source: trunk/debian/packages/debwrt-net/tags/0.7~debwrtSTRETCH+7/etc/firewall/firewall.sh @ 886

#!/bin/sh
#
# Minimal firewal script 
#
# Johan van Zoomeren <amain@debwrt.net>

astop=
astart=
aflush=

. /lib/lsb/init-functions

# Remove # here and below to enable transparent sslh support
#. $(dirname ${0})/sslh.inc.sh

IPT=/sbin/iptables

modules() {
    log_warning_msg 'Loading iptables/netfilter kernel modules manually. Auto loading is broken...'

    modprobe -a nf_conntrack_ipv4 \
                xt_state \
                xt_multiport \
                xt_mark
}

flush() {
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t nat    -F
    $IPT -t nat    -X

    for flush in ${aflush}
    do
        ${flush}
    done
}

start() {
    flush

    $IPT -t filter -A INPUT       -m state --state RELATED,ESTABLISHED -i wan -j ACCEPT
    # sslh on port 443
    #$IPT -t filter -A INPUT       -p tcp   --dport 443                 -i wan -j ACCEPT
    $IPT -t filter -A INPUT       -i wan -j DROP

    $IPT -t filter -A FORWARD     -m state --state RELATED,ESTABLISHED -i wan -j ACCEPT
    $IPT -t filter -A FORWARD     -i wan -j DROP

    #$IPT -t nat    -A POSTROUTING -o wan -j SNAT --to-source "replace: WAN-IF-IP"
    $IPT -t nat    -A POSTROUTING -o wan -j MASQUERADE

    for start in ${astart}
    do
        ${start}
    done

    log_action_end_msg 0
}

stop() {
        flush
        log_action_end_msg 0
}

case $1 in
        start)
                modules
                log_action_begin_msg 'Loading firewall - starting'
                start
        ;;
        stop)
                log_action_begin_msg 'Loading firewall - stopping'
                stop
        ;;
        *)
                echo "usage: `basename $0` start|stop"
        ;;
esac