# OpenWrt firewall configuration (UCI syntax).
#
# Reading guide for reviewers:
#  - 'defaults' holds the global policies, 'zone' sections group network
#    interfaces by trust level, 'forwarding' opens zone-to-zone traffic,
#    and each 'rule' is an explicit exception for traffic that the zone
#    policies would otherwise reject.
#  - Rule sections are emitted in the order they are listed here, so the
#    order of 'config rule' sections is significant; do not reorder them
#    without checking what each one would shadow.
#  - Only the WAN side is locked down; everything with 'option src wan'
#    below is an inbound exception and deserves a second look on any
#    change.

config defaults
	# SYN-flood protection for new inbound connections.
	option syn_flood	1
	# Global default policies (NOTE(review): these apply to traffic that
	# is not covered by one of the zones below - confirm against the
	# firewall version in use).
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

# LAN zone: hosts here are trusted - traffic to the router, from the
# router and between LAN networks is all accepted.
config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

# WAN zone (covers both the 'wan' and 'wan6' networks): unsolicited
# traffic to the router (input) and between WAN networks (forward) is
# REJECTed. The 'config rule' sections with 'option src wan' further
# down, plus whatever /etc/firewall.user adds, are the only exceptions.
config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	# Source-NAT (masquerade) traffic leaving through WAN and clamp the
	# TCP MSS so NAT'd hosts do not hit path-MTU problems.
	option masq		1
	option mtu_fix		1

# LAN hosts may initiate connections towards WAN. There is no reverse
# 'forwarding' section, so WAN -> LAN is only possible through explicit
# rules (see Allow-IPSec-ESP / Allow-ISAKMP below) or through the
# connection tracking of LAN-initiated flows.
config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
# Limited to IPv4 and to the DHCP client port; no target host means the
# rule matches traffic addressed to the router itself.
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
# The router answers echo-request from the internet. Unlike the ICMPv6
# rules below this rule carries no 'option limit'.
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

# IGMP from WAN to the router (multicast membership signalling), IPv4 only.
config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
# Both source and destination are restricted to fc00::/6 and the
# destination port to the DHCPv6 client port 546.
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

# Multicast Listener Discovery: ICMPv6 types 130-132 and 143, accepted
# only from link-local sources (fe80::/10), which MLD traffic is
# expected to come from.
config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
# These types are needed for IPv6 to work at all (path MTU discovery,
# neighbour/router discovery, error reporting). The rule is rate
# limited to 1000/sec as a flood guard.
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
# Same idea as above but for traffic passing through the router
# ('option dest *' = any zone). The neighbour/router discovery types
# are deliberately absent here since they are link-local only.
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# NOTE(review): the next two rules are WAN -> LAN *forward* exceptions,
# not exceptions for the router itself: ESP and IKE (UDP/500) from any
# WAN source are accepted into the LAN zone. They only make sense when a
# LAN host terminates IPsec; otherwise they can be switched off with
# 'option enabled false' like Support-UDP-Traceroute below.
config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables. if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
# Shipped disabled ('option enabled false'); it only matters when the
# WAN input policy above is changed from REJECT to DROP.
config rule
	option name		Support-UDP-Traceroute
	option src		wan
	option dest_port	33434:33689
	option proto		udp
	option family		ipv4
	option target		REJECT
	option enabled		false

# include a file with users custom iptables rules
# Whatever /etc/firewall.user contains is loaded in addition to the
# sections in this file and is not visible here, so review that file
# together with this one.
config include
	option path		/etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip		192.168.45.2
#	option dest		wan
#	option proto		tcp
#	option target		REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac		00:11:22:33:44:66
#	option target		REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto		ICMP
#	option target		DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src		wan
#	option src_dport	80
#	option dest		lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip		192.168.45.2
#	option src_mac		00:11:22:33:44:55
#	option src_port		80
#	option dest		wan
#	option dest_ip		194.25.2.129
#	option dest_port	120
#	option proto		tcp
#	option target		REJECT

#config redirect
#	option src		lan
#	option src_ip		192.168.45.2
#	option src_mac		00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip		194.25.2.129
#	option dest_port	120
#	option proto		tcp