3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and is not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
29 #include <arpa/inet.h>
32 static int web_lanport
;
33 wanface_list_t wanfaces
;
34 char lanface
[IFNAMSIZ
+ 1];
35 char lan1face
[IFNAMSIZ
+ 1];
36 char lan2face
[IFNAMSIZ
+ 1];
37 char lan3face
[IFNAMSIZ
+ 1];
39 char wan6face
[IFNAMSIZ
+ 1];
41 char lan_cclass
[sizeof("xxx.xxx.xxx.") + 1];
43 static int can_enable_fastnat
;
47 static int debug_only
= 0;
50 static int gateway_mode
;
51 static int remotemanage
;
54 const char *chain_in_drop
;
55 const char *chain_in_accept
;
56 const char *chain_out_drop
;
57 const char *chain_out_accept
;
58 const char *chain_out_reject
;
60 const char chain_wan_prerouting
[] = "WANPREROUTING";
61 const char ipt_fname
[] = "/etc/iptables";
65 const char ip6t_fname
[] = "/etc/ip6tables";
68 // RFC-4890, sec. 4.3.1
69 const int allowed_icmpv6
[] = { 1, 2, 3, 4, 128, 129 };
/* foreach_wif() callback: returns 1 when the wireless unit/subunit is
 * configured in station ("sta") mode AND its BSS is enabled, else 0.
 * idx and param are not used. */
static int is_sta(int idx, int unit, int subunit, void *param)
{
	const char *mode_var = wl_nvname("mode", unit, subunit);

	/* Mode is checked first; a non-station interface is rejected without
	 * ever looking up bss_enabled (same short-circuit as the && form). */
	if (!nvram_match(mode_var, "sta")) {
		return 0;
	}
	return nvram_match(wl_nvname("bss_enabled", unit, subunit), "1") ? 1 : 0;
}
82 // -----------------------------------------------------------------------------
85 static const char *fastnat_run_dir
= "/var/run/fastnat";
87 void allow_fastnat(const char *service
, int allow
)
91 snprintf(p
, sizeof(p
), "%s/%s", fastnat_run_dir
, service
);
96 mkdir_if_none(fastnat_run_dir
);
97 f_write_string(p
, "", 0, 0);
101 static inline int fastnat_allowed(void)
107 enabled
= !nvram_get_int("qos_enable") && !nvram_get_int("fastnat_disable");
109 if (enabled
&& (dir
= opendir(fastnat_run_dir
))) {
110 while ((dp
= readdir(dir
))) {
111 if (strcmp(dp
->d_name
, ".") == 0 || strcmp(dp
->d_name
, "..") == 0)
/* Write the kernel's ip_conntrack_fastnat sysctl from the current policy:
 * fastnat_allowed() reads the qos_enable / fastnat_disable nvram flags and
 * the per-service veto files under the fastnat run directory. */
void try_enabling_fastnat(void)
{
	const char *state = fastnat_allowed() ? "1" : "0";

	f_write_string("/proc/sys/net/ipv4/netfilter/ip_conntrack_fastnat", state, 0, 0);
}
/* Turn on IPv4 packet forwarding between interfaces.
 *
 * From the kernel sysctl documentation:
 *   ip_forward - BOOLEAN
 *     0 - disabled (default)
 *     Forward Packets between interfaces.
 *     This variable is special, its change resets all configuration
 *     parameters to their default state (RFC1122 for hosts, RFC1812
 *     for routers).
 */
void enable_ip_forward(void)
{
	static const char sysctl_node[] = "/proc/sys/net/ipv4/ip_forward";

	f_write_string(sysctl_node, "1", 0, 0);
}
/* Enable IPv6 forwarding when IPv6 is configured (ipv6_enabled()), disable
 * it otherwise. Both conf/default (inherited by interfaces created later)
 * and conf/all are written, in that order, so the setting is uniform. */
void enable_ip6_forward(void)
{
	static const char *const nodes[] = {
		"/proc/sys/net/ipv6/conf/default/forwarding",
		"/proc/sys/net/ipv6/conf/all/forwarding",
	};
	const char *value = ipv6_enabled() ? "1" : "0";
	size_t i;

	for (i = 0; i < sizeof(nodes) / sizeof(nodes[0]); i++) {
		f_write_string(nodes[i], value, 0, 0);
	}
}
161 // -----------------------------------------------------------------------------
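/* Write the class-C prefix ("a.b.c.") of a dotted-quad address into new.
 *
 * ipaddr: dotted-quad string, e.g. "192.168.1.77".
 * new/count: output buffer and its size, passed straight to snprintf().
 * Returns the snprintf() result (characters needed, excluding the NUL, so a
 * value >= count means truncation), or 0 when ipaddr does not parse as four
 * integers each in 0..255. */
static int ip2cclass(char *ipaddr, char *new, int count)
{
	int ip[4];
	int i;

	if (sscanf(ipaddr, "%d.%d.%d.%d", &ip[0], &ip[1], &ip[2], &ip[3]) != 4) {
		return 0;
	}
	/* %d also accepts signs and values wider than a byte; reject those so a
	 * malformed octet is never copied into the prefix handed to iptables. */
	for (i = 0; i < 4; i++) {
		if (ip[i] < 0 || ip[i] > 255) {
			return 0;
		}
	}
	return snprintf(new, count, "%d.%d.%d.", ip[0], ip[1], ip[2]);
}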
174 static int dmz_dst(char *s
)
180 if (nvram_get_int("dmz_enable") <= 0) return 0;
182 p
= nvram_safe_get("dmz_ipaddr");
183 if ((ia
.s_addr
= inet_addr(p
)) == (in_addr_t
)-1) {
184 if (((n
= atoi(p
)) <= 0) || (n
>= 255)) return 0;
185 if (s
) sprintf(s
, "%s%d", lan_cclass
, n
);
189 if (s
) strcpy(s
, inet_ntoa(ia
));
/* Report through syslog that an address string could not be resolved and
 * the rule using it is being skipped.
 *
 * addr:     the unresolvable address text as supplied by the user/nvram.
 * addrtype: family label to print ("IPv4"/"IPv6"); NULL prints "IP".
 * categ:    which feature the address belongs to (e.g. "dmz").
 * name:     optional rule label; NULL or "" suppresses the ' for "..."' part.
 *
 * NOTE(review): the one visible caller, in ipt_addr(), passes
 * (s, categ, name, family-string) — that does not match this parameter
 * order, so categ/name/type would come out swapped in the log line;
 * confirm against the caller. */
void ipt_log_unresolved(const char *addr, const char *addrtype, const char *categ, const char *name)
{
	int have_name = (name != NULL) && (*name != '\0');
	const char *open_quote = have_name ? " for \"" : "";
	const char *close_quote = have_name ? "\"" : "";
	const char *shown_name = (name != NULL) ? name : "";
	const char *shown_type = (addrtype != NULL) ? addrtype : "IP";

	/* The format string is fixed; every caller-supplied piece goes through %s. */
	syslog(LOG_WARNING, "firewall: "
		"%s: not using %s%s%s%s (could not resolve as valid %s address)",
		categ, addr, open_quote, shown_name, close_quote, shown_type);
}
205 int ipt_addr(char *addr
, int maxlen
, const char *s
, const char *dir
, int af
,
206 int strict
, const char *categ
, const char *name
)
208 char p
[INET6_ADDRSTRLEN
* 2];
211 if ((s
) && (*s
) && (*dir
))
213 if (sscanf(s
, "%[0-9.]-%[0-9.]", p
, p
) == 2) {
214 snprintf(addr
, maxlen
, "-m iprange --%s-range %s", dir
, s
);
218 else if (sscanf(s
, "%[0-9A-Fa-f:]-%[0-9A-Fa-f:]", p
, p
) == 2) {
219 snprintf(addr
, maxlen
, "-m iprange --%s-range %s", dir
, s
);
224 snprintf(addr
, maxlen
, "-%c %s", dir
[0], s
);
225 if (sscanf(s
, "%[^/]/", p
)) {
227 r
= host_addrtypes(p
, strict
? af
: (IPT_V4
| IPT_V6
));
229 r
= host_addrtypes(p
, IPT_V4
);
237 r
= (IPT_V4
| IPT_V6
);
240 if ((r
== 0 || (strict
&& ((r
& af
) != af
))) && (categ
&& *categ
)) {
241 ipt_log_unresolved(s
, categ
, name
,
242 (af
& IPT_V4
& ~r
) ? "IPv4" : ((af
& IPT_V6
& ~r
) ? "IPv6" : NULL
));
248 #define ipt_source_strict(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 1, categ, name)
249 #define ipt_source(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 0, categ, name)
250 #define ip6t_source(s, src, categ, name) ipt_addr(src, 128, s, "src", IPT_V6, 0, categ, name)
253 static void get_src(const char *nv, char *src)
257 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
258 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
/* Append one formatted line to the IPv4 rules stream ipt_file (a FILE *
 * declared outside this chunk). format must be a trusted literal — every
 * visible caller passes one and routes nvram/user data through %s. */
void ipt_write(const char *format, ...)
{
	va_list ap;

	va_start(ap, format);
	vfprintf(ipt_file, format, ap);
	va_end(ap);
}
/* Append one formatted line to the IPv6 rules stream ip6t_file (a FILE *
 * declared outside this chunk). As with ipt_write(), format must be a
 * trusted literal; variable data belongs in the %s arguments. */
void ip6t_write(const char *format, ...)
{
	va_list ap;

	va_start(ap, format);
	vfprintf(ip6t_file, format, ap);
	va_end(ap);
}
286 // -----------------------------------------------------------------------------
288 int ipt_dscp(const char *v
, char *opt
)
297 n
= strtoul(v
, NULL
, 0);
299 sprintf(opt
, " -m dscp --dscp 0x%02X", n
);
304 modprobe("ipt_dscp");
309 // -----------------------------------------------------------------------------
312 int ipt_ipp2p(const char *v
, char *opt
)
321 strcpy(opt
, "-m ipp2p ");
322 if ((n
& 0xFFF) == 0xFFF) {
323 strcat(opt
, "--ipp2p");
327 if (n
& 0x0001) strcat(opt
, "--apple ");
328 if (n
& 0x0002) strcat(opt
, "--ares ");
329 if (n
& 0x0004) strcat(opt
, "--bit ");
330 if (n
& 0x0008) strcat(opt
, "--dc ");
331 if (n
& 0x0010) strcat(opt
, "--edk ");
332 if (n
& 0x0020) strcat(opt
, "--gnu ");
333 if (n
& 0x0040) strcat(opt
, "--kazaa ");
334 if (n
& 0x0080) strcat(opt
, "--mute ");
335 if (n
& 0x0100) strcat(opt
, "--soul ");
336 if (n
& 0x0200) strcat(opt
, "--waste ");
337 if (n
& 0x0400) strcat(opt
, "--winmx ");
338 if (n
& 0x0800) strcat(opt
, "--xdcc ");
340 if (n
& 0x1000) strcat(opt
, "--pp ");
341 if (n
& 0x2000) strcat(opt
, "--xunlei ");
345 modprobe("ipt_ipp2p");
350 // -----------------------------------------------------------------------------
355 // This L7 matches inbound traffic, caches the results, then the L7 outbound
356 // should read the cached result and set the appropriate marks -- zzz
357 void ipt_layer7_inbound(void)
362 if (!layer7_in
) return;
364 en
= nvram_match("nf_l7in", "1");
366 ipt_write(":L7in - [0:0]\n");
367 for (i
= 0; i
< wanfaces
.count
; ++i
) {
368 if (*(wanfaces
.iface
[i
].name
)) {
369 ipt_write("-A FORWARD -i %s -j L7in\n",
370 wanfaces
.iface
[i
].name
);
378 ipt_write("-A L7in %s -j RETURN\n", *p
);
380 can_enable_fastnat
= 0;
390 int ipt_layer7(const char *v
, char *opt
)
396 if (*v
== 0) return 0;
397 if (strlen(v
) > 32) return -1;
399 path
= "/etc/l7-extra";
400 sprintf(s
, "%s/%s.pat", path
, v
);
402 path
= "/etc/l7-protocols";
403 sprintf(s
, "%s/%s.pat", path
, v
);
405 syslog(LOG_ERR
, "L7 %s was not found", v
);
410 sprintf(opt
, "-m layer7 --l7dir %s --l7proto %s", path
, v
);
412 if (nvram_match("nf_l7in", "1")) {
413 if (!layer7_in
) layer7_in
= calloc(51, sizeof(char *));
419 if (strcmp(*p
, opt
) == 0) return 1;
422 if (((p
- layer7_in
) / sizeof(char *)) < 50) *p
= strdup(opt
);
427 modprobe("xt_layer7");
429 modprobe("ipt_layer7");
434 // -----------------------------------------------------------------------------
436 static void ipt_account(void) {
437 struct in_addr ipaddr
, netmask
, network
;
438 char lanN_ifname
[] = "lanXX_ifname";
439 char lanN_ipaddr
[] = "lanXX_ipaddr";
440 char lanN_netmask
[] = "lanXX_netmask";
441 char lanN
[] = "lanXX";
442 char netaddrnetmask
[] = "255.255.255.255/255.255.255.255 ";
444 // If the IP Address changes, the below rule will cause things to choke, and blocking rules don't get applied
445 // As a workaround, flush the entire FORWARD chain
446 system("iptables -F FORWARD");
448 for(br
=0 ; br
<=3 ; br
++) {
449 char bridge
[2] = "0";
455 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
457 if (strcmp(nvram_safe_get(lanN_ifname
), "")!=0) {
459 sprintf(lanN_ipaddr
, "lan%s_ipaddr", bridge
);
460 sprintf(lanN_netmask
, "lan%s_netmask", bridge
);
461 sprintf(lanN
, "lan%s", bridge
);
463 inet_aton(nvram_safe_get(lanN_ipaddr
), &ipaddr
);
464 inet_aton(nvram_safe_get(lanN_netmask
), &netmask
);
466 // bitwise AND of ip and netmask gives the network
467 network
.s_addr
= ipaddr
.s_addr
& netmask
.s_addr
;
469 sprintf(netaddrnetmask
, "%s/%s", inet_ntoa(network
), nvram_safe_get(lanN_netmask
));
472 ipt_write("-A FORWARD -m account --aaddr %s --aname %s\n", netaddrnetmask
, lanN
);
477 // -----------------------------------------------------------------------------
/* Copy the webmon module's recent-domain and recent-search lists from /proc
 * into /var/webmon, the files ipt_webmon() later passes to the match via
 * --domain_load_file / --search_load_file. Both copies go through eval()
 * with a fixed argv, so no shell is involved. */
static void save_webmon(void)
{
	static char *const copies[][2] = {
		{ "/proc/webmon_recent_domains", "/var/webmon/domain" },
		{ "/proc/webmon_recent_searches", "/var/webmon/search" },
	};
	size_t i;

	for (i = 0; i < sizeof(copies) / sizeof(copies[0]); i++) {
		eval("cp", copies[i][0], copies[i][1]);
	}
}
485 static void ipt_webmon()
487 int wmtype
, clear
, i
;
493 if (!nvram_get_int("log_wm")) return;
496 can_enable_fastnat
= 0;
498 wmtype
= nvram_get_int("log_wmtype");
499 clear
= nvram_get_int("log_wmclear");
501 ip46t_write(":monitor - [0:0]\n");
504 strlcpy(t
, wmtype
== 1 ? nvram_safe_get("log_wmip") : "", sizeof(t
));
507 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
509 if ((ok
= ipt_addr(src
, sizeof(src
), p
, "src", IPT_V4
|IPT_V6
, 0, "webmon", NULL
))) {
511 if (*wan6face
&& (ok
& IPT_V6
))
512 ip6t_write("-A FORWARD -o %s %s -j monitor\n", wan6face
, src
);
515 for (i
= 0; i
< wanfaces
.count
; ++i
) {
516 if (*(wanfaces
.iface
[i
].name
)) {
517 ipt_write("-A FORWARD -o %s %s -j monitor\n",
518 wanfaces
.iface
[i
].name
, src
);
530 strlcpy(t
, nvram_safe_get("log_wmip"), sizeof(t
));
533 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
534 if ((ok
= ipt_addr(src
, sizeof(src
), p
, "src", IPT_V4
|IPT_V6
, 0, "webmon", NULL
))) {
536 ip46t_flagged_write(ok
, "-A monitor %s -j RETURN\n", src
);
546 if( nvram_match( "webmon_bkp", "1" ) ) {
547 xstart( "/usr/sbin/webmon_bkp", "add" ); // add jobs to cru
549 sprintf(webdomain
, "--domain_load_file %s/webmon_recent_domains", nvram_safe_get("webmon_dir"));
550 sprintf(websearch
, "--search_load_file %s/webmon_recent_searches", nvram_safe_get("webmon_dir"));
552 sprintf(webdomain
, "--domain_load_file /var/webmon/domain");
553 sprintf(websearch
, "--search_load_file /var/webmon/search");
557 "-A monitor -p tcp -m webmon "
558 "--max_domains %d --max_searches %d %s %s -j RETURN\n",
559 nvram_get_int("log_wmdmax") ? : 1, nvram_get_int("log_wmsmax") ? : 1,
560 (clear
& 1) == 0 ? webdomain
: "--clear_domain",
561 (clear
& 2) == 0 ? websearch
: "--clear_search");
563 if( nvram_match( "webmon_bkp", "1" ) )
564 xstart( "/usr/sbin/webmon_bkp", "hourly" ); // make a copy immediately
568 modprobe("xt_webmon");
570 modprobe("ipt_webmon");
576 // -----------------------------------------------------------------------------
578 // -----------------------------------------------------------------------------
580 static void mangle_table(void)
587 ":PREROUTING ACCEPT [0:0]\n"
588 ":OUTPUT ACCEPT [0:0]\n");
596 p
= nvram_safe_get("nf_ttl");
597 if (strncmp(p
, "c:", 2) == 0) {
600 p
= (ttl
>= 0 && ttl
<= 255) ? "set" : NULL
;
602 else if ((ttl
= atoi(p
)) != 0) {
610 if (ttl
> 255) p
= NULL
;
620 // set TTL on primary WAN iface only
621 wanface
= wanfaces
.iface
[0].name
;
623 "-I PREROUTING -i %s -j TTL --ttl-%s %d\n"
624 "-I POSTROUTING -o %s -j TTL --ttl-%s %d\n",
628 // FIXME: IPv6 HL should be configurable separately from TTL.
629 // disable it until GUI setting is implemented.
632 "-I PREROUTING -i %s -j HL --hl-%s %d\n"
633 "-I POSTROUTING -o %s -j HL --hl-%s %d\n",
639 // Reset Incoming DSCP to 0x00
643 modprobe("ipt_DSCP");
645 ipt_write("-I PREROUTING -i %s -j DSCP --set-dscp 0\n", wanface
);
648 ip46t_write("COMMIT\n");
651 // -----------------------------------------------------------------------------
653 // -----------------------------------------------------------------------------
655 static void nat_table(void)
672 ":PREROUTING ACCEPT [0:0]\n"
673 ":POSTROUTING ACCEPT [0:0]\n"
674 ":OUTPUT ACCEPT [0:0]\n"
676 chain_wan_prerouting
);
682 strlcpy(lanaddr
, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr
));
683 strlcpy(lanmask
, nvram_safe_get("lan_netmask"), sizeof(lanmask
));
684 strlcpy(lan1addr
, nvram_safe_get("lan1_ipaddr"), sizeof(lan1addr
));
685 strlcpy(lan1mask
, nvram_safe_get("lan1_netmask"), sizeof(lan1mask
));
686 strlcpy(lan2addr
, nvram_safe_get("lan2_ipaddr"), sizeof(lan2addr
));
687 strlcpy(lan2mask
, nvram_safe_get("lan2_netmask"), sizeof(lan2mask
));
688 strlcpy(lan3addr
, nvram_safe_get("lan3_ipaddr"), sizeof(lan3addr
));
689 strlcpy(lan3mask
, nvram_safe_get("lan3_netmask"), sizeof(lan3mask
));
692 for (i
= 0; i
< wanfaces
.count
; ++i
) {
693 if (*(wanfaces
.iface
[i
].name
)) {
694 // chain_wan_prerouting
696 ipt_write("-A PREROUTING -d %s -j %s\n",
697 wanfaces
.iface
[i
].ip
, chain_wan_prerouting
);
700 // Drop incoming packets which destination IP address is to our LAN side directly
701 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
702 wanfaces
.iface
[i
].name
,
703 lanaddr
, lanmask
); // note: ipt will correct lanaddr
704 if(strcmp(lan1addr
,"")!=0)
705 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
706 wanfaces
.iface
[i
].name
,
708 if(strcmp(lan2addr
,"")!=0)
709 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
710 wanfaces
.iface
[i
].name
,
712 if(strcmp(lan3addr
,"")!=0)
713 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
714 wanfaces
.iface
[i
].name
,
720 if (nvram_match("dns_intcpt", "1")) {
721 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
725 if(strcmp(lan1addr
,"")!=0)
726 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
730 if(strcmp(lan2addr
,"")!=0)
731 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
735 if(strcmp(lan3addr
,"")!=0)
736 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
742 // ICMP packets are always redirected to INPUT chains
743 ipt_write("-A %s -p icmp -j DNAT --to-destination %s\n", chain_wan_prerouting
, lanaddr
);
746 //force remote access to router if DMZ is enabled - shibby
747 if( (nvram_match("dmz_enable", "1")) && (nvram_match("dmz_ra", "1")) ) {
748 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
751 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
752 ipt_source(p
, src
, "ra", NULL
);
755 ipt_write("-A %s -p tcp -m tcp %s --dport %s -j DNAT --to-destination %s:%d\n",
756 chain_wan_prerouting
, src
, nvram_safe_get("http_wanport"), lanaddr
, web_lanport
);
759 if (nvram_get_int("sshd_remote")) {
760 ipt_write("-A %s %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n",
761 chain_wan_prerouting
, src
, nvram_safe_get("sshd_rport"), lanaddr
, nvram_safe_get("sshd_port"));
770 ipt_forward(IPT_TABLE_NAT
);
771 ipt_triggered(IPT_TABLE_NAT
);
774 if (nvram_get_int("upnp_enable") & 3) {
775 ipt_write(":upnp - [0:0]\n");
777 for (i
= 0; i
< wanfaces
.count
; ++i
) {
778 if (*(wanfaces
.iface
[i
].name
)) {
780 // ! for loopback (all) to work
781 ipt_write("-A PREROUTING -d %s -j upnp\n", wanfaces
.iface
[i
].ip
);
784 ipt_write("-A PREROUTING -i %s -j upnp\n", wanfaces
.iface
[i
].name
);
792 if (nvram_match("tor_enable", "1")) {
793 if (nvram_match("tor_iface", "br0")) {
794 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
795 nvram_safe_get("tor_iface"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("tor_transport") );
796 } else if (nvram_match("tor_iface", "br1")) {
797 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
798 nvram_safe_get("tor_iface"), nvram_safe_get("lan1_ipaddr"), nvram_safe_get("lan1_ipaddr"), nvram_safe_get("tor_transport") );
799 } else if (nvram_match("tor_iface", "br2")) {
800 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
801 nvram_safe_get("tor_iface"), nvram_safe_get("lan2_ipaddr"), nvram_safe_get("lan2_ipaddr"), nvram_safe_get("tor_transport") );
802 } else if (nvram_match("tor_iface", "br3")) {
803 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
804 nvram_safe_get("tor_iface"), nvram_safe_get("lan3_ipaddr"), nvram_safe_get("lan3_ipaddr"), nvram_safe_get("tor_transport") );
806 strlcpy(t
, nvram_safe_get("tor_users"), sizeof(t
));
809 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
811 if (ipt_source_strict(p
, src
, "tor", NULL
))
812 ipt_write("-A PREROUTING %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
813 src
, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("tor_transport") );
824 strlcpy(t
, nvram_safe_get("dmz_sip"), sizeof(t
));
827 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
828 if (ipt_source_strict(p
, src
, "dmz", NULL
))
829 ipt_write("-A %s %s -j DNAT --to-destination %s\n", chain_wan_prerouting
, src
, dst
);
838 switch (get_ipv6_service()) {
840 // avoid NATing proto-41 packets when using 6in4 tunnel
846 for (i
= 0; i
< wanfaces
.count
; ++i
) {
847 if (*(wanfaces
.iface
[i
].name
)) {
848 if ((!wanup
) || (nvram_get_int("ne_snat") != 1))
849 ipt_write("-A POSTROUTING %s -o %s -j MASQUERADE\n", p
, wanfaces
.iface
[i
].name
);
851 ipt_write("-A POSTROUTING %s -o %s -j SNAT --to-source %s\n", p
, wanfaces
.iface
[i
].name
, wanfaces
.iface
[i
].ip
);
856 if ( (nvram_match("wan_proto", "pppoe") || nvram_match("wan_proto", "dhcp") || nvram_match("wan_proto", "static") )
857 && (modem_ipaddr
= nvram_safe_get("modem_ipaddr")) && *modem_ipaddr
&& !nvram_match("modem_ipaddr","0.0.0.0")
858 && (!foreach_wif(1, NULL
, is_sta
)) )
859 ipt_write("-A POSTROUTING -o %s -d %s -j MASQUERADE\n", nvram_safe_get("wan_ifname"), modem_ipaddr
);
861 switch (nvram_get_int("nf_loopback")) {
862 case 1: // 1 = forwarded-only
863 case 2: // 2 = disable
865 default: // 0 = all (same as block_loopback=0)
866 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
871 if (strcmp(lan1face
,"")!=0)
872 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
877 if (strcmp(lan2face
,"")!=0)
878 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
883 if (strcmp(lan3face
,"")!=0)
884 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
892 ipt_write("COMMIT\n");
895 // -----------------------------------------------------------------------------
897 // -----------------------------------------------------------------------------
899 static void filter_input(void)
909 if ((nvram_get_int("nf_loopback") != 0) && (wanup
)) { // 0 = all
910 for (n
= 0; n
< wanfaces
.count
; ++n
) {
911 if (*(wanfaces
.iface
[n
].name
)) {
912 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface
, wanfaces
.iface
[n
].ip
);
913 if (strcmp(lan1face
,"")!=0)
914 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan1face
, wanfaces
.iface
[n
].ip
);
915 if (strcmp(lan2face
,"")!=0)
916 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan2face
, wanfaces
.iface
[n
].ip
);
917 if (strcmp(lan3face
,"")!=0)
918 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan3face
, wanfaces
.iface
[n
].ip
);
924 "-A INPUT -m state --state INVALID -j DROP\n"
925 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n");
927 strlcpy(s
, nvram_safe_get("ne_shlimit"), sizeof(s
));
928 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && ((n
= atoi(en
) & 3) != 0)) {
930 ? what if the user uses the start button in GUI ?
931 if (nvram_get_int("telnetd_eas"))
932 if (nvram_get_int("sshd_eas"))
935 modprobe("xt_recent");
937 modprobe("ipt_recent");
942 "-A shlimit -m recent --set --name shlimit\n"
943 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
944 atoi(hit
) + 1, sec
, chain_in_drop
);
947 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
948 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
949 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
952 if (n
& 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
956 strlcpy(s
, nvram_safe_get("ftp_limit"), sizeof(s
));
957 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && (atoi(en
)) && (nvram_get_int("ftp_enable") == 1)) {
959 modprobe("xt_recent");
961 modprobe("ipt_recent");
966 "-A ftplimit -m recent --set --name ftp\n"
967 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
968 atoi(hit
) + 1, sec
, chain_in_drop
);
969 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
974 "-A INPUT -i lo -j ACCEPT\n"
975 "-A INPUT -i %s -j ACCEPT\n",
977 if (strcmp(lan1face
,"")!=0)
979 "-A INPUT -i %s -j ACCEPT\n",
981 if (strcmp(lan2face
,"")!=0)
983 "-A INPUT -i %s -j ACCEPT\n",
985 if (strcmp(lan3face
,"")!=0)
987 "-A INPUT -i %s -j ACCEPT\n",
991 n
= get_ipv6_service();
993 case IPV6_ANYCAST_6TO4
:
995 // Accept ICMP requests from the remote tunnel endpoint
996 if (n
== IPV6_ANYCAST_6TO4
)
997 sprintf(s
, "192.88.99.%d", nvram_get_int("ipv6_relay"));
999 strlcpy(s
, nvram_safe_get("ipv6_tun_v4end"), sizeof(s
));
1000 if (*s
&& strcmp(s
, "0.0.0.0") != 0)
1001 ipt_write("-A INPUT -p icmp -s %s -j %s\n", s
, chain_in_accept
);
1002 ipt_write("-A INPUT -p 41 -j %s\n", chain_in_accept
);
1007 // ICMP request from WAN interface
1008 if (nvram_match("block_wan", "0")) {
1009 if (nvram_match("block_wan_limit", "0")) {
1010 // allow ICMP packets to be received
1011 ipt_write("-A INPUT -p icmp -j %s\n", chain_in_accept
);
1012 // allow udp traceroute packets
1013 ipt_write("-A INPUT -p udp --dport 33434:33534 -j %s\n", chain_in_accept
);
1015 // allow ICMP packets to be received, but restrict the flow to avoid ping flood attacks
1016 ipt_write("-A INPUT -p icmp -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_icmp"), chain_in_accept
);
1017 // allow udp traceroute packets, but restrict the flow to avoid ping flood attacks
1018 ipt_write("-A INPUT -p udp --dport 33434:33534 -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_tr"), chain_in_accept
);
1022 /* Accept incoming packets from broken dhcp servers, which are sending replies
1023 * from addresses other than used for query. This could lead to a lower level
1024 * of security, so allow to disable it via nvram variable.
1026 if (nvram_invmatch("dhcp_pass", "0") && using_dhcpc()) {
1027 ipt_write("-A INPUT -p udp --sport 67 --dport 68 -j %s\n", chain_in_accept
);
1030 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
1033 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1035 if (ipt_source(p
, s
, "remote management", NULL
)) {
1038 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1039 s
, nvram_safe_get("http_wanport"), chain_in_accept
);
1042 if (nvram_get_int("sshd_remote")) {
1043 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1044 s
, nvram_safe_get("sshd_rport"), chain_in_accept
);
1052 #ifdef TCONFIG_NGINX //Tomato RAF - Web Server
1053 if (nvram_match("nginx_enable", "1"))
1054 ipt_write("-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "nginx_port" ));
1057 #ifdef TCONFIG_FTP // !!TB - FTP Server
1058 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1059 strlcpy(t
, nvram_safe_get("ftp_sip"), sizeof(t
));
1062 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1063 if (ipt_source(p
, s
, "ftp", "remote access")) {
1064 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1065 s
, nvram_safe_get("ftp_port"), chain_in_accept
);
1074 if( nvram_match( "snmp_enable", "1" ) && nvram_match("snmp_remote", "1"))
1076 strlcpy(t
, nvram_safe_get("snmp_remote_sip"), sizeof(t
));
1079 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1081 if (ipt_source(p
, s
, "snmp", "remote")) {
1082 ipt_write("-A INPUT -p udp %s --dport %s -j %s\n",
1083 s
, nvram_safe_get("snmp_port"), chain_in_accept
);
1092 // IGMP query from WAN interface
1093 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1094 ipt_write("-A INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT\n");
1095 ipt_write("-A INPUT -p udp -d 224.0.0.0/4 ! --dport 1900 -j ACCEPT\n");
1098 // Routing protocol, RIP, accept
1099 if (nvram_invmatch("dr_wan_rx", "0")) {
1100 ipt_write("-A INPUT -p udp --dport 520 -j ACCEPT\n");
1103 //BT Client ports from WAN interface
1104 if (nvram_match("bt_enable", "1")) {
1105 ipt_write( "-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "bt_port" ) );
1106 if (nvram_match( "bt_rpc_wan", "1") )
1108 ipt_write( "-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "bt_port_gui" ) );
1113 if (*chain_in_drop
== 'l') {
1114 ipt_write( "-A INPUT -j %s\n", chain_in_drop
);
1117 // default policy: DROP
1120 // clamp TCP MSS to PMTU of WAN interface (IPv4 only?)
1121 static void clampmss(void)
1124 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
1126 int rmtu
= nvram_get_int("wan_run_mtu");
1127 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS ", rmtu
- 39);
1129 ipt_write("--clamp-mss-to-pmtu\n");
1132 ipt_write("--set-mss %d\n", rmtu
- 40);
1137 static void filter_forward(void)
1147 "-A FORWARD -m rt --rt-type 0 -j DROP\n");
1150 if (nvram_match("cstats_enable", "1")) {
1155 "-A FORWARD -i %s -o %s -j ACCEPT\n", // accept all lan to lan
1157 if (strcmp(lan1face
,"")!=0)
1159 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1160 lan1face
, lan1face
);
1161 if (strcmp(lan2face
,"")!=0)
1163 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1164 lan2face
, lan2face
);
1165 if (strcmp(lan3face
,"")!=0)
1167 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1168 lan3face
, lan3face
);
1170 char lanAccess
[17] = "0000000000000000";
1172 const char *d
, *sbr
, *saddr
, *dbr
, *daddr
, *desc
;
1175 nvp
= nv
= strdup(nvram_safe_get("lan_access"));
1177 while ((b
= strsep(&nvp
, ">")) != NULL
) {
1179 1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
1188 n
= vstrsep(b
, "<", &d
, &sbr
, &saddr
, &dbr
, &daddr
, &desc
);
1191 if (!ipt_addr(src
, sizeof(src
), saddr
, "src", IPT_V4
|IPT_V6
, 0, "LAN access", desc
))
1193 if (!ipt_addr(dst
, sizeof(dst
), daddr
, "dst", IPT_V4
|IPT_V6
, 0, "LAN access", desc
))
1197 ipt_write("-A FORWARD -i %s%s -o %s%s %s %s -j ACCEPT\n",
1205 if ((strcmp(src
,"")==0) && (strcmp(dst
,"")==0))
1206 lanAccess
[((*sbr
-48)+(*dbr
-48)*4)] = '1';
1213 "-A FORWARD -m state --state INVALID -j DROP\n"); // drop if INVALID state
1215 // clamp tcp mss to pmtu
1221 ipt_layer7_inbound();
1229 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); // already established or related (via helper)
1231 char lanN_ifname
[] = "lanXX_ifname";
1233 for(br
=0 ; br
<=3 ; br
++) {
1234 char bridge
[2] = "0";
1240 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
1241 if (strncmp(nvram_safe_get(lanN_ifname
), "br", 2) == 0) {
1242 char lanN_ifname2
[] = "lanXX_ifname";
1244 for(br2
=0 ; br2
<=3 ; br2
++) {
1245 if (br
==br2
) continue;
1247 if (lanAccess
[((br
)+(br2
)*4)] == '1') continue;
1249 char bridge2
[2] = "0";
1253 strcpy(bridge2
, "");
1255 sprintf(lanN_ifname2
, "lan%s_ifname", bridge2
);
1256 if (strncmp(nvram_safe_get(lanN_ifname2
), "br", 2) == 0) {
1257 ipt_write("-A FORWARD -i %s -o %s -j DROP\n",
1258 nvram_safe_get(lanN_ifname
),
1259 nvram_safe_get(lanN_ifname2
));
1262 // ip46t_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1266 #ifdef TCONFIG_PPTPD
1267 //Add for pptp server
1268 if (nvram_match("pptpd_enable", "1")) {
1269 ipt_write("-A INPUT -p tcp --dport 1723 -j ACCEPT\n");
1270 ipt_write("-A INPUT -p 47 -j ACCEPT\n");
1275 // Filter out invalid WAN->WAN connections
1277 // ip6t_write("-A FORWARD -o %s ! -i %s -j %s\n", wan6face, lanface, chain_in_drop); //shibby - we cant drop connections from WAN to LAN1-3
1278 ip6t_write("-A FORWARD -o %s -i %s -j %s\n", wan6face
, wan6face
, chain_in_drop
); //shibby - drop connection from WAN -> WAN only
1281 modprobe("xt_length");
1282 ip6t_write("-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
1286 for (i
= 0; i
< sizeof(allowed_icmpv6
)/sizeof(int); ++i
) {
1287 ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6
[i
], chain_in_accept
);
1293 "-A FORWARD -i %s -j wanin\n" // generic from wan
1294 "-A FORWARD -o %s -j wanout\n", // generic to wan
1295 wan6face
, wan6face
);
1300 for (i
= 0; i
< wanfaces
.count
; ++i
) {
1301 if (*(wanfaces
.iface
[i
].name
)) {
1303 "-A FORWARD -i %s -j wanin\n" // generic from wan
1304 "-A FORWARD -o %s -j wanout\n", // generic to wan
1305 wanfaces
.iface
[i
].name
, wanfaces
.iface
[i
].name
);
1309 for(br
=0 ; br
<=3 ; br
++) {
1310 char bridge
[2] = "0";
1316 sprintf(lanN_ifname
, "lan%s_ifname", bridge
);
1317 if (strncmp(nvram_safe_get(lanN_ifname
), "br", 2) == 0) {
1318 ip46t_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname
), chain_out_accept
);
1323 //IPv6 forward LAN->WAN accept
1324 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lanface
, wan6face
, chain_out_accept
);
1326 if (strcmp(lan1face
,"")!=0)
1327 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan1face
, wan6face
, chain_out_accept
);
1328 if (strcmp(lan2face
,"")!=0)
1329 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan2face
, wan6face
, chain_out_accept
);
1330 if (strcmp(lan3face
,"")!=0)
1331 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan3face
, wan6face
, chain_out_accept
);
1335 if (nvram_get_int("upnp_enable") & 3) {
1336 ipt_write(":upnp - [0:0]\n");
1337 for (i
= 0; i
< wanfaces
.count
; ++i
) {
1338 if (*(wanfaces
.iface
[i
].name
)) {
1339 ipt_write("-A FORWARD -i %s -j upnp\n",
1340 wanfaces
.iface
[i
].name
);
1346 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1347 ipt_write("-A wanin -p udp -d 224.0.0.0/4 -j %s\n", chain_in_accept
);
1349 ipt_triggered(IPT_TABLE_FILTER
);
1350 ipt_forward(IPT_TABLE_FILTER
);
1356 char dmz_ifname
[IFNAMSIZ
+1];
1357 strlcpy(dmz_ifname
, nvram_safe_get("dmz_ifname"), sizeof(dmz_ifname
));
1358 if(strcmp(dmz_ifname
, "") == 0)
1359 strlcpy(dmz_ifname
, lanface
, sizeof(lanface
));
1360 strlcpy(t
, nvram_safe_get("dmz_sip"), sizeof(t
));
1363 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1364 if (ipt_source(p
, src
, "dmz", NULL
))
1365 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", dmz_ifname
, src
, dst
, chain_in_accept
);
1372 // default policy: DROP
// filter_log: create the logging variants of the terminal targets.
//
// start_firewall() points chain_in_drop / chain_out_drop / chain_in_accept /
// chain_out_accept either at a plain target ("DROP", "ACCEPT", "REJECT ...")
// or at a logging chain ("logdrop", "logreject", "logaccept").  Only the
// logging chains start with 'l', which is the (fragile) sentinel tested
// below; keep the names in sync with start_firewall() if either side changes.
// Declarations (n, limit), braces and the out-of-range branch for log_limit
// are not present in this listing.
1375 static void filter_log(void)
// Rate-limit LOG entries to log_limit per minute when it is within 1..9999,
// so a flood of dropped packets cannot fill the log.  The range check also
// bounds the length of the sprintf() result (at most "-m limit --limit 9999/m").
1380 n
= nvram_get_int("log_limit");
1381 if ((n
>= 1) && (n
<= 9999)) {
1382 sprintf(limit
, "-m limit --limit %d/m", n
);
1389 modprobe("ip6t_LOG");
// Build logdrop/logreject only when some direction asked for logging.
// Drops are logged for NEW connections only; logreject has no state match.
// The %s placeholders are presumably filled with the limit clause above --
// the argument list is not visible here.  logreject resets TCP only; other
// protocols fall through to the caller's default policy.
1391 if ((*chain_in_drop
== 'l') || (*chain_out_drop
== 'l')) {
1393 ":logdrop - [0:0]\n"
1394 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \""
1398 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1399 "-A logdrop -j DROP\n"
1400 ":logreject - [0:0]\n"
1401 "-A logreject %s -j LOG --log-prefix \"REJECT \""
1405 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1406 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
// Same for accepted NEW connections when accept logging is requested.
1409 if ((*chain_in_accept
== 'l') || (*chain_out_accept
== 'l')) {
1411 ":logaccept - [0:0]\n"
1412 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \""
1416 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1417 "-A logaccept -j ACCEPT\n",
// filter6_input: rules for the IPv6 INPUT chain (traffic addressed to the
// router itself).  Rule order matters: RH0 drop, established/related
// accept, ICMPv6 allow-lists, brute-force limiting for ssh/telnet/ftp,
// LAN + loopback accept, DHCPv6 client replies, remote-management and FTP
// exceptions, and finally an explicit logdrop when drop logging is on (the
// chain policy itself is DROP, see filter_table()).  Braces, the local
// declarations (s, t, p, c, en, hit, sec, n) and the loop that walks the
// comma-separated source lists are missing from this listing.
1423 static void filter6_input(void)
// RFC 4890 sec. 4.4.1: link-local ICMPv6 a node must receive (MLD 130-132,
// neighbour/router discovery 133-136, SEND 148-149, MRD 151-153).
1433 // RFC-4890, sec. 4.4.1
1434 const int allowed_local_icmpv6
[] =
1435 { 130, 131, 132, 133, 134, 135, 136,
1437 148, 149, 151, 152, 153 };
// Type-0 routing headers (deprecated by RFC 5095) are dropped before
// anything else; the INVALID drop stays disabled.
1440 "-A INPUT -m rt --rt-type 0 -j %s\n"
1441 /* "-A INPUT -m state --state INVALID -j DROP\n" */
1442 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
// Accept "No Next Header" datagrams that are exactly the 40-byte IPv6
// header (payload-less probes); xt_length provides the --length match.
1446 modprobe("xt_length");
1447 ip6t_write("-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
// Brute-force limiting.  ne_shlimit is "enable,hitcount,seconds"; en is a
// bitmask (bit 1 selects telnet below; bit 0 presumably selects ssh -- that
// test is not visible).  xt_recent records NEW connections per source and
// the (hitcount+1)-th within `seconds` is sent to chain_in_drop.  hit and
// sec come from nvram unvalidated; sec is interpolated as text, so a
// malformed value surfaces at ip6tables-restore time (see start_firewall()).
1450 strlcpy(s
, nvram_safe_get("ne_shlimit"), sizeof(s
));
1451 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && ((n
= atoi(en
) & 3) != 0)) {
1453 modprobe("xt_recent");
1455 modprobe("ipt_recent");
1460 "-A shlimit -m recent --set --name shlimit\n"
1461 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
1462 atoi(hit
) + 1, sec
, chain_in_drop
);
// NOTE(review): the first rule is bound to lanface and the second is only
// added when sshd_rport differs from sshd_port.  When the two ports are
// equal and sshd_remote is on, neither rule appears to match WAN-side
// connections, so remote ssh would then be unlimited -- confirm intent.
1465 ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface
, nvram_safe_get("sshd_port"));
1466 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
1467 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
1470 if (n
& 2) ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface
, nvram_safe_get("telnetd_port"));
// ftp_limit uses the same "enable,hitcount,seconds" scheme and is applied
// only while the FTP server is enabled.  The ftplimit rule is not bound to
// an interface, so LAN and WAN connections are both limited.
1474 strlcpy(s
, nvram_safe_get("ftp_limit"), sizeof(s
));
1475 if ((vstrsep(s
, ",", &en
, &hit
, &sec
) == 3) && (atoi(en
)) && (nvram_get_int("ftp_enable") == 1)) {
1477 modprobe("xt_recent");
1479 modprobe("ipt_recent");
1484 "-A ftplimit -m recent --set --name ftp\n"
1485 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
1486 atoi(hit
) + 1, sec
, chain_in_drop
);
1487 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1489 #endif // TCONFIG_FTP
// Everything from the LAN interface (the %s is presumably lanface; the
// argument line is not shown) and loopback is trusted.  The shlimit rules
// above must stay ahead of this accept, or LAN-side limiting never fires.
1492 "-A INPUT -i %s -j ACCEPT\n" // anything coming from LAN
1493 "-A INPUT -i lo -j ACCEPT\n",
// Only the service types that run a DHCPv6 client (judging by the case
// labels) get UDP/546 opened.  The rule is not scoped to an interface or
// source, so the DHCPv6 client itself must validate what arrives.
1496 switch (get_ipv6_service()) {
1497 case IPV6_ANYCAST_6TO4
:
1498 case IPV6_NATIVE_DHCP
:
1499 // allow responses from the dhcpv6 server
1500 ip6t_write("-A INPUT -p udp --dport 546 -j %s\n", chain_in_accept
);
// RFC 4890 sec. 4.3.1 types (allowed_icmpv6 at file scope: errors and
// echo), then the link-local set declared above.  sizeof/sizeof(int) is
// valid here only because both operands are genuine int[] arrays.
1505 for (n
= 0; n
< sizeof(allowed_icmpv6
)/sizeof(int); n
++) {
1506 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6
[n
], chain_in_accept
);
1508 for (n
= 0; n
< sizeof(allowed_local_icmpv6
)/sizeof(int); n
++) {
1509 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_local_icmpv6
[n
], chain_in_accept
);
// Remote management: accept TCP to http_wanport from each entry of the
// comma-separated rmgt_sip list (the list loop and the remotemanage check
// are not shown).  ip6t_source() is expected to fill s with the source
// match for p and return non-zero when it did; what it does for an empty
// entry (i.e. whether that means "any source") should be verified there.
1513 strlcpy(t
, nvram_safe_get("rmgt_sip"), sizeof(t
));
1516 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1518 if (ip6t_source(p
, s
, "remote management", NULL
)) {
1521 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1522 s
, nvram_safe_get("http_wanport"), chain_in_accept
);
// Remote ssh rides on the same source list as web management.
1525 if (nvram_get_int("sshd_remote")) {
1526 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1527 s
, nvram_safe_get("sshd_rport"), chain_in_accept
);
// FTP from WAN: same pattern with its own source list (ftp_sip).
1537 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1538 strlcpy(t
, nvram_safe_get("ftp_sip"), sizeof(t
));
1541 if ((c
= strchr(p
, ',')) != NULL
) *c
= 0;
1542 if (ip6t_source(p
, s
, "ftp", "remote access")) {
1543 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1544 s
, nvram_safe_get("ftp_port"), chain_in_accept
);
// Explicit jump to logdrop when drop logging is on; otherwise the INPUT
// policy (DROP, set in filter_table()) silently catches what is left.
1553 if (*chain_in_drop
== 'l') {
1554 ip6t_write( "-A INPUT -j %s\n", chain_in_drop
);
1557 // default policy: DROP
// filter_table: write the filter table for IPv4 and IPv6 together
// (ip46t_write emits to both files).  INPUT defaults to DROP and OUTPUT to
// ACCEPT.  The chain-building calls between these lines and the table
// header are not part of this listing.
1562 static void filter_table(void)
1566 ":INPUT DROP [0:0]\n"
1567 ":OUTPUT ACCEPT [0:0]\n"
// IPv6 only: locally generated packets carrying a type-0 routing header
// (RFC 5095) are dropped on OUTPUT as well, mirroring the INPUT rule in
// filter6_input().
1575 ip6t_write("-A OUTPUT -m rt --rt-type 0 -j %s\n", chain_in_drop
);
// Forwarded traffic is filtered only when this box acts as a gateway (or
// wk_mode_x is set); the ACCEPT policy at 1583 presumably sits in the else
// branch (brace lines missing) and leaves forwarding wide open.
1578 if ((gateway_mode
) || (nvram_match("wk_mode_x", "1"))) {
1579 ip46t_write(":FORWARD DROP [0:0]\n");
1583 ip46t_write(":FORWARD ACCEPT [0:0]\n");
1586 ip46t_write("COMMIT\n");
1589 // -----------------------------------------------------------------------------
// start_firewall: tune the kernel's networking sysctls, generate the
// iptables / ip6tables restore files, load them with *-restore, and run the
// post-load hooks (UPnP, restrictions, user scripts, fast NAT).
//
// Holds the "firewall" and "restrictions" locks while the rule files are
// written and loaded.  Return statements, braces, several declarations and
// the table-generating calls are not present in this listing.
1591 int start_firewall(void)
1594 struct dirent
*dirent
;
// argv vectors for the restore helpers; the const file-scope filenames are
// cast because _eval() takes char *[].
1599 char *iptrestore_argv
[] = { "iptables-restore", (char *)ipt_fname
, NULL
};
1601 char *ip6trestore_argv
[] = { "ip6tables-restore", (char *)ip6t_fname
, NULL
};
// NOTE(review): two locks are taken, but the fopen() failure paths below
// (1727, 1734) release only "firewall"; "restrictions" appears to remain
// held on those early exits.  The return lines are not visible -- confirm.
1604 simple_lock("firewall");
1605 simple_lock("restrictions");
1607 wanup
= check_wanup();
// SYN cookies (SYN-flood protection) are user-selectable.
1609 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
1611 /* NAT performance tweaks
1612 * These values can be overridden later if needed via firewall script
1614 f_write_string("/proc/sys/net/core/netdev_max_backlog", "3072", 0, 0);
1615 f_write_string("/proc/sys/net/core/somaxconn", "3072", 0, 0);
1616 f_write_string("/proc/sys/net/ipv4/tcp_max_syn_backlog", "8192", 0, 0);
1617 f_write_string("/proc/sys/net/ipv4/tcp_fin_timeout", "30", 0, 0);
1618 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_intvl", "24", 0, 0);
1619 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_probes", "3", 0, 0);
1620 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_time", "1800", 0, 0);
1621 f_write_string("/proc/sys/net/ipv4/tcp_retries2", "5", 0, 0);
1622 f_write_string("/proc/sys/net/ipv4/tcp_syn_retries", "3", 0, 0);
1623 f_write_string("/proc/sys/net/ipv4/tcp_synack_retries", "3", 0, 0);
// NOTE(review): tcp_tw_recycle=1 is known to drop connections from clients
// that share a NAT (per-host timestamp check); the knob was removed in
// Linux 4.12.  tcp_tw_reuse alone is the usual choice.
1624 f_write_string("/proc/sys/net/ipv4/tcp_tw_recycle", "1", 0, 0);
1625 f_write_string("/proc/sys/net/ipv4/tcp_tw_reuse", "1", 0, 0);
// DoS hardening: ignore bogus ICMP error responses, RFC 1337 TIME-WAIT
// assassination protection, and a wide ephemeral port range for NAT.
1627 /* DoS-related tweaks */
1628 f_write_string("/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses", "1", 0, 0);
1629 f_write_string("/proc/sys/net/ipv4/tcp_rfc1337", "1", 0, 0);
1630 f_write_string("/proc/sys/net/ipv4/ip_local_port_range", "1024 65535", 0, 0);
// ip_dynaddr (rewrite sockets on address change) only for WAN types whose
// address can change; off when WAN is disabled or static.
1632 wanproto
= get_wan_proto();
1633 f_write_string("/proc/sys/net/ipv4/ip_dynaddr", (wanproto
== WP_DISABLED
|| wanproto
== WP_STATIC
) ? "0" : "1", 0, 0);
1636 /* Force IGMPv2 due EMF limitations */
1637 if (nvram_get_int("emf_enable")) {
1638 f_write_string("/proc/sys/net/ipv4/conf/default/force_igmp_version", "2", 0, 0);
1639 f_write_string("/proc/sys/net/ipv4/conf/all/force_igmp_version", "2", 0, 0);
// Select the terminal targets once.  log_in / log_out: bit 0 logs drops
// and rejects, bit 1 logs accepts.  The "log*" chains are created by
// filter_log(), which recognises them by their leading 'l' -- keep the
// names in sync.
1643 n
= nvram_get_int("log_in");
1644 chain_in_drop
= (n
& 1) ? "logdrop" : "DROP";
1645 chain_in_accept
= (n
& 2) ? "logaccept" : "ACCEPT";
1647 n
= nvram_get_int("log_out");
1648 chain_out_drop
= (n
& 1) ? "logdrop" : "DROP";
1649 chain_out_reject
= (n
& 1) ? "logreject" : "REJECT --reject-with tcp-reset";
1650 chain_out_accept
= (n
& 2) ? "logaccept" : "ACCEPT";
1652 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
// Interface names come straight from nvram.  The buffers are IFNAMSIZ+1,
// so bounding the copy at IFNAMSIZ always leaves room for the terminator.
1654 strlcpy(lanface
, nvram_safe_get("lan_ifname"), IFNAMSIZ
);
1655 strlcpy(lan1face
, nvram_safe_get("lan1_ifname"), IFNAMSIZ
);
1656 strlcpy(lan2face
, nvram_safe_get("lan2_ifname"), IFNAMSIZ
);
1657 strlcpy(lan3face
, nvram_safe_get("lan3_ifname"), IFNAMSIZ
);
// The primary WAN interface is the first entry of the wanfaces list.
1659 memcpy(&wanfaces
, get_wanfaces(), sizeof(wanfaces
));
1660 wanface
= wanfaces
.iface
[0].name
;
1662 strlcpy(wan6face
, get_wan6face(), sizeof(wan6face
));
// Optimistic default; any code that clears it is not shown here.
1666 can_enable_fastnat
= 1;
// lan*_cclass = the LAN address with its last octet removed ("a.b.c."),
// presumably used elsewhere to build /24-style matches.
1669 strlcpy(s
, nvram_safe_get("lan_ipaddr"), sizeof(s
));
1670 if ((c
= strrchr(s
, '.')) != NULL
) *(c
+ 1) = 0;
1671 strlcpy(lan_cclass
, s
, sizeof(lan_cclass
));
1673 strlcpy(s, nvram_safe_get("lan1_ipaddr"), sizeof(s));
1674 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1675 strlcpy(lan1_cclass, s, sizeof(lan1_cclass));
1677 strlcpy(s, nvram_safe_get("lan2_ipaddr"), sizeof(s));
1678 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1679 strlcpy(lan2_cclass, s, sizeof(lan2_cclass));
1681 strlcpy(s, nvram_safe_get("lan3_ipaddr"), sizeof(s));
1682 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1683 strlcpy(lan3_cclass, s, sizeof(lan3_cclass));
1687 block obviously spoofed IP addresses
1690 1 - do source validation by reversed path, as specified in RFC1812
1691 Recommended option for single homed hosts and stub network
1692 routers. Could cause troubles for complicated (not loop free)
1693 networks running a slow unreliable protocol (sort of RIP),
1694 or using static routes.
1695 0 - No source validation.
// Exempt at most one interface from rp_filter: the non-default WAN iface
// named by wan_ifname, when multicast is being passed.
// NOTE(review): with the two negations OR-ed, the exemption applies only
// when BOTH multicast_pass and udpxy_enable are set, whereas the multicast
// accept rule in filter_forward() fires on either; if "neither is set" was
// meant, the test would be !(A || B).  As written it is the stricter
// (safer) choice -- confirm which was intended.
// NOTE(review): nvram_get() presumably returns NULL for an unset variable
// (hence nvram_safe_get() everywhere else); strcmp(wanface, c) is reached
// when both flags are set, so an unset wan_ifname would dereference NULL.
1697 c
= nvram_get("wan_ifname");
1698 /* mcast needs rp filter to be turned off only for non default iface */
1699 if (!(nvram_match("multicast_pass", "1")) || !(nvram_match("udpxy_enable", "1")) || strcmp(wanface
, c
) == 0) c
= NULL
;
// Enable rp_filter on every interface except the exempted one.
// NOTE(review): the sprintf() is unbounded; the size of s is not visible
// here and d_name may be up to NAME_MAX bytes.  Entries under this
// directory are interface names, which keeps it short in practice, but
// snprintf(s, sizeof(s), ...) would make the bound explicit.
1701 if ((dir
= opendir("/proc/sys/net/ipv4/conf")) != NULL
) {
1702 while ((dirent
= readdir(dir
)) != NULL
) {
1703 sprintf(s
, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent
->d_name
);
1704 f_write_string(s
, (c
&& strcmp(dirent
->d_name
, c
) == 0) ? "0" : "1", 0, 0);
// gateway_mode is false only for wk_mode == "router"; filter_table() then
// leaves FORWARD open unless wk_mode_x is set.
1710 gateway_mode
= !nvram_match("wk_mode", "router");
// Remote management is armed only when a non-empty, non-zero WAN port is
// configured.
1712 /* Remote management */
1713 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
1714 nvram_invmatch("http_wanport", "0")) remotemanage
= 1;
// LAN-side web port (https or http) with fallbacks, so a bad or missing
// nvram value never yields port 0.
1716 if (nvram_match("remote_mgt_https", "1")) {
1717 web_lanport
= nvram_get_int("https_lanport");
1718 if (web_lanport
<= 0) web_lanport
= 443;
1720 web_lanport
= nvram_get_int("http_lanport");
1721 if (web_lanport
<= 0) web_lanport
= 80;
// Open the restore files.  NOTE(review): besides the lock imbalance noted
// above, the ip6tables failure path appears to leave ipt_file (opened just
// before) unclosed -- confirm against the lines not shown.
1725 if ((ipt_file
= fopen(ipt_fname
, "w")) == NULL
) {
1726 notice_set("iptables", "Unable to create iptables restore file");
1727 simple_unlock("firewall");
1732 if ((ip6t_file
= fopen(ip6t_fname
, "w")) == NULL
) {
1733 notice_set("ip6tables", "Unable to create ip6tables restore file");
1734 simple_unlock("firewall");
// Modules the generated v6 rules rely on must be present before *-restore
// runs.
1737 modprobe("nf_conntrack_ipv6");
1738 modprobe("ip6t_REJECT");
1742 //if (nvram_match("imq_enable", "1")) {
1743 // char numdevs[10];
1744 // sprintf(numdevs, "numdevs=%d", nvram_get_int("imq_numdevs"));
1745 // modprobe("imq", numdevs );
1751 modprobe("ipt_IMQ");
// Debug build: stop after writing the files, without loading them.  The
// table-generating calls sit in the lines not shown.
1768 #ifdef DEBUG_IPTFILE
1770 simple_unlock("firewall");
1771 simple_unlock("restrictions");
// Ask miniupnpd to save its state (SIGUSR2, presumably writing
// /etc/upnp/save) and wait up to 5 s before the ruleset is replaced.
1778 if (nvram_get_int("upnp_enable") & 3) {
1779 f_write("/etc/upnp/save", NULL
, 0, 0, 0);
1780 if (killall("miniupnpd", SIGUSR2
) == 0) {
1781 f_wait_notexists("/etc/upnp/save", 5);
// Load the IPv4 rules.  On failure (presumably the else branch, not shown)
// the file is kept as ipt_fname.error for diagnosis and a CRIT entry goes
// to syslog.  NOTE(review): no fallback ruleset is installed here -- the
// INPUT/FORWARD rules sketched below appear to be a commented-out draft --
// so a failed restore leaves whatever rules were previously loaded (or
// none on first boot).  Worth confirming that this fails closed.
1785 notice_set("iptables", "");
1786 if (_eval(iptrestore_argv
, ">/var/notice/iptables", 0, NULL
) == 0) {
1788 notice_set("iptables", "");
1791 sprintf(s
, "%s.error", ipt_fname
);
1792 rename(ipt_fname
, s
);
1793 syslog(LOG_CRIT
, "Error while loading rules. See %s file.", s
);
1800 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1801 -A INPUT -i br0 -j ACCEPT
1805 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
1806 -A FORWARD -i br0 -j ACCEPT
// IPv6 side: same load-or-report pattern.  The flushes at 1825-1826 sit in
// a branch whose opening is not shown; they remove any existing v6 filter
// and mangle rules, leaving only the chain policies in force.
1812 if (ipv6_enabled()) {
1813 notice_set("ip6tables", "");
1814 if (_eval(ip6trestore_argv
, ">/var/notice/ip6tables", 0, NULL
) == 0) {
1815 notice_set("ip6tables", "");
1818 sprintf(s
, "%s.error", ip6t_fname
);
1819 rename(ip6t_fname
, s
);
1820 syslog(LOG_CRIT
, "Error while loading rules. See %s file.", s
);
1825 eval("ip6tables", "-F");
1826 eval("ip6tables", "-t", "mangle", "-F");
// Tell miniupnpd to re-add its mappings to the fresh ruleset.
1830 if (nvram_get_int("upnp_enable") & 3) {
1831 f_write("/etc/upnp/load", NULL
, 0, 0, 0);
1832 killall("miniupnpd", SIGUSR2
);
// Access restrictions are scheduled only once the base ruleset is in
// place; forwarding is switched on last.
1835 simple_unlock("restrictions");
1836 sched_restrictions();
1837 enable_ip_forward();
1839 if (ipv6_enabled()) enable_ip6_forward();
1842 led(LED_DMZ
, dmz_dst(NULL
));
// Best-effort unload of helper modules.  Modules still referenced by the
// loaded rules cannot be removed, so this only drops the ones the
// generated ruleset did not use; both xt_* and the older ipt_* names are
// tried.
1845 modprobe_r("nf_conntrack_ipv6");
1846 modprobe_r("ip6t_LOG");
1847 modprobe_r("ip6t_REJECT");
1850 modprobe_r("xt_layer7");
1851 modprobe_r("xt_recent");
1852 modprobe_r("xt_HL");
1853 modprobe_r("xt_length");
1854 modprobe_r("xt_web");
1855 modprobe_r("xt_webmon");
1856 modprobe_r("xt_dscp");
1858 modprobe_r("ipt_layer7");
1859 modprobe_r("ipt_recent");
1860 modprobe_r("ipt_TTL");
1861 modprobe_r("ipt_web");
1862 modprobe_r("ipt_webmon");
1863 modprobe_r("ipt_dscp");
1865 modprobe_r("ipt_ipp2p");
// Stale web-monitor state from the previous ruleset is discarded.
1867 unlink("/var/webmon/domain");
1868 unlink("/var/webmon/search");
// User hooks run last, after the base rules are loaded: VPN firewall
// scripts, then the nvram "script_fire" script.  Whatever they add is
// outside the error handling above.
1870 #ifdef TCONFIG_OPENVPN
1871 run_vpn_firewall_scripts();
1873 run_nvscript("script_fire", NULL
, 1);
// Fast NAT is offered only if nothing above vetoed it.
1876 allow_fastnat("firewall", can_enable_fastnat
);
1877 try_enabling_fastnat();
1879 simple_unlock("firewall");
1883 int stop_firewall(void)
1889 #ifdef DEBUG_IPTFILE
1890 void create_test_iptfile(void)