/* Firewall */ vollkommen anders
parent
866daacaf7
commit
39d6cd6438
|
@ -134,110 +134,20 @@ config wifi-iface
|
||||||
|
|
||||||
|
|
||||||
=== Firewall ===
|
=== Firewall ===
|
||||||
/etc/config/firewall :
|
Crappy OpenWRT firewall disabled.
|
||||||
|
|
||||||
<pre>
|
<pre>
|
||||||
|
root@ratbert:~# cat /etc/rc.local
|
||||||
|
# Put your custom commands here that should be executed once
|
||||||
|
# the system init finished. By default this file does nothing.
|
||||||
|
|
||||||
root@ratbert:/etc/config# cat firewall
|
iptables -t nat -A POSTROUTING -o pppoe-wan -j MASQUERADE
|
||||||
config defaults
|
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||||
option syn_flood 1
|
|
||||||
option input ACCEPT
|
|
||||||
option output ACCEPT
|
|
||||||
option forward REJECT
|
|
||||||
# Uncomment this line to disable ipv6 rules
|
|
||||||
# option disable_ipv6 1
|
|
||||||
|
|
||||||
config zone
|
|
||||||
option name lan
|
|
||||||
option network 'lan'
|
|
||||||
option input ACCEPT
|
|
||||||
option output ACCEPT
|
|
||||||
option forward REJECT
|
|
||||||
|
|
||||||
config zone
|
|
||||||
option name wan
|
|
||||||
option network 'wan'
|
|
||||||
option input REJECT
|
|
||||||
option output ACCEPT
|
|
||||||
option forward REJECT
|
|
||||||
option masq 1
|
|
||||||
option mtu_fix 1
|
|
||||||
|
|
||||||
config forwarding
|
|
||||||
option src lan
|
|
||||||
option dest wan
|
|
||||||
|
|
||||||
# We need to accept udp packets on port 68,
|
|
||||||
# see https://dev.openwrt.org/ticket/4108
|
|
||||||
config rule
|
|
||||||
option name Allow-DHCP-Renew
|
|
||||||
option src wan
|
|
||||||
option proto udp
|
|
||||||
option dest_port 68
|
|
||||||
option target ACCEPT
|
|
||||||
option family ipv4
|
|
||||||
|
|
||||||
# Allow IPv4 ping
|
|
||||||
config rule
|
|
||||||
option name Allow-Ping
|
|
||||||
option src wan
|
|
||||||
option proto icmp
|
|
||||||
option icmp_type echo-request
|
|
||||||
option family ipv4
|
|
||||||
option target ACCEPT
|
|
||||||
|
|
||||||
# Allow DHCPv6 replies
|
|
||||||
# see https://dev.openwrt.org/ticket/10381
|
|
||||||
config rule
|
|
||||||
option name Allow-DHCPv6
|
|
||||||
option src wan
|
|
||||||
option proto udp
|
|
||||||
option src_ip fe80::/10
|
|
||||||
option src_port 547
|
|
||||||
option dest_ip fe80::/10
|
|
||||||
option dest_port 546
|
|
||||||
option family ipv6
|
|
||||||
option target ACCEPT
|
|
||||||
|
|
||||||
# Allow essential incoming IPv6 ICMP traffic
|
|
||||||
config rule
|
|
||||||
option name Allow-ICMPv6-Input
|
|
||||||
option src wan
|
|
||||||
option proto icmp
|
|
||||||
list icmp_type echo-request
|
|
||||||
list icmp_type destination-unreachable
|
|
||||||
list icmp_type packet-too-big
|
|
||||||
list icmp_type time-exceeded
|
|
||||||
list icmp_type bad-header
|
|
||||||
list icmp_type unknown-header-type
|
|
||||||
list icmp_type router-solicitation
|
|
||||||
list icmp_type neighbour-solicitation
|
|
||||||
option limit 1000/sec
|
|
||||||
option family ipv6
|
|
||||||
option target ACCEPT
|
|
||||||
|
|
||||||
# Allow essential forwarded IPv6 ICMP traffic
|
|
||||||
config rule
|
|
||||||
option name Allow-ICMPv6-Forward
|
|
||||||
option src wan
|
|
||||||
option dest *
|
|
||||||
option proto icmp
|
|
||||||
list icmp_type echo-request
|
|
||||||
list icmp_type destination-unreachable
|
|
||||||
list icmp_type packet-too-big
|
|
||||||
list icmp_type time-exceeded
|
|
||||||
list icmp_type bad-header
|
|
||||||
list icmp_type unknown-header-type
|
|
||||||
option limit 1000/sec
|
|
||||||
option family ipv6
|
|
||||||
option target ACCEPT
|
|
||||||
|
|
||||||
# include a file with users custom iptables rules
|
|
||||||
config include
|
|
||||||
option path /etc/firewall.user
|
|
||||||
|
|
||||||
|
exit 0
|
||||||
</pre>
|
</pre>
|
||||||
|
|
||||||
|
Wir hatten mal noch in der raw table NOTRACK zwischen LAN & WLAN...
|
||||||
|
|
||||||
=== DNSmasq ===
|
=== DNSmasq ===
|
||||||
Der combinierte DNS und DHCP Server dnsmasq ist in /etc/config/dhcp so eingestellt:
|
Der combinierte DNS und DHCP Server dnsmasq ist in /etc/config/dhcp so eingestellt:
|
||||||
|
|
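Review bot: The rc.local shown on the new side only adds a MASQUERADE rule and TCPMSS clamping; nothing in it sets a filter-table policy or a stateful rule, so the `input REJECT` / `forward REJECT` that the removed wan zone provided is gone and, with the OpenWRT firewall disabled, the page gives no indication that inbound or forwarded traffic on pppoe-wan is restricted at all (the kernel default policy is ACCEPT unless something else sets it — worth confirming on the device). If that is intended, say so next to "Crappy OpenWRT firewall disabled."; otherwise the snippet should at least carry `iptables -P FORWARD DROP`, `iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` and `iptables -A FORWARD -i <lan-if> -o pppoe-wan -j ACCEPT` (`<lan-if>` is a placeholder for the LAN bridge name, which the page does not show), with matching INPUT handling for the WAN side. The rules are also plain `-A` appends with no flush, so every re-run of rc.local duplicates them; a short note on that, or a `-C`/flush guard, belongs in the listing. The "Wir hatten mal noch in der raw table NOTRACK..." remark reads as an open question rather than documentation; stating whether the raw-table NOTRACK rule between LAN and WLAN is still applied would make the page usable as a reference.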