-rw-r--r-- | package/iptables/files/firewall.conf | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
index 2c8faaa34..15794dece 100644
--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -20,6 +20,7 @@ iptables -t nat -N postrouting_rule
 ### Default policy
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
 ### INPUT
 ### (connections with the router as destination)
@@ -45,17 +46,19 @@ iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
 ### (connections with the router as source)
 # base case
-iptables -A OUTPUT -m state --state INVALID -j DROP
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
+iptables -A OUTPUT -p icmp -j ACCEPT
 ### FORWARD
 ### (connections routed through the router)
 # base case
 iptables -A FORWARD -m state --state INVALID -j DROP
-iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+# fix for broken ISPs blocking ICMP "fragmentation needed" packets
+#iptables -t mangle -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
 # custom rules
 iptables -A FORWARD -j forwarding_rule
 iptables -t nat -A PREROUTING -j prerouting_rule |
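Review bot: `iptables -P OUTPUT DROP` is set in the "Default policy" section, well before the OUTPUT ACCEPT rules in the second hunk are appended, so if any iptables command between the two fails the router is left unable to originate any traffic of its own (DNS, NTP, remote logging) instead of keeping its previous behaviour. INPUT and FORWARD already followed this pattern, but OUTPUT is the chain the device relies on to recover itself, which makes a partial load on this file harder to diagnose remotely. Consider setting the three policies only after the chains are populated, or loading the ruleset atomically with iptables-restore so a half-applied file cannot strand the box; at minimum a comment such as `# OUTPUT policy is DROP: every protocol the router itself originates must be ACCEPTed in the OUTPUT section below` would make the dependency visible to whoever edits the rules next. The surrounding file is not shown, so whether an init script already wraps this in a flush-and-reload is inferred only.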
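Review bot: The new `iptables -A OUTPUT -p icmp -j ACCEPT` is appended after the state rule that already accepts NEW, RELATED and ESTABLISHED, so the only ICMP it can still match is traffic conntrack classifies as INVALID (or UNTRACKED) — exactly what the removed `--state INVALID -j DROP` line used to discard on OUTPUT. If accepting that is deliberate, say so in a comment (`# ICMP accepted even when conntrack flags it INVALID, e.g. errors for flows it never saw`); otherwise the line is redundant and can go. In the FORWARD section the TCPMSS clamp is correctly moved to the mangle table but left commented out, so routed TCP sessions lose the PMTU workaround that the comment directly above it describes; either enable it or reword the comment to state that it is opt-in and when to turn it on. `$WAN` in that disabled line is unquoted, as it was before the change.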