search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
do not try load IMQ modules
[tomato.git] / release / src-rt-6.x.4708 / router / rc / firewall.c
blobd771b463286db3ee577b8d5e74aa6ad1081f95d3
1 /*
2
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
4
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
9
10 This software should be used as a reference only, and it not
11 intended for production use!
12
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
17
18 */
19 /*
20
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
23
24 */
25
26 #include "rc.h"
27
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
31
32 static int web_lanport;
33 wanface_list_t wanfaces;
34 char lanface[IFNAMSIZ + 1];
35 char lan1face[IFNAMSIZ + 1];
36 char lan2face[IFNAMSIZ + 1];
37 char lan3face[IFNAMSIZ + 1];
38 #ifdef TCONFIG_IPV6
39 char wan6face[IFNAMSIZ + 1];
40 #endif
41 char lan_cclass[sizeof("xxx.xxx.xxx.") + 1];
42 #ifdef LINUX26
43 static int can_enable_fastnat;
44 #endif
45
46 #ifdef DEBUG_IPTFILE
47 static int debug_only = 0;
48 #endif
49
50 static int gateway_mode;
51 static int remotemanage;
52 static int wanup;
53
54 const char *chain_in_drop;
55 const char *chain_in_accept;
56 const char *chain_out_drop;
57 const char *chain_out_accept;
58 const char *chain_out_reject;
59
60 const char chain_wan_prerouting[] = "WANPREROUTING";
61 const char ipt_fname[] = "/etc/iptables";
62 FILE *ipt_file;
63
64 #ifdef TCONFIG_IPV6
65 const char ip6t_fname[] = "/etc/ip6tables";
66 FILE *ip6t_file;
67
68 // RFC-4890, sec. 4.3.1
69 const int allowed_icmpv6[] = { 1, 2, 3, 4, 128, 129 };
70 #endif
71
72 static int is_sta(int idx, int unit, int subunit, void *param)
73 {
74 return (nvram_match(wl_nvname("mode", unit, subunit), "sta") && (nvram_match(wl_nvname("bss_enabled", unit, subunit), "1")));
75 }
76
77 /*
78 struct {
79 } firewall_data;
80 */
81
82 // -----------------------------------------------------------------------------
83
84 #ifdef LINUX26
85 static const char *fastnat_run_dir = "/var/run/fastnat";
86
87 void allow_fastnat(const char *service, int allow)
88 {
89 char p[128];
90
91 snprintf(p, sizeof(p), "%s/%s", fastnat_run_dir, service);
92 if (allow) {
93 unlink(p);
94 }
95 else {
96 mkdir_if_none(fastnat_run_dir);
97 f_write_string(p, "", 0, 0);
98 }
99 }
100
101 static inline int fastnat_allowed(void)
102 {
103 DIR *dir;
104 struct dirent *dp;
105 int enabled;
106
107 enabled = !nvram_get_int("qos_enable") && !nvram_get_int("fastnat_disable");
108
109 if (enabled && (dir = opendir(fastnat_run_dir))) {
110 while ((dp = readdir(dir))) {
111 if (strcmp(dp->d_name, ".") == 0 || strcmp(dp->d_name, "..") == 0)
112 continue;
113 enabled = 0;
114 break;
115 }
116 closedir(dir);
117 }
118
119 return (enabled);
120 }
121
122 void try_enabling_fastnat(void)
123 {
124 f_write_string("/proc/sys/net/ipv4/netfilter/ip_conntrack_fastnat",
125 fastnat_allowed() ? "1" : "0", 0, 0);
126 }
127 #endif
128
129 void enable_ip_forward(void)
130 {
131 /*
132 ip_forward - BOOLEAN
133 0 - disabled (default)
134 not 0 - enabled
135
136 Forward Packets between interfaces.
137
138 This variable is special, its change resets all configuration
139 parameters to their default state (RFC1122 for hosts, RFC1812
140 for routers)
141 */
142 f_write_string("/proc/sys/net/ipv4/ip_forward", "1", 0, 0);
143
144 }
145
146 #ifdef TCONFIG_IPV6
147 void enable_ip6_forward(void)
148 {
149 if (ipv6_enabled()) {
150 f_write_string("/proc/sys/net/ipv6/conf/default/forwarding", "1", 0, 0);
151 f_write_string("/proc/sys/net/ipv6/conf/all/forwarding", "1", 0, 0);
152 }
153 else {
154 f_write_string("/proc/sys/net/ipv6/conf/default/forwarding", "0", 0, 0);
155 f_write_string("/proc/sys/net/ipv6/conf/all/forwarding", "0", 0, 0);
156 }
157 }
158 #endif
159
160
161 // -----------------------------------------------------------------------------
162
163 /*
164 static int ip2cclass(char *ipaddr, char *new, int count)
165 {
166 int ip[4];
167
168 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
169 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
170 }
171 */
172
173
174 static int dmz_dst(char *s)
175 {
176 struct in_addr ia;
177 char *p;
178 int n;
179
180 if (nvram_get_int("dmz_enable") <= 0) return 0;
181
182 p = nvram_safe_get("dmz_ipaddr");
183 if ((ia.s_addr = inet_addr(p)) == (in_addr_t)-1) {
184 if (((n = atoi(p)) <= 0) || (n >= 255)) return 0;
185 if (s) sprintf(s, "%s%d", lan_cclass, n);
186 return 1;
187 }
188
189 if (s) strcpy(s, inet_ntoa(ia));
190 return 1;
191 }
192
193 void ipt_log_unresolved(const char *addr, const char *addrtype, const char *categ, const char *name)
194 {
195 char *pre, *post;
196
197 pre = (name && *name) ? " for \"" : "";
198 post = (name && *name) ? "\"" : "";
199
200 syslog(LOG_WARNING, "firewall: "
201 "%s: not using %s%s%s%s (could not resolve as valid %s address)",
202 categ, addr, pre, (name) ? : "", post, (addrtype) ? : "IP");
203 }
204
205 int ipt_addr(char *addr, int maxlen, const char *s, const char *dir, int af,
206 int strict, const char *categ, const char *name)
207 {
208 char p[INET6_ADDRSTRLEN * 2];
209 int r = 0;
210
211 if ((s) && (*s) && (*dir))
212 {
213 if (sscanf(s, "%[0-9.]-%[0-9.]", p, p) == 2) {
214 snprintf(addr, maxlen, "-m iprange --%s-range %s", dir, s);
215 r = IPT_V4;
216 }
217 #ifdef TCONFIG_IPV6
218 else if (sscanf(s, "%[0-9A-Fa-f:]-%[0-9A-Fa-f:]", p, p) == 2) {
219 snprintf(addr, maxlen, "-m iprange --%s-range %s", dir, s);
220 r = IPT_V6;
221 }
222 #endif
223 else {
224 snprintf(addr, maxlen, "-%c %s", dir[0], s);
225 if (sscanf(s, "%[^/]/", p)) {
226 #ifdef TCONFIG_IPV6
227 r = host_addrtypes(p, strict ? af : (IPT_V4 | IPT_V6));
228 #else
229 r = host_addrtypes(p, IPT_V4);
230 #endif
231 }
232 }
233 }
234 else
235 {
236 *addr = 0;
237 r = (IPT_V4 | IPT_V6);
238 }
239
240 if ((r == 0 || (strict && ((r & af) != af))) && (categ && *categ)) {
241 ipt_log_unresolved(s, categ, name,
242 (af & IPT_V4 & ~r) ? "IPv4" : ((af & IPT_V6 & ~r) ? "IPv6" : NULL));
243 }
244
245 return (r & af);
246 }
247
248 #define ipt_source_strict(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 1, categ, name)
249 #define ipt_source(s, src, categ, name) ipt_addr(src, 64, s, "src", IPT_V4, 0, categ, name)
250 #define ip6t_source(s, src, categ, name) ipt_addr(src, 128, s, "src", IPT_V6, 0, categ, name)
251
252 /*
253 static void get_src(const char *nv, char *src)
254 {
255 char *p;
256
257 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
258 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
259 }
260 else {
261 *src = 0;
262 }
263 }
264 */
265
266 void ipt_write(const char *format, ...)
267 {
268 va_list args;
269
270 va_start(args, format);
271 vfprintf(ipt_file, format, args);
272 va_end(args);
273 }
274
275 void ip6t_write(const char *format, ...)
276 {
277 #ifdef TCONFIG_IPV6
278 va_list args;
279
280 va_start(args, format);
281 vfprintf(ip6t_file, format, args);
282 va_end(args);
283 #endif
284 }
285
286 // -----------------------------------------------------------------------------
287
288 int ipt_dscp(const char *v, char *opt)
289 {
290 unsigned int n;
291
292 if (*v == 0) {
293 *opt = 0;
294 return 0;
295 }
296
297 n = strtoul(v, NULL, 0);
298 if (n > 63) n = 63;
299 sprintf(opt, " -m dscp --dscp 0x%02X", n);
300
301 #ifdef LINUX26
302 modprobe("xt_dscp");
303 #else
304 modprobe("ipt_dscp");
305 #endif
306 return 1;
307 }
308
309 // -----------------------------------------------------------------------------
310
311
312 int ipt_ipp2p(const char *v, char *opt)
313 {
314 int n = atoi(v);
315
316 if (n == 0) {
317 *opt = 0;
318 return 0;
319 }
320
321 strcpy(opt, " -m ipp2p ");
322 if ((n & 0xFFF) == 0xFFF) {
323 strcat(opt, "--ipp2p");
324 }
325 else {
326 // x12
327 if (n & 0x0001) strcat(opt, "--apple ");
328 if (n & 0x0002) strcat(opt, "--ares ");
329 if (n & 0x0004) strcat(opt, "--bit ");
330 if (n & 0x0008) strcat(opt, "--dc ");
331 if (n & 0x0010) strcat(opt, "--edk ");
332 if (n & 0x0020) strcat(opt, "--gnu ");
333 if (n & 0x0040) strcat(opt, "--kazaa ");
334 if (n & 0x0080) strcat(opt, "--mute ");
335 if (n & 0x0100) strcat(opt, "--soul ");
336 if (n & 0x0200) strcat(opt, "--waste ");
337 if (n & 0x0400) strcat(opt, "--winmx ");
338 if (n & 0x0800) strcat(opt, "--xdcc ");
339 #ifdef LINUX26
340 if (n & 0x1000) strcat(opt, "--pp ");
341 if (n & 0x2000) strcat(opt, "--xunlei ");
342 #endif
343 }
344
345 modprobe("ipt_ipp2p");
346 return 1;
347 }
348
349
350 // -----------------------------------------------------------------------------
351
352
353 char **layer7_in;
354
355 // This L7 matches inbound traffic, caches the results, then the L7 outbound
356 // should read the cached result and set the appropriate marks -- zzz
357 void ipt_layer7_inbound(void)
358 {
359 int en, i;
360 char **p;
361
362 if (!layer7_in) return;
363
364 en = nvram_match("nf_l7in", "1");
365 if (en) {
366 ipt_write(":L7in - [0:0]\n");
367 for (i = 0; i < wanfaces.count; ++i) {
368 if (*(wanfaces.iface[i].name)) {
369 ipt_write("-A FORWARD -i %s -j L7in\n",
370 wanfaces.iface[i].name);
371 }
372 }
373 }
374
375 p = layer7_in;
376 while (*p) {
377 if (en) {
378 ipt_write("-A L7in %s -j RETURN\n", *p);
379 #ifdef LINUX26
380 can_enable_fastnat = 0;
381 #endif
382 }
383 free(*p);
384 ++p;
385 }
386 free(layer7_in);
387 layer7_in = NULL;
388 }
389
390 int ipt_layer7(const char *v, char *opt)
391 {
392 char s[128];
393 char *path;
394
395 *opt = 0;
396 if (*v == 0) return 0;
397 if (strlen(v) > 32) return -1;
398
399 path = "/etc/l7-extra";
400 sprintf(s, "%s/%s.pat", path, v);
401 if (!f_exists(s)) {
402 path = "/etc/l7-protocols";
403 sprintf(s, "%s/%s.pat", path, v);
404 if (!f_exists(s)) {
405 syslog(LOG_ERR, "L7 %s was not found", v);
406 return -1;
407 }
408 }
409
410 sprintf(opt, " -m layer7 --l7dir %s --l7proto %s", path, v);
411
412 if (nvram_match("nf_l7in", "1")) {
413 if (!layer7_in) layer7_in = calloc(51, sizeof(char *));
414 if (layer7_in) {
415 char **p;
416
417 p = layer7_in;
418 while (*p) {
419 if (strcmp(*p, opt) == 0) return 1;
420 ++p;
421 }
422 if (((p - layer7_in) / sizeof(char *)) < 50) *p = strdup(opt);
423 }
424 }
425
426 #ifdef LINUX26
427 modprobe("xt_layer7");
428 #else
429 modprobe("ipt_layer7");
430 #endif
431 return 1;
432 }
433
434 // -----------------------------------------------------------------------------
435
436 static void ipt_account(void) {
437 struct in_addr ipaddr, netmask, network;
438 char lanN_ifname[] = "lanXX_ifname";
439 char lanN_ipaddr[] = "lanXX_ipaddr";
440 char lanN_netmask[] = "lanXX_netmask";
441 char lanN[] = "lanXX";
442 char netaddrnetmask[] = "255.255.255.255/255.255.255.255 ";
443 char br;
444 // If the IP Address changes, the below rule will cause things to choke, and blocking rules don't get applied
445 // As a workaround, flush the entire FORWARD chain
446 system("iptables -F FORWARD");
447
448 for(br=0 ; br<=3 ; br++) {
449 char bridge[2] = "0";
450 if (br!=0)
451 bridge[0]+=br;
452 else
453 strcpy(bridge, "");
454
455 sprintf(lanN_ifname, "lan%s_ifname", bridge);
456
457 if (strcmp(nvram_safe_get(lanN_ifname), "")!=0) {
458
459 sprintf(lanN_ipaddr, "lan%s_ipaddr", bridge);
460 sprintf(lanN_netmask, "lan%s_netmask", bridge);
461 sprintf(lanN, "lan%s", bridge);
462
463 inet_aton(nvram_safe_get(lanN_ipaddr), &ipaddr);
464 inet_aton(nvram_safe_get(lanN_netmask), &netmask);
465
466 // bitwise AND of ip and netmask gives the network
467 network.s_addr = ipaddr.s_addr & netmask.s_addr;
468
469 sprintf(netaddrnetmask, "%s/%s", inet_ntoa(network), nvram_safe_get(lanN_netmask));
470
471 //ipv4 only
472 ipt_write("-A FORWARD -m account --aaddr %s --aname %s\n", netaddrnetmask, lanN);
473 }
474 }
475 }
476
477 // -----------------------------------------------------------------------------
478
479 static void save_webmon(void)
480 {
481 eval("cp", "/proc/webmon_recent_domains", "/var/webmon/domain");
482 eval("cp", "/proc/webmon_recent_searches", "/var/webmon/search");
483 }
484
485 static void ipt_webmon()
486 {
487 int wmtype, clear, i;
488 char t[512];
489 char src[128];
490 char *p, *c;
491 int ok;
492
493 if (!nvram_get_int("log_wm")) return;
494
495 #ifdef LINUX26
496 can_enable_fastnat = 0;
497 #endif
498 wmtype = nvram_get_int("log_wmtype");
499 clear = nvram_get_int("log_wmclear");
500
501 // ip46t_write(":monitor - [0:0]\n"); shibby-arm
502 ipt_write(":monitor - [0:0]\n");
503
504 // include IPs
505 strlcpy(t, wmtype == 1 ? nvram_safe_get("log_wmip") : "", sizeof(t));
506 p = t;
507 do {
508 if ((c = strchr(p, ',')) != NULL) *c = 0;
509
510 if ((ok = ipt_addr(src, sizeof(src), p, "src", IPT_V4|IPT_V6, 0, "webmon", NULL))) {
511 /* shibby-arm
512 #ifdef TCONFIG_IPV6
513 if (*wan6face && (ok & IPT_V6))
514 ip6t_write("-A FORWARD -o %s %s -j monitor\n", wan6face, src);
515 #endif
516 */
517 if (ok & IPT_V4) {
518 for (i = 0; i < wanfaces.count; ++i) {
519 if (*(wanfaces.iface[i].name)) {
520 ipt_write("-A FORWARD -o %s %s -j monitor\n",
521 wanfaces.iface[i].name, src);
522 }
523 }
524 }
525 }
526
527 if (!c) break;
528 p = c + 1;
529 } while (*p);
530
531 // exclude IPs
532 if (wmtype == 2) {
533 strlcpy(t, nvram_safe_get("log_wmip"), sizeof(t));
534 p = t;
535 do {
536 if ((c = strchr(p, ',')) != NULL) *c = 0;
537 if ((ok = ipt_addr(src, sizeof(src), p, "src", IPT_V4|IPT_V6, 0, "webmon", NULL))) {
538 if (*src)
539 // ip46t_flagged_write(ok, "-A monitor %s -j RETURN\n", src); shibby-arm
540 ipt_flagged_write(ok, "-A monitor %s -j RETURN\n", src);
541 }
542 if (!c) break;
543 p = c + 1;
544 } while (*p);
545 }
546
547 char webdomain[100];
548 char websearch[100];
549
550 if( nvram_match( "webmon_bkp", "1" ) ) {
551 xstart( "/usr/sbin/webmon_bkp", "add" ); // add jobs to cru
552
553 sprintf(webdomain, "--domain_load_file %s/webmon_recent_domains", nvram_safe_get("webmon_dir"));
554 sprintf(websearch, "--search_load_file %s/webmon_recent_searches", nvram_safe_get("webmon_dir"));
555 } else {
556 sprintf(webdomain, "--domain_load_file /var/webmon/domain");
557 sprintf(websearch, "--search_load_file /var/webmon/search");
558 }
559
560 // ip46t_write( shibby-arm
561 ipt_write(
562 "-A monitor -p tcp -m webmon "
563 "--max_domains %d --max_searches %d %s %s -j RETURN\n",
564 nvram_get_int("log_wmdmax") ? : 1, nvram_get_int("log_wmsmax") ? : 1,
565 (clear & 1) == 0 ? webdomain : "--clear_domain",
566 (clear & 2) == 0 ? websearch : "--clear_search");
567
568 if( nvram_match( "webmon_bkp", "1" ) )
569 xstart( "/usr/sbin/webmon_bkp", "hourly" ); // make a copy immediately
570
571
572 //#ifdef LINUX26
573 // modprobe("xt_webmon");
574 //#else
575 modprobe("ipt_webmon");
576 //#endif
577
578 }
579
580
581 // -----------------------------------------------------------------------------
582 // MANGLE
583 // -----------------------------------------------------------------------------
584
585 static void mangle_table(void)
586 {
587 int ttl;
588 char *p, *wanface;
589
590 ip46t_write(
591 "*mangle\n"
592 ":PREROUTING ACCEPT [0:0]\n"
593 ":OUTPUT ACCEPT [0:0]\n");
594
595 if (wanup) {
596
597 ipt_qos();
598 //1 for mangle
599 ipt_qoslimit(1);
600
601 p = nvram_safe_get("nf_ttl");
602 if (strncmp(p, "c:", 2) == 0) {
603 p += 2;
604 ttl = atoi(p);
605 p = (ttl >= 0 && ttl <= 255) ? "set" : NULL;
606 }
607 else if ((ttl = atoi(p)) != 0) {
608 if (ttl > 0) {
609 p = "inc";
610 }
611 else {
612 ttl = -ttl;
613 p = "dec";
614 }
615 if (ttl > 255) p = NULL;
616 }
617 else p = NULL;
618
619 if (p) {
620 #ifdef LINUX26
621 modprobe("xt_HL");
622 #else
623 modprobe("ipt_TTL");
624 #endif
625 // set TTL on primary WAN iface only
626 wanface = wanfaces.iface[0].name;
627 ipt_write(
628 "-I PREROUTING -i %s -j TTL --ttl-%s %d\n"
629 "-I POSTROUTING -o %s -j TTL --ttl-%s %d\n",
630 wanface, p, ttl,
631 wanface, p, ttl);
632 #ifdef TCONFIG_IPV6
633 // FIXME: IPv6 HL should be configurable separately from TTL.
634 // disable it until GUI setting is implemented.
635 #if 0
636 ip6t_write(
637 "-I PREROUTING -i %s -j HL --hl-%s %d\n"
638 "-I POSTROUTING -o %s -j HL --hl-%s %d\n",
639 wan6face, p, ttl,
640 wan6face, p, ttl);
641 #endif
642 #endif
643
644 // Reset Incoming DSCP to 0x00
645 if (nvram_match("DSCP_fix_enable", "1")) {
646 #ifdef LINUX26
647 modprobe("xt_DSCP");
648 #else
649 modprobe("ipt_DSCP");
650 #endif
651 ipt_write("-I PREROUTING -i %s -j DSCP --set-dscp 0\n", wanface);
652 }
653
654 }
655
656
657 //shibby-arm
658 char lanaddr[32];
659 char lanmask[32];
660 char lan1addr[32];
661 char lan1mask[32];
662 char lan2addr[32];
663 char lan2mask[32];
664 char lan3addr[32];
665 char lan3mask[32];
666 int i;
667
668 strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
669 strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));
670 strlcpy(lan1addr, nvram_safe_get("lan1_ipaddr"), sizeof(lan1addr));
671 strlcpy(lan1mask, nvram_safe_get("lan1_netmask"), sizeof(lan1mask));
672 strlcpy(lan2addr, nvram_safe_get("lan2_ipaddr"), sizeof(lan2addr));
673 strlcpy(lan2mask, nvram_safe_get("lan2_netmask"), sizeof(lan2mask));
674 strlcpy(lan3addr, nvram_safe_get("lan3_ipaddr"), sizeof(lan3addr));
675 strlcpy(lan3mask, nvram_safe_get("lan3_netmask"), sizeof(lan3mask));
676
677
678 for (i = 0; i < wanfaces.count; ++i) {
679 if (*(wanfaces.iface[i].name)) {
680 // chain_wan_prerouting
681 if (wanup) {
682
683 // Drop incoming packets which destination IP address is to our LAN side directly
684 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
685 wanfaces.iface[i].name,
686 lanaddr, lanmask); // note: ipt will correct lanaddr
687 if(strcmp(lan1addr,"")!=0)
688 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
689 wanfaces.iface[i].name,
690 lan1addr, lan1mask);
691 if(strcmp(lan2addr,"")!=0)
692 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
693 wanfaces.iface[i].name,
694 lan2addr, lan2mask);
695 if(strcmp(lan3addr,"")!=0)
696 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
697 wanfaces.iface[i].name,
698 lan3addr, lan3mask);
699 }
700 }
701 }
702 //
703 }
704
705 ip46t_write("COMMIT\n");
706 }
707
708 // -----------------------------------------------------------------------------
709 // NAT
710 // -----------------------------------------------------------------------------
711
712 static void nat_table(void)
713 {
714 char lanaddr[32];
715 char lanmask[32];
716 char lan1addr[32];
717 char lan1mask[32];
718 char lan2addr[32];
719 char lan2mask[32];
720 char lan3addr[32];
721 char lan3mask[32];
722 char dst[64];
723 char src[64];
724 char t[512];
725 char *p, *c;
726 int i;
727
728 ipt_write("*nat\n"
729 ":PREROUTING ACCEPT [0:0]\n"
730 ":POSTROUTING ACCEPT [0:0]\n"
731 ":OUTPUT ACCEPT [0:0]\n"
732 ":%s - [0:0]\n",
733 chain_wan_prerouting);
734
735 //2 for nat
736 ipt_qoslimit(2);
737
738 if (gateway_mode) {
739 strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
740 strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));
741 strlcpy(lan1addr, nvram_safe_get("lan1_ipaddr"), sizeof(lan1addr));
742 strlcpy(lan1mask, nvram_safe_get("lan1_netmask"), sizeof(lan1mask));
743 strlcpy(lan2addr, nvram_safe_get("lan2_ipaddr"), sizeof(lan2addr));
744 strlcpy(lan2mask, nvram_safe_get("lan2_netmask"), sizeof(lan2mask));
745 strlcpy(lan3addr, nvram_safe_get("lan3_ipaddr"), sizeof(lan3addr));
746 strlcpy(lan3mask, nvram_safe_get("lan3_netmask"), sizeof(lan3mask));
747
748
749 for (i = 0; i < wanfaces.count; ++i) {
750 if (*(wanfaces.iface[i].name)) {
751 // chain_wan_prerouting
752 if (wanup) {
753 ipt_write("-A PREROUTING -d %s -j %s\n",
754 wanfaces.iface[i].ip, chain_wan_prerouting);
755 }
756 //shibby-arm
757 }
758 }
759
760 if (wanup) {
761 if (nvram_match("dns_intcpt", "1")) {
762 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
763 lanaddr, lanmask,
764 lanaddr, lanmask,
765 lanaddr);
766 if(strcmp(lan1addr,"")!=0)
767 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
768 lan1addr, lan1mask,
769 lan1addr, lan1mask,
770 lan1addr);
771 if(strcmp(lan2addr,"")!=0)
772 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
773 lan2addr, lan2mask,
774 lan2addr, lan2mask,
775 lan2addr);
776 if(strcmp(lan3addr,"")!=0)
777 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
778 lan3addr, lan3mask,
779 lan3addr, lan3mask,
780 lan3addr);
781 }
782
783 // ICMP packets are always redirected to INPUT chains
784 ipt_write("-A %s -p icmp -j DNAT --to-destination %s\n", chain_wan_prerouting, lanaddr);
785
786
787 //force remote access to router if DMZ is enabled - shibby
788 if( (nvram_match("dmz_enable", "1")) && (nvram_match("dmz_ra", "1")) ) {
789 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
790 p = t;
791 do {
792 if ((c = strchr(p, ',')) != NULL) *c = 0;
793 ipt_source(p, src, "ra", NULL);
794
795 if (remotemanage) {
796 ipt_write("-A %s -p tcp -m tcp %s --dport %s -j DNAT --to-destination %s:%d\n",
797 chain_wan_prerouting, src, nvram_safe_get("http_wanport"), lanaddr, web_lanport);
798 }
799
800 if (nvram_get_int("sshd_remote")) {
801 ipt_write("-A %s %s -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n",
802 chain_wan_prerouting, src, nvram_safe_get("sshd_rport"), lanaddr, nvram_safe_get("sshd_port"));
803 }
804
805 if (!c) break;
806 p = c + 1;
807 } while (*p);
808 }
809
810
811 ipt_forward(IPT_TABLE_NAT);
812 ipt_triggered(IPT_TABLE_NAT);
813 }
814
815 if (nvram_get_int("upnp_enable") & 3) {
816 ipt_write(":upnp - [0:0]\n");
817
818 for (i = 0; i < wanfaces.count; ++i) {
819 if (*(wanfaces.iface[i].name)) {
820 if (wanup) {
821 // ! for loopback (all) to work
822 ipt_write("-A PREROUTING -d %s -j upnp\n", wanfaces.iface[i].ip);
823 }
824 else {
825 ipt_write("-A PREROUTING -i %s -j upnp\n", wanfaces.iface[i].name);
826 }
827 }
828 }
829 }
830
831 #ifdef TCONFIG_TOR
832 //TOR
833 if (nvram_match("tor_enable", "1")) {
834 if (nvram_match("tor_iface", "br0")) {
835 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
836 nvram_safe_get("tor_iface"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("tor_transport") );
837 } else if (nvram_match("tor_iface", "br1")) {
838 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
839 nvram_safe_get("tor_iface"), nvram_safe_get("lan1_ipaddr"), nvram_safe_get("lan1_ipaddr"), nvram_safe_get("tor_transport") );
840 } else if (nvram_match("tor_iface", "br2")) {
841 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
842 nvram_safe_get("tor_iface"), nvram_safe_get("lan2_ipaddr"), nvram_safe_get("lan2_ipaddr"), nvram_safe_get("tor_transport") );
843 } else if (nvram_match("tor_iface", "br3")) {
844 ipt_write("-A PREROUTING -i %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
845 nvram_safe_get("tor_iface"), nvram_safe_get("lan3_ipaddr"), nvram_safe_get("lan3_ipaddr"), nvram_safe_get("tor_transport") );
846 } else {
847 strlcpy(t, nvram_safe_get("tor_users"), sizeof(t));
848 p = t;
849 do {
850 if ((c = strchr(p, ',')) != NULL) *c = 0;
851
852 if (ipt_source_strict(p, src, "tor", NULL))
853 ipt_write("-A PREROUTING %s -p tcp --dport 80 ! -d %s -j DNAT --to-destination %s:%s\n",
854 src, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_ipaddr"), nvram_safe_get("tor_transport") );
855
856 if (!c) break;
857 p = c + 1;
858 } while (*p);
859 }
860 }
861 #endif
862
863 if (wanup) {
864 if (dmz_dst(dst)) {
865 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
866 p = t;
867 do {
868 if ((c = strchr(p, ',')) != NULL) *c = 0;
869 if (ipt_source_strict(p, src, "dmz", NULL))
870 ipt_write("-A %s %s -j DNAT --to-destination %s\n", chain_wan_prerouting, src, dst);
871 if (!c) break;
872 p = c + 1;
873 } while (*p);
874 }
875 }
876
877 p = "";
878 #ifdef TCONFIG_IPV6
879 switch (get_ipv6_service()) {
880 case IPV6_6IN4:
881 // avoid NATing proto-41 packets when using 6in4 tunnel
882 p = "! -p 41";
883 break;
884 }
885 #endif
886
887 for (i = 0; i < wanfaces.count; ++i) {
888 if (*(wanfaces.iface[i].name)) {
889 if ((!wanup) || (nvram_get_int("ne_snat") != 1))
890 ipt_write("-A POSTROUTING %s -o %s -j MASQUERADE\n", p, wanfaces.iface[i].name);
891 else
892 ipt_write("-A POSTROUTING %s -o %s -j SNAT --to-source %s\n", p, wanfaces.iface[i].name, wanfaces.iface[i].ip);
893 }
894 }
895
896 char *modem_ipaddr;
897 if ( (nvram_match("wan_proto", "pppoe") || nvram_match("wan_proto", "dhcp") || nvram_match("wan_proto", "static") )
898 && (modem_ipaddr = nvram_safe_get("modem_ipaddr")) && *modem_ipaddr && !nvram_match("modem_ipaddr","0.0.0.0")
899 && (!foreach_wif(1, NULL, is_sta)) )
900 ipt_write("-A POSTROUTING -o %s -d %s -j MASQUERADE\n", nvram_safe_get("wan_ifname"), modem_ipaddr);
901
902 switch (nvram_get_int("nf_loopback")) {
903 case 1: // 1 = forwarded-only
904 case 2: // 2 = disable
905 break;
906 default: // 0 = all (same as block_loopback=0)
907 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
908 lanface,
909 lanaddr, lanmask,
910 lanaddr, lanmask,
911 lanaddr);
912 if (strcmp(lan1face,"")!=0)
913 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
914 lan1face,
915 lan1addr, lan1mask,
916 lan1addr, lan1mask,
917 lan1addr);
918 if (strcmp(lan2face,"")!=0)
919 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
920 lan2face,
921 lan2addr, lan2mask,
922 lan2addr, lan2mask,
923 lan2addr);
924 if (strcmp(lan3face,"")!=0)
925 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j SNAT --to-source %s\n",
926 lan3face,
927 lan3addr, lan3mask,
928 lan3addr, lan3mask,
929 lan3addr);
930 break;
931 }
932 }
933 ipt_write("COMMIT\n");
934 }
935
936 // -----------------------------------------------------------------------------
937 // FILTER
938 // -----------------------------------------------------------------------------
939
940 static void filter_input(void)
941 {
942 char s[64];
943 char t[512];
944 char *en;
945 char *sec;
946 char *hit;
947 int n;
948 char *p, *c;
949
950 if ((nvram_get_int("nf_loopback") != 0) && (wanup)) { // 0 = all
951 for (n = 0; n < wanfaces.count; ++n) {
952 if (*(wanfaces.iface[n].name)) {
953 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface, wanfaces.iface[n].ip);
954 if (strcmp(lan1face,"")!=0)
955 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan1face, wanfaces.iface[n].ip);
956 if (strcmp(lan2face,"")!=0)
957 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan2face, wanfaces.iface[n].ip);
958 if (strcmp(lan3face,"")!=0)
959 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lan3face, wanfaces.iface[n].ip);
960 }
961 }
962 }
963
964 ipt_write(
965 "-A INPUT -m state --state INVALID -j DROP\n"
966 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n");
967
968 strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
969 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
970 /*
971 ? what if the user uses the start button in GUI ?
972 if (nvram_get_int("telnetd_eas"))
973 if (nvram_get_int("sshd_eas"))
974 */
975 #ifdef LINUX26
976 modprobe("xt_recent");
977 #else
978 modprobe("ipt_recent");
979 #endif
980
981 ipt_write(
982 "-N shlimit\n"
983 "-A shlimit -m recent --set --name shlimit\n"
984 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
985 atoi(hit) + 1, sec, chain_in_drop);
986
987 if (n & 1) {
988 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
989 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
990 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
991 }
992 }
993 if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
994 }
995
996 #ifdef TCONFIG_FTP
997 strlcpy(s, nvram_safe_get("ftp_limit"), sizeof(s));
998 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
999 #ifdef LINUX26
1000 modprobe("xt_recent");
1001 #else
1002 modprobe("ipt_recent");
1003 #endif
1004
1005 ipt_write(
1006 "-N ftplimit\n"
1007 "-A ftplimit -m recent --set --name ftp\n"
1008 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
1009 atoi(hit) + 1, sec, chain_in_drop);
1010 ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1011 }
1012 #endif
1013
1014 ipt_write(
1015 "-A INPUT -i lo -j ACCEPT\n"
1016 "-A INPUT -i %s -j ACCEPT\n",
1017 lanface);
1018 if (strcmp(lan1face,"")!=0)
1019 ipt_write(
1020 "-A INPUT -i %s -j ACCEPT\n",
1021 lan1face);
1022 if (strcmp(lan2face,"")!=0)
1023 ipt_write(
1024 "-A INPUT -i %s -j ACCEPT\n",
1025 lan2face);
1026 if (strcmp(lan3face,"")!=0)
1027 ipt_write(
1028 "-A INPUT -i %s -j ACCEPT\n",
1029 lan3face);
1030
1031 #ifdef TCONFIG_IPV6
1032 n = get_ipv6_service();
1033 switch (n) {
1034 case IPV6_ANYCAST_6TO4:
1035 case IPV6_6IN4:
1036 // Accept ICMP requests from the remote tunnel endpoint
1037 if (n == IPV6_ANYCAST_6TO4)
1038 sprintf(s, "192.88.99.%d", nvram_get_int("ipv6_relay"));
1039 else
1040 strlcpy(s, nvram_safe_get("ipv6_tun_v4end"), sizeof(s));
1041 if (*s && strcmp(s, "0.0.0.0") != 0)
1042 ipt_write("-A INPUT -p icmp -s %s -j %s\n", s, chain_in_accept);
1043 ipt_write("-A INPUT -p 41 -j %s\n", chain_in_accept);
1044 break;
1045 }
1046 #endif
1047
1048 // ICMP request from WAN interface
1049 if (nvram_match("block_wan", "0")) {
1050 if (nvram_match("block_wan_limit", "0")) {
1051 // allow ICMP packets to be received
1052 ipt_write("-A INPUT -p icmp -j %s\n", chain_in_accept);
1053 // allow udp traceroute packets
1054 ipt_write("-A INPUT -p udp --dport 33434:33534 -j %s\n", chain_in_accept);
1055 } else {
1056 // allow ICMP packets to be received, but restrict the flow to avoid ping flood attacks
1057 ipt_write("-A INPUT -p icmp -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_icmp"), chain_in_accept);
1058 // allow udp traceroute packets, but restrict the flow to avoid ping flood attacks
1059 ipt_write("-A INPUT -p udp --dport 33434:33534 -m limit --limit %d/second -j %s\n", nvram_get_int("block_wan_limit_tr"), chain_in_accept);
1060 }
1061 }
1062
1063 /* Accept incoming packets from broken dhcp servers, which are sending replies
1064 * from addresses other than used for query. This could lead to a lower level
1065 * of security, so allow to disable it via nvram variable.
1066 */
1067 if (nvram_invmatch("dhcp_pass", "0") && using_dhcpc()) {
1068 ipt_write("-A INPUT -p udp --sport 67 --dport 68 -j %s\n", chain_in_accept);
1069 }
1070
1071 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
1072 p = t;
1073 do {
1074 if ((c = strchr(p, ',')) != NULL) *c = 0;
1075
1076 if (ipt_source(p, s, "remote management", NULL)) {
1077
1078 if (remotemanage) {
1079 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1080 s, nvram_safe_get("http_wanport"), chain_in_accept);
1081 }
1082
1083 if (nvram_get_int("sshd_remote")) {
1084 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1085 s, nvram_safe_get("sshd_rport"), chain_in_accept);
1086 }
1087 }
1088
1089 if (!c) break;
1090 p = c + 1;
1091 } while (*p);
1092
1093 #ifdef TCONFIG_NGINX //Tomato RAF - Web Server
1094 if (nvram_match("nginx_enable", "1") && nvram_match("nginx_remote", "1"))
1095 ipt_write("-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "nginx_port" ));
1096 #endif
1097
1098 #ifdef TCONFIG_FTP // !!TB - FTP Server
1099 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1100 strlcpy(t, nvram_safe_get("ftp_sip"), sizeof(t));
1101 p = t;
1102 do {
1103 if ((c = strchr(p, ',')) != NULL) *c = 0;
1104 if (ipt_source(p, s, "ftp", "remote access")) {
1105 ipt_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1106 s, nvram_safe_get("ftp_port"), chain_in_accept);
1107 }
1108 if (!c) break;
1109 p = c + 1;
1110 } while (*p);
1111 }
1112 #endif
1113
1114 #ifdef TCONFIG_SNMP
1115 if( nvram_match( "snmp_enable", "1" ) && nvram_match("snmp_remote", "1"))
1116 {
1117 strlcpy(t, nvram_safe_get("snmp_remote_sip"), sizeof(t));
1118 p = t;
1119 do {
1120 if ((c = strchr(p, ',')) != NULL) *c = 0;
1121
1122 if (ipt_source(p, s, "snmp", "remote")) {
1123 ipt_write("-A INPUT -p udp %s --dport %s -j %s\n",
1124 s, nvram_safe_get("snmp_port"), chain_in_accept);
1125 }
1126
1127 if (!c) break;
1128 p = c + 1;
1129 } while (*p);
1130 }
1131 #endif
1132
1133 // IGMP query from WAN interface
1134 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1135 ipt_write("-A INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT\n");
1136 ipt_write("-A INPUT -p udp -d 224.0.0.0/4 ! --dport 1900 -j ACCEPT\n");
1137 }
1138
1139 // Routing protocol, RIP, accept
1140 if (nvram_invmatch("dr_wan_rx", "0")) {
1141 ipt_write("-A INPUT -p udp --dport 520 -j ACCEPT\n");
1142 }
1143
1144 //BT Client ports from WAN interface
1145 if (nvram_match("bt_enable", "1")) {
1146 ipt_write( "-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "bt_port" ) );
1147 if (nvram_match( "bt_rpc_wan", "1") )
1148 {
1149 ipt_write( "-A INPUT -p tcp --dport %s -j ACCEPT\n", nvram_safe_get( "bt_port_gui" ) );
1150 }
1151 }
1152
1153 // if logging
1154 if (*chain_in_drop == 'l') {
1155 ipt_write( "-A INPUT -j %s\n", chain_in_drop);
1156 }
1157
1158 // default policy: DROP
1159 }
1160
1161 // clamp TCP MSS to PMTU of WAN interface (IPv4 only?)
1162 static void clampmss(void)
1163 {
1164 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
1165 #ifdef TCONFIG_IPV6
1166 switch (get_ipv6_service()) {
1167 case IPV6_ANYCAST_6TO4:
1168 case IPV6_6IN4:
1169 ip6t_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
1170 break;
1171 }
1172 #endif
1173 }
1174
1175 static void filter_forward(void)
1176 {
1177 char dst[64];
1178 char src[64];
1179 char t[512];
1180 char *p, *c;
1181 int i;
1182
1183 #ifdef TCONFIG_IPV6
1184 ip6t_write(
1185 "-A FORWARD -m rt --rt-type 0 -j DROP\n");
1186 #endif
1187
1188 if (nvram_match("cstats_enable", "1")) {
1189 ipt_account();
1190 }
1191
1192 ip46t_write(
1193 "-A FORWARD -i %s -o %s -j ACCEPT\n", // accept all lan to lan
1194 lanface, lanface);
1195 if (strcmp(lan1face,"")!=0)
1196 ip46t_write(
1197 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1198 lan1face, lan1face);
1199 if (strcmp(lan2face,"")!=0)
1200 ip46t_write(
1201 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1202 lan2face, lan2face);
1203 if (strcmp(lan3face,"")!=0)
1204 ip46t_write(
1205 "-A FORWARD -i %s -o %s -j ACCEPT\n",
1206 lan3face, lan3face);
1207
1208 char lanAccess[17] = "0000000000000000";
1209
1210 const char *d, *sbr, *saddr, *dbr, *daddr, *desc;
1211 char *nv, *nvp, *b;
1212 int n;
1213 nvp = nv = strdup(nvram_safe_get("lan_access"));
1214 if (nv) {
1215 while ((b = strsep(&nvp, ">")) != NULL) {
1216 /*
1217 1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
1218
1219 1 = enabled
1220 0 = src bridge
1221 1.2.3.4 = src addr
1222 1 = dst bridge
1223 5.6.7.8 = dst addr
1224 desc = desc
1225 */
1226 n = vstrsep(b, "<", &d, &sbr, &saddr, &dbr, &daddr, &desc);
1227 if (*d != '1')
1228 continue;
1229 if (!ipt_addr(src, sizeof(src), saddr, "src", IPT_V4|IPT_V6, 0, "LAN access", desc))
1230 continue;
1231 if (!ipt_addr(dst, sizeof(dst), daddr, "dst", IPT_V4|IPT_V6, 0, "LAN access", desc))
1232 continue;
1233
1234 //ipv4 only
1235 ipt_write("-A FORWARD -i %s%s -o %s%s %s %s -j ACCEPT\n",
1236 "br",
1237 sbr,
1238 "br",
1239 dbr,
1240 src,
1241 dst);
1242
1243 if ((strcmp(src,"")==0) && (strcmp(dst,"")==0))
1244 lanAccess[((*sbr-48)+(*dbr-48)*4)] = '1';
1245
1246 }
1247 }
1248 free(nv);
1249
1250 ip46t_write(
1251 "-A FORWARD -m state --state INVALID -j DROP\n"); // drop if INVALID state
1252
1253 // clamp tcp mss to pmtu
1254 clampmss();
1255
1256 if (wanup) {
1257 ipt_restrictions();
1258
1259 ipt_layer7_inbound();
1260 }
1261
1262 ipt_webmon();
1263
1264 ip46t_write(
1265 ":wanin - [0:0]\n"
1266 ":wanout - [0:0]\n"
1267 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"); // already established or related (via helper)
1268
1269 char lanN_ifname[] = "lanXX_ifname";
1270 char br;
1271 for(br=0 ; br<=3 ; br++) {
1272 char bridge[2] = "0";
1273 if (br!=0)
1274 bridge[0]+=br;
1275 else
1276 strcpy(bridge, "");
1277
1278 sprintf(lanN_ifname, "lan%s_ifname", bridge);
1279 if (strncmp(nvram_safe_get(lanN_ifname), "br", 2) == 0) {
1280 char lanN_ifname2[] = "lanXX_ifname";
1281 char br2;
1282 for(br2=0 ; br2<=3 ; br2++) {
1283 if (br==br2) continue;
1284
1285 if (lanAccess[((br)+(br2)*4)] == '1') continue;
1286
1287 char bridge2[2] = "0";
1288 if (br2!=0)
1289 bridge2[0]+=br2;
1290 else
1291 strcpy(bridge2, "");
1292
1293 sprintf(lanN_ifname2, "lan%s_ifname", bridge2);
1294 if (strncmp(nvram_safe_get(lanN_ifname2), "br", 2) == 0) {
1295 ipt_write("-A FORWARD -i %s -o %s -j DROP\n",
1296 nvram_safe_get(lanN_ifname),
1297 nvram_safe_get(lanN_ifname2));
1298 }
1299 }
1300 // ip46t_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1301 }
1302 }
1303
1304 #ifdef TCONFIG_PPTPD
1305 //Add for pptp server
1306 if (nvram_match("pptpd_enable", "1")) {
1307 ipt_write("-A INPUT -p tcp --dport 1723 -j ACCEPT\n");
1308 ipt_write("-A INPUT -p 47 -j ACCEPT\n");
1309 }
1310 #endif
1311
1312 #ifdef TCONFIG_IPV6
1313 // Filter out invalid WAN->WAN connections
1314 if (*wan6face)
1315 // ip6t_write("-A FORWARD -o %s ! -i %s -j %s\n", wan6face, lanface, chain_in_drop); //shibby - we cant drop connections from WAN to LAN1-3
1316 ip6t_write("-A FORWARD -o %s -i %s -j %s\n", wan6face, wan6face, chain_in_drop); //shibby - drop connection from WAN -> WAN only
1317
1318 #ifdef LINUX26
1319 modprobe("xt_length");
1320 ip6t_write("-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
1321 #endif
1322
1323 // ICMPv6 rules
1324 for (i = 0; i < sizeof(allowed_icmpv6)/sizeof(int); ++i) {
1325 ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[i], chain_in_accept);
1326 }
1327
1328 //IPv6
1329 if (*wan6face) {
1330 ip6t_write(
1331 "-A FORWARD -i %s -j wanin\n" // generic from wan
1332 "-A FORWARD -o %s -j wanout\n", // generic to wan
1333 wan6face, wan6face);
1334 }
1335 #endif
1336
1337 //IPv4
1338 for (i = 0; i < wanfaces.count; ++i) {
1339 if (*(wanfaces.iface[i].name)) {
1340 ipt_write(
1341 "-A FORWARD -i %s -j wanin\n" // generic from wan
1342 "-A FORWARD -o %s -j wanout\n", // generic to wan
1343 wanfaces.iface[i].name, wanfaces.iface[i].name);
1344 }
1345 }
1346
1347 for(br=0 ; br<=3 ; br++) {
1348 char bridge[2] = "0";
1349 if (br!=0)
1350 bridge[0]+=br;
1351 else
1352 strcpy(bridge, "");
1353
1354 sprintf(lanN_ifname, "lan%s_ifname", bridge);
1355 if (strncmp(nvram_safe_get(lanN_ifname), "br", 2) == 0) {
1356 ip46t_write("-A FORWARD -i %s -j %s\n", nvram_safe_get(lanN_ifname), chain_out_accept);
1357 }
1358 }
1359
1360 #ifdef TCONFIG_IPV6
1361 //IPv6 forward LAN->WAN accept
1362 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lanface, wan6face, chain_out_accept);
1363
1364 if (strcmp(lan1face,"")!=0)
1365 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan1face, wan6face, chain_out_accept);
1366 if (strcmp(lan2face,"")!=0)
1367 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan2face, wan6face, chain_out_accept);
1368 if (strcmp(lan3face,"")!=0)
1369 ip6t_write("-A FORWARD -i %s -o %s -j %s\n", lan3face, wan6face, chain_out_accept);
1370 #endif
1371
1372 // IPv4 only
1373 if (nvram_get_int("upnp_enable") & 3) {
1374 ipt_write(":upnp - [0:0]\n");
1375 for (i = 0; i < wanfaces.count; ++i) {
1376 if (*(wanfaces.iface[i].name)) {
1377 ipt_write("-A FORWARD -i %s -j upnp\n",
1378 wanfaces.iface[i].name);
1379 }
1380 }
1381 }
1382
1383 if (wanup) {
1384 if ((nvram_match("multicast_pass", "1")) || (nvram_match("udpxy_enable", "1"))) {
1385 ipt_write("-A wanin -p udp -d 224.0.0.0/4 -j %s\n", chain_in_accept);
1386 }
1387 ipt_triggered(IPT_TABLE_FILTER);
1388 ipt_forward(IPT_TABLE_FILTER);
1389 #ifdef TCONFIG_IPV6
1390 ip6t_forward();
1391 #endif
1392
1393 if (dmz_dst(dst)) {
1394 char dmz_ifname[IFNAMSIZ+1];
1395 strlcpy(dmz_ifname, nvram_safe_get("dmz_ifname"), sizeof(dmz_ifname));
1396 if(strcmp(dmz_ifname, "") == 0)
1397 strlcpy(dmz_ifname, lanface, sizeof(lanface));
1398 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
1399 p = t;
1400 do {
1401 if ((c = strchr(p, ',')) != NULL) *c = 0;
1402 if (ipt_source(p, src, "dmz", NULL))
1403 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", dmz_ifname, src, dst, chain_in_accept);
1404 if (!c) break;
1405 p = c + 1;
1406 } while (*p);
1407 }
1408 }
1409
1410 // default policy: DROP
1411 }
1412
1413 static void filter_log(void)
1414 {
1415 int n;
1416 char limit[128];
1417
1418 n = nvram_get_int("log_limit");
1419 if ((n >= 1) && (n <= 9999)) {
1420 sprintf(limit, "-m limit --limit %d/m", n);
1421 }
1422 else {
1423 limit[0] = 0;
1424 }
1425
1426 #ifdef TCONFIG_IPV6
1427 modprobe("ip6t_LOG");
1428 #endif
1429 if ((*chain_in_drop == 'l') || (*chain_out_drop == 'l')) {
1430 ip46t_write(
1431 ":logdrop - [0:0]\n"
1432 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \""
1433 #ifdef LINUX26
1434 " --log-macdecode"
1435 #endif
1436 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1437 "-A logdrop -j DROP\n"
1438 ":logreject - [0:0]\n"
1439 "-A logreject %s -j LOG --log-prefix \"REJECT \""
1440 #ifdef LINUX26
1441 " --log-macdecode"
1442 #endif
1443 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1444 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
1445 limit, limit);
1446 }
1447 if ((*chain_in_accept == 'l') || (*chain_out_accept == 'l')) {
1448 ip46t_write(
1449 ":logaccept - [0:0]\n"
1450 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \""
1451 #ifdef LINUX26
1452 " --log-macdecode"
1453 #endif
1454 " --log-tcp-sequence --log-tcp-options --log-ip-options\n"
1455 "-A logaccept -j ACCEPT\n",
1456 limit);
1457 }
1458 }
1459
1460 #ifdef TCONFIG_IPV6
1461 static void filter6_input(void)
1462 {
1463 char s[128];
1464 char t[512];
1465 char *en;
1466 char *sec;
1467 char *hit;
1468 int n;
1469 char *p, *c;
1470
1471 // RFC-4890, sec. 4.4.1
1472 const int allowed_local_icmpv6[] =
1473 { 130, 131, 132, 133, 134, 135, 136,
1474 141, 142, 143,
1475 148, 149, 151, 152, 153 };
1476
1477 ip6t_write(
1478 "-A INPUT -m rt --rt-type 0 -j %s\n"
1479 /* "-A INPUT -m state --state INVALID -j DROP\n" */
1480 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
1481 chain_in_drop);
1482
1483 #ifdef LINUX26
1484 modprobe("xt_length");
1485 ip6t_write("-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT\n");
1486 #endif
1487
1488 strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
1489 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
1490 #ifdef LINUX26
1491 modprobe("xt_recent");
1492 #else
1493 modprobe("ipt_recent");
1494 #endif
1495
1496 ip6t_write(
1497 "-N shlimit\n"
1498 "-A shlimit -m recent --set --name shlimit\n"
1499 "-A shlimit -m recent --update --hitcount %d --seconds %s --name shlimit -j %s\n",
1500 atoi(hit) + 1, sec, chain_in_drop);
1501
1502 if (n & 1) {
1503 ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface, nvram_safe_get("sshd_port"));
1504 if (nvram_get_int("sshd_remote") && nvram_invmatch("sshd_rport", nvram_safe_get("sshd_port"))) {
1505 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_rport"));
1506 }
1507 }
1508 if (n & 2) ip6t_write("-A INPUT -i %s -p tcp --dport %s -m state --state NEW -j shlimit\n", lanface, nvram_safe_get("telnetd_port"));
1509 }
1510
1511 #ifdef TCONFIG_FTP
1512 strlcpy(s, nvram_safe_get("ftp_limit"), sizeof(s));
1513 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
1514 #ifdef LINUX26
1515 modprobe("xt_recent");
1516 #else
1517 modprobe("ipt_recent");
1518 #endif
1519
1520 ip6t_write(
1521 "-N ftplimit\n"
1522 "-A ftplimit -m recent --set --name ftp\n"
1523 "-A ftplimit -m recent --update --hitcount %d --seconds %s --name ftp -j %s\n",
1524 atoi(hit) + 1, sec, chain_in_drop);
1525 ip6t_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
1526 }
1527 #endif // TCONFIG_FTP
1528
1529 ip6t_write(
1530 "-A INPUT -i %s -j ACCEPT\n" // anything coming from LAN
1531 "-A INPUT -i lo -j ACCEPT\n",
1532 lanface );
1533
1534 switch (get_ipv6_service()) {
1535 case IPV6_ANYCAST_6TO4:
1536 case IPV6_NATIVE_DHCP:
1537 // allow responses from the dhcpv6 server
1538 ip6t_write("-A INPUT -p udp --dport 546 -j %s\n", chain_in_accept);
1539 break;
1540 }
1541
1542 // ICMPv6 rules
1543 for (n = 0; n < sizeof(allowed_icmpv6)/sizeof(int); n++) {
1544 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[n], chain_in_accept);
1545 }
1546 for (n = 0; n < sizeof(allowed_local_icmpv6)/sizeof(int); n++) {
1547 ip6t_write("-A INPUT -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_local_icmpv6[n], chain_in_accept);
1548 }
1549
1550 // Remote Managment
1551 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
1552 p = t;
1553 do {
1554 if ((c = strchr(p, ',')) != NULL) *c = 0;
1555
1556 if (ip6t_source(p, s, "remote management", NULL)) {
1557
1558 if (remotemanage) {
1559 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1560 s, nvram_safe_get("http_wanport"), chain_in_accept);
1561 }
1562
1563 if (nvram_get_int("sshd_remote")) {
1564 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1565 s, nvram_safe_get("sshd_rport"), chain_in_accept);
1566 }
1567 }
1568
1569 if (!c) break;
1570 p = c + 1;
1571 } while (*p);
1572
1573 #ifdef TCONFIG_FTP
1574 // FTP server
1575 if (nvram_match("ftp_enable", "1")) { // FTP WAN access enabled
1576 strlcpy(t, nvram_safe_get("ftp_sip"), sizeof(t));
1577 p = t;
1578 do {
1579 if ((c = strchr(p, ',')) != NULL) *c = 0;
1580 if (ip6t_source(p, s, "ftp", "remote access")) {
1581 ip6t_write("-A INPUT -p tcp %s --dport %s -j %s\n",
1582 s, nvram_safe_get("ftp_port"), chain_in_accept);
1583 }
1584 if (!c) break;
1585 p = c + 1;
1586 } while (*p);
1587 }
1588 #endif
1589
1590 // if logging
1591 if (*chain_in_drop == 'l') {
1592 ip6t_write( "-A INPUT -j %s\n", chain_in_drop);
1593 }
1594
1595 // default policy: DROP
1596 }
1597
1598 #endif
1599
1600 static void filter_table(void)
1601 {
1602 ip46t_write(
1603 "*filter\n"
1604 ":INPUT DROP [0:0]\n"
1605 ":OUTPUT ACCEPT [0:0]\n"
1606 );
1607
1608 filter_log();
1609
1610 filter_input();
1611 #ifdef TCONFIG_IPV6
1612 filter6_input();
1613 ip6t_write("-A OUTPUT -m rt --rt-type 0 -j %s\n", chain_in_drop);
1614 #endif
1615
1616 if ((gateway_mode) || (nvram_match("wk_mode_x", "1"))) {
1617 ip46t_write(":FORWARD DROP [0:0]\n");
1618 filter_forward();
1619 }
1620 else {
1621 ip46t_write(":FORWARD ACCEPT [0:0]\n");
1622 clampmss();
1623 }
1624 ip46t_write("COMMIT\n");
1625 }
1626
1627 // -----------------------------------------------------------------------------
1628
1629 int start_firewall(void)
1630 {
1631 DIR *dir;
1632 struct dirent *dirent;
1633 char s[256];
1634 char *c, *wanface;
1635 int n;
1636 int wanproto;
1637 char *iptrestore_argv[] = { "iptables-restore", (char *)ipt_fname, NULL };
1638 #ifdef TCONFIG_IPV6
1639 char *ip6trestore_argv[] = { "ip6tables-restore", (char *)ip6t_fname, NULL };
1640 #endif
1641
1642 simple_lock("firewall");
1643 simple_lock("restrictions");
1644
1645 wanup = check_wanup();
1646
1647 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
1648
1649 /* NAT performance tweaks
1650 * These values can be overriden later if needed via firewall script
1651 */
1652 f_write_string("/proc/sys/net/core/netdev_max_backlog", "3072", 0, 0);
1653 f_write_string("/proc/sys/net/core/somaxconn", "3072", 0, 0);
1654 f_write_string("/proc/sys/net/ipv4/tcp_max_syn_backlog", "8192", 0, 0);
1655 f_write_string("/proc/sys/net/ipv4/tcp_fin_timeout", "30", 0, 0);
1656 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_intvl", "24", 0, 0);
1657 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_probes", "3", 0, 0);
1658 f_write_string("/proc/sys/net/ipv4/tcp_keepalive_time", "1800", 0, 0);
1659 f_write_string("/proc/sys/net/ipv4/tcp_retries2", "5", 0, 0);
1660 f_write_string("/proc/sys/net/ipv4/tcp_syn_retries", "3", 0, 0);
1661 f_write_string("/proc/sys/net/ipv4/tcp_synack_retries", "3", 0, 0);
1662 #if defined(TCONFIG_BCMARM)
1663 f_write_string("/proc/sys/net/ipv4/tcp_tw_recycle", "0", 0, 0);
1664 #else
1665 f_write_string("/proc/sys/net/ipv4/tcp_tw_recycle", "1", 0, 0);
1666 #endif
1667 f_write_string("/proc/sys/net/ipv4/tcp_tw_reuse", "1", 0, 0);
1668
1669 /* DoS-related tweaks */
1670 f_write_string("/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses", "1", 0, 0);
1671 f_write_string("/proc/sys/net/ipv4/tcp_rfc1337", "1", 0, 0);
1672 f_write_string("/proc/sys/net/ipv4/ip_local_port_range", "1024 65535", 0, 0);
1673
1674 wanproto = get_wan_proto();
1675 f_write_string("/proc/sys/net/ipv4/ip_dynaddr", (wanproto == WP_DISABLED || wanproto == WP_STATIC) ? "0" : "1", 0, 0);
1676
1677 #ifdef TCONFIG_EMF
1678 /* Force IGMPv2 due EMF limitations */
1679 if (nvram_get_int("emf_enable")) {
1680 f_write_string("/proc/sys/net/ipv4/conf/default/force_igmp_version", "2", 0, 0);
1681 f_write_string("/proc/sys/net/ipv4/conf/all/force_igmp_version", "2", 0, 0);
1682 }
1683 #endif
1684
1685 n = nvram_get_int("log_in");
1686 chain_in_drop = (n & 1) ? "logdrop" : "DROP";
1687 chain_in_accept = (n & 2) ? "logaccept" : "ACCEPT";
1688
1689 n = nvram_get_int("log_out");
1690 chain_out_drop = (n & 1) ? "logdrop" : "DROP";
1691 chain_out_reject = (n & 1) ? "logreject" : "REJECT --reject-with tcp-reset";
1692 chain_out_accept = (n & 2) ? "logaccept" : "ACCEPT";
1693
1694 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
1695
1696 strlcpy(lanface, nvram_safe_get("lan_ifname"), IFNAMSIZ);
1697 strlcpy(lan1face, nvram_safe_get("lan1_ifname"), IFNAMSIZ);
1698 strlcpy(lan2face, nvram_safe_get("lan2_ifname"), IFNAMSIZ);
1699 strlcpy(lan3face, nvram_safe_get("lan3_ifname"), IFNAMSIZ);
1700
1701 memcpy(&wanfaces, get_wanfaces(), sizeof(wanfaces));
1702 wanface = wanfaces.iface[0].name;
1703 #ifdef TCONFIG_IPV6
1704 strlcpy(wan6face, get_wan6face(), sizeof(wan6face));
1705 #endif
1706
1707 #ifdef LINUX26
1708 can_enable_fastnat = 1;
1709 #endif
1710
1711 strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
1712 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1713 strlcpy(lan_cclass, s, sizeof(lan_cclass));
1714 /*
1715 strlcpy(s, nvram_safe_get("lan1_ipaddr"), sizeof(s));
1716 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1717 strlcpy(lan1_cclass, s, sizeof(lan1_cclass));
1718
1719 strlcpy(s, nvram_safe_get("lan2_ipaddr"), sizeof(s));
1720 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1721 strlcpy(lan2_cclass, s, sizeof(lan2_cclass));
1722
1723 strlcpy(s, nvram_safe_get("lan3_ipaddr"), sizeof(s));
1724 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
1725 strlcpy(lan3_cclass, s, sizeof(lan3_cclass));
1726 */
1727
1728 /*
1729 block obviously spoofed IP addresses
1730
1731 rp_filter - BOOLEAN
1732 1 - do source validation by reversed path, as specified in RFC1812
1733 Recommended option for single homed hosts and stub network
1734 routers. Could cause troubles for complicated (not loop free)
1735 networks running a slow unreliable protocol (sort of RIP),
1736 or using static routes.
1737 0 - No source validation.
1738 */
1739 c = nvram_get("wan_ifname");
1740 /* mcast needs rp filter to be turned off only for non default iface */
1741 if (!(nvram_match("multicast_pass", "1")) || !(nvram_match("udpxy_enable", "1")) || strcmp(wanface, c) == 0) c = NULL;
1742
1743 if ((dir = opendir("/proc/sys/net/ipv4/conf")) != NULL) {
1744 while ((dirent = readdir(dir)) != NULL) {
1745 sprintf(s, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent->d_name);
1746 f_write_string(s, (c && strcmp(dirent->d_name, c) == 0) ? "0" : "1", 0, 0);
1747 }
1748 closedir(dir);
1749 }
1750
1751 remotemanage = 0;
1752 gateway_mode = !nvram_match("wk_mode", "router");
1753 if (gateway_mode) {
1754 /* Remote management */
1755 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
1756 nvram_invmatch("http_wanport", "0")) remotemanage = 1;
1757
1758 if (nvram_match("remote_mgt_https", "1")) {
1759 web_lanport = nvram_get_int("https_lanport");
1760 if (web_lanport <= 0) web_lanport = 443;
1761 } else {
1762 web_lanport = nvram_get_int("http_lanport");
1763 if (web_lanport <= 0) web_lanport = 80;
1764 }
1765 }
1766
1767 if ((ipt_file = fopen(ipt_fname, "w")) == NULL) {
1768 notice_set("iptables", "Unable to create iptables restore file");
1769 simple_unlock("firewall");
1770 return 0;
1771 }
1772
1773 #ifdef TCONFIG_IPV6
1774 if ((ip6t_file = fopen(ip6t_fname, "w")) == NULL) {
1775 notice_set("ip6tables", "Unable to create ip6tables restore file");
1776 simple_unlock("firewall");
1777 return 0;
1778 }
1779 modprobe("nf_conntrack_ipv6");
1780 modprobe("ip6t_REJECT");
1781 #endif
1782
1783 //shibby
1784 //if (nvram_match("imq_enable", "1")) {
1785 // char numdevs[10];
1786 // sprintf(numdevs, "numdevs=%d", nvram_get_int("imq_numdevs"));
1787 // modprobe("imq", numdevs );
1788
1789 // modprobe("imq");
1790 //#ifdef LINUX26
1791 // modprobe("xt_IMQ");
1792 //#else
1793 // modprobe("ipt_IMQ");
1794 //#endif
1795 // }
1796
1797
1798 mangle_table();
1799 nat_table();
1800 filter_table();
1801
1802 fclose(ipt_file);
1803 ipt_file = NULL;
1804
1805 #ifdef TCONFIG_IPV6
1806 fclose(ip6t_file);
1807 ip6t_file = NULL;
1808 #endif
1809
1810 #ifdef DEBUG_IPTFILE
1811 if (debug_only) {
1812 simple_unlock("firewall");
1813 simple_unlock("restrictions");
1814 return 0;
1815 }
1816 #endif
1817
1818 save_webmon();
1819
1820 if (nvram_get_int("upnp_enable") & 3) {
1821 f_write("/etc/upnp/save", NULL, 0, 0, 0);
1822 if (killall("miniupnpd", SIGUSR2) == 0) {
1823 f_wait_notexists("/etc/upnp/save", 5);
1824 }
1825 }
1826
1827 notice_set("iptables", "");
1828 if (_eval(iptrestore_argv, ">/var/notice/iptables", 0, NULL) == 0) {
1829 led(LED_DIAG, 0);
1830 notice_set("iptables", "");
1831 }
1832 else {
1833 sprintf(s, "%s.error", ipt_fname);
1834 rename(ipt_fname, s);
1835 syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
1836 led(LED_DIAG, 1);
1837
1838 /*
1839
1840 -P INPUT DROP
1841 -F INPUT
1842 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1843 -A INPUT -i br0 -j ACCEPT
1844
1845 -P FORWARD DROP
1846 -F FORWARD
1847 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
1848 -A FORWARD -i br0 -j ACCEPT
1849
1850 */
1851 }
1852
1853 #ifdef TCONFIG_IPV6
1854 if (ipv6_enabled()) {
1855 notice_set("ip6tables", "");
1856 if (_eval(ip6trestore_argv, ">/var/notice/ip6tables", 0, NULL) == 0) {
1857 notice_set("ip6tables", "");
1858 }
1859 else {
1860 sprintf(s, "%s.error", ip6t_fname);
1861 rename(ip6t_fname, s);
1862 syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
1863 led(LED_DIAG, 1);
1864 }
1865 }
1866 else {
1867 eval("ip6tables", "-F");
1868 eval("ip6tables", "-t", "mangle", "-F");
1869 }
1870 #endif
1871
1872 if (nvram_get_int("upnp_enable") & 3) {
1873 f_write("/etc/upnp/load", NULL, 0, 0, 0);
1874 killall("miniupnpd", SIGUSR2);
1875 }
1876
1877 simple_unlock("restrictions");
1878 sched_restrictions();
1879 enable_ip_forward();
1880 #ifdef TCONFIG_IPV6
1881 if (ipv6_enabled()) enable_ip6_forward();
1882 #endif
1883
1884 led(LED_DMZ, dmz_dst(NULL));
1885
1886 #ifdef TCONFIG_IPV6
1887 modprobe_r("nf_conntrack_ipv6");
1888 modprobe_r("ip6t_LOG");
1889 modprobe_r("ip6t_REJECT");
1890 #endif
1891 #ifdef LINUX26
1892 modprobe_r("xt_layer7");
1893 modprobe_r("xt_recent");
1894 modprobe_r("xt_HL");
1895 modprobe_r("xt_length");
1896 modprobe_r("xt_web");
1897 // modprobe_r("xt_webmon");
1898 modprobe_r("ipt_webmon");
1899 modprobe_r("xt_dscp");
1900 #else
1901 modprobe_r("ipt_layer7");
1902 modprobe_r("ipt_recent");
1903 modprobe_r("ipt_TTL");
1904 modprobe_r("ipt_web");
1905 modprobe_r("ipt_webmon");
1906 modprobe_r("ipt_dscp");
1907 #endif
1908 modprobe_r("ipt_ipp2p");
1909
1910 unlink("/var/webmon/domain");
1911 unlink("/var/webmon/search");
1912
1913 #ifdef TCONFIG_OPENVPN
1914 run_vpn_firewall_scripts();
1915 #endif
1916
1917 #ifdef TCONFIG_TINC
1918 run_tinc_firewall_script();
1919 #endif
1920
1921 run_nvscript("script_fire", NULL, 1);
1922
1923 #ifdef LINUX26
1924 allow_fastnat("firewall", can_enable_fastnat);
1925 try_enabling_fastnat();
1926 #endif
1927 simple_unlock("firewall");
1928 return 0;
1929 }
1930
1931 int stop_firewall(void)
1932 {
1933 led(LED_DMZ, 0);
1934 return 0;
1935 }
1936
1937 #ifdef DEBUG_IPTFILE
1938 void create_test_iptfile(void)
1939 {
1940 debug_only = 1;
1941 start_firewall();
1942 debug_only = 0;
1943 }
1944 #endif
1945
Tomato firmware and modifications.