Skip to content

Instantly share code, notes, and snippets.

@isuldor

isuldor/openwrt.rules

Created April 2, 2016 22:51
Show Gist options
  • Save isuldor/4c0095b04ed55f8c8336a3e9a7a19389 to your computer and use it in GitHub Desktop.
Save isuldor/4c0095b04ed55f8c8336a3e9a7a19389 to your computer and use it in GitHub Desktop.
Download ZIP
The default iptables ruleset in OpenWrt
Raw
openwrt.rules
# Generated by iptables-save v1.4.21 on Sun Mar 20 20:06:57 2016
*nat
:PREROUTING ACCEPT [181:25653]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [29:1972]
:POSTROUTING ACCEPT [29:1972]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m id --id 0x66773300 -j zone_lan_prerouting
-A PREROUTING -i eth0.1 -m id --id 0x66773300 -j zone_wan_prerouting
-A POSTROUTING -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m id --id 0x66773300 -j zone_lan_postrouting
-A POSTROUTING -o eth0.1 -m id --id 0x66773300 -j zone_wan_postrouting
-A zone_lan_postrouting -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m id --id 0x66773300 -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m id --id 0x66773300 -j MASQUERADE
-A zone_wan_prerouting -m id --id 0x66773300 -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Sun Mar 20 20:06:57 2016
# Generated by iptables-save v1.4.21 on Sun Mar 20 20:06:57 2016
*raw
:PREROUTING ACCEPT [8630:973100]
:OUTPUT ACCEPT [4164:751636]
COMMIT
# Completed on Sun Mar 20 20:06:57 2016
# Generated by iptables-save v1.4.21 on Sun Mar 20 20:06:57 2016
*mangle
:PREROUTING ACCEPT [1678:184776]
:INPUT ACCEPT [1531:162854]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [834:133762]
:POSTROUTING ACCEPT [834:133762]
-A FORWARD -o eth0.1 -p tcp -m id --id 0x66773300 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Mar 20 20:06:57 2016
# Generated by iptables-save v1.4.21 on Sun Mar 20 20:06:57 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m id --id 0x66773300 -j ACCEPT
-A INPUT -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_rule
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A INPUT -i br-lan -m id --id 0x66773300 -j zone_lan_input
-A INPUT -i eth0.1 -m id --id 0x66773300 -j zone_wan_input
-A FORWARD -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_rule
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i br-lan -m id --id 0x66773300 -j zone_lan_forward
-A FORWARD -i eth0.1 -m id --id 0x66773300 -j zone_wan_forward
-A FORWARD -m id --id 0x66773300 -j reject
-A OUTPUT -o lo -m id --id 0x66773300 -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_rule
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m id --id 0x66773300 -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o br-lan -m id --id 0x66773300 -j zone_lan_output
-A OUTPUT -o eth0.1 -m id --id 0x66773300 -j zone_wan_output
-A reject -p tcp -m id --id 0x66773300 -j REJECT --reject-with tcp-reset
-A reject -m id --id 0x66773300 -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m id --id 0x66773300 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -m id --id 0x66773300 -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m id --id 0x66773300 -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -m id --id 0x66773300 -j zone_lan_src_ACCEPT
-A zone_lan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -m id --id 0x66773300 -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.1 -m id --id 0x66773300 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.1 -m id --id 0x66773300 -j reject
-A zone_wan_forward -m id --id 0x66773300 -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m id --id 0x66773300 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m id --id 0x66773300 -m udp --dport 500 -m comment --comment "@rule[9]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -m id --id 0x66773300 -j zone_wan_dest_REJECT
-A zone_wan_input -m id --id 0x66773300 -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p tcp -m id --id 0x66773300 -m tcp --dport 22 -m comment --comment Allow-SSH -j ACCEPT
-A zone_wan_input -p udp -m id --id 0x66773300 -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m id --id 0x66773300 -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m id --id 0x66773300 -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -m id --id 0x66773300 -j zone_wan_src_REJECT
-A zone_wan_output -m id --id 0x66773300 -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -m id --id 0x66773300 -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.1 -m id --id 0x66773300 -j reject
COMMIT
# Completed on Sun Mar 20 20:06:57 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment