| blob | ba19d5310619ce1544839920ff308738dfa0d396 |
1 /*
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and it not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
18 */
19 /*
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
24 */
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
32 wanface_list_t wanfaces;
34 #ifdef TCONFIG_VLAN
38 #endif
40 #ifdef TCONFIG_IPV6
42 #endif
44 #ifdef LINUX26
46 #endif
48 #ifdef DEBUG_IPTFILE
50 #endif
66 #ifdef TCONFIG_IPV6
70 // RFC-4890, sec. 4.3.1
72 #endif
75 {
76 return (nvram_match(wl_nvname("mode", unit, subunit), "sta") && (nvram_match(wl_nvname("bss_enabled", unit, subunit), "1")));
77 }
79 /*
80 struct {
81 } firewall_data;
82 */
84 // -----------------------------------------------------------------------------
86 #ifdef LINUX26
90 {
96 }
100 }
101 }
104 {
117 }
119 }
122 }
125 {
128 }
129 #endif
132 {
133 /*
134 ip_forward - BOOLEAN
135 0 - disabled (default)
136 not 0 - enabled
138 Forward Packets between interfaces.
140 This variable is special, its change resets all configuration
141 parameters to their default state (RFC1122 for hosts, RFC1812
142 for routers)
143 */
146 #ifdef TCONFIG_IPV6
150 }
151 #endif
152 }
155 // -----------------------------------------------------------------------------
157 /*
158 static int ip2cclass(char *ipaddr, char *new, int count)
159 {
160 int ip[4];
162 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
163 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
164 }
165 */
169 {
181 }
185 }
187 void ipt_log_unresolved(const char *addr, const char *addrtype, const char *categ, const char *name)
188 {
197 }
201 {
206 {
210 }
211 #ifdef TCONFIG_IPV6
215 }
216 #endif
220 #ifdef TCONFIG_IPV6
222 #else
224 #endif
225 }
226 }
227 }
228 else
229 {
232 }
237 }
240 }
242 #define ipt_source_strict(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 1, categ, name)
246 /*
247 static void get_src(const char *nv, char *src)
248 {
249 char *p;
251 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
252 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
253 }
254 else {
255 *src = 0;
256 }
257 }
258 */
261 {
267 }
270 {
271 #ifdef TCONFIG_IPV6
277 #endif
278 }
280 // -----------------------------------------------------------------------------
283 {
289 }
295 #ifdef LINUX26
297 #else
299 #endif
301 }
303 // -----------------------------------------------------------------------------
307 {
313 }
318 }
320 // x12
333 }
337 }
340 // -----------------------------------------------------------------------------
345 // This L7 matches inbound traffic, caches the results, then the L7 outbound
346 // should read the cached result and set the appropriate marks -- zzz
348 {
361 }
362 }
363 }
369 #ifdef LINUX26
371 #endif
372 }
375 }
378 }
381 {
397 }
398 }
411 }
413 }
414 }
416 #ifdef LINUX26
418 #else
420 #endif
422 }
424 // -----------------------------------------------------------------------------
439 else
453 // bitwise AND of ip and netmask gives the network
459 }
460 }
461 }
463 // -----------------------------------------------------------------------------
466 {
469 }
472 {
481 #ifdef LINUX26
483 #endif
489 // include IPs
496 #ifdef TCONFIG_IPV6
499 #endif
505 }
506 }
507 }
508 }
514 // exclude IPs
523 }
527 }
530 "-A monitor -p tcp -m webmon "
536 #ifdef LINUX26
538 #else
540 #endif
541 }
544 // -----------------------------------------------------------------------------
545 // MANGLE
546 // -----------------------------------------------------------------------------
549 {
561 //1 for mangle
569 }
573 }
577 }
579 }
583 #ifdef LINUX26
585 #else
587 #endif
588 // set TTL on primary WAN iface only
595 #ifdef TCONFIG_IPV6
596 // FIXME: IPv6 HL should be configurable separately from TTL.
597 // disable it until GUI setting is implemented.
598 #if 0
604 #endif
605 #endif
606 }
607 }
610 }
612 // -----------------------------------------------------------------------------
613 // NAT
614 // -----------------------------------------------------------------------------
617 {
620 #ifdef TCONFIG_VLAN
627 #endif
639 chain_wan_prerouting);
641 //2 for nat
647 #ifdef TCONFIG_VLAN
654 #endif
658 // Drop incoming packets which destination IP address is to our LAN side directly
662 #ifdef TCONFIG_VLAN
675 #endif
676 // chain_wan_prerouting
680 }
681 }
682 }
689 lanaddr);
690 #ifdef TCONFIG_VLAN
695 lan1addr);
700 lan2addr);
705 lan3addr);
706 #endif
707 }
709 // ICMP packets are always redirected to INPUT chains
714 }
722 // ! for loopback (all) to work
724 }
727 }
728 }
729 }
730 }
743 }
744 }
747 #ifdef TCONFIG_IPV6
750 // avoid NATing proto-41 packets when using 6in4 tunnel
753 }
754 #endif
757 if ( (nvram_match("wan_proto", "pppoe") || nvram_match("wan_proto", "dhcp") || nvram_match("wan_proto", "static") )
758 && (modem_ipaddr = nvram_safe_get("modem_ipaddr")) && *modem_ipaddr && !nvram_match("modem_ipaddr","0.0.0.0")
760 ipt_write("-A POSTROUTING -o %s -d %s -j MASQUERADE\n", nvram_safe_get("wan_ifname"), modem_ipaddr);
766 else
767 ipt_write("-A POSTROUTING %s -o %s -j SNAT --to-source %s\n", p, wanfaces.iface[i].name, wanfaces.iface[i].ip);
768 }
769 }
777 lanface,
780 lanaddr);
781 #ifdef TCONFIG_VLAN
784 lan1face,
787 lan1addr);
790 lan2face,
793 lan2addr);
796 lan3face,
799 lan3addr);
800 #endif
802 }
803 }
805 }
807 // -----------------------------------------------------------------------------
808 // FILTER
809 // -----------------------------------------------------------------------------
812 {
825 #ifdef TCONFIG_VLAN
832 #endif
833 }
834 }
835 }
843 /*
844 ? what if the user uses the start button in GUI ?
845 if (nvram_get_int("telnetd_eas"))
846 if (nvram_get_int("sshd_eas"))
847 */
848 #ifdef LINUX26
850 #else
852 #endif
861 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
862 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
863 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
864 }
865 }
866 if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
867 }
869 #ifdef TCONFIG_FTP
871 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
872 #ifdef LINUX26
874 #else
876 #endif
883 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
884 }
885 #endif
890 lanface);
891 #ifdef TCONFIG_VLAN
895 lan1face);
899 lan2face);
903 lan3face);
904 #endif
906 #ifdef TCONFIG_IPV6
911 // Accept ICMP requests from the remote tunnel endpoint
914 else
920 }
921 #endif
923 // ICMP request from WAN interface
925 // allow ICMP packets to be received, but restrict the flow to avoid ping flood attacks
927 // allow udp traceroute packets
928 ipt_write("-A INPUT -p udp --dport 33434:33534 -m limit --limit 5/second -j %s\n", chain_in_accept);
929 }
931 /* Accept incoming packets from broken dhcp servers, which are sending replies
932 * from addresses other than used for query. This could lead to a lower level
933 * of security, so allow to disable it via nvram variable.
934 */
937 }
949 }
954 }
955 }
970 }
974 }
975 #endif
977 // IGMP query from WAN interface
981 }
983 // Routing protocol, RIP, accept
986 }
988 // if logging
991 }
993 // default policy: DROP
994 }
996 // clamp TCP MSS to PMTU of WAN interface (IPv4 only?)
998 {
1000 #ifdef TCONFIG_IPV6
1006 }
1007 #endif
1008 }
1011 {
1020 }
1022 #ifdef TCONFIG_IPV6
1025 #endif
1030 #ifdef TCONFIG_VLAN
1051 /*
1052 1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
1054 1 = enabled
1055 0 = src bridge
1056 1.2.3.4 = src addr
1057 1 = dst bridge
1058 5.6.7.8 = dst addr
1059 desc = desc
1060 */
1071 sbr,
1073 dbr,
1074 src,
1075 dst);
1080 }
1081 }
1083 #endif
1088 // clamp tcp mss to pmtu
1095 }
1102 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); // already established or related (via helper)
1104 #ifdef TCONFIG_VLAN
1111 else
1126 else
1134 }
1135 }
1136 // ipt_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1137 }
1138 }
1139 #endif
1141 #ifdef TCONFIG_IPV6
1142 // Filter out invalid WAN->WAN connections
1146 #ifdef LINUX26
1149 #endif
1151 // ICMPv6 rules
1153 ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[i], chain_in_accept);
1154 }
1161 }
1162 #endif
1170 }
1171 }
1173 #ifdef TCONFIG_VLAN
1178 else
1184 }
1185 }
1186 #else
1188 #endif
1190 // #ifdef TCONFIG_VLAN
1191 /* for (i = 0; i < wanfaces.count; ++i) {
1192 if (*(wanfaces.iface[i].name)) {
1193 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lanface, wanfaces.iface[i].name, chain_out_accept);
1194 if (strcmp(lan1face,"")!=0)
1195 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan1face, wanfaces.iface[i].name, chain_out_accept);
1196 if (strcmp(lan2face,"")!=0)
1197 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan2face, wanfaces.iface[i].name, chain_out_accept);
1198 if (strcmp(lan3face,"")!=0)
1199 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan3face, wanfaces.iface[i].name, chain_out_accept);
1200 }
1201 }
1202 */
1203 // #else
1204 // ipt_write("-A FORWARD -i %s -j %s\n", lanface, chain_out_accept);
1205 // #endif
1207 #ifdef TCONFIG_IPV6
1208 //IPv6 forward LAN->WAN accept
1210 #ifdef TCONFIG_VLAN
1217 #endif
1218 #endif
1226 }
1227 }
1228 }
1233 }
1236 #ifdef TCONFIG_IPV6
1238 #endif
1250 }
1251 }
1253 // default policy: DROP
1254 }
1257 {
1264 }
1267 }
1269 #ifdef TCONFIG_IPV6
1271 #endif
1276 #ifdef LINUX26
1277 " --log-macdecode"
1278 #endif
1283 #ifdef LINUX26
1284 " --log-macdecode"
1285 #endif
1289 }
1294 #ifdef LINUX26
1295 " --log-macdecode"
1296 #endif
1299 limit);
1300 }
1301 }
1303 #ifdef TCONFIG_IPV6
1305 {
1314 // RFC-4890, sec. 4.4.1
1322 /* "-A INPUT -m state --state INVALID -j DROP\n" */
1324 chain_in_drop);
1326 #ifdef LINUX26
1329 #endif
1333 #ifdef LINUX26
1335 #else
1337 #endif
1346 ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface, nvram_safe_get("sshd_port"));
1347 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
1348 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
1349 }
1350 }
1351 if (n & 2) ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface, nvram_safe_get("telnetd_port"));
1352 }
1354 #ifdef TCONFIG_FTP
1356 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
1357 #ifdef LINUX26
1359 #else
1361 #endif
1368 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1369 }
1375 lanface );
1380 // allow responses from the dhcpv6 server
1383 }
1385 // ICMPv6 rules
1388 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[n], chain_in_accept);
1389 }
1391 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_local_icmpv6[n], chain_in_accept);
1392 }
1394 // Remote Managment
1405 }
1410 }
1411 }
1417 #ifdef TCONFIG_FTP
1418 // FTP server
1427 }
1431 }
1432 #endif
1434 // if logging
1437 }
1439 // default policy: DROP
1440 }
1442 #endif
1445 {
1450 );
1455 #ifdef TCONFIG_IPV6
1458 #endif
1463 }
1467 }
1469 }
1471 // -----------------------------------------------------------------------------
1474 {
1482 #ifdef TCONFIG_IPV6
1484 #endif
1492 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
1494 /* NAT performance tweaks
1495 * These values can be overriden later if needed via firewall script
1496 */
1510 /* DoS-related tweaks */
1516 f_write_string("/proc/sys/net/ipv4/ip_dynaddr", (wanproto == WP_DISABLED || wanproto == WP_STATIC) ? "0" : "1", 0, 0);
1518 #ifdef TCONFIG_EMF
1519 /* Force IGMPv2 due EMF limitations */
1523 }
1524 #endif
1535 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
1538 #ifdef TCONFIG_VLAN
1542 #endif
1546 #ifdef TCONFIG_IPV6
1548 #endif
1550 #ifdef LINUX26
1552 #endif
1557 #ifdef TCONFIG_VLAN
1558 /*
1559 strlcpy(s, nvram_safe_get("lan1_ipaddr"), sizeof(s));
1560 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1561 strlcpy(lan1_cclass, s, sizeof(lan1_cclass));
1563 strlcpy(s, nvram_safe_get("lan2_ipaddr"), sizeof(s));
1564 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1565 strlcpy(lan2_cclass, s, sizeof(lan2_cclass));
1567 strlcpy(s, nvram_safe_get("lan3_ipaddr"), sizeof(s));
1568 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1569 strlcpy(lan3_cclass, s, sizeof(lan3_cclass));
1570 */
1571 #endif
1573 /*
1574 block obviously spoofed IP addresses
1576 rp_filter - BOOLEAN
1577 1 - do source validation by reversed path, as specified in RFC1812
1578 Recommended option for single homed hosts and stub network
1579 routers. Could cause troubles for complicated (not loop free)
1580 networks running a slow unreliable protocol (sort of RIP),
1581 or using static routes.
1582 0 - No source validation.
1583 */
1585 /* mcast needs rp filter to be turned off only for non default iface */
1586 if (!(nvram_match("multicast_pass", "1")) || !(nvram_match("udpxy_enable", "1")) || strcmp(wanface, c) == 0) c = NULL;
1592 }
1594 }
1599 /* Remote management */
1602 }
1608 }
1610 #ifdef TCONFIG_IPV6
1615 }
1618 #endif
1619 /*Deon Thomas attempt to start xt_IMQ and imq */
1620 /*shibby - fix modprobing IMQ for kernel 2.4 */
1622 #ifdef LINUX26
1624 #else
1626 #endif
1635 #ifdef TCONFIG_IPV6
1638 #endif
1640 #ifdef DEBUG_IPTFILE
1645 }
1646 #endif
1654 }
1655 }
1661 }
1668 /*
1670 -P INPUT DROP
1671 -F INPUT
1672 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1673 -A INPUT -i br0 -j ACCEPT
1675 -P FORWARD DROP
1676 -F FORWARD
1677 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
1678 -A FORWARD -i br0 -j ACCEPT
1680 */
1681 }
1683 #ifdef TCONFIG_IPV6
1688 }
1694 }
1695 }
1699 }
1700 #endif
1705 }
1713 #ifdef TCONFIG_IPV6
1717 #endif
1718 #ifdef LINUX26
1726 #else
1733 #endif
1739 #ifdef TCONFIG_OPENVPN
1741 #endif
1746 #ifdef LINUX26
1749 #endif
1753 }
1756 {
1759 }
1761 #ifdef DEBUG_IPTFILE
1763 {
1767 }
1768 #endif