3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and it not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
29 #include <arpa/inet.h>
32 wanface_list_t wanfaces
;
33 char lanface
[IFNAMSIZ
+ 1];
35 char lan1face
[IFNAMSIZ
+ 1];
36 char lan2face
[IFNAMSIZ
+ 1];
37 char lan3face
[IFNAMSIZ
+ 1];
41 char wan6face
[IFNAMSIZ
+ 1];
43 char lan_cclass
[sizeof("xxx.xxx.xxx.") + 1];
45 static int can_enable_fastnat
;
49 static int debug_only
= 0;
52 static int gateway_mode
;
53 static int remotemanage
;
56 const char *chain_in_drop
;
57 const char *chain_in_accept
;
58 const char *chain_out_drop
;
59 const char *chain_out_accept
;
60 const char *chain_out_reject
;
62 const char chain_wan_prerouting
[] = "WANPREROUTING";
63 const char ipt_fname
[] = "/etc/iptables";
67 const char ip6t_fname
[] = "/etc/ip6tables";
70 // RFC-4890, sec. 4.3.1
71 const int allowed_icmpv6
[] = { 1, 2, 3, 4, 128, 129 };
74 static int is_sta(int idx
, int unit
, int subunit
, void *param
)
76 return (nvram_match(wl_nvname("mode", unit
, subunit
), "sta") && (nvram_match(wl_nvname("bss_enabled", unit
, subunit
), "1")));
84 // -----------------------------------------------------------------------------
87 static const char *fastnat_run_dir
= "/var/run/fastnat";
89 void allow_fastnat(const char *service
, int allow
)
93 snprintf(p
, sizeof(p
), "%s/%s", fastnat_run_dir
, service
);
98 mkdir_if_none(fastnat_run_dir
);
99 f_write_string(p
, "", 0, 0);
103 static inline int fastnat_allowed(void)
109 enabled
= !nvram_get_int("qos_enable") && !nvram_get_int("fastnat_disable");
111 if (enabled
&& (dir
= opendir(fastnat_run_dir
))) {
112 while ((dp
= readdir(dir
))) {
113 if (strcmp(dp
->d_name
, ".") == 0 || strcmp(dp
->d_name
, "..") == 0)
124 void try_enabling_fastnat(void)
126 f_write_string("/proc/sys/net/ipv4/netfilter/ip_conntrack_fastnat",
127 fastnat_allowed() ? "1" : "0", 0, 0);
131 void enable_ip_forward(void)
135 0 - disabled (default)
138 Forward Packets between interfaces.
140 This variable is special, its change resets all configuration
141 parameters to their default state (RFC1122 for hosts, RFC1812
144 f_write_string("/proc/sys/net/ipv4/ip_forward", "1", 0, 0);
147 if (ipv6_enabled()) {
148 f_write_string("/proc/sys/net/ipv6/conf/default/forwarding", "1", 0, 0);
149 f_write_string("/proc/sys/net/ipv6/conf/all/forwarding", "1", 0, 0);
152 f_write_string("/proc/sys/net/ipv6/conf/default/forwarding", "0", 0, 0);
153 f_write_string("/proc/sys/net/ipv6/conf/all/forwarding", "0", 0, 0);
160 // -----------------------------------------------------------------------------
163 static int ip2cclass(char *ipaddr, char *new, int count)
167 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
168 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
173 static int dmz_dst(char *s
)
179 if (nvram_get_int("dmz_enable") <= 0) return 0;
181 p
= nvram_safe_get("dmz_ipaddr");
182 if ((ia
.s_addr
= inet_addr(p
)) == (in_addr_t
)-1) {
183 if (((n
= atoi(p
)) <= 0) || (n
>= 255)) return 0;
184 if (s
) sprintf(s
, "%s%d", lan_cclass
, n
);
188 if (s
) strcpy(s
, inet_ntoa(ia
));
192 void ipt_log_unresolved(const char *addr
, const char *addrtype
, const char *categ
, const char *name
)
196 pre
= (name
&& *name
) ? " for \"" : "";
197 post
= (name
&& *name
) ? "\"" : "";
199 syslog(LOG_WARNING
, "firewall: "
200 "%s: not using %s%s%s%s (could not resolve as valid %s address)",
201 categ
, addr
, pre
, (name
) ? : "", post
, (addrtype
) ? : "IP");
204 int ipt_addr(char *addr
, int maxlen
, const char *s
, const char *dir
, int af
,
205 int strict
, const char *categ
, const char *name
)
207 char p
[INET6_ADDRSTRLEN
* 2];
210 if ((s
) && (*s
) && (*dir
))
212 if (sscanf(s
, "%[0-9.]-%[0-9.]", p
, p
) == 2) {
213 snprintf(addr
, maxlen
, "-m iprange --%s-range %s", dir
, s
);
217 else if (sscanf(s
, "%[0-9A-Fa-f:]-%[0-9A-Fa-f:]", p
, p
) == 2) {
218 snprintf(addr
, maxlen
, "-m iprange --%s-range %s", dir
, s
);
223 snprintf(addr
, maxlen
, "-%c %s", dir
[0], s
);
224 if (sscanf(s
, "%[^/]/", p
)) {
226 r
= host_addrtypes(p
, strict
? af
: (IPT_V4
| IPT_V6
));
228 r
= host_addrtypes(p
, IPT_V4
);
236 r
= (IPT_V4
| IPT_V6
);
239 if ((r
== 0 || (strict
&& ((r
& af
) != af
))) && (categ
&& *categ
)) {
240 ipt_log_unresolved(s
, categ
, name
,
241 (af
& IPT_V4
& ~r
) ? "IPv4" : ((af
& IPT_V6
& ~r
) ? "IPv6" : NULL
));
247 #define ipt_source_strict(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 1, categ, name)
248 #define ipt_source(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 0, categ, name)
249 #define ip6t_source(s, src, categ, name) ipt_addr(src, 128, s, "src", IPT_V6, 0, categ, name)
252 static void get_src(const char *nv, char *src)
256 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
257 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
265 void ipt_write(const char *format
, ...)
269 va_start(args
, format
);
270 vfprintf(ipt_file
, format
, args
);
274 void ip6t_write(const char *format
, ...)
279 va_start(args
, format
);
280 vfprintf(ip6t_file
, format
, args
);
285 // -----------------------------------------------------------------------------
287 int ipt_dscp(const char *v
, char *opt
)
296 n
= strtoul(v
, NULL
, 0);
298 sprintf(opt
, " -m dscp --dscp 0x%02X", n
);
303 modprobe("ipt_dscp");
308 // -----------------------------------------------------------------------------
311 int ipt_ipp2p(const char *v
, char *opt
)
320 strcpy(opt
, "-m ipp2p ");
321 if ((n
& 0xFFF) == 0xFFF) {
322 strcat(opt
, "--ipp2p");
326 if (n
& 0x0001) strcat(opt
, "--apple ");
327 if (n
& 0x0002) strcat(opt
, "--ares ");
328 if (n
& 0x0004) strcat(opt
, "--bit ");
329 if (n
& 0x0008) strcat(opt
, "--dc ");
330 if (n
& 0x0010) strcat(opt
, "--edk ");
331 if (n
& 0x0020) strcat(opt
, "--gnu ");
332 if (n
& 0x0040) strcat(opt
, "--kazaa ");
333 if (n
& 0x0080) strcat(opt
, "--mute ");
334 if (n
& 0x0100) strcat(opt
, "--soul ");
335 if (n
& 0x0200) strcat(opt
, "--waste ");
336 if (n
& 0x0400) strcat(opt
, "--winmx ");
337 if (n
& 0x0800) strcat(opt
, "--xdcc ");
339 if (n
& 0x1000) strcat(opt
, "--pp ");
340 if (n
& 0x2000) strcat(opt
, "--xunlei ");
344 modprobe("ipt_ipp2p");
349 // -----------------------------------------------------------------------------
354 // This L7 matches inbound traffic, caches the results, then the L7 outbound
355 // should read the cached result and set the appropriate marks -- zzz
356 void ipt_layer7_inbound(void)
361 if (!layer7_in
) return;
363 en
= nvram_match("nf_l7in", "1");
365 ipt_write(":L7in - [0:0]\n");
366 for (i
= 0; i
< wanfaces
.count
; ++i
) {
367 if (*(wanfaces
.iface
[i
].name
)) {
368 ipt_write("-A FORWARD -i %s -j L7in\n",
369 wanfaces
.iface
[i
].name
);
377 ipt_write("-A L7in %s -j RETURN\n", *p
);
379 can_enable_fastnat
= 0;
389 int ipt_layer7(const char *v
, char *opt
)
395 if (*v
== 0) return 0;
396 if (strlen(v
) > 32) return -1;
398 path
= "/etc/l7-extra";
399 sprintf(s
, "%s/%s.pat", path
, v
);
401 path
= "/etc/l7-protocols";
402 sprintf(s
, "%s/%s.pat", path
, v
);
404 syslog(LOG_ERR
, "L7 %s was not found", v
);
409 sprintf(opt
, "-m layer7 --l7dir %s --l7proto %s", path
, v
);
411 if (nvram_match("nf_l7in", "1")) {
412 if (!layer7_in
) layer7_in
= calloc(51, sizeof(char *));
418 if (strcmp(*p
, opt
) == 0) return 1;
421 if (((p
- layer7_in
) / sizeof(char *)) < 50) *p
= strdup(opt
);
426 modprobe("xt_layer7");
428 modprobe("ipt_layer7");
433 // -----------------------------------------------------------------------------
435 static void ipt_account(void) {
436 struct in_addr ipaddr
, netmask
, network
;
437 char lanN_ifname
[] = "lanXX_ifname";
438 char lanN_ipaddr
[] = "lanXX_ipaddr";
439 char lanN_netmask
[] = "lanXX_netmask";
440 char lanN
[] = "lanXX";
441 char netaddrnetmask
[] = "255.255.255.255/255.255.255.255 ";
443 // If the IP Address changes, the below rule will cause things to choke, and blocking rules don't get applied
444 // As a workaround, flush the entire FORWARD chain
445 system("iptables -F FORWARD");
447 for(br
=0 ; br
<=3 ; br
++) {
448 char bridge
[2] = "0";
454 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
456 if (strcmp(nvram_safe_get(lanN_ifname
), "")!=0) {
458 sprintf(lanN_ipaddr
, "lan%s_ipaddr", bridge
);
459 sprintf(lanN_netmask
, "lan%s_netmask", bridge
);
460 sprintf(lanN
, "lan%s", bridge
);
462 inet_aton(nvram_safe_get(lanN_ipaddr
), &ipaddr
);
463 inet_aton(nvram_safe_get(lanN_netmask
), &netmask
);
465 // bitwise AND of ip and netmask gives the network
466 network
.s_addr
= ipaddr
.s_addr
& netmask
.s_addr
;
468 sprintf(netaddrnetmask
, "%s/%s", inet_ntoa(network
), nvram_safe_get(lanN_netmask
));
471 ipt_write("-A FORWARD -m account --aaddr %s --aname %s\n", netaddrnetmask
, lanN
);
476 // -----------------------------------------------------------------------------
478 static void save_webmon(void)
480 eval("cp", "/proc/webmon_recent_domains", "/var/webmon/domain");
481 eval("cp", "/proc/webmon_recent_searches", "/var/webmon/search");
484 static void ipt_webmon()
486 int wmtype
, clear
, i
;
492 if (!nvram_get_int("log_wm")) return;
495 can_enable_fastnat
= 0;
497 wmtype
= nvram_get_int("log_wmtype");
498 clear
= nvram_get_int("log_wmclear");
500 ip46t_write(":monitor - [0:0]\n");
503 strlcpy(t
, wmtype
== 1 ? nvram_safe_get("log_wmip") : "", sizeof(t
));
506 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
508 if ((ok
= ipt_addr(src
, sizeof(src
), p
, "src", IPT_V4
|IPT_V6
, 0, "webmon", NULL
))) {
510 if (*wan6face
&& (ok
& IPT_V6
))
511 ip6t_write("-A FORWARD -o %s %s -j monitor\n", wan6face
, src
);
514 for (i
= 0; i
< wanfaces
.count
; ++i
) {
515 if (*(wanfaces
.iface
[i
].name
)) {
516 ipt_write("-A FORWARD -o %s %s -j monitor\n",
517 wanfaces
.iface
[i
].name
, src
);
529 strlcpy(t
, nvram_safe_get("log_wmip"), sizeof(t
));
532 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
533 if ((ok
= ipt_addr(src
, sizeof(src
), p
, "src", IPT_V4
|IPT_V6
, 0, "webmon", NULL
))) {
535 ip46t_flagged_write(ok
, "-A monitor %s -j RETURN\n", src
);
543 "-A monitor -p tcp -m webmon "
544 "--max_domains %d --max_searches %d %s %s -j RETURN\n",
545 nvram_get_int("log_wmdmax") ? : 1, nvram_get_int("log_wmsmax") ? : 1,
546 (clear
& 1) == 0 ? "--domain_load_file /var/webmon/domain" : "--clear_domain",
547 (clear
& 2) == 0 ? "--search_load_file /var/webmon/search" : "--clear_search");
550 modprobe("xt_webmon");
552 modprobe("ipt_webmon");
557 // -----------------------------------------------------------------------------
559 // -----------------------------------------------------------------------------
561 static void mangle_table(void)
568 ":PREROUTING ACCEPT [0:0]\n"
569 ":OUTPUT ACCEPT [0:0]\n");
577 p
= nvram_safe_get("nf_ttl");
578 if (strncmp(p
, "c:", 2) == 0) {
581 p
= (ttl
>= 0 && ttl
<= 255) ? "set" : NULL
;
583 else if ((ttl
= atoi(p
)) != 0) {
591 if (ttl
> 255) p
= NULL
;
601 // set TTL on primary WAN iface only
602 wanface
= wanfaces
.iface
[0].name
;
604 "-I PREROUTING -i %s -j TTL --ttl-%s %d\n"
605 "-I POSTROUTING -o %s -j TTL --ttl-%s %d\n",
609 // FIXME: IPv6 HL should be configurable separately from TTL.
610 // disable it until GUI setting is implemented.
613 "-I PREROUTING -i %s -j HL --hl-%s %d\n"
614 "-I POSTROUTING -o %s -j HL --hl-%s %d\n",
622 ip46t_write("COMMIT\n");
625 // -----------------------------------------------------------------------------
627 // -----------------------------------------------------------------------------
629 static void nat_table(void)
648 ":PREROUTING ACCEPT [0:0]\n"
649 ":POSTROUTING ACCEPT [0:0]\n"
650 ":OUTPUT ACCEPT [0:0]\n"
652 chain_wan_prerouting
);
658 strlcpy(lanaddr
, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr
));
659 strlcpy(lanmask
, nvram_safe_get("lan_netmask"), sizeof(lanmask
));
661 strlcpy(lan1addr
, nvram_safe_get("lan1_ipaddr"), sizeof(lan1addr
));
662 strlcpy(lan1mask
, nvram_safe_get("lan1_netmask"), sizeof(lan1mask
));
663 strlcpy(lan2addr
, nvram_safe_get("lan2_ipaddr"), sizeof(lan2addr
));
664 strlcpy(lan2mask
, nvram_safe_get("lan2_netmask"), sizeof(lan2mask
));
665 strlcpy(lan3addr
, nvram_safe_get("lan3_ipaddr"), sizeof(lan3addr
));
666 strlcpy(lan3mask
, nvram_safe_get("lan3_netmask"), sizeof(lan3mask
));
669 for (i
= 0; i
< wanfaces
.count
; ++i
) {
670 if (*(wanfaces
.iface
[i
].name
)) {
671 // chain_wan_prerouting
673 ipt_write("-A PREROUTING -d %s -j %s\n",
674 wanfaces
.iface
[i
].ip
, chain_wan_prerouting
);
677 // Drop incoming packets which destination IP address is to our LAN side directly
678 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
679 wanfaces
.iface
[i
].name
,
680 lanaddr
, lanmask
); // note: ipt will correct lanaddr
682 if(strcmp(lan1addr
,"")!=0)
683 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
684 wanfaces
.iface
[i
].name
,
686 if(strcmp(lan2addr
,"")!=0)
687 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
688 wanfaces
.iface
[i
].name
,
690 if(strcmp(lan3addr
,"")!=0)
691 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
692 wanfaces
.iface
[i
].name
,
699 if (nvram_match("dns_intcpt", "1")) {
700 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
705 if(strcmp(lan1addr
,"")!=0)
706 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
710 if(strcmp(lan2addr
,"")!=0)
711 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
715 if(strcmp(lan3addr
,"")!=0)
716 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
725 if (nvram_match("nginx_enable", "1")) {
726 ipt_write("-A PREROUTING -p tcp -s %s/%s ! -d %s/%s --dport 80 -j DNAT --to-destination %s\n",
730 ipt_write("-A PREROUTING -p tcp -s %s/%s ! -d %s/%s --dport 44380 -j DNAT --to-destination %s\n",
738 // ICMP packets are always redirected to INPUT chains
739 ipt_write("-A %s -p icmp -j DNAT --to-destination %s\n", chain_wan_prerouting
, lanaddr
);
741 ipt_forward(IPT_TABLE_NAT
);
742 ipt_triggered(IPT_TABLE_NAT
);
745 if (nvram_get_int("upnp_enable") & 3) {
746 ipt_write(":upnp - [0:0]\n");
748 for (i
= 0; i
< wanfaces
.count
; ++i
) {
749 if (*(wanfaces
.iface
[i
].name
)) {
751 // ! for loopback (all) to work
752 ipt_write("-A PREROUTING -d %s -j upnp\n", wanfaces
.iface
[i
].ip
);
755 ipt_write("-A PREROUTING -i %s -j upnp\n", wanfaces
.iface
[i
].name
);
763 strlcpy(t
, nvram_safe_get("dmz_sip"), sizeof(t
));
766 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
767 if (ipt_source_strict(p
, src
, "dmz", NULL
))
768 ipt_write("-A %s %s -j DNAT --to-destination %s\n", chain_wan_prerouting
, src
, dst
);
777 switch (get_ipv6_service()) {
779 // avoid NATing proto-41 packets when using 6in4 tunnel
785 for (i
= 0; i
< wanfaces
.count
; ++i
) {
786 if (*(wanfaces
.iface
[i
].name
)) {
787 if ((!wanup
) || (nvram_get_int("ne_snat") != 1))
788 ipt_write("-A POSTROUTING %s -o %s -j MASQUERADE\n", p
, wanfaces
.iface
[i
].name
);
790 ipt_write("-A POSTROUTING %s -o %s -j SNAT --to-source %s\n", p
, wanfaces
.iface
[i
].name
, wanfaces
.iface
[i
].ip
);
795 if ( (nvram_match("wan_proto", "pppoe") || nvram_match("wan_proto", "dhcp") || nvram_match("wan_proto", "static") )
796 && (modem_ipaddr
= nvram_safe_get("modem_ipaddr")) && *modem_ipaddr
&& !nvram_match("modem_ipaddr","0.0.0.0")
797 && (!foreach_wif(1, NULL
, is_sta
)) )
798 ipt_write("-A POSTROUTING -o %s -d %s -j MASQUERADE\n", nvram_safe_get("wan_ifname"), modem_ipaddr
);
800 switch (nvram_get_int("nf_loopback")) {
801 case 1: // 1 = forwarded-only
802 case 2: // 2 = disable
804 default: // 0 = all (same as block_loopback=0)
805 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
811 if (strcmp(lan1face
,"")!=0)
812 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
817 if (strcmp(lan2face
,"")!=0)
818 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
823 if (strcmp(lan3face
,"")!=0)
824 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
833 ipt_write("COMMIT\n");
836 // -----------------------------------------------------------------------------
838 // -----------------------------------------------------------------------------
840 static void filter_input(void)
850 if ((nvram_get_int("nf_loopback") != 0) && (wanup
)) { // 0 = all
851 for (n
= 0; n
< wanfaces
.count
; ++n
) {
852 if (*(wanfaces
.iface
[n
].name
)) {
853 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface
, wanfaces
.iface
[n
].ip
);
855 if (strcmp(lan1face
,"")!=0)
856 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan1face
, wanfaces
.iface
[n
].ip
);
857 if (strcmp(lan2face
,"")!=0)
858 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan2face
, wanfaces
.iface
[n
].ip
);
859 if (strcmp(lan3face
,"")!=0)
860 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan3face
, wanfaces
.iface
[n
].ip
);
867 "-A INPUT -m state --state INVALID -j DROP\n"
868 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n");
870 strlcpy(s
, nvram_safe_get("ne_shlimit"), sizeof(s
));
871 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && ((n
= atoi(en
) & 3) != 0)) {
873 ? what if the user uses the start button in GUI ?
874 if (nvram_get_int("telnetd_eas"))
875 if (nvram_get_int("sshd_eas"))
878 modprobe("xt_recent");
880 modprobe("ipt_recent");
885 "-A shlimit -m recent --set --name shlimit\n"
886 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
887 atoi(hit
) + 1, sec
, chain_in_drop
);
890 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
891 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
892 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
895 if (n
& 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
899 strlcpy(s
, nvram_safe_get("ftp_limit"), sizeof(s
));
900 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && (atoi(en
)) && (nvram_get_int("ftp_enable") == 1)) {
902 modprobe("xt_recent");
904 modprobe("ipt_recent");
909 "-A ftplimit -m recent --set --name ftp\n"
910 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
911 atoi(hit
) + 1, sec
, chain_in_drop
);
912 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
917 "-A INPUT -i lo -j ACCEPT\n"
918 "-A INPUT -i %s -j ACCEPT\n",
922 if (strcmp(lan1face
,"")!=0)
924 "-A INPUT -i %s -j ACCEPT\n",
926 if (strcmp(lan2face
,"")!=0)
928 "-A INPUT -i %s -j ACCEPT\n",
930 if (strcmp(lan3face
,"")!=0)
932 "-A INPUT -i %s -j ACCEPT\n",
937 n
= get_ipv6_service();
939 case IPV6_ANYCAST_6TO4
:
941 // Accept ICMP requests from the remote tunnel endpoint
942 if (n
== IPV6_ANYCAST_6TO4
)
943 sprintf(s
, "192.88.99.%d", nvram_get_int("ipv6_relay"));
945 strlcpy(s
, nvram_safe_get("ipv6_tun_v4end"), sizeof(s
));
946 if (*s
&& strcmp(s
, "0.0.0.0") != 0)
947 ipt_write("-A INPUT -p icmp -s %s -j %s\n", s
, chain_in_accept
);
948 ipt_write("-A INPUT -p 41 -j %s\n", chain_in_accept
);
953 // ICMP request from WAN interface
954 if (nvram_match("block_wan", "0")) {
955 if (nvram_match("block_wan_limit", "0")) {
956 // allow ICMP packets to be received
957 ipt_write("-A INPUT -p icmp -j %s\n", chain_in_accept
);
958 // allow udp traceroute packets
959 ipt_write("-A INPUT -p udp --dport 33434:33534 -j %s\n", chain_in_accept
);
961 // allow ICMP packets to be received, but restrict the flow to avoid ping flood attacks
962 ipt_write("-A INPUT -p icmp -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_icmp"), chain_in_accept
);
963 // allow udp traceroute packets, but restrict the flow to avoid ping flood attacks
964 ipt_write("-A INPUT -p udp --dport 33434:33534 -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_tr"), chain_in_accept
);
968 /* Accept incoming packets from broken dhcp servers, which are sending replies
969 * from addresses other than used for query. This could lead to a lower level
970 * of security, so allow to disable it via nvram variable.
972 if (nvram_invmatch("dhcp_pass", "0") && using_dhcpc()) {
973 ipt_write("-A INPUT -p udp --sport 67 --dport 68 -j %s\n", chain_in_accept
);
976 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
979 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
981 if (ipt_source(p
, s
, "remote management", NULL
)) {
984 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
985 s
, nvram_safe_get("http_wanport"), chain_in_accept
);
988 if (nvram_get_int("sshd_remote")) {
989 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
990 s
, nvram_safe_get("sshd_rport"), chain_in_accept
);
996 if (nvram_get_int("nginx_enable")) {
997 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %s -j %s\n",
998 s, nvram_safe_get("lan_ipaddr"), nvram_safe_get("nginx_port"), chain_in_accept);
1006 #ifdef TCONFIG_FTP // !!TB - FTP Server
1007 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1008 strlcpy(t
, nvram_safe_get("ftp_sip"), sizeof(t
));
1011 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1012 if (ipt_source(p
, s
, "ftp", "remote access")) {
1013 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1014 s
, nvram_safe_get("ftp_port"), chain_in_accept
);
1023 if( nvram_match( "snmp_enable", "1" ) && nvram_match("snmp_remote", "1"))
1025 strlcpy(t
, nvram_safe_get("snmp_remote_sip"), sizeof(t
));
1028 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1030 if (ipt_source(p
, s
, "snmp", "remote")) {
1031 ipt_write("-A INPUT -p udp %s --dport %s -j %s\n",
1032 s
, nvram_safe_get("snmp_port"), chain_in_accept
);
1041 // IGMP query from WAN interface
1042 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1043 ipt_write("-A INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT\n");
1044 ipt_write("-A INPUT -p udp -d 224.0.0.0/4 ! --dport 1900 -j ACCEPT\n");
1047 // Routing protocol, RIP, accept
1048 if (nvram_invmatch("dr_wan_rx", "0")) {
1049 ipt_write("-A INPUT -p udp --dport 520 -j ACCEPT\n");
1053 if (*chain_in_drop
== 'l') {
1054 ipt_write( "-A INPUT -j %s\n", chain_in_drop
);
1057 // default policy: DROP
1060 // clamp TCP MSS to PMTU of WAN interface (IPv4 only?)
1061 static void clampmss(void)
1063 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
1065 switch (get_ipv6_service()) {
1066 case IPV6_ANYCAST_6TO4
:
1068 ip6t_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
1074 static void filter_forward(void)
1082 if (nvram_match("cstats_enable", "1")) {
1088 "-A FORWARD -m rt --rt-type 0 -j DROP\n");
1092 "-A FORWARD -i %s -o %s -j ACCEPT\n", // accept all lan to lan
1095 if (strcmp(lan1face
,"")!=0)
1097 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1098 lan1face
, lan1face
);
1099 if (strcmp(lan2face
,"")!=0)
1101 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1102 lan2face
, lan2face
);
1103 if (strcmp(lan3face
,"")!=0)
1105 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1106 lan3face
, lan3face
);
1108 char lanAccess
[17] = "0000000000000000";
1109 const char *d
, *sbr
, *saddr
, *dbr
, *daddr
, *desc
;
1112 nvp
= nv
= strdup(nvram_safe_get("lan_access"));
1114 while ((b
= strsep(&nvp
, ">")) != NULL
) {
1116 1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
1125 n
= vstrsep(b
, "<", &d
, &sbr
, &saddr
, &dbr
, &daddr
, &desc
);
1128 if (!ipt_addr(src
, sizeof(src
), saddr
, "src", IPT_V4
|IPT_V6
, 0, "LAN access", desc
))
1130 if (!ipt_addr(dst
, sizeof(dst
), daddr
, "dst", IPT_V4
|IPT_V6
, 0, "LAN access", desc
))
1134 ipt_write("-A FORWARD -i %s%s -o %s%s %s %s -j ACCEPT\n",
1142 if ((strcmp(src
,"")==0) && (strcmp(dst
,"")==0))
1143 lanAccess
[((*sbr
-48)+(*dbr
-48)*4)] = '1';
1151 "-A FORWARD -m state --state INVALID -j DROP\n"); // drop if INVALID state
1153 // clamp tcp mss to pmtu
1159 ipt_layer7_inbound();
1167 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); // already established or related (via helper)
1170 char lanN_ifname
[] = "lanXX_ifname";
1172 for(br
=0 ; br
<=3 ; br
++) {
1173 char bridge
[2] = "0";
1179 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
1180 if (strncmp(nvram_safe_get(lanN_ifname
), "br", 2) == 0) {
1181 char lanN_ifname2
[] = "lanXX_ifname";
1183 for(br2
=0 ; br2
<=3 ; br2
++) {
1184 if (br
==br2
) continue;
1186 if (lanAccess
[((br
)+(br2
)*4)] == '1') continue;
1188 char bridge2
[2] = "0";
1192 strcpy(bridge2
, "");
1194 sprintf(lanN_ifname2
, "lan%s_ifname", bridge2
);
1195 if (strncmp(nvram_safe_get(lanN_ifname2
), "br", 2) == 0) {
1196 ip46t_write("-A FORWARD -i %s -o %s -j DROP\n",
1197 nvram_safe_get(lanN_ifname
),
1198 nvram_safe_get(lanN_ifname2
));
1201 // ipt_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1206 #ifdef TCONFIG_PPTPD
1207 //Add for pptp server
1208 if (nvram_match("pptpd_enable", "1")) {
1209 ipt_write("-A INPUT -p tcp --dport 1723 -j ACCEPT\n");
1210 ipt_write("-A INPUT -p 47 -j ACCEPT\n");
1215 // Filter out invalid WAN->WAN connections
1217 ip6t_write("-A FORWARD -o %s ! -i %s -j %s\n", wan6face
, lanface
, chain_in_drop
);
1220 modprobe("xt_length");
1221 ip6t_write("-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
1225 for (i
= 0; i
< sizeof(allowed_icmpv6
)/sizeof(int); ++i
) {
1226 ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6
[i
], chain_in_accept
);
1232 "-A FORWARD -i %s -j wanin\n" // generic from wan
1233 "-A FORWARD -o %s -j wanout\n", // generic to wan
1234 wan6face
, wan6face
);
1239 for (i
= 0; i
< wanfaces
.count
; ++i
) {
1240 if (*(wanfaces
.iface
[i
].name
)) {
1242 "-A FORWARD -i %s -j wanin\n" // generic from wan
1243 "-A FORWARD -o %s -j wanout\n", // generic to wan
1244 wanfaces
.iface
[i
].name
, wanfaces
.iface
[i
].name
);
1249 for(br
=0 ; br
<=3 ; br
++) {
1250 char bridge
[2] = "0";
1256 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
1257 if (strncmp(nvram_safe_get(lanN_ifname
), "br", 2) == 0) {
1258 ipt_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname
), chain_out_accept
);
1262 ipt_write("-A FORWARD -i %s -j %s\n", lanface
, chain_out_accept
);
1265 // #ifdef TCONFIG_VLAN
1266 /* for (i = 0; i < wanfaces.count; ++i) {
1267 if (*(wanfaces.iface[i].name)) {
1268 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lanface, wanfaces.iface[i].name, chain_out_accept);
1269 if (strcmp(lan1face,"")!=0)
1270 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan1face, wanfaces.iface[i].name, chain_out_accept);
1271 if (strcmp(lan2face,"")!=0)
1272 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan2face, wanfaces.iface[i].name, chain_out_accept);
1273 if (strcmp(lan3face,"")!=0)
1274 ipt_write("-A FORWARD -i %s -o %s -j %s\n", lan3face, wanfaces.iface[i].name, chain_out_accept);
1279 // ipt_write("-A FORWARD -i %s -j %s\n", lanface, chain_out_accept);
1283 //IPv6 forward LAN->WAN accept
1284 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lanface
, wan6face
, chain_out_accept
);
1286 if (strcmp(lan1face
,"")!=0)
1287 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan1face
, wan6face
, chain_out_accept
);
1288 if (strcmp(lan2face
,"")!=0)
1289 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan2face
, wan6face
, chain_out_accept
);
1290 if (strcmp(lan3face
,"")!=0)
1291 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan3face
, wan6face
, chain_out_accept
);
1296 if (nvram_get_int("upnp_enable") & 3) {
1297 ipt_write(":upnp - [0:0]\n");
1298 for (i
= 0; i
< wanfaces
.count
; ++i
) {
1299 if (*(wanfaces
.iface
[i
].name
)) {
1300 ipt_write("-A FORWARD -i %s -j upnp\n",
1301 wanfaces
.iface
[i
].name
);
1307 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1308 ipt_write("-A wanin -p udp -d 224.0.0.0/4 -j %s\n", chain_in_accept
);
1310 ipt_triggered(IPT_TABLE_FILTER
);
1311 ipt_forward(IPT_TABLE_FILTER
);
1318 char dmz_ifname
[IFNAMSIZ
+1];
1319 strlcpy(dmz_ifname
, nvram_safe_get("dmz_ifname"), sizeof(dmz_ifname
));
1320 if(strcmp(dmz_ifname
, "") == 0)
1321 strlcpy(dmz_ifname
, lanface
, sizeof(lanface
));
1323 strlcpy(t
, nvram_safe_get("dmz_sip"), sizeof(t
));
1326 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1327 if (ipt_source_strict(p
, src
, "dmz", NULL
))
1329 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", dmz_ifname
, src
, dst
, chain_in_accept
);
1331 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", lanface
, src
, dst
, chain_in_accept
);
1339 // default policy: DROP
1342 static void filter_log(void)
1347 n
= nvram_get_int("log_limit");
1348 if ((n
>= 1) && (n
<= 9999)) {
1349 sprintf(limit
, "-m limit --limit %d/m", n
);
1356 modprobe("ip6t_LOG");
1358 if ((*chain_in_drop
== 'l') || (*chain_out_drop
== 'l')) {
1360 ":logdrop - [0:0]\n"
1361 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \""
1365 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1366 "-A logdrop -j DROP\n"
1367 ":logreject - [0:0]\n"
1368 "-A logreject %s -j LOG --log-prefix \"REJECT \""
1372 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1373 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
1376 if ((*chain_in_accept
== 'l') || (*chain_out_accept
== 'l')) {
1378 ":logaccept - [0:0]\n"
1379 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \""
1383 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1384 "-A logaccept -j ACCEPT\n",
1390 static void filter6_input(void)
1400 // RFC-4890, sec. 4.4.1
1401 const int allowed_local_icmpv6
[] =
1402 { 130, 131, 132, 133, 134, 135, 136,
1404 148, 149, 151, 152, 153 };
1407 "-A INPUT -m rt --rt-type 0 -j %s\n"
1408 /* "-A INPUT -m state --state INVALID -j DROP\n" */
1409 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
1413 modprobe("xt_length");
1414 ip6t_write("-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
1417 strlcpy(s
, nvram_safe_get("ne_shlimit"), sizeof(s
));
1418 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && ((n
= atoi(en
) & 3) != 0)) {
1420 modprobe("xt_recent");
1422 modprobe("ipt_recent");
1427 "-A shlimit -m recent --set --name shlimit\n"
1428 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
1429 atoi(hit
) + 1, sec
, chain_in_drop
);
1432 ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface
, nvram_safe_get("sshd_port"));
1433 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
1434 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
1437 if (n
& 2) ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface
, nvram_safe_get("telnetd_port"));
1441 strlcpy(s
, nvram_safe_get("ftp_limit"), sizeof(s
));
1442 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && (atoi(en
)) && (nvram_get_int("ftp_enable") == 1)) {
1444 modprobe("xt_recent");
1446 modprobe("ipt_recent");
1451 "-A ftplimit -m recent --set --name ftp\n"
1452 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
1453 atoi(hit
) + 1, sec
, chain_in_drop
);
1454 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1456 #endif // TCONFIG_FTP
1459 "-A INPUT -i %s -j ACCEPT\n" // anything coming from LAN
1460 "-A INPUT -i lo -j ACCEPT\n",
1463 switch (get_ipv6_service()) {
1464 case IPV6_ANYCAST_6TO4
:
1465 case IPV6_NATIVE_DHCP
:
1466 // allow responses from the dhcpv6 server
1467 ip6t_write("-A INPUT -p udp --dport 546 -j %s\n", chain_in_accept
);
1472 const int allowed_icmpv6
[6] = { 1, 2, 3, 4, 128, 129 };
1473 for (n
= 0; n
< sizeof(allowed_icmpv6
)/sizeof(int); n
++) {
1474 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6
[n
], chain_in_accept
);
1476 for (n
= 0; n
< sizeof(allowed_local_icmpv6
)/sizeof(int); n
++) {
1477 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_local_icmpv6
[n
], chain_in_accept
);
1481 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
1484 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1486 if (ip6t_source(p
, s
, "remote management", NULL
)) {
1489 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1490 s
, nvram_safe_get("http_wanport"), chain_in_accept
);
1493 if (nvram_get_int("sshd_remote")) {
1494 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1495 s
, nvram_safe_get("sshd_rport"), chain_in_accept
);
1505 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1506 strlcpy(t
, nvram_safe_get("ftp_sip"), sizeof(t
));
1509 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1510 if (ip6t_source(p
, s
, "ftp", "remote access")) {
1511 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1512 s
, nvram_safe_get("ftp_port"), chain_in_accept
);
1521 if (*chain_in_drop
== 'l') {
1522 ip6t_write( "-A INPUT -j %s\n", chain_in_drop
);
1525 // default policy: DROP
1530 static void filter_table(void)
1534 ":INPUT DROP [0:0]\n"
1535 ":OUTPUT ACCEPT [0:0]\n"
1543 ip6t_write("-A OUTPUT -m rt --rt-type 0 -j %s\n", chain_in_drop
);
1546 if ((gateway_mode
) || (nvram_match("wk_mode_x", "1"))) {
1547 ip46t_write(":FORWARD DROP [0:0]\n");
1551 ip46t_write(":FORWARD ACCEPT [0:0]\n");
1554 ip46t_write("COMMIT\n");
1557 // -----------------------------------------------------------------------------
1559 int start_firewall(void)
1562 struct dirent
*dirent
;
1567 char *iptrestore_argv
[] = { "iptables-restore", (char *)ipt_fname
, NULL
};
1569 char *ip6trestore_argv
[] = { "ip6tables-restore", (char *)ip6t_fname
, NULL
};
1572 simple_lock("firewall");
1573 simple_lock("restrictions");
1575 wanproto
= get_wan_proto();
1576 wanup
= check_wanup();
1578 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
1580 /* NAT performance tweaks
1581 * These values can be overriden later if needed via firewall script
1583 f_write_string("/proc/sys/net/core/netdev_max_backlog", "3072", 0, 0);
1584 f_write_string("/proc/sys/net/core/somaxconn", "3072", 0, 0);
1585 f_write_string("/proc/sys/net/ipv4/tcp_max_syn_backlog", "8192", 0, 0);
1586 f_write_string("/proc/sys/net/ipv4/tcp_fin_timeout", "30", 0, 0);
1587 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_intvl", "24", 0, 0);
1588 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_probes", "3", 0, 0);
1589 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_time", "1800", 0, 0);
1590 f_write_string("/proc/sys/net/ipv4/tcp_retries2", "5", 0, 0);
1591 f_write_string("/proc/sys/net/ipv4/tcp_syn_retries", "3", 0, 0);
1592 f_write_string("/proc/sys/net/ipv4/tcp_synack_retries", "3", 0, 0);
1593 f_write_string("/proc/sys/net/ipv4/tcp_tw_recycle", "1", 0, 0);
1594 f_write_string("/proc/sys/net/ipv4/tcp_tw_reuse", "1", 0, 0);
1596 /* DoS-related tweaks */
1597 f_write_string("/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses", "1", 0, 0);
1598 f_write_string("/proc/sys/net/ipv4/tcp_rfc1337", "1", 0, 0);
1599 f_write_string("/proc/sys/net/ipv4/ip_local_port_range", "1024 65535", 0, 0);
1601 wanproto
= get_wan_proto();
1602 f_write_string("/proc/sys/net/ipv4/ip_dynaddr", (wanproto
== WP_DISABLED
|| wanproto
== WP_STATIC
) ? "0" : "1", 0, 0);
1605 /* Force IGMPv2 due EMF limitations */
1606 if (nvram_get_int("emf_enable")) {
1607 f_write_string("/proc/sys/net/ipv4/conf/default/force_igmp_version", "2", 0, 0);
1608 f_write_string("/proc/sys/net/ipv4/conf/all/force_igmp_version", "2", 0, 0);
1612 n
= nvram_get_int("log_in");
1613 chain_in_drop
= (n
& 1) ? "logdrop" : "DROP";
1614 chain_in_accept
= (n
& 2) ? "logaccept" : "ACCEPT";
1616 n
= nvram_get_int("log_out");
1617 chain_out_drop
= (n
& 1) ? "logdrop" : "DROP";
1618 chain_out_reject
= (n
& 1) ? "logreject" : "REJECT --reject-with tcp-reset";
1619 chain_out_accept
= (n
& 2) ? "logaccept" : "ACCEPT";
1621 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
1623 strlcpy(lanface
, nvram_safe_get("lan_ifname"), IFNAMSIZ
);
1625 strlcpy(lan1face
, nvram_safe_get("lan1_ifname"), IFNAMSIZ
);
1626 strlcpy(lan2face
, nvram_safe_get("lan2_ifname"), IFNAMSIZ
);
1627 strlcpy(lan3face
, nvram_safe_get("lan3_ifname"), IFNAMSIZ
);
1630 memcpy(&wanfaces
, get_wanfaces(), sizeof(wanfaces
));
1631 wanface
= wanfaces
.iface
[0].name
;
1633 strlcpy(wan6face
, get_wan6face(), sizeof(wan6face
));
1637 can_enable_fastnat
= 1;
1640 strlcpy(s
, nvram_safe_get("lan_ipaddr"), sizeof(s
));
1641 if ((c
= strrchr(s
, '.')) != NULL
) *(c
+ 1) = 0;
1642 strlcpy(lan_cclass
, s
, sizeof(lan_cclass
));
1645 strlcpy(s, nvram_safe_get("lan1_ipaddr"), sizeof(s));
1646 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1647 strlcpy(lan1_cclass, s, sizeof(lan1_cclass));
1649 strlcpy(s, nvram_safe_get("lan2_ipaddr"), sizeof(s));
1650 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1651 strlcpy(lan2_cclass, s, sizeof(lan2_cclass));
1653 strlcpy(s, nvram_safe_get("lan3_ipaddr"), sizeof(s));
1654 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1655 strlcpy(lan3_cclass, s, sizeof(lan3_cclass));
1660 block obviously spoofed IP addresses
1663 1 - do source validation by reversed path, as specified in RFC1812
1664 Recommended option for single homed hosts and stub network
1665 routers. Could cause troubles for complicated (not loop free)
1666 networks running a slow unreliable protocol (sort of RIP),
1667 or using static routes.
1668 0 - No source validation.
1670 c
= nvram_get("wan_ifname");
1671 /* mcast needs rp filter to be turned off only for non default iface */
1672 if (!(nvram_match("multicast_pass", "1")) || !(nvram_match("udpxy_enable", "1")) || strcmp(wanface
, c
) == 0) c
= NULL
;
1674 if ((dir
= opendir("/proc/sys/net/ipv4/conf")) != NULL
) {
1675 while ((dirent
= readdir(dir
)) != NULL
) {
1676 sprintf(s
, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent
->d_name
);
1677 f_write_string(s
, (c
&& strcmp(dirent
->d_name
, c
) == 0) ? "0" : "1", 0, 0);
1683 gateway_mode
= !nvram_match("wk_mode", "router");
1685 /* Remote management */
1686 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
1687 nvram_invmatch("http_wanport", "0")) remotemanage
= 1;
1690 if ((ipt_file
= fopen(ipt_fname
, "w")) == NULL
) {
1691 notice_set("iptables", "Unable to create iptables restore file");
1692 simple_unlock("firewall");
1697 if ((ip6t_file
= fopen(ip6t_fname
, "w")) == NULL
) {
1698 notice_set("ip6tables", "Unable to create ip6tables restore file");
1699 simple_unlock("firewall");
1702 modprobe("nf_conntrack_ipv6");
1703 modprobe("ip6t_REJECT");
1705 /*Start xt_IMQ and imq */
1710 modprobe("ipt_IMQ");
1725 #ifdef DEBUG_IPTFILE
1727 simple_unlock("firewall");
1728 simple_unlock("restrictions");
1735 if (nvram_get_int("upnp_enable") & 3) {
1736 f_write("/etc/upnp/save", NULL
, 0, 0, 0);
1737 if (killall("miniupnpd", SIGUSR2
) == 0) {
1738 f_wait_notexists("/etc/upnp/save", 5);
1742 notice_set("iptables", "");
1743 if (_eval(iptrestore_argv
, ">/var/notice/iptables", 0, NULL
) == 0) {
1745 notice_set("iptables", "");
1748 sprintf(s
, "%s.error", ipt_fname
);
1749 rename(ipt_fname
, s
);
1750 syslog(LOG_CRIT
, "Error while loading rules. See %s file.", s
);
1757 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1758 -A INPUT -i br0 -j ACCEPT
1762 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
1763 -A FORWARD -i br0 -j ACCEPT
1769 if (ipv6_enabled()) {
1770 notice_set("ip6tables", "");
1771 if (_eval(ip6trestore_argv
, ">/var/notice/ip6tables", 0, NULL
) == 0) {
1772 notice_set("ip6tables", "");
1775 sprintf(s
, "%s.error", ip6t_fname
);
1776 rename(ip6t_fname
, s
);
1777 syslog(LOG_CRIT
, "Error while loading rules. See %s file.", s
);
1782 eval("ip6tables", "-F");
1783 eval("ip6tables", "-t", "mangle", "-F");
1787 if (nvram_get_int("upnp_enable") & 3) {
1788 f_write("/etc/upnp/load", NULL
, 0, 0, 0);
1789 killall("miniupnpd", SIGUSR2
);
1792 simple_unlock("restrictions");
1793 sched_restrictions();
1794 enable_ip_forward();
1796 led(LED_DMZ
, dmz_dst(NULL
));
1799 modprobe_r("nf_conntrack_ipv6");
1800 modprobe_r("ip6t_LOG");
1801 modprobe_r("ip6t_REJECT");
1804 modprobe_r("xt_layer7");
1805 modprobe_r("xt_recent");
1806 modprobe_r("xt_HL");
1807 modprobe_r("xt_length");
1808 modprobe_r("xt_web");
1809 modprobe_r("xt_webmon");
1810 modprobe_r("xt_dscp");
1812 modprobe_r("ipt_layer7");
1813 modprobe_r("ipt_recent");
1814 modprobe_r("ipt_TTL");
1815 modprobe_r("ipt_web");
1816 modprobe_r("ipt_webmon");
1817 modprobe_r("ipt_dscp");
1819 modprobe_r("ipt_ipp2p");
1821 unlink("/var/webmon/domain");
1822 unlink("/var/webmon/search");
1824 #ifdef TCONFIG_OPENVPN
1825 run_vpn_firewall_scripts();
1827 run_nvscript("script_fire", NULL
, 1);
1832 allow_fastnat("firewall", can_enable_fastnat
);
1833 try_enabling_fastnat();
1836 simple_unlock("firewall");
1840 int stop_firewall(void)
1846 #ifdef DEBUG_IPTFILE
1847 void create_test_iptfile(void)