Initial commit

conf/usr/local/etc/IPv4_default_fw_rules

@@ -0,0 +1,37 @@
+# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 12:43:45 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 12:43:45 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 12:43:45 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 12:43:45 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 12:43:45 2023
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 12:43:45 2023

conf/usr/local/etc/IPv4_fw_rules

@@ -0,0 +1,62 @@
+# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -s 192.168.0.0/24 -o wan0 -j MASQUERADE
+-A POSTROUTING -s 192.168.0.0/24 -o wwan0 -j MASQUERADE
+COMMIT
+# Completed on Thu Mar 30 23:00:39 2023
+# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:SSH - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
+-A INPUT -p udp -m udp --dport 33434:33534 -m comment --comment "traceroute in UDP mode" -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -d 224.0.0.0/4 -i wan0.4 -p igmp -j ACCEPT
+-A INPUT -i br0 -p tcp -m tcp --dport 22 -j SSH
+-A INPUT -i br0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -d 224.0.0.2/32 -i br0 -p igmp -j ACCEPT
+-A FORWARD -i br0 -o wan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i wan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i br0 -o wwan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i wwan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i br0 -o wan0.4 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "IPTV - unicast" -j ACCEPT
+-A FORWARD -i wan0.4 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "IPTV - unicast" -j ACCEPT
+-A FORWARD -d 224.0.0.0/4 -i wan0.4 -o br0 -m comment --comment "IPTV - multicast" -j ACCEPT
+-A SSH -m recent --set --name SSH --mask 255.255.255.255 --rsource 
+-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH bruteforce: "
+-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask 255.255.255.255 --rsource -j DROP
+-A SSH -j ACCEPT
+COMMIT
+# Completed on Thu Mar 30 23:00:39 2023
+# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Thu Mar 30 23:00:39 2023
+# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Thu Mar 30 23:00:39 2023
+# Generated by xtables-save v1.8.2 on Thu Mar 30 23:00:39 2023
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Thu Mar 30 23:00:39 2023

conf/usr/local/etc/IPv6_default_fw_rules

@@ -0,0 +1,37 @@
+# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 14:40:57 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 14:40:57 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 14:40:57 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 14:40:57 2023
+# Generated by xtables-save v1.8.2 on Tue Mar 28 14:40:57 2023
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Tue Mar 28 14:40:57 2023

conf/usr/local/etc/IPv6_fw_rules

@@ -0,0 +1,59 @@
+# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:SSH - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 10/sec -m comment --comment "Echo Request" -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Echo Request" -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -m comment --comment "Neighbor Solicitation" -j ACCEPT
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -m comment --comment "Neighbor Advertisement" -j ACCEPT
+-A INPUT -i wan0 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -m comment --comment "Router Advertisement" -j ACCEPT
+-A INPUT -i wan0 -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -m comment --comment "Redirect" -j ACCEPT
+-A INPUT -i wan0 -p udp -m udp --sport 547 --dport 546 -d fe80::/64 -m comment --comment "DHCPv6 server/relayagent -> DHCPv6 client" -j ACCEPT
+-A INPUT -p udp -m udp --dport 33434:33534 -m comment --comment "traceroute in UDP mode" -j REJECT --reject-with icmp6-port-unreachable
+-A INPUT -i br0 -p tcp -m tcp --dport 22 -m comment --comment "new SSH connections from LAN" -j SSH
+-A INPUT -i br0 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -m comment --comment "Router Solicitation" -j ACCEPT
+-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i br0 -o wan0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i wan0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A SSH -m recent --set --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource 
+-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j LOG --log-prefix "SSH bruteforce: "
+-A SSH -m recent --update --seconds 30 --hitcount 10 --name SSH --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j DROP
+-A SSH -j ACCEPT
+COMMIT
+# Completed on Fri Mar 31 17:02:25 2023
+# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Fri Mar 31 17:02:25 2023
+# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Fri Mar 31 17:02:25 2023
+# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Fri Mar 31 17:02:25 2023
+# Generated by xtables-save v1.8.2 on Fri Mar 31 17:02:25 2023
+*security
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Fri Mar 31 17:02:25 2023