Index

OpenWRT Firewall Configuration

OpenWRT S45firewall Script

I'll try to explain this more in the future, but the following text is a slightly modified version of the S45firewall script that I use at home.

#!/bin/sh
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
WIFI=$(nvram get wifi_ifname)

# The addresses are redacted from the original; fill in your own. The :? form
# aborts the script here, before any rule is touched, if one is left empty
# (an empty argument would make iptables swallow the next flag instead).
WAN_EXTERNAL_IP=${WAN_EXTERNAL_IP:?set the public address on the wan interface}
WIFI_ROUTER_IP=${WIFI_ROUTER_IP:?set the router address on the wifi interface}
LAN_SERVER_IP=${LAN_SERVER_IP:?set the ssh server address on the lan}
LAN_DESKTOP_IP=${LAN_DESKTOP_IP:?set the BitTorrent desktop address on the lan}

## CLEAR TABLES
for T in filter nat mangle; do
    iptables -t $T -F
    iptables -t $T -X
done

# set default policy to ACCEPT
iptables -t nat -P PREROUTING ACCEPT
# forward port 15555 (pick some obscure port of your choosing, 15555 is used here) from wan to ssh on the server.
# If the wan address is dynamic, drop the -d match and rely on -i $WAN alone.
iptables -t nat -A PREROUTING -d $WAN_EXTERNAL_IP -i $WAN -p tcp -m tcp --dport 15555 -j DNAT --to-destination $LAN_SERVER_IP:22
# the same hole for wifi clients that connect to the router's wifi-side address
iptables -t nat -A PREROUTING -d $WIFI_ROUTER_IP -i $WIFI -p tcp -m tcp --dport 15555 -j DNAT --to-destination $LAN_SERVER_IP:22
# forward BitTorrent port connections to katana (no port in --to-destination, so 6880:6889 is kept)
iptables -t nat -A PREROUTING -d $WAN_EXTERNAL_IP -i $WAN -p tcp -m tcp --dport 6880:6889 -j DNAT --to-destination $LAN_DESKTOP_IP

# set default policy to ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# masquerade all traffic going out to wan
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE


# set default policy to ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# nat OUTPUT only sees packets the router itself generates; there is nothing to rewrite there


# set default policy to DROP
iptables -t filter -P INPUT DROP
# accept all local and lan traffic
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i $LAN -j ACCEPT
# accept wan and wifi packets that belong to a connection the router already knows about
iptables -t filter -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i $WIFI -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ICMP from wifi only (the commented line would allow it from everywhere, wan included)
iptables -t filter -A INPUT -i $WIFI -p icmp -j ACCEPT
#iptables -t filter -A INPUT -p icmp -j ACCEPT
# allow GRE from wifi only
iptables -t filter -A INPUT -i $WIFI -p gre -j ACCEPT
#iptables -t filter -A INPUT -p gre -j ACCEPT
# allow dhcp from wifi (already accepted for lan)
iptables -t filter -A INPUT -i $WIFI -p udp -m udp --dport 67:68 -j ACCEPT
# allow dns lookups to the router from wifi (udp only; the tcp/53 fallback for large answers stays blocked)
iptables -t filter -A INPUT -i $WIFI -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
# allow access to the router's http interface from wifi (kept disabled)
#iptables -t filter -A INPUT -i $WIFI -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

# set default policy to DROP
iptables -t filter -P FORWARD DROP
# forward all packets that belong to a connection the router already knows about
iptables -t filter -A FORWARD -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i $WIFI -m state --state RELATED,ESTABLISHED -j ACCEPT
# forward any new connection from lan (to wan or wifi)
iptables -t filter -A FORWARD -i $LAN -m state --state NEW -j ACCEPT
# forward new connections from wifi to wan (not to lan)
iptables -t filter -A FORWARD -i $WIFI -o $WAN -m state --state NEW -j ACCEPT
# forward (NAT translated) connections to ssh on lan_server_ip.
# There is no -i match here, so wifi clients can also reach port 22 on the server directly, not only via 15555.
iptables -t filter -A FORWARD -d $LAN_SERVER_IP -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# forward (NAT translated) connections to bittorrent on lan_desktop_ip
iptables -t filter -A FORWARD -d $LAN_DESKTOP_IP -p tcp -m tcp --dport 6880:6889 -m state --state NEW -j ACCEPT
# the DROP policy takes care of all other traffic (invalid states, and new connections from wan and wifi
# to lan except for the ssh and BitTorrent holes above)

# set default policy to ACCEPT
iptables -t filter -P OUTPUT ACCEPT
# allow all traffic from the router itself out

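The script above encodes an intent that is easy to break with a later edit: INPUT and FORWARD default to DROP, and the only FORWARD rules a packet arriving from the wan can match are the conntrack rule and the two deliberate holes (ssh and BitTorrent). The following audit, an added example that is not part of the original page or the script, parses iptables-save style output and checks exactly that. The interface names (vlan1 for wan, br0 for lan, eth1 for wifi), the addresses and both rule dumps are constructed assumptions modelled on what the script produces; on a router where iptables-save is installed, the same functions can be fed "$(iptables-save)" instead.

```shell
#!/bin/sh
# Audit a saved ruleset against the intent of the S45firewall script.
# Added example, not code from the original page. Interface names, addresses
# and the two dumps below are constructed assumptions.

WAN_IF=vlan1

# Constructed iptables-save output modelled on what the script builds.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i vlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o vlan1 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -p tcp -m tcp --dport 6880:6889 -m state --state NEW -j ACCEPT
COMMIT'

# The same ruleset after a careless edit: FORWARD now defaults to ACCEPT and a
# web-server forward was added with neither a state nor an interface match.
BAD_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed 's/^:FORWARD DROP/:FORWARD ACCEPT/' | sed '/^COMMIT$/d')
BAD_DUMP="$BAD_DUMP
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT"

# chain_policy DUMP CHAIN: print the default policy of CHAIN in the filter table.
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# wan_reachable_accepts DUMP: one "DPORT STATE" line per FORWARD ACCEPT rule that
# a packet arriving on WAN_IF could match, i.e. a rule with no -i match at all or
# with -i WAN_IF. DPORT is "any" and STATE is "none" when the rule has no such match.
wan_reachable_accepts() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        $1 == "-A" && $2 == "FORWARD" {
            accept = 0; iface = ""; dport = "any"; state = "none"
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--state") state = $(i + 1)
            }
            if (accept && (iface == "" || iface == wan)) print dport, state
        }'
}

# unexpected_wan_holes DUMP ALLOWED: print every wan-reachable FORWARD accept that
# is neither the conntrack rule nor one of the ALLOWED destination ports
# (space separated, in iptables port or range syntax).
unexpected_wan_holes() {
    wan_reachable_accepts "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "RELATED,ESTABLISHED" || $2 == "ESTABLISHED,RELATED" { next }
        !($1 in ok) { print $1 " (state " $2 ")" }'
}

# audit_ruleset DUMP ALLOWED: return 0 when the ruleset matches the intent,
# 1 otherwise; the reasons go to stderr.
audit_ruleset() {
    rc=0
    for chain in INPUT FORWARD; do
        pol=$(chain_policy "$1" "$chain")
        if [ "$pol" != DROP ]; then
            echo "$chain policy is ${pol:-missing}, expected DROP" >&2
            rc=1
        fi
    done
    holes=$(unexpected_wan_holes "$1" "$2")
    if [ -n "$holes" ]; then
        printf 'unexpected wan-reachable FORWARD accept:\n%s\n' "$holes" >&2
        rc=1
    fi
    return $rc
}

# On the router itself this would be: audit_ruleset "$(iptables-save)" "22 6880:6889"
audit_ruleset "$GOOD_DUMP" "22 6880:6889" && echo "GOOD_DUMP: matches intent"
audit_ruleset "$BAD_DUMP" "22 6880:6889" || echo "BAD_DUMP: does NOT match intent"
```

The check deliberately treats a FORWARD accept with no -i match as wan-reachable, which is exactly how the two holes in the script are written; anything else in that position (or any rule without a state match, which would also pass unsolicited packets) is reported. The allowlist is given in the same port or range syntax the rules use, so it can be copied straight from the script.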
Web Design

Coming ... meh, who am I kidding? It has said "coming soon" for over 2 years now. :)

Astro Empires Battle Calc

Hey! I made a Greasemonkey script: ae_bc.user.js