An OpenWrt firewall and DSCP tagging script example
# Example stateful firewall with DSCP tagging for an OpenWrt router.
# Derived from the nftables page of the Arch Linux wiki:
# https://wiki.archlinux.org/index.php/nftables
#
# Interface roles (edit the two defines below to match your router):
#   LAN -> eth0, WAN -> eth1

# Start from an empty ruleset so loading this file twice gives the same result.
flush ruleset

define lan = eth0
define wan = eth1
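table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets conntrack cannot classify (bad TCP flag combinations,
        # out-of-window segments, stray replies) are dropped first so they
        # can never slip through the established/related rule below.
        ct state invalid drop
        # replies to traffic this host initiated, plus related flows (ICMP errors etc.)
        ct state established,related accept
        # loopback interface
        iifname lo accept

        ## ICMPv6 carries neighbour discovery, router advertisements and
        ## PMTU signalling; dropping it breaks IPv6, so all of it is accepted.
        ## It can be narrowed by icmpv6 type, but do so carefully.
        ip6 nexthdr icmpv6 accept
        # IPv4 ICMP from anywhere: only the control messages a working path needs
        ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        # IGMP is accepted on every interface; add `iifname $lan` if the WAN
        # side does not need multicast group management
        ip protocol igmp accept
        # any IPv4 ICMP (including echo-request) from the LAN
        ip protocol icmp meta iifname $lan accept

        ## NTP clients on the LAN
        udp dport ntp iifname $lan accept
        ## DHCPv4 requests from the LAN (logged)
        iifname $lan ip protocol udp udp sport bootpc udp dport bootps log prefix "FIREWALL ACCEPT DHCP: " accept
        ## DHCPv6 requests from the LAN
        iifname $lan udp sport dhcpv6-client udp dport dhcpv6-server accept
        ## DHCPv6 replies from the ISP to this router's WAN client
        iifname $wan udp sport dhcpv6-server udp dport dhcpv6-client accept

        # SSH (port 22) from any interface, limited per source address to
        # 10 new connections per minute (burst 15). On OpenWrt you will
        # usually not want SSH reachable from the WAN; to restrict it to the
        # LAN, prepend `iifname $lan` to both rules or replace them with:
        #   iifname $lan ct state new tcp dport ssh accept
        ct state new tcp dport ssh meter ssh-meter4 { ip saddr limit rate 10/minute burst 15 packets } accept
        ct state new ip6 nexthdr tcp tcp dport ssh meter ssh-meter6 { ip6 saddr limit rate 10/minute burst 15 packets } accept

        ## LuCI web interface from the LAN only
        iifname $lan tcp dport { http, https } accept

        ## DNS for the LAN; per-host rate limits (240/minute) reduce the
        ## impact of a misbehaving or compromised LAN host on the resolver
        iifname $lan udp dport domain meter dommeter4 { ip saddr limit rate 240/minute burst 240 packets } accept
        iifname $lan udp dport domain meter dommeter6 { ip6 saddr limit rate 240/minute burst 240 packets } accept
        iifname $lan tcp dport domain meter dommeter4tcp { ip saddr limit rate 240/minute burst 240 packets } accept
        iifname $lan tcp dport domain meter dommeter6tcp { ip6 saddr limit rate 240/minute burst 240 packets } accept

        ## remote syslog from the LAN: enable only if this router collects logs
        # iifname $lan udp dport 514 accept

        # everything else: count, log, drop
        counter log prefix "FIREWALL INPUT DROP: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # same ordering as in input: invalid first, then established/related
        ct state invalid drop
        ct state established,related accept
        # loopback never forwards; kept for symmetry with the input chain
        iifname lo accept
        ## LAN hosts may reach the WAN; nothing new is forwarded WAN -> LAN
        iifname $lan oifname $wan accept
        counter log prefix "FIREWALL FAIL FORWARDING: " drop
    }
}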
## IPv4 source NAT: everything leaving through the WAN interface is masqueraded.
table ip masq {
    ## Empty prerouting nat chain. The original author notes that a chain on
    ## this hook is required for the kernel to apply the reverse translation
    ## (un-masquerading) to replies.
    chain masqin {
        type nat hook prerouting priority 0; policy accept;
    }

    chain masqout {
        type nat hook postrouting priority 0; policy accept;
        oifname $wan masquerade
    }
}
## DSCP tagging table. Both interfaces hook at ingress and jump to the
## shared tagchain, so packets are marked whichever direction they travel.
table inet tag {
    chain lanin {
        type filter hook ingress device $lan priority 0;
        jump tagchain
    }

    chain wanin {
        type filter hook ingress device $wan priority 0;
        jump tagchain
    }

    ## Example marks for Steam game traffic (UDP 7000-9000 and 27000-27200):
    ## CS5 in either direction. A matching source port is enough to earn the
    ## mark, and on the WAN side that port is chosen by the remote peer.
    ## DSCP values already present on inbound packets are left as received;
    ## to wash them, add `ip dscp set cs0` / `ip6 dscp set cs0` ahead of these rules.
    chain tagchain {
        # IPv4
        ip protocol udp udp dport { 7000-9000, 27000-27200 } ip dscp set cs5
        ip protocol udp udp sport { 7000-9000, 27000-27200 } ip dscp set cs5
        # IPv6
        ip6 nexthdr udp udp dport { 7000-9000, 27000-27200 } ip6 dscp set cs5
        ip6 nexthdr udp udp sport { 7000-9000, 27000-27200 } ip6 dscp set cs5
    }
}
Very good idea, Daniel. Call of Duty uses port 3074, but in Wireshark the UDP ports that get the priority tag are 30000-45000,
so you would write:
ip protocol udp udp dport {3074, 30000-45000} ip dscp set cs5
but sometimes with the IP source and destination, like this:
iptables -t mangle -A POSTROUTING -p udp --dst 192.168.2.135 -j DSCP --sport 30000:45000 --dport 3074 --set-dscp-class CS5 -m comment --comment "Dopam-IT_1987-UDP-1-CALL-OF-DUTY"
iptables -t mangle -A POSTROUTING -p udp --src 192.168.2.135 -j DSCP --sport 3074 --dport 30000:45000 --set-dscp-class CS5 -m comment --comment "Dopam-IT_1987-UDP-2-CALL-OF-DUTY"