mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-12-25 15:06:47 +02:00
cleanup login script, change firewall example
git-svn-id: svn://svn.openwrt.org/openwrt/trunk/openwrt@881 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
parent
9867fb3338
commit
dd755e947f
@ -1,21 +1,20 @@
|
||||
#!/bin/sh
|
||||
[ "$FAILSAFE" = "true" ] && exec /bin/ash --login
|
||||
|
||||
[ -f /etc/sysconf ] && . /etc/sysconf
|
||||
|
||||
if [ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ]; then
|
||||
if grep '^root:!' /etc/passwd > /dev/null 2>/dev/null; then
|
||||
echo "You need to set a login password to protect your"
|
||||
echo "Router from unauthorized access."
|
||||
echo
|
||||
echo "Use 'passwd' to set your password."
|
||||
echo "telnet login will be disabled afterwards,"
|
||||
echo "You can then login using SSH."
|
||||
echo
|
||||
else
|
||||
echo "Login failed."
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
. /etc/sysconf 2>&-
|
||||
|
||||
[ "$FAILSAFE" != "true" ] &&
|
||||
[ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ] &&
|
||||
{
|
||||
grep '^root:[^!]' /etc/passwd >&- 2>&- &&
|
||||
{
|
||||
echo "Login failed."
|
||||
exit 0
|
||||
} || {
|
||||
cat << EOF
|
||||
=== IMPORTANT ============================
|
||||
Use 'passwd' to set your login password
|
||||
this will disable telnet and enable SSH
|
||||
------------------------------------------
|
||||
EOF
|
||||
}
|
||||
}
|
||||
exec /bin/ash --login
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
. /etc/functions.sh
|
||||
export WAN=$(nvram get wan_ifname)
|
||||
export LAN=$(nvram get lan_ifname)
|
||||
WAN=$(nvram get wan_ifname)
|
||||
LAN=$(nvram get lan_ifname)
|
||||
|
||||
## CLEAR TABLES
|
||||
for T in filter nat mangle; do
|
||||
@ -17,8 +17,8 @@ iptables -t nat -N prerouting_rule
|
||||
iptables -t nat -N postrouting_rule
|
||||
|
||||
### Port forwarding
|
||||
# iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2
|
||||
# iptables -A forwarding_rule -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
|
||||
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
|
||||
# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
|
||||
|
||||
### INPUT
|
||||
### (connections with the router as destination)
|
||||
@ -27,12 +27,12 @@ iptables -t nat -N postrouting_rule
|
||||
iptables -P INPUT DROP
|
||||
iptables -A INPUT -m state --state INVALID -j DROP
|
||||
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
|
||||
|
||||
# allow
|
||||
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
|
||||
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
|
||||
iptables -A INPUT -p 47 -j ACCEPT # allow GRE
|
||||
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
|
||||
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
|
||||
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
|
||||
iptables -A INPUT -p gre -j ACCEPT # allow GRE
|
||||
#
|
||||
# insert accept rule or to jump to new accept-check table here
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user