#!/bin/sh ip rule flush ip rule add lookup main prio 32766 ip rule add lookup default prio 32767 ip rule add from $(nvram get wan_ipaddr) table 100 prio 100 ip rule add fwmark 0x100 table 100 prio 101 ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200 ip rule add fwmark 0x200 table 200 prio 201 ip route flush table 100 ip route flush table 200 for TABLE in 100 200 do ip route | grep link | while read ROUTE do ip route add table $TABLE to $ROUTE done done ip route add table 100 default via $(nvram get wan_gateway) ip route add table 200 default via $(nvram get wan2_gateway) ip route delete default ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname) insmod ipt_CONNMARK IPTABLES="/usr/sbin/iptables" #DD-WRT firewall rules #BEGIN #apply simple forward rules for RULE in $(nvram get forward_spec) do FROM=`echo $RULE | cut -d '>' -f 1` TO=`echo $RULE | cut -d '>' -f 2` STATE=`echo $FROM | cut -d ':' -f 2` PROTO=`echo $FROM | cut -d ':' -f 3` SPORT=`echo $FROM | cut -d ':' -f 4` DEST=`echo $TO | cut -d ':' -f 1` DPORT=`echo $TO | cut -d ':' -f 2` if [ "$STATE" = "on" ]; then if [ "$PROTO" = "both" ]; then iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT else iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT fi fi done #apply range forward rules for RULE in $(nvram get forward_port) do FROM=`echo $RULE | cut -d '>' -f 1` TO=`echo $RULE | cut -d '>' -f 2` STATE=`echo $FROM | cut -d ':' -f 2` PROTO=`echo $FROM | cut -d ':' -f 3` SPORT=`echo $FROM | cut -d ':' -f 4` EPORT=`echo $FROM | cut -d ':' -f 5` if [ "$STATE" = "on" ]; then if [ "$PROTO" = "both" ]; then iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO else iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO fi fi done iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr) if [ $(nvram get remote_management) -eq 1 ]; then iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport) fi if [ $(nvram get dmz_enable) -eq 1 ]; then DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr) iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP fi iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in #DD-WRT END $IPTABLES -F POSTROUTING -t nat $IPTABLES -t mangle -N ETH1 $IPTABLES -t mangle -F ETH1 $IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100 $IPTABLES -t mangle -N ETH2 $IPTABLES -t mangle -F ETH2 $IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200 $IPTABLES -t nat -N SPOOF_ETH1 $IPTABLES -t nat -F SPOOF_ETH1 $IPTABLES -t nat -A SPOOF_ETH1 -j LOG --log-prefix " SPOOF_ETH1 " $IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr) $IPTABLES -t nat -N SPOOF_ETH2 $IPTABLES -t nat -F SPOOF_ETH2 $IPTABLES -t nat -A SPOOF_ETH2 -j LOG --log-prefix " SPOOF_ETH2 " $IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr) $IPTABLES -A INPUT -p icmp -s 192.168.1.0/24 -d 192.168.1.1 -j ACCEPT #Save the gateway in the connection mark for new incoming connections $IPTABLES -t mangle -A PREROUTING -i $(nvram get wan_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100 $IPTABLES -t mangle -A PREROUTING -i $(nvram get wan2_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200 $IPTABLES -A POSTROUTING -t mangle -o $(nvram get wan_ifname) -j MARK --set-mark 0x100 $IPTABLES -A POSTROUTING -t mangle -o $(nvram get wan2_ifname) -j MARK --set-mark 0x200 $IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1 $IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2 $IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark $IPTABLES -t mangle -A PREROUTING -i br0 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark # Use the correct gateway for reply packets from local connections $IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark ## Allow AIM to always go out vlan1 (causes connection/login issues). iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 5190 -j SPOOF_ETH1 iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 5190 -j ETH1 iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 5190 -j ETH1 RP_PATH=/proc/sys/net/ipv4/conf for IFACE in `ls $RP_PATH`; do echo 0 > $RP_PATH/$IFACE/rp_filter done