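#!/bin/sh
###
#
# FreeWLAN Addons - http://www.freewlan.info
#
# This Script is based on the original La Fonera Firmware version 0.7.1r2
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA
#
# http://www.gnu.org/copyleft/gpl.html
#
###
# Copyright (C) 2006 OpenWrt.org
#
# Firewall rules for the FreeWLAN addons.  Reads the interface names from
# /tmp/network-config and the 'remote', 'fon' and 'router' UCI configs,
# empties the user chains handed to us by the base firewall, then opens or
# forwards exactly what the configuration asks for.
#
# Runs under BusyBox /bin/sh, so POSIX sh only - no bashisms.  Deliberately
# no 'set -e': every iptables call below stands on its own and one failing
# rule must not abort the script and leave the firewall half built.

. /tmp/network-config
. /etc/functions.sh

# is_port PORT - true when PORT is a plain decimal TCP port number 1-65535.
# Guards values that are spliced into a WAN accept rule: anything else
# (empty, a range such as '1:65535', a service name, extra tokens) would
# reach iptables as a broader - or differently shaped - rule than intended.
is_port() {
	case "$1" in
		'' | *[!0-9]*) return 1 ;;
	esac
	[ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 'remote' config: which remote-access features are switched on.
config_load remote
config_get ssh method ssh
config_get webif method webif
config_get rssh method rssh
config_get ssh_port method ssh_port

WAN="$wan_ifname"
LAN="$lan_ifname"
# Every rule below binds to one of these interfaces; with an empty name the
# iptables calls fail, so report that up front instead of per rule.
[ -n "$WAN" ] || printf '%s: wan_ifname is empty, WAN rules will fail\n' "$0" >&2
[ -n "$LAN" ] || printf '%s: lan_ifname is empty, LAN rules will fail\n' "$0" >&2

# 'fon' config: WAN mode and whether the WAN is bridged.
config_load fon
config_get mode wan mode
# Normalise the lowercase spelling so the mode test further down matches it.
[ "$mode" = "wlan" ] && mode="WLAN"
config_get bridge wan bridge

# 'router' config: the eth0 port settings.
config_load router
config_get eth0_on eth0 eth0_on
config_get eth0_nat eth0 eth0_nat
config_get eth0_ip eth0 eth0_ip
config_get eth0_mask eth0 eth0_mask

# Start from empty user chains so re-running the script does not stack rules.
# NOTE: the builtin FORWARD chain used at the bottom is NOT flushed here.
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
## The "-i $WAN" is used to match packets that come in via the $WAN interface.
## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
## to see the effects from within the LAN.

### Open port to WAN and LAN
## -- This allows port 22 to be answered by (dropbear on) the router
#iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT
#iptables -A input_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT

### Open Webinterface to WAN (available to LAN only by default)
#iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 80 -j ACCEPT
#iptables -A input_rule -i "$WAN" -p tcp --dport 80 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_rule -i "$WAN" -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
## -- Caveat: this exposes EVERY port of that host to the WAN; prefer the
##    per-port forwarding above unless the host is meant to be fully exposed.
# iptables -t nat -A prerouting_rule -i "$WAN" -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -i "$WAN" -d 192.168.1.2 -j ACCEPT

# Remote SSH from the WAN: only when the ssh service AND remote ssh are enabled.
if enabled "$rssh" && enabled "$ssh"; then
	iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT
	iptables -A input_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT
	# Optional extra SSH port.  The value comes from the UCI config (presumably
	# editable through the web UI) and goes straight into a WAN accept rule,
	# so only a single numeric port is accepted; anything else is reported
	# and ignored rather than opened.
	if [ -n "$ssh_port" ]; then
		if is_port "$ssh_port"; then
			iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport "$ssh_port" -j ACCEPT
			iptables -A input_rule -i "$WAN" -p tcp --dport "$ssh_port" -j ACCEPT
		else
			printf '%s: ignoring invalid remote.method.ssh_port "%s"\n' "$0" "$ssh_port" >&2
		fi
	fi
fi

# Web interface: reachable from the WAN only when explicitly enabled or when
# the WAN is bridged.  Otherwise port 80 from the WAN is dropped.
if [ "$webif" = "1" ] || [ "$bridge" = "1" ]; then
	iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 80 -j ACCEPT
	iptables -A input_rule -i "$WAN" -p tcp --dport 80 -j ACCEPT
else
	iptables -I input_rule -i "$WAN" -p tcp --dport 80 -j DROP
	# Inserted after - and therefore evaluated before - the DROP above, and not
	# bound to any interface: a peer with a link-local (169.254/16) source
	# address reaches the web UI even through the WAN port.  Presumably kept
	# for first-time setup over the Ethernet port.  Link-local traffic is not
	# routed, so this is only reachable from a directly attached segment, but
	# any host on that segment can claim such an address.
	iptables -I input_rule -s 169.254.0.0/16 -p tcp --dport 80 -j ACCEPT
fi

# Routed WLAN mode with the eth0 port enabled: let traffic flow between the
# WAN, the LAN and (unless bridged) eth0.  These rules land in the builtin
# FORWARD chain, which is not flushed above, so a re-run appends duplicates.
if [ "$mode" = "WLAN" ] && [ "x$eth0_on" = "x1" ]; then
	iptables -A FORWARD -i "$WAN" -o "$LAN" -j ACCEPT
	iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
	if [ "$bridge" != "1" ]; then
		iptables -A FORWARD -i eth0 -o "$LAN" -j ACCEPT
		iptables -A FORWARD -i "$LAN" -o eth0 -j ACCEPT
		iptables -A FORWARD -i eth0 -o "$WAN" -j ACCEPT
		iptables -A FORWARD -i "$WAN" -o eth0 -j ACCEPT
	fi
	# eth0 without NAT: accept WAN->eth0 ahead of everything else and exempt
	# the eth0 subnet from source NAT on its way out of the WAN.
	if [ "x$eth0_nat" = "x0" ]; then
		iptables -I FORWARD -i "$WAN" -o eth0 -j ACCEPT
		# ipcalc prints a 'NETWORK=a.b.c.d' line; keep only the address.
		eth0_net=$(ipcalc "$eth0_ip" "$eth0_mask" | grep NETWORK)
		eth0_net=${eth0_net#*=}
		if [ -n "$eth0_net" ]; then
			iptables -t nat -I postrouting_rule -s "$eth0_net/$eth0_mask" -o "$WAN" -j ACCEPT
		else
			# With no network address the rule would carry an empty source and
			# iptables would reject it; explain why instead of failing quietly.
			printf '%s: cannot compute eth0 network from "%s/%s", NAT exemption skipped\n' \
				"$0" "$eth0_ip" "$eth0_mask" >&2
		fi
	fi
fi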