From 39d8800fe63c5bb69a9ecc088f59b59566c6e71e Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Sun, 11 Apr 2010 23:37:42 +0200
Subject: firewall.conf: minor fixups
- Apply drop policy to the OUTPUT chain, too (the actual behaviour should not have changed, as all now unhandled packets were explicitly dropped before).
- The TCPMSS target is only valid in the mangle table, which is not enabled by default. So fix the statement and comment it out to leave it up to the user to decide whether he really needs it.
---
 package/iptables/files/firewall.conf | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'package/iptables')
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
index 2c8faaa34..15794dece 100644
--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule
 ### Default policy
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
 ### INPUT
 ### (connections with the router as destination)
@@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
 ### (connections with the router as source)
 # base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
 ### FORWARD
 ### (connections routed through the router)
 # base case
 iptables -A FORWARD -m state --state INVALID -j DROP
-iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+# fix for broken ISPs blocking ICMP "fragmentation needed" packets
+#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
 # custom rules
 iptables -A FORWARD -j forwarding_rule
 iptables -t nat -A PREROUTING -j prerouting_rule
-- cgit v1.2.3
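Review bot: The in-file comment on the commented-out TCPMSS rule in the second hunk should say that it needs the mangle table, which the commit message says is not enabled by default, so a user who uncomments it and hits an iptables error knows why; e.g. `# fix for broken ISPs blocking ICMP "fragmentation needed" packets` followed by `# (needs the mangle table, which is not built in by default)`. The new `iptables -A OUTPUT -p icmp -j ACCEPT` line also deserves a why-comment: the preceding state match already accepts NEW, RELATED and ESTABLISHED, so this rule can only ever match ICMP the state match did not take (INVALID, or UNTRACKED if the raw table is used), and a reader would otherwise take it for a redundant line; something like `# ICMP not covered by the state rule above (e.g. INVALID-state errors)`. Note that with the first hunk's `iptables -P OUTPUT DROP` the net effect for the router's own traffic is "drop INVALID, accept everything else", which is broader than the old RELATED,ESTABLISHED-only accept; that seems intended, but the "behaviour should not have changed" wording in the description only holds if the rest of the OUTPUT chain (outside this hunk) accepted NEW before, which I cannot see here.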