I am using 19.07 x86. I attempted to use this firewall ruleset. I lost the ssh connection and had to rewrite the x86 file. I need direction to make this ruleset functional. These are the steps I took.
- Navigated from luci web interface to system>startup> disabled firewall service
- ssh into x86, use vi to write new firewall into /etc/rc.local
- reboot
- no connection
This is the ruleset I used. eth0 is LAN, eth1 is WAN.
# clear iptable rules (user-defined chains in nat/mangle are deleted too)
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# reset counters
iptables -Z
# set default policies
# NOTE: with INPUT policy ACCEPT every port is reachable from eth1 (WAN) as well;
# the per-service INPUT rules below only take effect once this is changed to DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
# a chain policy can only be ACCEPT or DROP (iptables rejects "-P FORWARD REJECT");
# the intended reject behaviour is restored by the last FORWARD rule at the end
iptables -P FORWARD DROP
# nat table policies are set with -P; "-A PREROUTING ACCEPT" fails because the target needs -j
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# wan MTU fixing
iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# NAT traffic going out the WAN interface (POSTROUTING and MASQUERADE live in the nat table, so -t nat is required)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# forward from LAN to WAN
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Fix loopback settings
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Allow traffic on lan
iptables -A INPUT -i eth0 -j ACCEPT
# SSH - accept from LAN (the second copy of this rule further down was a duplicate and is dropped)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# enable traceroute rejections to get sent out
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
# DHCP client requests - accept from LAN
iptables -A INPUT -i eth0 -p udp --dport 67:68 -j ACCEPT
# allow known connections
# (the DNAT rule had no chain name after -A; FORWARD is assumed, matching the DNAT forward rule below)
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
# Allow incoming traffic to the firewall for established/related connections (listed only once)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing traffic from the firewall
iptables -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
# User initiated and related traffic
# Allow forwardings from WAN to LAN for established and related connections as well as for DNAT
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED,DNAT -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet access from subnets
# (as written this also matches NEW connections arriving on eth1; add -i eth0 to limit it to the LAN)
iptables -A FORWARD -m conntrack --ctstate NEW -j ACCEPT
# anything still unmatched in FORWARD is rejected, which is what the REJECT policy was meant to do
iptables -A FORWARD -j REJECT
I did forget to include one of these two bits, but I am not sure which one will work.
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
and
iptables -A INPUT -s 10.1.1.2/32 -j ACCEPT
Any help is much appreciated.
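Added example, not from the original post or from OpenWrt: a small POSIX sh lint that catches the kinds of syntax slips present in the ruleset above (a missing chain name after -A, a target word with no -j in front, a REJECT chain policy, MASQUERADE outside the nat table) before the script goes into /etc/rc.local, where a failing iptables line only prints to stderr and the remaining lines still run. The SAMPLE_RULES excerpt is constructed from the faulty lines in the post.

```shell
#!/bin/sh
# Static check for a flat iptables script before it goes into /etc/rc.local.
# Flags: -A/-I/-D with no chain name, a target word with no -j in front,
# a chain policy other than ACCEPT/DROP, and MASQUERADE outside the nat table.
# Prints one finding per bad line; returns 0 only when nothing was found.
lint_rules() {
    n=0 lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in iptables\ *) ;; *) continue ;; esac  # skip comments/blank
        set -- $line; shift                                   # split, drop "iptables"
        table=filter chain='' mode='' target='' prev=''
        for tok in "$@"; do
            case "$prev" in
                -t) table=$tok ;;
                -A|-I|-D) mode=$prev chain=$tok ;;
                -P) mode=-P chain=$tok ;;
                -j) target=$tok ;;
                *) case "$tok" in ACCEPT|DROP|REJECT|MASQUERADE|RETURN)
                    if [ "$mode" = -P ] && [ "$prev" = "$chain" ]; then
                        target=$tok                          # policy word of a -P line
                    else
                        n=$((n + 1)); echo "line $lineno: '$tok' appears without -j"
                    fi ;; esac ;;
            esac
            prev=$tok
        done
        case "$mode:$chain" in -[AID]:|-[AID]:-*)
            n=$((n + 1)); echo "line $lineno: $mode needs a chain name" ;; esac
        case "$mode:$target" in -P:ACCEPT|-P:DROP) ;; -P:*)
            n=$((n + 1)); echo "line $lineno: policy must be ACCEPT or DROP, not '$target'" ;; esac
        if [ "$target" = MASQUERADE ] && [ "$table" != nat ]; then
            n=$((n + 1)); echo "line $lineno: MASQUERADE only exists in the nat table (add -t nat)"
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: the faulty lines from the post beside correct ones.
SAMPLE_RULES='iptables -P INPUT ACCEPT
iptables -P FORWARD REJECT
iptables -t nat -A PREROUTING ACCEPT
iptables -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A -m conntrack --ctstate DNAT -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "fix the lines above before loading the ruleset"
```

Run it as `lint_rules < /etc/rc.local` on the router before rebooting; it only reads the file and never touches the live tables.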