Sure, you bet. Here are the pasted commands. They're separated, mainly for my own clarity. This should be sufficiently anonymized.
First line:
root@OpenWrt:~# ubus call system board
{
"kernel": "4.14.221",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 2 (v7l)",
"model": "Linksys WRT1900AC",
"board_name": "linksys,mamba",
"release": {
"distribution": "OpenWrt",
"version": "19.07.7",
"revision": "r11306-c4a6851c72",
"target": "mvebu/cortexa9",
"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
}
}
root@OpenWrt:~#
Second line, command 1:
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'ssss:tttt:uuuu::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
root@OpenWrt:~#
Second line, command 2:
root@OpenWrt:~# uci export dhcp;
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~#
Second line, command 3:
root@OpenWrt:~# uci export firewall;
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '123'
option src 'wan'
option name 'NTP'
option src_dport '123'
option target 'DNAT'
option dest_ip '192.168.1.rrr'
option dest 'lan'
list proto 'udp'
config redirect
option dest_port '22'
option src 'wan'
option name 'ssh'
option src_dport '22'
option target 'DNAT'
option dest_ip '192.168.1.rrr'
option dest 'lan'
list proto 'tcp'
config redirect
option dest_port 'vvvv-wwwww'
option src 'wan'
option name 'MoVE telemetry'
option src_dport 'vvvv-wwwww'
option target 'DNAT'
option dest_ip '192.168.1.rrr'
option dest 'lan'
list proto 'udp'
option enabled '0'
root@OpenWrt:~#
Third line:
root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~#
Fourth line:
root@OpenWrt:~# ip6tables-save -c
# Generated by ip6tables-save v1.8.3 on Fri Jun 4 10:36:54 2021
*mangle
:PREROUTING ACCEPT [206889:24440018]
:INPUT ACCEPT [158992:11897173]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32761:4810362]
:POSTROUTING ACCEPT [32761:4810362]
[0:0] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jun 4 10:36:54 2021
# Generated by ip6tables-save v1.8.3 on Fri Jun 4 10:36:54 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[126:26068] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[158866:11871105] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[78:7290] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[37587:3137343] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[121201:8726472] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[126:26068] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[32635:4784294] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[21936:3857109] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[10699:927185] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[121201:8726472] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[10699:927185] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[37587:3137343] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[37587:3137343] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[10699:927185] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[10699:927185] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[37587:3137343] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[121201:8726472] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[121201:8726472] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[121201:8726472] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun 4 10:36:54 2021
root@OpenWrt:~#
Fifth line, command 1:
root@OpenWrt:~# ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 532
inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link
valid_lft forever preferred_lft forever
9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 eeee:ffff:gggg:hh:iiii:jjjj:kkkk:llll/128 scope global dynamic
valid_lft 355321sec preferred_lft 355321sec
inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link
valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 mmmm::nnnn:oooo:pppp:b5c/64 scope link
valid_lft forever preferred_lft forever
11: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 mmmm::nnnn:oooo:pppp:b5d/64 scope link
valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 aaaa:bbbb:cccc:dddd::1/64 scope global dynamic
valid_lft 355321sec preferred_lft 355321sec
inet6 ssss:tttt:uuuu::1/60 scope global
valid_lft forever preferred_lft forever
inet6 mmmm::nnnn:oooo:pppp:b5b/64 scope link
valid_lft forever preferred_lft forever
root@OpenWrt:~#
Fifth line, command 2:
root@OpenWrt:~# ip -6 ro li tab all
aaaa:bbbb:cccc:dddd::/64 dev br-lan metric 1024
unreachable aaaa:bbbb:cccc:dddd::/64 dev lo metric 2147483647 error -113
ssss:tttt:uuuu::/64 dev br-lan metric 1024
unreachable ssss:tttt:uuuu::/48 dev lo metric 2147483647 error -113
fe80::/64 dev eth1.2 metric 256
fe80::/64 dev eth1 metric 256
fe80::/64 dev wlan0 metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
local ::1 dev lo table local metric 0
anycast aaaa:bbbb:cccc:dddd:: dev br-lan table local metric 0
local aaaa:bbbb:cccc:dddd::1 dev br-lan table local metric 0
local eeee:ffff:gggg:hh:iiii:jjjj:kkkk:llll dev eth1.2 table local metric 0
anycast ssss:tttt:uuuu:: dev br-lan table local metric 0
local ssss:tttt:uuuu::1 dev br-lan table local metric 0
anycast fe80:: dev eth1 table local metric 0
anycast fe80:: dev eth1.2 table local metric 0
anycast fe80:: dev wlan0 table local metric 0
anycast fe80:: dev wlan1 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
local mmmm::nnnn:oooo:pppp:b5b dev eth1 table local metric 0
local mmmm::nnnn:oooo:pppp:b5b dev eth1.2 table local metric 0
local mmmm::nnnn:oooo:pppp:b5b dev eth0 table local metric 0
local mmmm::nnnn:oooo:pppp:b5b dev br-lan table local metric 0
local mmmm::nnnn:oooo:pppp:b5c dev wlan0 table local metric 0
local mmmm::nnnn:oooo:pppp:b5d dev wlan1 table local metric 0
ff00::/8 dev eth1.2 table local metric 256
ff00::/8 dev eth1 table local metric 256
ff00::/8 dev wlan0 table local metric 256
ff00::/8 dev wlan1 table local metric 256
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev br-lan table local metric 256
root@OpenWrt:~#
Fifth line, command 3:
root@OpenWrt:~# ip -6 ru
0: from all lookup local
32766: from all lookup main
4200000000: from aaaa:bbbb:cccc:dddd::1/64 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000009: from all iif eth1.2 lookup unspec 12
4200000009: from all iif eth1.2 lookup unspec 12
4200000012: from all iif br-lan lookup unspec 12
root@OpenWrt:~#
that should do it.
clear as mud