| blob | 38789b9b1fe90c2c6ca9b7dd27d271ab03ebec21 |
1 /*
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and it not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
18 */
19 /*
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
24 */
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
32 wanface_list_t wanfaces;
34 #ifdef TCONFIG_VLAN
38 #endif
40 #ifdef TCONFIG_IPV6
42 #endif
44 #ifdef LINUX26
46 #endif
48 #ifdef DEBUG_IPTFILE
50 #endif
66 #ifdef TCONFIG_IPV6
70 // RFC-4890, sec. 4.3.1
72 #endif
75 {
76 return (nvram_match(wl_nvname("mode", unit, subunit), "sta") && (nvram_match(wl_nvname("bss_enabled", unit, subunit), "1")));
77 }
79 /*
80 struct {
81 } firewall_data;
82 */
84 // -----------------------------------------------------------------------------
86 #ifdef LINUX26
90 {
96 }
100 }
101 }
104 {
117 }
119 }
122 }
125 {
128 }
129 #endif
132 {
133 /*
134 ip_forward - BOOLEAN
135 0 - disabled (default)
136 not 0 - enabled
138 Forward Packets between interfaces.
140 This variable is special, its change resets all configuration
141 parameters to their default state (RFC1122 for hosts, RFC1812
142 for routers)
143 */
146 #ifdef TCONFIG_IPV6
150 }
151 #endif
152 }
155 // -----------------------------------------------------------------------------
157 /*
158 static int ip2cclass(char *ipaddr, char *new, int count)
159 {
160 int ip[4];
162 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
163 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
164 }
165 */
169 {
181 }
185 }
187 void ipt_log_unresolved(const char *addr, const char *addrtype, const char *categ, const char *name)
188 {
197 }
201 {
206 {
210 }
211 #ifdef TCONFIG_IPV6
215 }
216 #endif
220 #ifdef TCONFIG_IPV6
222 #else
224 #endif
225 }
226 }
227 }
228 else
229 {
232 }
237 }
240 }
242 #define ipt_source_strict(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 1, categ, name)
246 /*
247 static void get_src(const char *nv, char *src)
248 {
249 char *p;
251 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
252 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
253 }
254 else {
255 *src = 0;
256 }
257 }
258 */
261 {
267 }
270 {
271 #ifdef TCONFIG_IPV6
277 #endif
278 }
280 // -----------------------------------------------------------------------------
283 {
289 }
295 #ifdef LINUX26
297 #else
299 #endif
301 }
303 // -----------------------------------------------------------------------------
307 {
313 }
318 }
320 // x12
333 }
337 }
340 // -----------------------------------------------------------------------------
345 // This L7 matches inbound traffic, caches the results, then the L7 outbound
346 // should read the cached result and set the appropriate marks -- zzz
348 {
361 }
362 }
363 }
369 #ifdef LINUX26
371 #endif
372 }
375 }
378 }
381 {
397 }
398 }
411 }
413 }
414 }
416 #ifdef LINUX26
418 #else
420 #endif
422 }
424 // -----------------------------------------------------------------------------
439 else
453 // bitwise AND of ip and netmask gives the network
458 //ipv4 only
460 }
461 }
462 }
464 // -----------------------------------------------------------------------------
467 {
470 }
473 {
482 #ifdef LINUX26
484 #endif
490 // include IPs
497 #ifdef TCONFIG_IPV6
500 #endif
506 }
507 }
508 }
509 }
515 // exclude IPs
524 }
528 }
531 "-A monitor -p tcp -m webmon "
537 #ifdef LINUX26
539 #else
541 #endif
542 }
545 // -----------------------------------------------------------------------------
546 // MANGLE
547 // -----------------------------------------------------------------------------
550 {
568 }
572 }
576 }
578 }
582 #ifdef LINUX26
584 #else
586 #endif
587 // set TTL on primary WAN iface only
594 #ifdef TCONFIG_IPV6
595 // FIXME: IPv6 HL should be configurable separately from TTL.
596 // disable it until GUI setting is implemented.
597 #if 0
603 #endif
604 #endif
605 }
606 }
609 }
611 // -----------------------------------------------------------------------------
612 // NAT
613 // -----------------------------------------------------------------------------
616 {
619 #ifdef TCONFIG_VLAN
626 #endif
638 chain_wan_prerouting);
643 #ifdef TCONFIG_VLAN
650 #endif
654 // Drop incoming packets which destination IP address is to our LAN side directly
658 #ifdef TCONFIG_VLAN
671 #endif
672 // chain_wan_prerouting
676 }
677 }
678 }
685 lanaddr);
686 #ifdef TCONFIG_VLAN
691 lan1addr);
696 lan2addr);
701 lan3addr);
702 #endif
703 }
705 // ICMP packets are always redirected to INPUT chains
710 }
718 // ! for loopback (all) to work
720 }
723 }
724 }
725 }
726 }
739 }
740 }
743 #ifdef TCONFIG_IPV6
746 // avoid NATing proto-41 packets when using 6in4 tunnel
749 }
750 #endif
753 if ( (nvram_match("wan_proto", "pppoe") || nvram_match("wan_proto", "dhcp") || nvram_match("wan_proto", "static") )
754 && (modem_ipaddr = nvram_safe_get("modem_ipaddr")) && *modem_ipaddr && !nvram_match("modem_ipaddr","0.0.0.0")
756 ipt_write("-A POSTROUTING -o %s -d %s -j MASQUERADE\n", nvram_safe_get("wan_ifname"), modem_ipaddr);
762 else
763 ipt_write("-A POSTROUTING %s -o %s -j SNAT --to-source %s\n", p, wanfaces.iface[i].name, wanfaces.iface[i].ip);
764 }
765 }
773 lanface,
776 lanaddr);
777 #ifdef TCONFIG_VLAN
780 lan1face,
783 lan1addr);
786 lan2face,
789 lan2addr);
792 lan3face,
795 lan3addr);
796 #endif
798 }
799 }
801 }
803 // -----------------------------------------------------------------------------
804 // FILTER
805 // -----------------------------------------------------------------------------
808 {
821 #ifdef TCONFIG_VLAN
828 #endif
829 }
830 }
831 }
839 /*
840 ? what if the user uses the start button in GUI ?
841 if (nvram_get_int("telnetd_eas"))
842 if (nvram_get_int("sshd_eas"))
843 */
844 #ifdef LINUX26
846 #else
848 #endif
857 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
858 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
859 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
860 }
861 }
862 if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
863 }
865 #ifdef TCONFIG_FTP
867 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
868 #ifdef LINUX26
870 #else
872 #endif
879 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
880 }
881 #endif
886 lanface);
887 #ifdef TCONFIG_VLAN
891 lan1face);
895 lan2face);
899 lan3face);
900 #endif
902 #ifdef TCONFIG_IPV6
907 // Accept ICMP requests from the remote tunnel endpoint
910 else
916 }
917 #endif
919 // ICMP request from WAN interface
921 // allow ICMP packets to be received, but restrict the flow to avoid ping flood attacks
923 // allow udp traceroute packets
924 ipt_write("-A INPUT -p udp --dport 33434:33534 -m limit --limit 5/second -j %s\n", chain_in_accept);
925 }
927 /* Accept incoming packets from broken dhcp servers, which are sending replies
928 * from addresses other than used for query. This could lead to a lower level
929 * of security, so allow to disable it via nvram variable.
930 */
933 }
945 }
950 }
951 }
966 }
970 }
971 #endif
973 // IGMP query from WAN interface
977 }
979 // Routing protocol, RIP, accept
982 }
984 // if logging
987 }
989 // default policy: DROP
990 }
992 // clamp TCP MSS to PMTU of WAN interface (IPv4 only?)
994 {
996 #ifdef TCONFIG_IPV6
1002 }
1003 #endif
1004 }
1007 {
1016 }
1018 #ifdef TCONFIG_IPV6
1021 #endif
1026 #ifdef TCONFIG_VLAN
1047 /*
1048 1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
1050 1 = enabled
1051 0 = src bridge
1052 1.2.3.4 = src addr
1053 1 = dst bridge
1054 5.6.7.8 = dst addr
1055 desc = desc
1056 */
1065 //ipv4 only
1068 sbr,
1070 dbr,
1071 src,
1072 dst);
1077 }
1078 }
1080 #endif
1085 // clamp tcp mss to pmtu
1092 }
1099 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); // already established or related (via helper)
1101 #ifdef TCONFIG_VLAN
1108 else
1123 else
1131 }
1132 }
1133 // ipt_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1134 }
1135 }
1136 #endif
1138 #ifdef TCONFIG_PPTPD
1139 //Add for pptp server
1143 }
1144 #endif
1146 #ifdef TCONFIG_IPV6
1147 // Filter out invalid WAN->WAN connections
1151 #ifdef LINUX26
1154 #endif
1156 // ICMPv6 rules
1158 ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[i], chain_in_accept);
1159 }
1166 }
1167 #endif
1175 }
1176 }
1178 #ifdef TCONFIG_VLAN
1183 else
1189 }
1190 }
1191 #else
1193 #endif
1195 // #ifdef TCONFIG_VLAN
1196 /* for (i = 0; i < wanfaces.count; ++i) {
1197 if (*(wanfaces.iface[i].name)) {
1198 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lanface, wanfaces.iface[i].name, chain_out_accept);
1199 if (strcmp(lan1face,"")!=0)
1200 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan1face, wanfaces.iface[i].name, chain_out_accept);
1201 if (strcmp(lan2face,"")!=0)
1202 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan2face, wanfaces.iface[i].name, chain_out_accept);
1203 if (strcmp(lan3face,"")!=0)
1204 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan3face, wanfaces.iface[i].name, chain_out_accept);
1205 }
1206 }
1207 */
1208 // #else
1209 // ipt_write("-A FORWARD -i %s -j %s\n", lanface, chain_out_accept);
1210 // #endif
1212 #ifdef TCONFIG_IPV6
1213 //IPv6 forward LAN->WAN accept
1215 #ifdef TCONFIG_VLAN
1222 #endif
1223 #endif
1231 }
1232 }
1233 }
1238 }
1241 #ifdef TCONFIG_IPV6
1243 #endif
1255 }
1256 }
1258 // default policy: DROP
1259 }
1262 {
1269 }
1272 }
1274 #ifdef TCONFIG_IPV6
1276 #endif
1281 #ifdef LINUX26
1282 " --log-macdecode"
1283 #endif
1288 #ifdef LINUX26
1289 " --log-macdecode"
1290 #endif
1294 }
1299 #ifdef LINUX26
1300 " --log-macdecode"
1301 #endif
1304 limit);
1305 }
1306 }
1308 #ifdef TCONFIG_IPV6
1310 {
1319 // RFC-4890, sec. 4.4.1
1327 /* "-A INPUT -m state --state INVALID -j DROP\n" */
1329 chain_in_drop);
1331 #ifdef LINUX26
1334 #endif
1338 #ifdef LINUX26
1340 #else
1342 #endif
1351 ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface, nvram_safe_get("sshd_port"));
1352 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
1353 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
1354 }
1355 }
1356 if (n & 2) ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface, nvram_safe_get("telnetd_port"));
1357 }
1359 #ifdef TCONFIG_FTP
1361 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
1362 #ifdef LINUX26
1364 #else
1366 #endif
1373 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1374 }
1380 lanface );
1385 // allow responses from the dhcpv6 server
1388 }
1390 // ICMPv6 rules
1393 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[n], chain_in_accept);
1394 }
1396 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_local_icmpv6[n], chain_in_accept);
1397 }
1399 // Remote Managment
1410 }
1415 }
1416 }
1422 #ifdef TCONFIG_FTP
1423 // FTP server
1432 }
1436 }
1437 #endif
1439 // if logging
1442 }
1444 // default policy: DROP
1445 }
1447 #endif
1450 {
1455 );
1460 #ifdef TCONFIG_IPV6
1463 #endif
1468 }
1472 }
1474 }
1476 // -----------------------------------------------------------------------------
1479 {
1487 #ifdef TCONFIG_IPV6
1489 #endif
1497 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
1499 /* NAT performance tweaks
1500 * These values can be overriden later if needed via firewall script
1501 */
1515 /* DoS-related tweaks */
1521 f_write_string("/proc/sys/net/ipv4/ip_dynaddr", (wanproto == WP_DISABLED || wanproto == WP_STATIC) ? "0" : "1", 0, 0);
1523 #ifdef TCONFIG_EMF
1524 /* Force IGMPv2 due EMF limitations */
1528 }
1529 #endif
1540 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
1543 #ifdef TCONFIG_VLAN
1547 #endif
1551 #ifdef TCONFIG_IPV6
1553 #endif
1555 #ifdef LINUX26
1557 #endif
1562 #ifdef TCONFIG_VLAN
1563 /*
1564 strlcpy(s, nvram_safe_get("lan1_ipaddr"), sizeof(s));
1565 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1566 strlcpy(lan1_cclass, s, sizeof(lan1_cclass));
1568 strlcpy(s, nvram_safe_get("lan2_ipaddr"), sizeof(s));
1569 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1570 strlcpy(lan2_cclass, s, sizeof(lan2_cclass));
1572 strlcpy(s, nvram_safe_get("lan3_ipaddr"), sizeof(s));
1573 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1574 strlcpy(lan3_cclass, s, sizeof(lan3_cclass));
1575 */
1576 #endif
1578 /*
1579 block obviously spoofed IP addresses
1581 rp_filter - BOOLEAN
1582 1 - do source validation by reversed path, as specified in RFC1812
1583 Recommended option for single homed hosts and stub network
1584 routers. Could cause troubles for complicated (not loop free)
1585 networks running a slow unreliable protocol (sort of RIP),
1586 or using static routes.
1587 0 - No source validation.
1588 */
1590 /* mcast needs rp filter to be turned off only for non default iface */
1591 if (!(nvram_match("multicast_pass", "1")) || !(nvram_match("udpxy_enable", "1")) || strcmp(wanface, c) == 0) c = NULL;
1597 }
1599 }
1604 /* Remote management */
1607 }
1613 }
1615 #ifdef TCONFIG_IPV6
1620 }
1623 #endif
1624 /*Start xt_IMQ and imq */
1626 #ifdef LINUX26
1628 #else
1630 #endif
1639 #ifdef TCONFIG_IPV6
1642 #endif
1644 #ifdef DEBUG_IPTFILE
1649 }
1650 #endif
1658 }
1659 }
1665 }
1672 /*
1674 -P INPUT DROP
1675 -F INPUT
1676 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1677 -A INPUT -i br0 -j ACCEPT
1679 -P FORWARD DROP
1680 -F FORWARD
1681 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
1682 -A FORWARD -i br0 -j ACCEPT
1684 */
1685 }
1687 #ifdef TCONFIG_IPV6
1692 }
1698 }
1699 }
1703 }
1704 #endif
1709 }
1717 #ifdef TCONFIG_IPV6
1721 #endif
1722 #ifdef LINUX26
1730 #else
1737 #endif
1743 #ifdef TCONFIG_OPENVPN
1745 #endif
1750 #ifdef LINUX26
1753 #endif
1757 }
1760 {
1763 }
1765 #ifdef DEBUG_IPTFILE
1767 {
1771 }
1772 #endif