I would like to disable luci firewall and use this firewall script in rc.local - would someone assist me to adjust this script so that each line will work in OpenWRT?
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# p4p1 is WAN interface, #p1p1 is LAN interface
-A POSTROUTING -o p4p1 -j MASQUERADE
# NAT pinhole: HTTP from WAN to LAN
-A PREROUTING -p tcp -m tcp -i p4p1 --dport 80 -j DNAT --to-destination 192.168.99.100:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i p1p1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i p1p1 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
-A INPUT -i p1p1 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i p1p1 -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (p1p1) to WAN (p4p1)
-A FORWARD -i p1p1 -o p4p1 -j ACCEPT
# allow traffic from our NAT pinhole
-A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
LAN_INTERFACE_NAME="br-lan"
WAN_INTERFACE_NAME="pppoe-wan"
Is this config correct?
*nat
iptables -A PREROUTING ACCEPT
iptables -A INPUT ACCEPT
iptables -A OUTPUT ACCEPT
iptables -A POSTROUTING ACCEPT
# p4p1 is WAN interface, #p1p1 is LAN interface
iptables -A POSTROUTING -o pppoe-wan -j MASQUERADE
# NAT pinhole: HTTP from WAN to LAN
iptables -A PREROUTING -p tcp -m tcp -i pppoe-wan --dport 80 -j DNAT --to-destination 192.168.99.100:80
*filter
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
iptables -A INPUT -i br-lan -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i br-lan -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN
iptables -A INPUT -i br-lan -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
iptables -A INPUT -i br-lan -p udp --dport 67:68 -j ACCEPT
# drop all other inbound traffic
iptables -A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (p1p1) to WAN (p4p1)
iptables -A FORWARD -i br-lan -o pppoe-wan -j ACCEPT
# allow traffic from our NAT pinhole
iptables -A FORWARD -p tcp -d 192.168.99.100 --dport 80 -j ACCEPT
# drop all other forwarded traffic
iptables -A FORWARD -j ACCEPT
# drop all other forwarded traffic
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -s 192.168.1.2
iptables -A FORWARD -d 192.168.1.2
iptables -t mangle -A PREROUTING -s 192.168.1.2 -j DSCP --set-dscp-class CS6
iptables -t mangle -A PREROUTING -d 192.168.1.2 -j DSCP --set-dscp-class CS6