
TomatoRAF 1.28.121006 Firewall Script

Discussion in 'Tomato Firmware' started by JodelJoe, Jan 27, 2014.

  1. JodelJoe

    JodelJoe Networkin' Nut Member

    Hello all.
    I'm having a problem getting the following script to work.
    It seems not to work properly, but I am not sure.
    Could someone take a look at it? I put it at Scripts/Firewall.


    #!/bin/sh
    #######################
    ### Firewall Script ###
    #######################
    ## get wan interface
    WANIF=$(nvram get wan_ifname)
    # nvram get takes a single key; "wan netmask" was a typo for wan_netmask
    WANMASK=$(nvram get wan_netmask)
    ## nat
    ### POSTROUTING
    ## Add route to access external modem over WAN-Port
    #ip addr add 192.168.178.254/24 dev "$WANIF" brd +
    iptables -t nat -A POSTROUTING -o "$WANIF" -d 192.168.178.0/24 -j MASQUERADE
    ## nat
    ### PREROUTING
    # fragmented ICMP packets
    iptables -t nat -I PREROUTING 1 -i "$WANIF" -p icmp --fragment -j DROP
    # invalid packet size
    iptables -t nat -I PREROUTING 2 -i "$WANIF" -p tcp --tcp-option 64 -j DROP
    iptables -t nat -I PREROUTING 3 -i "$WANIF" -p tcp --tcp-option 128 -j DROP
    ## portscans / bad tcp flags
    # XMAS scan
    iptables -t nat -I PREROUTING 4 -i "$WANIF" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    # XMAS-PSH scan
    iptables -t nat -I PREROUTING 5 -i "$WANIF" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    # XMAS-ALL scan
    iptables -t nat -I PREROUTING 6 -i "$WANIF" -p tcp --tcp-flags ALL ALL -j DROP
    # FIN scan
    iptables -t nat -I PREROUTING 7 -i "$WANIF" -p tcp --tcp-flags ALL FIN -j DROP
    # SYN/RST scan
    iptables -t nat -I PREROUTING 8 -i "$WANIF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # SYN/FIN scan
    iptables -t nat -I PREROUTING 9 -i "$WANIF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # Null scan
    iptables -t nat -I PREROUTING 10 -i "$WANIF" -p tcp --tcp-flags ALL NONE -j DROP
    ###
    # private networks
    iptables -t nat -I PREROUTING 11 -i "$WANIF" -s 10.0.0.0/8 -j DROP
    iptables -t nat -I PREROUTING 12 -i "$WANIF" -s 127.0.0.0/8 -j DROP
    iptables -t nat -I PREROUTING 13 -i "$WANIF" -s 172.16.0.0/12 -j DROP
    iptables -t nat -I PREROUTING 14 -i "$WANIF" -s 169.254.0.0/16 -j DROP
    iptables -t nat -I PREROUTING 15 -i "$WANIF" -s 192.168.0.0/16 -j DROP
    # multicast addresses
    iptables -t nat -I PREROUTING 16 -i "$WANIF" -s 224.0.0.0/4 -j DROP
    iptables -t nat -I PREROUTING 17 -i "$WANIF" -d 224.0.0.0/4 -j DROP
    iptables -t nat -I PREROUTING 18 -i "$WANIF" -s 240.0.0.0/5 -j DROP
    iptables -t nat -I PREROUTING 19 -i "$WANIF" -d 240.0.0.0/5 -j DROP
    iptables -t nat -I PREROUTING 20 -i "$WANIF" -s 0.0.0.0/8 -j DROP
    iptables -t nat -I PREROUTING 21 -i "$WANIF" -d 0.0.0.0/8 -j DROP
    iptables -t nat -I PREROUTING 22 -i "$WANIF" -d 239.255.255.0/24 -j DROP
    iptables -t nat -I PREROUTING 23 -i "$WANIF" -d 255.255.255.255 -j DROP
    #######################
    ### End of Script ###
    #######################
  2. koitsu

    koitsu Network Guru Member

    1. What exactly is the problem?

    2. What exactly is the intention of this script? Tinkering around in the nat table is usually not what people want, but it depends on what you're trying to achieve.
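To illustrate koitsu's point about the nat table, here is the same rule set moved into the filter table, as an added example rather than code from either poster: nat PREROUTING is consulted only for the first packet of a new connection, so anti-scan rules placed there never see the later packets of a flow. The chain name "wan-guard" and the IPT override used for dry-running are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: the same anti-scan and bogon rules
# in the filter table, where every packet is inspected. nat PREROUTING is
# consulted only for the first packet of a new connection, so later packets
# of a flow never reach rules placed there. The chain name "wan-guard" is an
# assumption. Set IPT=echo to dry-run the rule set without a live router.

ipt() { ${IPT:-iptables} "$@"; }

# Dedicated chain so the rule set can be flushed and re-applied cleanly.
setup_wan_chain() {
    ipt -N wan-guard 2>/dev/null
    ipt -F wan-guard
}

# TCP flag combinations that no legitimate stack sends (scan fingerprints).
add_badflag_rules() {
    ipt -A wan-guard -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP  # XMAS
    ipt -A wan-guard -p tcp --tcp-flags ALL ALL -j DROP          # XMAS-ALL
    ipt -A wan-guard -p tcp --tcp-flags ALL FIN -j DROP          # FIN scan
    ipt -A wan-guard -p tcp --tcp-flags SYN,RST SYN,RST -j DROP  # SYN/RST
    ipt -A wan-guard -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP  # SYN/FIN
    ipt -A wan-guard -p tcp --tcp-flags ALL NONE -j DROP         # Null scan
}

# Source addresses that must never arrive from the Internet. Replies that
# belong to a connection we opened (e.g. to a modem on 192.168.178.0/24
# reached through the WAN port) are let through first, so the private-range
# drops do not break that path.
add_bogon_rules() {
    ipt -A wan-guard -m state --state ESTABLISHED,RELATED -j RETURN
    for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
               172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        ipt -A wan-guard -s "$net" -j DROP
    done
}

# Hook the chain in front of INPUT and FORWARD for packets arriving on WAN.
# $1 is the WAN interface; defaults to Tomato's nvram value when omitted.
apply_wan_guard() {
    wanif=${1:-$(nvram get wan_ifname)}
    setup_wan_chain
    add_badflag_rules
    add_bogon_rules
    ipt -I INPUT 1 -i "$wanif" -j wan-guard
    ipt -I FORWARD 1 -i "$wanif" -j wan-guard
}
```

Run `IPT=echo sh script.sh` (or call `apply_wan_guard eth0` with IPT=echo) to print the rules that would be installed before putting the script into Scripts/Firewall.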
