OpenWRT Bridge Firewall Rules
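# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#
# NOTE(review): rules appended to the root chains with -A/-I here are not
# owned by the uci firewall, so if this file runs on every reload they may
# accumulate as duplicates. Confirm on the target; if it happens, guard each
# rule with a "-C" existence check (or "-D" before "-A").
#
# NOTE(review): the "-m mac --mac-source" matches below only see the MAC of
# the last hop on the directly attached segment, and a MAC address can be
# forged. Treat them as a convenience filter on the local link, not as
# authentication of the peer.

# Comma separated list of blocked tcp ports. These can be anything,
# but we're using the ports VNC and X Windows use since these services
# can be tunneled over SSH.
#blocked_tcp_ports=5900:5910,6000:6063

# A UDP port to block.
#blocked_udp_ports=5353

# Flush chains
#ip6tables -F INPUT
#ip6tables -F FORWARD
#ip6tables -F OUTPUT
#ip6tables -F

# Set up default policies
#ip6tables -P INPUT DROP
#ip6tables -P FORWARD DROP
#ip6tables -P OUTPUT DROP

# Block all ipv6 network solicitation from Xfinity modem
# (INPUT is appended; FORWARD is inserted at the head of the chain so it is
# evaluated before the uci forwarding rules.)
ip6tables -A INPUT -m mac --mac-source fc:91:14:77:7b:26 -m comment --comment "Deny Input" -j DROP
ip6tables -I FORWARD -m mac --mac-source fc:91:14:77:7b:26 -m comment --comment "Block_Xfinity_Router_IPv6" -j DROP

# Allow DHCP ACK response from Xfinity modem
iptables -A INPUT -p udp --source-port 67 --destination-port 68 -m mac --mac-source fc:91:14:77:7b:26 -m comment --comment "Allow DHCP ACK From Xfinity" -j ACCEPT

# Allow DHCP Request from Xfinity modem
iptables -A INPUT -p udp --source-port 68 --destination-port 67 -m mac --mac-source fc:91:14:77:7b:26 -m comment --comment "Allow DHCP Boot Request From Xfinity" -j ACCEPT

# Always allow loopback
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT

# Allow localhost traffic. This rule is for all protocols.
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
ip6tables -A INPUT -s ::1 -d ::1 -j ACCEPT

# Bridge Firewall Rules
# Allow HTTPS to this host from one known MAC on any interface.
iptables -A INPUT -p tcp --destination-port 443 -m mac --mac-source f0:de:f1:b6:cd:1f -j ACCEPT
# NOTE(review): the interface-restricted variant below can never match,
# because the rule above already accepts every packet it would match. If the
# intent was to allow 443 from that MAC on eth0.1 only, drop the rule above
# and re-enable this one instead.
#iptables -A INPUT -i eth0.1 -p tcp --destination-port 443 -m mac --mac-source f0:de:f1:b6:cd:1f -j ACCEPT

# DoS Rule Block where all tcp flags is none (Maybe same as drop invalid?)
# ("NULL" scan packets: no flags set at all.)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# DOS Prevention
# Block XMAS (every TCP flag set at once).
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

# Reject connection attempts not initiated from this router
#iptables -A INPUT -p tcp --syn -j DROP
#ip6tables -A INPUT -p tcp --syn -j DROP

# Allow return connections initiated from this router
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Don't syn with me (TESTING)
#iptables -A FORWARD -p tcp --syn -j DROP
#ip6tables -A FORWARD -p tcp --syn -j DROP

# Allow some ICMPv6 types in the INPUT chain
# Using ICMPv6 type names to be clear.
#ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT

# Allow some other types in the INPUT chain, but rate limit.
#ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/min -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -j ACCEPT

# Allow others ICMPv6 types but only if the hop limit field is 255.
#ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
#ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT

# When there isn't a match, the default policy (DROP) will be applied.
# To be sure, drop all other ICMPv6 types.
# We're dropping enough icmpv6 types to break RFC compliance.
#ip6tables -A INPUT -p icmpv6 -j LOG --log-prefix "dropped ICMPv6"
#ip6tables -A INPUT -p icmpv6 -j DROP

# Accept all ICMP v6 packets. Unlike with IPv4, it's not a good idea to block
# ICMPv6 traffic as IPv6 is much more heavily dependent on it.
#ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
#ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT

# Accept DHCPv6 traffic. If you use stateless autoconfiguration, or statically
# configure your machines, this is not necessary:
#ip6tables -A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT

# DoS Rule to Block syn-flood (just opening a SYN connection)
# need to install module for state tracking
#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Tethering
# temp disable
#iptables -t mangle -I POSTROUTING -m physdev --physdev-out usb0 -j TTL --ttl-set 65

# Allow ICMPv6 types that should be sent through the Internet.
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT

# Limit most NDP messages to the local network.
# (hop limit 255 is what on-link NDP uses; anything routed would be lower.)
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT

# If we're acting like a router, this could be a sign of problems.
# Log first, then reject, so the event is visible before it is blocked.
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j LOG --log-prefix "ra ICMPv6 type"
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type redirect -j LOG --log-prefix "redirect ICMPv6 type"
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j REJECT
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type redirect -j REJECT

# Accept all other ICMPv6 types in the OUTPUT chain.
#ip6tables -A OUTPUT -p icmpv6 -j ACCEPT

# Reject in the FORWARD chain. This rule is probably not needed
# due to the FORWARD policy.
ip6tables -A FORWARD -p icmpv6 -j REJECT

# Enough ICMPv6! :-D

# At the end of our IPv6 rules, reject all traffic that didn't match a rule.
# NOTE(review): the comment that used to sit here said this answered with
# "port unreachable" so that scanners report ports as "closed" and cannot
# tell a firewall is present. The rules below actually answer with
# icmp6-adm-prohibited, which explicitly tells the peer that an
# administrative filter blocked the packet, so that stealth claim does not
# hold as written. If the "closed port" behaviour is what you want, use
# --reject-with icmp6-port-unreachable (the ip6tables default) instead;
# if signalling a policy block is acceptable, the rules are fine as they are.
# Every ip6tables INPUT/FORWARD rule appended after these two is unreachable.
ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

#
# Some sample TCP rules. <These are for example purposes only.>
# The REJECT is for politeness on the local network.
#ip6tables -A INPUT -m multiport -p tcp --dport $blocked_tcp_ports -m hl --hl-eq 255 -j REJECT
#ip6tables -A OUTPUT -m multiport -p tcp --dport $blocked_tcp_ports -m hl --hl-eq 255 -j REJECT
#ip6tables -A INPUT -m multiport -p tcp --dport $blocked_tcp_ports -m hl --hl-lt 255 -j DROP
#ip6tables -A OUTPUT -m multiport -p tcp --dport $blocked_tcp_ports -m hl --hl-lt 255 -j DROP

# Block mdns
# for mobile systems add script for location-aware rules
# like iwconfig, ifconfig, ip, route2 date
# NOTE(review): despite the heading, the IPv4 rules here ACCEPT mDNS (5353)
# into and through the router; only the IPv6 side rejects it. Confirm which
# behaviour is intended.
iptables -A INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 5353 -j REJECT
iptables -A FORWARD -p udp --dport 5353 -j ACCEPT
# NOTE(review): the following ip6tables FORWARD rule is dead: the
# "ip6tables -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited"
# catch-all above already matches every packet before it is reached.
#ip6tables -A FORWARD -p udp --dport 5353 -j REJECT

# REJECT everything in the FORWARD chain.
# NOTE(review): the two ip6tables rules are dead for the same reason as
# above (shadowed by the IPv6 FORWARD catch-all); the IPv4 rules are live.
#ip6tables -A FORWARD -p tcp -j REJECT
#ip6tables -A FORWARD -p udp -j REJECT
iptables -A FORWARD -p tcp -j REJECT
iptables -A FORWARD -p udp -j REJECT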