3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and it not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
29 #include <arpa/inet.h>
32 static int web_lanport
;
33 wanface_list_t wanfaces
;
34 char lanface
[IFNAMSIZ
+ 1];
35 char lan1face
[IFNAMSIZ
+ 1];
36 char lan2face
[IFNAMSIZ
+ 1];
37 char lan3face
[IFNAMSIZ
+ 1];
39 char wan6face
[IFNAMSIZ
+ 1];
41 char lan_cclass
[sizeof("xxx.xxx.xxx.") + 1];
43 static int can_enable_fastnat
;
47 static int debug_only
= 0;
50 static int gateway_mode
;
51 static int remotemanage
;
54 const char *chain_in_drop
;
55 const char *chain_in_accept
;
56 const char *chain_out_drop
;
57 const char *chain_out_accept
;
58 const char *chain_out_reject
;
60 const char chain_wan_prerouting
[] = "WANPREROUTING";
61 const char ipt_fname
[] = "/etc/iptables";
65 const char ip6t_fname
[] = "/etc/ip6tables";
68 // RFC-4890, sec. 4.3.1
69 const int allowed_icmpv6
[] = { 1, 2, 3, 4, 128, 129 };
72 static int is_sta(int idx
, int unit
, int subunit
, void *param
)
74 return (nvram_match(wl_nvname("mode", unit
, subunit
), "sta") && (nvram_match(wl_nvname("bss_enabled", unit
, subunit
), "1")));
82 // -----------------------------------------------------------------------------
85 static const char *fastnat_run_dir
= "/var/run/fastnat";
87 void allow_fastnat(const char *service
, int allow
)
91 snprintf(p
, sizeof(p
), "%s/%s", fastnat_run_dir
, service
);
96 mkdir_if_none(fastnat_run_dir
);
97 f_write_string(p
, "", 0, 0);
101 static inline int fastnat_allowed(void)
107 enabled
= !nvram_get_int("qos_enable") && !nvram_get_int("fastnat_disable");
109 if (enabled
&& (dir
= opendir(fastnat_run_dir
))) {
110 while ((dp
= readdir(dir
))) {
111 if (strcmp(dp
->d_name
, ".") == 0 || strcmp(dp
->d_name
, "..") == 0)
122 void try_enabling_fastnat(void)
124 f_write_string("/proc/sys/net/ipv4/netfilter/ip_conntrack_fastnat",
125 fastnat_allowed() ? "1" : "0", 0, 0);
129 void enable_ip_forward(void)
133 0 - disabled (default)
136 Forward Packets between interfaces.
138 This variable is special, its change resets all configuration
139 parameters to their default state (RFC1122 for hosts, RFC1812
142 f_write_string("/proc/sys/net/ipv4/ip_forward", "1", 0, 0);
147 void enable_ip6_forward(void)
149 if (ipv6_enabled()) {
150 f_write_string("/proc/sys/net/ipv6/conf/default/forwarding", "1", 0, 0);
151 f_write_string("/proc/sys/net/ipv6/conf/all/forwarding", "1", 0, 0);
154 f_write_string("/proc/sys/net/ipv6/conf/default/forwarding", "0", 0, 0);
155 f_write_string("/proc/sys/net/ipv6/conf/all/forwarding", "0", 0, 0);
161 // -----------------------------------------------------------------------------
164 static int ip2cclass(char *ipaddr, char *new, int count)
168 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
169 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
174 static int dmz_dst(char *s
)
180 if (nvram_get_int("dmz_enable") <= 0) return 0;
182 p
= nvram_safe_get("dmz_ipaddr");
183 if ((ia
.s_addr
= inet_addr(p
)) == (in_addr_t
)-1) {
184 if (((n
= atoi(p
)) <= 0) || (n
>= 255)) return 0;
185 if (s
) sprintf(s
, "%s%d", lan_cclass
, n
);
189 if (s
) strcpy(s
, inet_ntoa(ia
));
193 void ipt_log_unresolved(const char *addr
, const char *addrtype
, const char *categ
, const char *name
)
197 pre
= (name
&& *name
) ? " for \"" : "";
198 post
= (name
&& *name
) ? "\"" : "";
200 syslog(LOG_WARNING
, "firewall: "
201 "%s: not using %s%s%s%s (could not resolve as valid %s address)",
202 categ
, addr
, pre
, (name
) ? : "", post
, (addrtype
) ? : "IP");
205 int ipt_addr(char *addr
, int maxlen
, const char *s
, const char *dir
, int af
,
206 int strict
, const char *categ
, const char *name
)
208 char p
[INET6_ADDRSTRLEN
* 2];
211 if ((s
) && (*s
) && (*dir
))
213 if (sscanf(s
, "%[0-9.]-%[0-9.]", p
, p
) == 2) {
214 snprintf(addr
, maxlen
, "-m iprange --%s-range %s", dir
, s
);
218 else if (sscanf(s
, "%[0-9A-Fa-f:]-%[0-9A-Fa-f:]", p
, p
) == 2) {
219 snprintf(addr
, maxlen
, "-m iprange --%s-range %s", dir
, s
);
224 snprintf(addr
, maxlen
, "-%c %s", dir
[0], s
);
225 if (sscanf(s
, "%[^/]/", p
)) {
227 r
= host_addrtypes(p
, strict
? af
: (IPT_V4
| IPT_V6
));
229 r
= host_addrtypes(p
, IPT_V4
);
237 r
= (IPT_V4
| IPT_V6
);
240 if ((r
== 0 || (strict
&& ((r
& af
) != af
))) && (categ
&& *categ
)) {
241 ipt_log_unresolved(s
, categ
, name
,
242 (af
& IPT_V4
& ~r
) ? "IPv4" : ((af
& IPT_V6
& ~r
) ? "IPv6" : NULL
));
248 #define ipt_source_strict(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 1, categ, name)
249 #define ipt_source(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 0, categ, name)
250 #define ip6t_source(s, src, categ, name) ipt_addr(src, 128, s, "src", IPT_V6, 0, categ, name)
253 static void get_src(const char *nv, char *src)
257 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
258 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
266 void ipt_write(const char *format
, ...)
270 va_start(args
, format
);
271 vfprintf(ipt_file
, format
, args
);
275 void ip6t_write(const char *format
, ...)
280 va_start(args
, format
);
281 vfprintf(ip6t_file
, format
, args
);
286 // -----------------------------------------------------------------------------
288 int ipt_dscp(const char *v
, char *opt
)
297 n
= strtoul(v
, NULL
, 0);
299 sprintf(opt
, " -m dscp --dscp 0x%02X", n
);
304 modprobe("ipt_dscp");
309 // -----------------------------------------------------------------------------
312 int ipt_ipp2p(const char *v
, char *opt
)
321 strcpy(opt
, " -m ipp2p ");
322 if ((n
& 0xFFF) == 0xFFF) {
323 strcat(opt
, "--ipp2p");
327 if (n
& 0x0001) strcat(opt
, "--apple ");
328 if (n
& 0x0002) strcat(opt
, "--ares ");
329 if (n
& 0x0004) strcat(opt
, "--bit ");
330 if (n
& 0x0008) strcat(opt
, "--dc ");
331 if (n
& 0x0010) strcat(opt
, "--edk ");
332 if (n
& 0x0020) strcat(opt
, "--gnu ");
333 if (n
& 0x0040) strcat(opt
, "--kazaa ");
334 if (n
& 0x0080) strcat(opt
, "--mute ");
335 if (n
& 0x0100) strcat(opt
, "--soul ");
336 if (n
& 0x0200) strcat(opt
, "--waste ");
337 if (n
& 0x0400) strcat(opt
, "--winmx ");
338 if (n
& 0x0800) strcat(opt
, "--xdcc ");
340 if (n
& 0x1000) strcat(opt
, "--pp ");
341 if (n
& 0x2000) strcat(opt
, "--xunlei ");
345 modprobe("ipt_ipp2p");
350 // -----------------------------------------------------------------------------
355 // This L7 matches inbound traffic, caches the results, then the L7 outbound
356 // should read the cached result and set the appropriate marks -- zzz
357 void ipt_layer7_inbound(void)
362 if (!layer7_in
) return;
364 en
= nvram_match("nf_l7in", "1");
366 ipt_write(":L7in - [0:0]\n");
367 for (i
= 0; i
< wanfaces
.count
; ++i
) {
368 if (*(wanfaces
.iface
[i
].name
)) {
369 ipt_write("-A FORWARD -i %s -j L7in\n",
370 wanfaces
.iface
[i
].name
);
378 ipt_write("-A L7in %s -j RETURN\n", *p
);
380 can_enable_fastnat
= 0;
390 int ipt_layer7(const char *v
, char *opt
)
396 if (*v
== 0) return 0;
397 if (strlen(v
) > 32) return -1;
399 path
= "/etc/l7-extra";
400 sprintf(s
, "%s/%s.pat", path
, v
);
402 path
= "/etc/l7-protocols";
403 sprintf(s
, "%s/%s.pat", path
, v
);
405 syslog(LOG_ERR
, "L7 %s was not found", v
);
410 sprintf(opt
, " -m layer7 --l7dir %s --l7proto %s", path
, v
);
412 if (nvram_match("nf_l7in", "1")) {
413 if (!layer7_in
) layer7_in
= calloc(51, sizeof(char *));
419 if (strcmp(*p
, opt
) == 0) return 1;
422 if (((p
- layer7_in
) / sizeof(char *)) < 50) *p
= strdup(opt
);
427 modprobe("xt_layer7");
429 modprobe("ipt_layer7");
434 // -----------------------------------------------------------------------------
436 static void ipt_account(void) {
437 struct in_addr ipaddr
, netmask
, network
;
438 char lanN_ifname
[] = "lanXX_ifname";
439 char lanN_ipaddr
[] = "lanXX_ipaddr";
440 char lanN_netmask
[] = "lanXX_netmask";
441 char lanN
[] = "lanXX";
442 char netaddrnetmask
[] = "255.255.255.255/255.255.255.255 ";
444 // If the IP Address changes, the below rule will cause things to choke, and blocking rules don't get applied
445 // As a workaround, flush the entire FORWARD chain
446 system("iptables -F FORWARD");
448 for(br
=0 ; br
<=3 ; br
++) {
449 char bridge
[2] = "0";
455 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
457 if (strcmp(nvram_safe_get(lanN_ifname
), "")!=0) {
459 sprintf(lanN_ipaddr
, "lan%s_ipaddr", bridge
);
460 sprintf(lanN_netmask
, "lan%s_netmask", bridge
);
461 sprintf(lanN
, "lan%s", bridge
);
463 inet_aton(nvram_safe_get(lanN_ipaddr
), &ipaddr
);
464 inet_aton(nvram_safe_get(lanN_netmask
), &netmask
);
466 // bitwise AND of ip and netmask gives the network
467 network
.s_addr
= ipaddr
.s_addr
& netmask
.s_addr
;
469 sprintf(netaddrnetmask
, "%s/%s", inet_ntoa(network
), nvram_safe_get(lanN_netmask
));
472 ipt_write("-A FORWARD -m account --aaddr %s --aname %s\n", netaddrnetmask
, lanN
);
477 // -----------------------------------------------------------------------------
479 static void save_webmon(void)
481 eval("cp", "/proc/webmon_recent_domains", "/var/webmon/domain");
482 eval("cp", "/proc/webmon_recent_searches", "/var/webmon/search");
485 static void ipt_webmon()
487 int wmtype
, clear
, i
;
493 if (!nvram_get_int("log_wm")) return;
496 can_enable_fastnat
= 0;
498 wmtype
= nvram_get_int("log_wmtype");
499 clear
= nvram_get_int("log_wmclear");
501 ip46t_write(":monitor - [0:0]\n");
504 strlcpy(t
, wmtype
== 1 ? nvram_safe_get("log_wmip") : "", sizeof(t
));
507 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
509 if ((ok
= ipt_addr(src
, sizeof(src
), p
, "src", IPT_V4
|IPT_V6
, 0, "webmon", NULL
))) {
511 if (*wan6face
&& (ok
& IPT_V6
))
512 ip6t_write("-A FORWARD -o %s %s -j monitor\n", wan6face
, src
);
515 for (i
= 0; i
< wanfaces
.count
; ++i
) {
516 if (*(wanfaces
.iface
[i
].name
)) {
517 ipt_write("-A FORWARD -o %s %s -j monitor\n",
518 wanfaces
.iface
[i
].name
, src
);
530 strlcpy(t
, nvram_safe_get("log_wmip"), sizeof(t
));
533 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
534 if ((ok
= ipt_addr(src
, sizeof(src
), p
, "src", IPT_V4
|IPT_V6
, 0, "webmon", NULL
))) {
536 ip46t_flagged_write(ok
, "-A monitor %s -j RETURN\n", src
);
546 if( nvram_match( "webmon_bkp", "1" ) ) {
547 xstart( "/usr/sbin/webmon_bkp", "add" ); // add jobs to cru
549 sprintf(webdomain
, "--domain_load_file %s/webmon_recent_domains", nvram_safe_get("webmon_dir"));
550 sprintf(websearch
, "--search_load_file %s/webmon_recent_searches", nvram_safe_get("webmon_dir"));
552 sprintf(webdomain
, "--domain_load_file /var/webmon/domain");
553 sprintf(websearch
, "--search_load_file /var/webmon/search");
557 "-A monitor -p tcp -m webmon "
558 "--max_domains %d --max_searches %d %s %s -j RETURN\n",
559 nvram_get_int("log_wmdmax") ? : 1, nvram_get_int("log_wmsmax") ? : 1,
560 (clear
& 1) == 0 ? webdomain
: "--clear_domain",
561 (clear
& 2) == 0 ? websearch
: "--clear_search");
563 if( nvram_match( "webmon_bkp", "1" ) )
564 xstart( "/usr/sbin/webmon_bkp", "hourly" ); // make a copy immediately
568 modprobe("xt_webmon");
570 modprobe("ipt_webmon");
576 // -----------------------------------------------------------------------------
578 // -----------------------------------------------------------------------------
580 static void mangle_table(void)
587 ":PREROUTING ACCEPT [0:0]\n"
588 ":OUTPUT ACCEPT [0:0]\n");
596 p
= nvram_safe_get("nf_ttl");
597 if (strncmp(p
, "c:", 2) == 0) {
600 p
= (ttl
>= 0 && ttl
<= 255) ? "set" : NULL
;
602 else if ((ttl
= atoi(p
)) != 0) {
610 if (ttl
> 255) p
= NULL
;
620 // set TTL on primary WAN iface only
621 wanface
= wanfaces
.iface
[0].name
;
623 "-I PREROUTING -i %s -j TTL --ttl-%s %d\n"
624 "-I POSTROUTING -o %s -j TTL --ttl-%s %d\n",
628 // FIXME: IPv6 HL should be configurable separately from TTL.
629 // disable it until GUI setting is implemented.
632 "-I PREROUTING -i %s -j HL --hl-%s %d\n"
633 "-I POSTROUTING -o %s -j HL --hl-%s %d\n",
639 // Reset Incoming DSCP to 0x00
640 if (nvram_match("DSCP_fix_enable", "1")) {
644 modprobe("ipt_DSCP");
646 ipt_write("-I PREROUTING -i %s -j DSCP --set-dscp 0\n", wanface
);
651 // Clamp TCP MSS to PMTU of WAN interface (IPv4 & IPv6)
652 ip46t_write("-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
654 ip46t_write("COMMIT\n");
657 // -----------------------------------------------------------------------------
659 // -----------------------------------------------------------------------------
661 static void nat_table(void)
678 ":PREROUTING ACCEPT [0:0]\n"
679 ":POSTROUTING ACCEPT [0:0]\n"
680 ":OUTPUT ACCEPT [0:0]\n"
682 chain_wan_prerouting
);
688 strlcpy(lanaddr
, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr
));
689 strlcpy(lanmask
, nvram_safe_get("lan_netmask"), sizeof(lanmask
));
690 strlcpy(lan1addr
, nvram_safe_get("lan1_ipaddr"), sizeof(lan1addr
));
691 strlcpy(lan1mask
, nvram_safe_get("lan1_netmask"), sizeof(lan1mask
));
692 strlcpy(lan2addr
, nvram_safe_get("lan2_ipaddr"), sizeof(lan2addr
));
693 strlcpy(lan2mask
, nvram_safe_get("lan2_netmask"), sizeof(lan2mask
));
694 strlcpy(lan3addr
, nvram_safe_get("lan3_ipaddr"), sizeof(lan3addr
));
695 strlcpy(lan3mask
, nvram_safe_get("lan3_netmask"), sizeof(lan3mask
));
698 for (i
= 0; i
< wanfaces
.count
; ++i
) {
699 if (*(wanfaces
.iface
[i
].name
)) {
700 // chain_wan_prerouting
702 ipt_write("-A PREROUTING -d %s -j %s\n",
703 wanfaces
.iface
[i
].ip
, chain_wan_prerouting
);
706 // Drop incoming packets which destination IP address is to our LAN side directly
707 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
708 wanfaces
.iface
[i
].name
,
709 lanaddr
, lanmask
); // note: ipt will correct lanaddr
710 if(strcmp(lan1addr
,"")!=0)
711 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
712 wanfaces
.iface
[i
].name
,
714 if(strcmp(lan2addr
,"")!=0)
715 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
716 wanfaces
.iface
[i
].name
,
718 if(strcmp(lan3addr
,"")!=0)
719 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
720 wanfaces
.iface
[i
].name
,
726 if (nvram_match("dns_intcpt", "1")) {
727 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
731 if(strcmp(lan1addr
,"")!=0)
732 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
736 if(strcmp(lan2addr
,"")!=0)
737 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
741 if(strcmp(lan3addr
,"")!=0)
742 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
748 // ICMP packets are always redirected to INPUT chains
749 ipt_write("-A %s -p icmp -j DNAT --to-destination %s\n", chain_wan_prerouting
, lanaddr
);
752 //force remote access to router if DMZ is enabled - shibby
753 if( (nvram_match("dmz_enable", "1")) && (nvram_match("dmz_ra", "1")) ) {
754 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
757 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
758 ipt_source(p
, src
, "ra", NULL
);
761 ipt_write("-A %s -p tcp -m tcp %s --dport %s -j DNAT --to-destination %s:%d\n",
762 chain_wan_prerouting
, src
, nvram_safe_get("http_wanport"), lanaddr
, web_lanport
);
765 if (nvram_get_int("sshd_remote")) {
766 ipt_write("-A %s %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n",
767 chain_wan_prerouting
, src
, nvram_safe_get("sshd_rport"), lanaddr
, nvram_safe_get("sshd_port"));
776 ipt_forward(IPT_TABLE_NAT
);
777 ipt_triggered(IPT_TABLE_NAT
);
780 if (nvram_get_int("upnp_enable") & 3) {
781 ipt_write(":upnp - [0:0]\n");
782 ipt_write(":pupnp - [0:0]\n");
784 for (i
= 0; i
< wanfaces
.count
; ++i
) {
785 if (*(wanfaces
.iface
[i
].name
)) {
787 // ! for loopback (all) to work
788 ipt_write("-A PREROUTING -d %s -j upnp\n", wanfaces
.iface
[i
].ip
);
791 ipt_write("-A PREROUTING -i %s -j upnp\n", wanfaces
.iface
[i
].name
);
799 if (nvram_match("tor_enable", "1")) {
800 if (nvram_match("tor_iface", "br0")) {
801 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
802 nvram_safe_get("tor_iface"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("tor_transport") );
803 } else if (nvram_match("tor_iface", "br1")) {
804 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
805 nvram_safe_get("tor_iface"), nvram_safe_get("lan1_ipaddr"), nvram_safe_get("lan1_ipaddr"), nvram_safe_get("tor_transport") );
806 } else if (nvram_match("tor_iface", "br2")) {
807 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
808 nvram_safe_get("tor_iface"), nvram_safe_get("lan2_ipaddr"), nvram_safe_get("lan2_ipaddr"), nvram_safe_get("tor_transport") );
809 } else if (nvram_match("tor_iface", "br3")) {
810 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
811 nvram_safe_get("tor_iface"), nvram_safe_get("lan3_ipaddr"), nvram_safe_get("lan3_ipaddr"), nvram_safe_get("tor_transport") );
813 strlcpy(t
, nvram_safe_get("tor_users"), sizeof(t
));
816 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
818 if (ipt_source_strict(p
, src
, "tor", NULL
))
819 ipt_write("-A PREROUTING %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
820 src
, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("tor_transport") );
831 strlcpy(t
, nvram_safe_get("dmz_sip"), sizeof(t
));
834 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
835 if (ipt_source_strict(p
, src
, "dmz", NULL
))
836 ipt_write("-A %s %s -j DNAT --to-destination %s\n", chain_wan_prerouting
, src
, dst
);
845 switch (get_ipv6_service()) {
847 // avoid NATing proto-41 packets when using 6in4 tunnel
853 for (i
= 0; i
< wanfaces
.count
; ++i
) {
854 if (*(wanfaces
.iface
[i
].name
)) {
855 if ((!wanup
) || (nvram_get_int("ne_snat") != 1))
856 ipt_write("-A POSTROUTING %s -o %s -j MASQUERADE\n", p
, wanfaces
.iface
[i
].name
);
858 ipt_write("-A POSTROUTING %s -o %s -j SNAT --to-source %s\n", p
, wanfaces
.iface
[i
].name
, wanfaces
.iface
[i
].ip
);
863 if ( (nvram_match("wan_proto", "pppoe") || nvram_match("wan_proto", "dhcp") || nvram_match("wan_proto", "static") )
864 && (modem_ipaddr
= nvram_safe_get("modem_ipaddr")) && *modem_ipaddr
&& !nvram_match("modem_ipaddr","0.0.0.0")
865 && (!foreach_wif(1, NULL
, is_sta
)) )
866 ipt_write("-A POSTROUTING -o %s -d %s -j MASQUERADE\n", nvram_safe_get("wan_ifname"), modem_ipaddr
);
868 switch (nvram_get_int("nf_loopback")) {
869 case 1: // 1 = forwarded-only
870 case 2: // 2 = disable
872 default: // 0 = all (same as block_loopback=0)
873 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
878 if (strcmp(lan1face
,"")!=0)
879 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
884 if (strcmp(lan2face
,"")!=0)
885 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
890 if (strcmp(lan3face
,"")!=0)
891 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
899 ipt_write("COMMIT\n");
902 // -----------------------------------------------------------------------------
904 // -----------------------------------------------------------------------------
906 static void filter_input(void)
916 if ((nvram_get_int("nf_loopback") != 0) && (wanup
)) { // 0 = all
917 for (n
= 0; n
< wanfaces
.count
; ++n
) {
918 if (*(wanfaces
.iface
[n
].name
)) {
919 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface
, wanfaces
.iface
[n
].ip
);
920 if (strcmp(lan1face
,"")!=0)
921 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan1face
, wanfaces
.iface
[n
].ip
);
922 if (strcmp(lan2face
,"")!=0)
923 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan2face
, wanfaces
.iface
[n
].ip
);
924 if (strcmp(lan3face
,"")!=0)
925 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan3face
, wanfaces
.iface
[n
].ip
);
931 "-A INPUT -m state --state INVALID -j DROP\n"
932 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n");
934 strlcpy(s
, nvram_safe_get("ne_shlimit"), sizeof(s
));
935 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && ((n
= atoi(en
) & 3) != 0)) {
937 ? what if the user uses the start button in GUI ?
938 if (nvram_get_int("telnetd_eas"))
939 if (nvram_get_int("sshd_eas"))
942 modprobe("xt_recent");
944 modprobe("ipt_recent");
949 "-A shlimit -m recent --set --name shlimit\n"
950 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
951 atoi(hit
) + 1, sec
, chain_in_drop
);
954 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
955 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
956 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
959 if (n
& 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
963 strlcpy(s
, nvram_safe_get("ftp_limit"), sizeof(s
));
964 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && (atoi(en
)) && (nvram_get_int("ftp_enable") == 1)) {
966 modprobe("xt_recent");
968 modprobe("ipt_recent");
973 "-A ftplimit -m recent --set --name ftp\n"
974 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
975 atoi(hit
) + 1, sec
, chain_in_drop
);
976 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
981 "-A INPUT -i lo -j ACCEPT\n"
982 "-A INPUT -i %s -j ACCEPT\n",
984 if (strcmp(lan1face
,"")!=0)
986 "-A INPUT -i %s -j ACCEPT\n",
988 if (strcmp(lan2face
,"")!=0)
990 "-A INPUT -i %s -j ACCEPT\n",
992 if (strcmp(lan3face
,"")!=0)
994 "-A INPUT -i %s -j ACCEPT\n",
998 n
= get_ipv6_service();
1000 case IPV6_ANYCAST_6TO4
:
1002 // Accept ICMP requests from the remote tunnel endpoint
1003 if (n
== IPV6_ANYCAST_6TO4
)
1004 sprintf(s
, "192.88.99.%d", nvram_get_int("ipv6_relay"));
1006 strlcpy(s
, nvram_safe_get("ipv6_tun_v4end"), sizeof(s
));
1007 if (*s
&& strcmp(s
, "0.0.0.0") != 0)
1008 ipt_write("-A INPUT -p icmp -s %s -j %s\n", s
, chain_in_accept
);
1009 ipt_write("-A INPUT -p 41 -j %s\n", chain_in_accept
);
1014 // ICMP request from WAN interface
1015 if (nvram_match("block_wan", "0")) {
1016 if (nvram_match("block_wan_limit", "0")) {
1017 // allow ICMP packets to be received
1018 ipt_write("-A INPUT -p icmp -j %s\n", chain_in_accept
);
1019 // allow udp traceroute packets
1020 ipt_write("-A INPUT -p udp --dport 33434:33534 -j %s\n", chain_in_accept
);
1022 // allow ICMP packets to be received, but restrict the flow to avoid ping flood attacks
1023 ipt_write("-A INPUT -p icmp -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_icmp"), chain_in_accept
);
1024 // allow udp traceroute packets, but restrict the flow to avoid ping flood attacks
1025 ipt_write("-A INPUT -p udp --dport 33434:33534 -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_tr"), chain_in_accept
);
1029 /* Accept incoming packets from broken dhcp servers, which are sending replies
1030 * from addresses other than used for query. This could lead to a lower level
1031 * of security, so allow to disable it via nvram variable.
1033 if (nvram_invmatch("dhcp_pass", "0") && using_dhcpc()) {
1034 ipt_write("-A INPUT -p udp --sport 67 --dport 68 -j %s\n", chain_in_accept
);
1037 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
1040 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1042 if (ipt_source(p
, s
, "remote management", NULL
)) {
1045 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1046 s
, nvram_safe_get("http_wanport"), chain_in_accept
);
1049 if (nvram_get_int("sshd_remote")) {
1050 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1051 s
, nvram_safe_get("sshd_rport"), chain_in_accept
);
1059 #ifdef TCONFIG_NGINX //Tomato RAF - Web Server
1060 if (nvram_match("nginx_enable", "1") && nvram_match("nginx_remote", "1"))
1061 ipt_write("-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "nginx_port" ));
1064 #ifdef TCONFIG_FTP // !!TB - FTP Server
1065 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1066 strlcpy(t
, nvram_safe_get("ftp_sip"), sizeof(t
));
1069 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1070 if (ipt_source(p
, s
, "ftp", "remote access")) {
1071 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1072 s
, nvram_safe_get("ftp_port"), chain_in_accept
);
1081 if( nvram_match( "snmp_enable", "1" ) && nvram_match("snmp_remote", "1"))
1083 strlcpy(t
, nvram_safe_get("snmp_remote_sip"), sizeof(t
));
1086 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1088 if (ipt_source(p
, s
, "snmp", "remote")) {
1089 ipt_write("-A INPUT -p udp %s --dport %s -j %s\n",
1090 s
, nvram_safe_get("snmp_port"), chain_in_accept
);
1099 // IGMP query from WAN interface
1100 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1101 ipt_write("-A INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT\n");
1102 ipt_write("-A INPUT -p udp -d 224.0.0.0/4 ! --dport 1900 -j ACCEPT\n");
1105 // Routing protocol, RIP, accept
1106 if (nvram_invmatch("dr_wan_rx", "0")) {
1107 ipt_write("-A INPUT -p udp --dport 520 -j ACCEPT\n");
1110 //BT Client ports from WAN interface
1111 if (nvram_match("bt_enable", "1")) {
1112 ipt_write( "-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "bt_port" ) );
1113 if (nvram_match( "bt_rpc_wan", "1") )
1115 ipt_write( "-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "bt_port_gui" ) );
1120 if (*chain_in_drop
== 'l') {
1121 ipt_write( "-A INPUT -j %s\n", chain_in_drop
);
1124 // default policy: DROP
1127 static void filter_forward(void)
1137 "-A FORWARD -m rt --rt-type 0 -j DROP\n");
1140 if (nvram_match("cstats_enable", "1")) {
1145 "-A FORWARD -i %s -o %s -j ACCEPT\n", // accept all lan to lan
1147 if (strcmp(lan1face
,"")!=0)
1149 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1150 lan1face
, lan1face
);
1151 if (strcmp(lan2face
,"")!=0)
1153 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1154 lan2face
, lan2face
);
1155 if (strcmp(lan3face
,"")!=0)
1157 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1158 lan3face
, lan3face
);
1160 char lanAccess
[17] = "0000000000000000";
1162 const char *d
, *sbr
, *saddr
, *dbr
, *daddr
, *desc
;
1165 nvp
= nv
= strdup(nvram_safe_get("lan_access"));
1167 while ((b
= strsep(&nvp
, ">")) != NULL
) {
1169 1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
1178 n
= vstrsep(b
, "<", &d
, &sbr
, &saddr
, &dbr
, &daddr
, &desc
);
1181 if (!ipt_addr(src
, sizeof(src
), saddr
, "src", IPT_V4
|IPT_V6
, 0, "LAN access", desc
))
1183 if (!ipt_addr(dst
, sizeof(dst
), daddr
, "dst", IPT_V4
|IPT_V6
, 0, "LAN access", desc
))
1187 ipt_write("-A FORWARD -i %s%s -o %s%s %s %s -j ACCEPT\n",
1195 if ((strcmp(src
,"")==0) && (strcmp(dst
,"")==0))
1196 lanAccess
[((*sbr
-48)+(*dbr
-48)*4)] = '1';
1203 "-A FORWARD -m state --state INVALID -j DROP\n"); // drop if INVALID state
1208 ipt_layer7_inbound();
1216 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); // already established or related (via helper)
1218 char lanN_ifname
[] = "lanXX_ifname";
1220 for(br
=0 ; br
<=3 ; br
++) {
1221 char bridge
[2] = "0";
1227 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
1228 if (strncmp(nvram_safe_get(lanN_ifname
), "br", 2) == 0) {
1229 char lanN_ifname2
[] = "lanXX_ifname";
1231 for(br2
=0 ; br2
<=3 ; br2
++) {
1232 if (br
==br2
) continue;
1234 if (lanAccess
[((br
)+(br2
)*4)] == '1') continue;
1236 char bridge2
[2] = "0";
1240 strcpy(bridge2
, "");
1242 sprintf(lanN_ifname2
, "lan%s_ifname", bridge2
);
1243 if (strncmp(nvram_safe_get(lanN_ifname2
), "br", 2) == 0) {
1244 ipt_write("-A FORWARD -i %s -o %s -j DROP\n",
1245 nvram_safe_get(lanN_ifname
),
1246 nvram_safe_get(lanN_ifname2
));
1249 // ip46t_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1253 #ifdef TCONFIG_PPTPD
1254 //Add for pptp server
1255 if (nvram_match("pptpd_enable", "1")) {
1256 ipt_write("-A INPUT -p tcp --dport 1723 -j ACCEPT\n");
1257 ipt_write("-A INPUT -p 47 -j ACCEPT\n");
1262 // Filter out invalid WAN->WAN connections
1264 // ip6t_write("-A FORWARD -o %s ! -i %s -j %s\n", wan6face, lanface, chain_in_drop); //shibby - we cant drop connections from WAN to LAN1-3
1265 ip6t_write("-A FORWARD -o %s -i %s -j %s\n", wan6face
, wan6face
, chain_in_drop
); //shibby - drop connection from WAN -> WAN only
1268 modprobe("xt_length");
1269 ip6t_write("-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
1273 for (i
= 0; i
< sizeof(allowed_icmpv6
)/sizeof(int); ++i
) {
1274 ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6
[i
], chain_in_accept
);
1277 //IPv6 IPSec - RFC 6092
1278 if (nvram_match("ipv6_ipsec", "1")) {
1281 "-A FORWARD -i %s -p esp -j ACCEPT\n" //ESP
1282 "-A FORWARD -i %s -p udp --dport 500 -j ACCEPT\n", //IKE
1283 wan6face
, wan6face
);
1290 "-A FORWARD -i %s -j wanin\n" // generic from wan
1291 "-A FORWARD -o %s -j wanout\n", // generic to wan
1292 wan6face
, wan6face
);
1297 for (i
= 0; i
< wanfaces
.count
; ++i
) {
1298 if (*(wanfaces
.iface
[i
].name
)) {
1300 "-A FORWARD -i %s -j wanin\n" // generic from wan
1301 "-A FORWARD -o %s -j wanout\n", // generic to wan
1302 wanfaces
.iface
[i
].name
, wanfaces
.iface
[i
].name
);
1306 for(br
=0 ; br
<=3 ; br
++) {
1307 char bridge
[2] = "0";
1313 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
1314 if (strncmp(nvram_safe_get(lanN_ifname
), "br", 2) == 0) {
1315 ip46t_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname
), chain_out_accept
);
1320 //IPv6 forward LAN->WAN accept
1321 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lanface
, wan6face
, chain_out_accept
);
1323 if (strcmp(lan1face
,"")!=0)
1324 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan1face
, wan6face
, chain_out_accept
);
1325 if (strcmp(lan2face
,"")!=0)
1326 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan2face
, wan6face
, chain_out_accept
);
1327 if (strcmp(lan3face
,"")!=0)
1328 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan3face
, wan6face
, chain_out_accept
);
1332 if (nvram_get_int("upnp_enable") & 3) {
1333 ipt_write(":upnp - [0:0]\n");
1334 for (i
= 0; i
< wanfaces
.count
; ++i
) {
1335 if (*(wanfaces
.iface
[i
].name
)) {
1336 ipt_write("-A FORWARD -i %s -j upnp\n",
1337 wanfaces
.iface
[i
].name
);
1343 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1344 ipt_write("-A wanin -p udp -d 224.0.0.0/4 -j %s\n", chain_in_accept
);
1346 ipt_triggered(IPT_TABLE_FILTER
);
1347 ipt_forward(IPT_TABLE_FILTER
);
1353 char dmz_ifname
[IFNAMSIZ
+1];
1354 strlcpy(dmz_ifname
, nvram_safe_get("dmz_ifname"), sizeof(dmz_ifname
));
1355 if(strcmp(dmz_ifname
, "") == 0)
1356 strlcpy(dmz_ifname
, lanface
, sizeof(lanface
));
1357 strlcpy(t
, nvram_safe_get("dmz_sip"), sizeof(t
));
1360 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1361 if (ipt_source(p
, src
, "dmz", NULL
))
1362 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", dmz_ifname
, src
, dst
, chain_in_accept
);
1369 // default policy: DROP
/*
 * filter_log: emit the logging chains that start_firewall() selects when
 * nvram log_in / log_out ask for logging. start_firewall() sets the chain
 * targets to "logdrop" / "logreject" / "logaccept" in that case, so the
 * leading 'l' tests below are how this function detects that request.
 *
 * The rate limiter "-m limit --limit N/m" is built from nvram "log_limit"
 * only when 1 <= N <= 9999, which bounds the formatted text to 23 bytes
 * plus the terminator. The fallback for other values, the declarations of
 * n and limit, and the write calls that consume these string literals are
 * in lines omitted from this listing.
 */
1372 static void filter_log(void)
// log_limit: log at most N matches per minute; outside 1..9999 the
// omitted else-branch presumably leaves `limit` empty — confirm.
1377 n
= nvram_get_int("log_limit");
1378 if ((n
>= 1) && (n
<= 9999)) {
1379 sprintf(limit
, "-m limit --limit %d/m", n
);
1386 modprobe("ip6t_LOG");
// logdrop / logreject: log new connections (rate-limited via %s) and then
// drop, or TCP-reset respectively. Only the string literals are visible;
// the call that writes them and its argument list are omitted here.
1388 if ((*chain_in_drop
== 'l') || (*chain_out_drop
== 'l')) {
1390 ":logdrop - [0:0]\n"
1391 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \""
1395 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1396 "-A logdrop -j DROP\n"
1397 ":logreject - [0:0]\n"
1398 "-A logreject %s -j LOG --log-prefix \"REJECT \""
1402 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1403 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
// logaccept: same pattern, terminating in ACCEPT.
1406 if ((*chain_in_accept
== 'l') || (*chain_out_accept
== 'l')) {
1408 ":logaccept - [0:0]\n"
1409 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \""
1413 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1414 "-A logaccept -j ACCEPT\n",
/*
 * filter6_input: emit the IPv6 INPUT chain. The chain policy is DROP (set
 * in filter_table()), so everything accepted here is an allow-list entry:
 *  - rt-type 0 (deprecated RH0 routing header) packets go to the %s target,
 *    whose argument is in an omitted line; RELATED,ESTABLISHED is accepted;
 *    the INVALID-state drop is commented out;
 *  - bare 40-byte ipv6-nonxt packets;
 *  - optional xt_recent rate limits for SSH/telnet (nvram "ne_shlimit" =
 *    "enable,hitcount,seconds") and FTP (nvram "ftp_limit", same layout);
 *  - anything from the LAN interface and from lo;
 *  - DHCPv6 client port 546 for the 6to4 / native-DHCP service types;
 *  - the RFC 4890 ICMPv6 allow lists (allowed_icmpv6 from the file header,
 *    allowed_local_icmpv6 below);
 *  - remote management (http_wanport, optionally sshd_rport) and FTP,
 *    restricted by the source filters in nvram rmgt_sip / ftp_sip;
 *  - a trailing jump to the logging drop chain when one is in use.
 *
 * Declarations of s, t, p, c, n, en, hit, sec and several enclosing braces
 * and calls are in lines omitted from this listing.
 * Port numbers, the "seconds" fields and the source lists are read from
 * nvram and written into the rule text as-is; a malformed value makes
 * ip6tables-restore reject the whole file, which start_firewall() handles
 * by renaming it to *.error and flushing the IPv6 tables.
 */
1420 static void filter6_input(void)
// ICMPv6 types that are only meaningful on the local link (RFC 4890 4.4.1):
// 130-136 MLD/ND, 148-149 SEND, 151-153 multicast router discovery.
1430 // RFC-4890, sec. 4.4.1
1431 const int allowed_local_icmpv6
[] =
1432 { 130, 131, 132, 133, 134, 135, 136,
1434 148, 149, 151, 152, 153 };
// Chain preamble; the write call wrapping these literals is omitted here.
1437 "-A INPUT -m rt --rt-type 0 -j %s\n"
1438 /* "-A INPUT -m state --state INVALID -j DROP\n" */
1439 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
// A 40-byte packet with no next header is just an IPv6 header; accept it.
1443 modprobe("xt_length");
1444 ip6t_write("-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
// SSH/telnet brute-force limiter. en is a bit mask: bit 0 presumably SSH
// (the test for it is in an omitted line), bit 1 telnet (visible below).
// --hitcount is hit+1 so `hit` new connections within `sec` seconds are
// allowed and the next one goes to chain_in_drop.
1447 strlcpy(s
, nvram_safe_get("ne_shlimit"), sizeof(s
));
1448 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && ((n
= atoi(en
) & 3) != 0)) {
1450 modprobe("xt_recent");
1452 modprobe("ipt_recent");
1457 "-A shlimit -m recent --set --name shlimit\n"
1458 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
1459 atoi(hit
) + 1, sec
, chain_in_drop
);
// NOTE(review): the LAN rule is bound to -i lanface, and a WAN-side rule is
// only written when sshd_rport differs from sshd_port. With equal ports,
// WAN-side SSH would not pass through shlimit unless an omitted line covers
// that case — confirm.
1462 ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface
, nvram_safe_get("sshd_port"));
1463 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
1464 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
1467 if (n
& 2) ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface
, nvram_safe_get("telnetd_port"));
// FTP limiter, same "enable,hitcount,seconds" layout, only when the FTP
// server is enabled; built under TCONFIG_FTP (the #ifdef is omitted here).
1471 strlcpy(s
, nvram_safe_get("ftp_limit"), sizeof(s
));
1472 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && (atoi(en
)) && (nvram_get_int("ftp_enable") == 1)) {
1474 modprobe("xt_recent");
1476 modprobe("ipt_recent");
1481 "-A ftplimit -m recent --set --name ftp\n"
1482 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
1483 atoi(hit
) + 1, sec
, chain_in_drop
);
1484 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1486 #endif // TCONFIG_FTP
// Unconditional accepts: the LAN interface (%s, argument omitted here) and lo.
1489 "-A INPUT -i %s -j ACCEPT\n" // anything coming from LAN
1490 "-A INPUT -i lo -j ACCEPT\n",
// DHCPv6 replies arrive on the client port; both service types share the
// same case body.
1493 switch (get_ipv6_service()) {
1494 case IPV6_ANYCAST_6TO4
:
1495 case IPV6_NATIVE_DHCP
:
1496 // allow responses from the dhcpv6 server
1497 ip6t_write("-A INPUT -p udp --dport 546 -j %s\n", chain_in_accept
);
// ICMPv6 allow lists; n is reused as the loop index here.
1502 for (n
= 0; n
< sizeof(allowed_icmpv6
)/sizeof(int); n
++) {
1503 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6
[n
], chain_in_accept
);
1505 for (n
= 0; n
< sizeof(allowed_local_icmpv6
)/sizeof(int); n
++) {
1506 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_local_icmpv6
[n
], chain_in_accept
);
// Remote management: rmgt_sip is a comma-separated source list; the copy
// in t is cut at the first comma before ip6t_source() turns the entry into
// a "-s ..." fragment in s. How p is derived from t, and the loop over the
// remaining entries, are in omitted lines.
1510 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
1513 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1515 if (ip6t_source(p
, s
, "remote management", NULL
)) {
1518 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1519 s
, nvram_safe_get("http_wanport"), chain_in_accept
);
// Remote SSH shares the management source filter.
1522 if (nvram_get_int("sshd_remote")) {
1523 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1524 s
, nvram_safe_get("sshd_rport"), chain_in_accept
);
// FTP from the WAN, source-filtered by ftp_sip in the same way.
1534 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1535 strlcpy(t
, nvram_safe_get("ftp_sip"), sizeof(t
));
1538 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1539 if (ip6t_source(p
, s
, "ftp", "remote access")) {
1540 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1541 s
, nvram_safe_get("ftp_port"), chain_in_accept
);
// With logging on, unmatched traffic is sent to logdrop so it gets logged
// before the DROP policy would have silently discarded it.
1550 if (*chain_in_drop
== 'l') {
1551 ip6t_write( "-A INPUT -j %s\n", chain_in_drop
);
1554 // default policy: DROP
/*
 * filter_table: open the filter table for both IPv4 and IPv6 (ip46t_write)
 * and set the chain policies: INPUT DROP, OUTPUT ACCEPT, FORWARD DROP when
 * the box routes (gateway_mode, or nvram wk_mode_x == "1") and ACCEPT
 * otherwise, then COMMIT. The IPv6-only OUTPUT rule sends packets carrying a
 * type 0 routing header to chain_in_drop.
 * The table header, the calls that fill in the INPUT/FORWARD chains, and the
 * else between the two FORWARD policies are in lines omitted here.
 */
1559 static void filter_table(void)
1563 ":INPUT DROP [0:0]\n"
1564 ":OUTPUT ACCEPT [0:0]\n"
// RH0 (rt-type 0) is deprecated; refuse to originate it as well as receive it.
1572 ip6t_write("-A OUTPUT -m rt --rt-type 0 -j %s\n", chain_in_drop
);
// Routing between interfaces is denied by default unless this is a gateway.
1575 if ((gateway_mode
) || (nvram_match("wk_mode_x", "1"))) {
1576 ip46t_write(":FORWARD DROP [0:0]\n");
1580 ip46t_write(":FORWARD ACCEPT [0:0]\n");
// COMMIT closes the filter table in both restore files.
1582 ip46t_write("COMMIT\n");
1585 // -----------------------------------------------------------------------------
/*
 * start_firewall: rebuild and load the IPv4 and IPv6 rule sets.
 *
 * Visible sequence: take the "firewall" and "restrictions" locks, apply a
 * batch of /proc/sys tuning, pick the chain targets from nvram log_in /
 * log_out, cache the interface names and the C-class prefixes of the LAN
 * addresses, set rp_filter per interface, open the restore files (ipt_fname
 * and ip6t_fname from the file header), feed them to iptables-restore /
 * ip6tables-restore through _eval(), unload netfilter modules the rules may
 * not need, run the firewall hook scripts and release the locks.
 *
 * Every return statement and the local declarations (s, c, n, dir, wanup,
 * wanproto, ipt_file, ip6t_file, ...) are in lines omitted from this
 * listing, so the return value cannot be documented here. The calls that
 * generate the rule text between fopen() and the restore step are omitted
 * as well.
 */
1587 int start_firewall(void)
1590 struct dirent
*dirent
;
// argv vectors for the restore programs; the const file names are cast away
// because _eval() takes char *argv[].
1595 char *iptrestore_argv
[] = { "iptables-restore", (char *)ipt_fname
, NULL
};
1597 char *ip6trestore_argv
[] = { "ip6tables-restore", (char *)ip6t_fname
, NULL
};
// Both locks are taken here; see the fopen() failure paths below for the
// unlock order.
1600 simple_lock("firewall");
1601 simple_lock("restrictions");
1603 wanup
= check_wanup();
// SYN cookies follow nvram "ne_syncookies" (written as "1"/"0").
1605 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
1607 /* NAT performance tweaks
1608 * These values can be overridden later if needed via firewall script
1610 f_write_string("/proc/sys/net/core/netdev_max_backlog", "3072", 0, 0);
1611 f_write_string("/proc/sys/net/core/somaxconn", "3072", 0, 0);
1612 f_write_string("/proc/sys/net/ipv4/tcp_max_syn_backlog", "8192", 0, 0);
1613 f_write_string("/proc/sys/net/ipv4/tcp_fin_timeout", "30", 0, 0);
1614 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_intvl", "24", 0, 0);
1615 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_probes", "3", 0, 0);
1616 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_time", "1800", 0, 0);
1617 f_write_string("/proc/sys/net/ipv4/tcp_retries2", "5", 0, 0);
1618 f_write_string("/proc/sys/net/ipv4/tcp_syn_retries", "3", 0, 0);
1619 f_write_string("/proc/sys/net/ipv4/tcp_synack_retries", "3", 0, 0);
// NOTE(review): tcp_tw_recycle=1 is known to reject connections from
// clients behind NAT (per-host TCP timestamp checks) and was removed from
// Linux in 4.12; tcp_tw_reuse below is the less disruptive of the two.
1620 f_write_string("/proc/sys/net/ipv4/tcp_tw_recycle", "1", 0, 0);
1621 f_write_string("/proc/sys/net/ipv4/tcp_tw_reuse", "1", 0, 0);
// Ignore bogus ICMP errors, keep TIME-WAIT sockets from being killed by
// RST (RFC 1337), and widen the ephemeral port range.
1623 /* DoS-related tweaks */
1624 f_write_string("/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses", "1", 0, 0);
1625 f_write_string("/proc/sys/net/ipv4/tcp_rfc1337", "1", 0, 0);
1626 f_write_string("/proc/sys/net/ipv4/ip_local_port_range", "1024 65535", 0, 0);
// ip_dynaddr is only enabled for WAN types whose address can change.
1628 wanproto
= get_wan_proto();
1629 f_write_string("/proc/sys/net/ipv4/ip_dynaddr", (wanproto
== WP_DISABLED
|| wanproto
== WP_STATIC
) ? "0" : "1", 0, 0);
1632 /* Force IGMPv2 due EMF limitations */
1633 if (nvram_get_int("emf_enable")) {
1634 f_write_string("/proc/sys/net/ipv4/conf/default/force_igmp_version", "2", 0, 0);
1635 f_write_string("/proc/sys/net/ipv4/conf/all/force_igmp_version", "2", 0, 0);
// Chain targets: bit 0 of log_in / log_out selects the logging drop and
// reject chains, bit 1 the logging accept chain. filter_log() tests the
// leading 'l' of these names to decide which logging chains to emit.
1639 n
= nvram_get_int("log_in");
1640 chain_in_drop
= (n
& 1) ? "logdrop" : "DROP";
1641 chain_in_accept
= (n
& 2) ? "logaccept" : "ACCEPT";
1643 n
= nvram_get_int("log_out");
1644 chain_out_drop
= (n
& 1) ? "logdrop" : "DROP";
1645 chain_out_reject
= (n
& 1) ? "logreject" : "REJECT --reject-with tcp-reset";
1646 chain_out_accept
= (n
& 2) ? "logaccept" : "ACCEPT";
1648 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
// Interface names. The lan*face buffers are IFNAMSIZ + 1 bytes (file
// header), so passing IFNAMSIZ as the size is safe but truncates one byte
// earlier than sizeof would; wan6face below uses sizeof.
1650 strlcpy(lanface
, nvram_safe_get("lan_ifname"), IFNAMSIZ
);
1651 strlcpy(lan1face
, nvram_safe_get("lan1_ifname"), IFNAMSIZ
);
1652 strlcpy(lan2face
, nvram_safe_get("lan2_ifname"), IFNAMSIZ
);
1653 strlcpy(lan3face
, nvram_safe_get("lan3_ifname"), IFNAMSIZ
);
// Take a private copy of the WAN interface list; wanface then points at
// the first entry's name inside that copy.
1655 memcpy(&wanfaces
, get_wanfaces(), sizeof(wanfaces
));
1656 wanface
= wanfaces
.iface
[0].name
;
1658 strlcpy(wan6face
, get_wan6face(), sizeof(wan6face
));
// Assume fastnat is allowed until a rule generator below clears this (the
// places that clear it are in omitted lines).
1662 can_enable_fastnat
= 1;
// lan_cclass = LAN address with the last octet removed ("a.b.c."); the
// lanN_cclass variants are declared outside this listing.
1665 strlcpy(s
, nvram_safe_get("lan_ipaddr"), sizeof(s
));
1666 if ((c
= strrchr(s
, '.')) != NULL
) *(c
+ 1) = 0;
1667 strlcpy(lan_cclass
, s
, sizeof(lan_cclass
));
1669 strlcpy(s, nvram_safe_get("lan1_ipaddr"), sizeof(s));
1670 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1671 strlcpy(lan1_cclass, s, sizeof(lan1_cclass));
1673 strlcpy(s, nvram_safe_get("lan2_ipaddr"), sizeof(s));
1674 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1675 strlcpy(lan2_cclass, s, sizeof(lan2_cclass));
1677 strlcpy(s, nvram_safe_get("lan3_ipaddr"), sizeof(s));
1678 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1679 strlcpy(lan3_cclass, s, sizeof(lan3_cclass));
1683 block obviously spoofed IP addresses
1686 1 - do source validation by reversed path, as specified in RFC1812
1687 Recommended option for single homed hosts and stub network
1688 routers. Could cause troubles for complicated (not loop free)
1689 networks running a slow unreliable protocol (sort of RIP),
1690 or using static routes.
1691 0 - No source validation.
// rp_filter is enabled on every interface under /proc/sys/net/ipv4/conf
// except the one named in c. c stays non-NULL only when BOTH multicast_pass
// and udpxy_enable are "1" and wan_ifname differs from wanface.
// NOTE(review): the `||` between the two negated matches means one enabled
// option alone is not enough, unlike the multicast_pass/udpxy_enable test
// earlier in this listing — confirm which is intended. Presumably
// nvram_get() can return NULL (the _safe_ variant exists for that reason);
// if it does while both options are set, strcmp() is handed a NULL operand.
1693 c
= nvram_get("wan_ifname");
1694 /* mcast needs rp filter to be turned off only for non default iface */
1695 if (!(nvram_match("multicast_pass", "1")) || !(nvram_match("udpxy_enable", "1")) || strcmp(wanface
, c
) == 0) c
= NULL
;
1697 if ((dir
= opendir("/proc/sys/net/ipv4/conf")) != NULL
) {
1698 while ((dirent
= readdir(dir
)) != NULL
) {
// NOTE(review): sprintf() with d_name (up to NAME_MAX bytes) into s, whose
// size is declared outside this listing; snprintf(s, sizeof(s), ...) would
// bound the write.
1699 sprintf(s
, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent
->d_name
);
1700 f_write_string(s
, (c
&& strcmp(dirent
->d_name
, c
) == 0) ? "0" : "1", 0, 0);
// Any wk_mode other than "router" counts as gateway mode.
1706 gateway_mode
= !nvram_match("wk_mode", "router");
1708 /* Remote management */
// Remote management needs the flag and a non-empty, non-zero WAN port.
1709 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
1710 nvram_invmatch("http_wanport", "0")) remotemanage
= 1;
// LAN web port: https_lanport or http_lanport, defaulting to 443 / 80 when
// unset or non-positive (the else between the two branches is omitted here).
1712 if (nvram_match("remote_mgt_https", "1")) {
1713 web_lanport
= nvram_get_int("https_lanport");
1714 if (web_lanport
<= 0) web_lanport
= 443;
1716 web_lanport
= nvram_get_int("http_lanport");
1717 if (web_lanport
<= 0) web_lanport
= 80;
// Open the restore files. On failure only the "firewall" lock is released
// in the visible lines; whether "restrictions" is released on these paths
// (and what is returned) is in omitted lines — worth confirming, since both
// locks were taken above.
1721 if ((ipt_file
= fopen(ipt_fname
, "w")) == NULL
) {
1722 notice_set("iptables", "Unable to create iptables restore file");
1723 simple_unlock("firewall");
1728 if ((ip6t_file
= fopen(ip6t_fname
, "w")) == NULL
) {
1729 notice_set("ip6tables", "Unable to create ip6tables restore file");
1730 simple_unlock("firewall");
// Modules the generated IPv6 rules rely on.
1733 modprobe("nf_conntrack_ipv6");
1734 modprobe("ip6t_REJECT");
1738 //if (nvram_match("imq_enable", "1")) {
1739 // char numdevs[10];
1740 // sprintf(numdevs, "numdevs=%d", nvram_get_int("imq_numdevs"));
1741 // modprobe("imq", numdevs );
1747 modprobe("ipt_IMQ");
// DEBUG_IPTFILE build: release both locks (the rest of that branch is
// omitted here).
1764 #ifdef DEBUG_IPTFILE
1766 simple_unlock("firewall");
1767 simple_unlock("restrictions");
// Ask miniupnpd to save its state before the tables are replaced, and wait
// for the marker file to disappear (the 5 is presumably a timeout — confirm).
1774 if (nvram_get_int("upnp_enable") & 3) {
1775 f_write("/etc/upnp/save", NULL
, 0, 0, 0);
1776 if (killall("miniupnpd", SIGUSR2
) == 0) {
1777 f_wait_notexists("/etc/upnp/save", 5);
// Load the IPv4 rules; iptables-restore output goes to /var/notice/iptables.
// On failure the restore file is kept as <ipt_fname>.error and the error is
// logged at LOG_CRIT; the omitted lines that follow appear to install a
// minimal fallback rule set (fragments of its text are visible below).
1781 notice_set("iptables", "");
1782 if (_eval(iptrestore_argv
, ">/var/notice/iptables", 0, NULL
) == 0) {
1784 notice_set("iptables", "");
1787 sprintf(s
, "%s.error", ipt_fname
);
1788 rename(ipt_fname
, s
);
1789 syslog(LOG_CRIT
, "Error while loading rules. See %s file.", s
);
1796 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1797 -A INPUT -i br0 -j ACCEPT
1801 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
1802 -A FORWARD -i br0 -j ACCEPT
// Same sequence for IPv6. On failure the filter and mangle tables are
// flushed; no IPv6 fallback rule set is visible, so the policy the flushed
// chains end up with cannot be determined here.
1808 if (ipv6_enabled()) {
1809 notice_set("ip6tables", "");
1810 if (_eval(ip6trestore_argv
, ">/var/notice/ip6tables", 0, NULL
) == 0) {
1811 notice_set("ip6tables", "");
1814 sprintf(s
, "%s.error", ip6t_fname
);
1815 rename(ip6t_fname
, s
);
1816 syslog(LOG_CRIT
, "Error while loading rules. See %s file.", s
);
1821 eval("ip6tables", "-F");
1822 eval("ip6tables", "-t", "mangle", "-F");
// Tell miniupnpd to re-add its mappings now that the tables are in place.
1826 if (nvram_get_int("upnp_enable") & 3) {
1827 f_write("/etc/upnp/load", NULL
, 0, 0, 0);
1828 killall("miniupnpd", SIGUSR2
);
// Post-load: release the restrictions lock, schedule the access
// restrictions and enable forwarding.
1831 simple_unlock("restrictions");
1832 sched_restrictions();
1833 enable_ip_forward();
1835 if (ipv6_enabled()) enable_ip6_forward();
1838 led(LED_DMZ
, dmz_dst(NULL
));
// Unload match/target modules that the generated rules may not have used;
// presumably modprobe_r fails harmlessly for modules still in use — confirm.
1841 modprobe_r("nf_conntrack_ipv6");
1842 modprobe_r("ip6t_LOG");
1843 modprobe_r("ip6t_REJECT");
1846 modprobe_r("xt_layer7");
1847 modprobe_r("xt_recent");
1848 modprobe_r("xt_HL");
1849 modprobe_r("xt_length");
1850 modprobe_r("xt_web");
1851 modprobe_r("xt_webmon");
1852 modprobe_r("xt_dscp");
1854 modprobe_r("ipt_layer7");
1855 modprobe_r("ipt_recent");
1856 modprobe_r("ipt_TTL");
1857 modprobe_r("ipt_web");
1858 modprobe_r("ipt_webmon");
1859 modprobe_r("ipt_dscp");
1861 modprobe_r("ipt_ipp2p");
// Web-monitor state files are reset with every firewall rebuild.
1863 unlink("/var/webmon/domain");
1864 unlink("/var/webmon/search");
// Hook scripts: VPN/tinc firewall scripts, then the user's nvram
// "script_fire". Whatever is stored there runs at this point, so the nvram
// store is part of the firewall's trust boundary.
1866 #ifdef TCONFIG_OPENVPN
1867 run_vpn_firewall_scripts();
1871 run_tinc_firewall_script();
1874 run_nvscript("script_fire", NULL
, 1);
// fastnat is only permitted when nothing above cleared can_enable_fastnat.
1877 allow_fastnat("firewall", can_enable_fastnat
);
1878 try_enabling_fastnat();
1880 simple_unlock("firewall");
1884 int stop_firewall(void)
1890 #ifdef DEBUG_IPTFILE
1891 void create_test_iptfile(void)