type multicast -j ACCEPT
+
+ # Forwarding
+ ip46tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ ip46tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
# igmp group membership control
- ip46tables -A INPUT -p igmp -j ACCEPT
+ ip46tables -A wan-input -p igmp -j ACCEPT
# ping and PMTUD
iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
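Review bot: The `ESTABLISHED,RELATED` accepts are re-added after the per-interface jumps (`-i wan0+ -j wan-input`, `-i br1 -j captive-portal-guests`/`captive-portal-filter`), whereas before this change they were the first rules in INPUT/FORWARD. Any terminal DROP or REJECT inside those chains therefore now applies to packets of already-established flows as well, which is presumably what a captive portal wants but is a behaviour change worth stating; I cannot see the chain bodies from this hunk, so please confirm none of them is expected to be bypassed by established traffic. A comment such as `# evaluated after the per-interface chains above: a verdict there also ends established flows` would record the intent. The `# Forwarding` label is also misleading now that it sits over an INPUT rule; `# conntrack: accept replies to flows we already allowed` fits both lines.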
@@ -195,14 +203,14 @@
iptables -A INPUT -p icmp --icmp-type 11/0 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
# RFC4890 says RFC4380 requires forwarding ipv6 ping requests
- ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ ip6tables -A wan-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
# Incoming connections
# TODO(apenwarr): Whitelist ports here too for added safety.
if [ -e /tmp/NFS ]; then
# Workaround because netfilter conntracking loaded *after* the NFS
# session was established.
- ip46tables -A INPUT -p tcp --sport 2049 -j ACCEPT
+ ip46tables -A wan-input -p tcp --sport 2049 -j ACCEPT
fi
# Outgoing connections
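Review bot: The NFS workaround rule moved into `wan-input` still accepts any TCP packet from the WAN whose source port is 2049, to any local port, including connection attempts; the comment says its only purpose is to cover a session that conntrack missed, so new SYNs are not needed. Excluding them keeps the workaround while closing the open door: `ip46tables -A wan-input -p tcp --sport 2049 ! --syn -j ACCEPT`. The `/tmp/NFS` gate and the surrounding `if` are unchanged by this commit.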
@@ -211,40 +219,40 @@
# TODO(apenwarr): Remove this when we have real port forwarding controls.
if [ -e /tmp/DEBUG ]; then
- ip46tables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
- ip46tables -A FORWARD -p tcp --dport 22 -j ACCEPT # ssh for lan clients
- ip46tables -A INPUT -p tcp --dport 5001 -j ACCEPT # iperf
- ip46tables -A INPUT -p udp --dport 5001 -j ACCEPT # iperf
- ip46tables -A INPUT -p udp --dport 4948 -j ACCEPT # isoping
+ ip46tables -A wan-input -p tcp --dport 22 -j ACCEPT # ssh
+ ip46tables -A wan-forward -p tcp --dport 22 -j ACCEPT # ssh for lan clients
+ ip46tables -A wan-input -p tcp --dport 5001 -j ACCEPT # iperf
+ ip46tables -A wan-input -p udp --dport 5001 -j ACCEPT # iperf
+ ip46tables -A wan-input -p udp --dport 4948 -j ACCEPT # isoping
fi
# Open incoming ports for McDoleCast
if experiment McDoleCast; then
- ip46tables -A INPUT -p tcp --dport 31098 -j ACCEPT # sagesrv
- ip46tables -A INPUT -p tcp --dport 32825 -j ACCEPT # marjoram
+ ip46tables -A wan-input -p tcp --dport 31098 -j ACCEPT # sagesrv
+ ip46tables -A wan-input -p tcp --dport 32825 -j ACCEPT # marjoram
fi
# cwmpd ACS kick
- ip46tables -A INPUT -p tcp --dport 7547 -j ACCEPT # cwmpd
- ip6tables -A FORWARD -p tcp --dport 7547 -j ACCEPT # cwmpd
- iptables -t nat -A PREROUTING -p tcp --dport 7547 -j ACCEPT # cwmpd
+ ip46tables -A wan-input -p tcp --dport 7547 -j ACCEPT # cwmpd
+ ip6tables -A wan-forward -p tcp --dport 7547 -j ACCEPT # cwmpd
+ iptables -t nat -A wan-nat -p tcp --dport 7547 -j ACCEPT # cwmpd
if [ -e /tmp/factory_status ]; then
- ip46tables -A INPUT -p tcp --dport 8883 -j ACCEPT # factory web server
+ ip46tables -A wan-input -p tcp --dport 8883 -j ACCEPT # factory web server
fi
# active FTP out
ip46tables -A FORWARD -m conntrack --ctstate RELATED \
-m helper --helper ftp -o wan0+ -p tcp --dport 1024: -j ACCEPT
- ip46tables -A FORWARD -m conntrack --ctstate RELATED \
- -m helper --helper ftp -i wan0+ -p tcp --dport 1024: -j ACCEPT
+ ip46tables -A wan-forward -m conntrack --ctstate RELATED \
+ -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
# add ACS-configured things
ip46tables -A FORWARD -i br1 -j acs-captive-portal-filter
- ip46tables -A FORWARD -j acsrules-filter-forward
+ ip46tables -A FORWARD -i wan0+ -j acsrules-filter-forward
ip46tables -t nat -A PREROUTING -i br1 -j captive-portal-guests-nat
ip46tables -t nat -A PREROUTING -i br1 -j acs-captive-portal-nat
- iptables -t nat -A PREROUTING -j acsrules-nat-prerouting
- iptables -t nat -A POSTROUTING -j acsrules-nat-postrouting
+ iptables -t nat -A PREROUTING -i wan0+ -j acsrules-nat-prerouting
+ iptables -t nat -A POSTROUTING -o wan0+ -j acsrules-nat-postrouting
# these are managed by sniproxy, if running
ip46tables -t nat -A PREROUTING -j sniproxy-nat -i br1