Gitiles
Code Review Sign In
192.168.1.100 / T106_DC / fa506f62f88ea670566f1b8ba5e88b2ca22b8443 / . / ap / app / Script / scripts / firewall_init.sh
blob: b28f88564e7cea2d19cd9a68367db149392360db [file] [log] [blame]
lh9ed821d2023-04-07 01:36:19 -0700[diff] [blame]1#!/bin/sh
2# Created by LiuWei @ 2010.8.27
3# init firewall
4#
5
6path_sh=`nv get path_sh`
7. $path_sh/global.sh
8echo "Info: firewall_init.sh start" >> $test_log
9
10
11ZTE_FILTER_CHAIN=macipport_filter
12ZTE_WEB_FILTER_CHAIN=web_filter
13ZTE_CLILDREN_CHAIN=children_filter
14ZTE_CLILDREN_WEB_CHAIN=children_web_filter
15ZTE_CLILDREN_WEB_PHONECHAIN=children_web_filter_phone
16
17#clear filter
18iptables -t filter -F
19iptables -t filter -X $ZTE_FILTER_CHAIN
20iptables -t filter -X $ZTE_WEB_FILTER_CHAIN
21iptables -t filter -X $ZTE_CLILDREN_CHAIN
22iptables -t filter -X $ZTE_CLILDREN_WEB_CHAIN
23iptables -t filter -X $ZTE_CLILDREN_WEB_PHONECHAIN
24
25ip6tables -t filter -F
26ip6tables -t filter -X $ZTE_FILTER_CHAIN
27
28#make a new chain for filter
29iptables -t filter -N $ZTE_FILTER_CHAIN
30iptables -t filter -N $ZTE_WEB_FILTER_CHAIN
31iptables -t filter -N $ZTE_CLILDREN_CHAIN
32iptables -t filter -N $ZTE_CLILDREN_WEB_CHAIN
33iptables -t filter -N $ZTE_CLILDREN_WEB_PHONECHAIN
34ip6tables -t filter -N $ZTE_FILTER_CHAIN
35
36iptables -t filter -A FORWARD -j $ZTE_WEB_FILTER_CHAIN
37iptables -t filter -A FORWARD -j $ZTE_FILTER_CHAIN
38iptables -t filter -A FORWARD -j $ZTE_CLILDREN_CHAIN
39iptables -t filter -A INPUT -j $ZTE_CLILDREN_WEB_CHAIN
40iptables -t filter -A FORWARD -j $ZTE_CLILDREN_WEB_PHONECHAIN
41ip6tables -t filter -A FORWARD -j $ZTE_FILTER_CHAIN
42
43ip6tables -t filter -A $ZTE_FILTER_CHAIN -m state --state RELATED,ESTABLISHED -j ACCEPT
44
45#Close unused port
46iptables -t filter -A INPUT -i $defwan_rel -p udp --dport 53 -j DROP
47iptables -t filter -A INPUT -i $defwan_rel -p tcp --dport 53 -j DROP
48iptables -t filter -A INPUT -p tcp --dport 7777 -j DROP
49iptables -t filter -A INPUT -p udp --dport 7777 -j DROP
50iptables -t filter -I INPUT -i $defwan_rel -p icmp --icmp-type echo-reply -j ACCEPT
51
52permit_gw=`nv get permit_gw`
53permit_nm=`nv get permit_nm`
54if [ "-${permit_gw}" != "-" ]; then
55 iptables -A FORWARD -o $defwan_rel -d $permit_gw/$permit_nm -j ACCEPT
56 iptables -A FORWARD -o $defwan_rel -j DROP
57 iptables -A OUTPUT -o $defwan_rel -d $permit_gw/$permit_nm -j ACCEPT
58 iptables -A OUTPUT -o $defwan_rel -j DROP
59fi
60
61permit_ip6=`nv get permit_ip6`
62if [ "-${permit_ip6}" != "-" ]; then
63 ip6tables -A FORWARD -o $defwan6_rel -d $permit_ip6 -j ACCEPT
64 ip6tables -A FORWARD -o $defwan6_rel -j DROP
65 ip6tables -A OUTPUT -o $defwan6_rel -d $permit_ip6 -j ACCEPT
66 ip6tables -A OUTPUT -o $defwan6_rel -j DROP
67fi
68
69
70if [ "-$defwan_rel" == "-ppp0" ]; then
71 mtu=`nv get mtu`
72 pppoe_mtu=`expr $mtu - 60`
73 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $pppoe_mtu
74else
75 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
76fi
77# firewall will flush nat and filter, so upnp should run after it.
78#sh $path_sh/upnp.sh
79