Adding setup files and combining all in one folder

[lede.git] / sentinel_setup / setup / startup.sh

diff --git a/sentinel_setup/setup/startup.sh b/sentinel_setup/setup/startup.sh
new file mode 100755 (executable)
index 0000000..fee2e02
--- /dev/null
+++ b/sentinel_setup/setup/startup.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+# Do IP mangling for checksum error issue after disable_dgaf=1
+iptables -A POSTROUTING -t mangle -p udp --dport 68 -j CHECKSUM --checksum-fill
+
+# Do block ARP from ESP8266 to itself to avoid DHCPDECLINE
+arptables -A INPUT -j DROP --source-mac 18:fe:34:db:59:72 --destination-mac 18:fe:34:db:59:72
+arptables -A OUTPUT -j DROP --source-mac 18:fe:34:db:59:72 --destination-mac 18:fe:34:db:59:72
+arptables -A FORWARD -j DROP --source-mac 18:fe:34:db:59:72 --destination-mac 18:fe:34:db:59:72
+
+# block everything except ssh, icmp, http, and dhcp
+# Configure NAT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Protocol ICMP
+iptables -A FORWARD -j ACCEPT -p icmp;
+iptables -A INPUT -j ACCEPT -s 192.168.2.108 -d 192.168.2.1 -p icmp;
+iptables -A INPUT -j ACCEPT -s 192.168.2.1 -d 192.168.2.108 -p icmp;
+iptables -A OUTPUT -j ACCEPT -s 192.168.2.108 -d 192.168.2.1 -p icmp;
+iptables -A OUTPUT -j ACCEPT -s 192.168.2.1 -d 192.168.2.108 -p icmp;
+
+# SSH port 22
+#iptables -A INPUT -j ACCEPT -s 192.168.2.108 -d 192.168.2.1 -p tcp --dport ssh;
+#iptables -A INPUT -j ACCEPT -s 192.168.2.108 -d 192.168.2.1 -p tcp --sport ssh;
+#iptables -A INPUT -j ACCEPT -s 192.168.2.1 -d 192.168.2.108 -p tcp --dport ssh;
+#iptables -A INPUT -j ACCEPT -s 192.168.2.1 -d 192.168.2.108 -p tcp --sport ssh;
+#iptables -A OUTPUT -j ACCEPT -s 192.168.2.108 -d 192.168.2.1 -p tcp --dport ssh;
+#iptables -A OUTPUT -j ACCEPT -s 192.168.2.108 -d 192.168.2.1 -p tcp --sport ssh;
+#iptables -A OUTPUT -j ACCEPT -s 192.168.2.1 -d 192.168.2.108 -p tcp --dport ssh;
+#iptables -A OUTPUT -j ACCEPT -s 192.168.2.1 -d 192.168.2.108 -p tcp --sport ssh;
+iptables -A INPUT -j ACCEPT -p tcp --dport ssh;                                
+iptables -A INPUT -j ACCEPT -p tcp --sport ssh;
+iptables -A OUTPUT -j ACCEPT -p tcp --dport ssh;                                
+iptables -A OUTPUT -j ACCEPT -p tcp --sport ssh;
+
+iptables -A FORWARD -j ACCEPT -p tcp --dport ssh;
+iptables -A FORWARD -j ACCEPT -p tcp --sport ssh;
+
+# DNS UDP and TCP port 53
+iptables -A INPUT -j ACCEPT -p tcp --dport domain
+iptables -A INPUT -j ACCEPT -p tcp --sport domain
+iptables -A OUTPUT -j ACCEPT -p tcp --dport domain
+iptables -A OUTPUT -j ACCEPT -p tcp --sport domain
+iptables -A INPUT -j ACCEPT -p udp --dport domain
+iptables -A INPUT -j ACCEPT -p udp --sport domain
+iptables -A OUTPUT -j ACCEPT -p udp --dport domain
+iptables -A OUTPUT -j ACCEPT -p udp --sport domain
+# BOOTP Client port 68
+iptables -A INPUT -j ACCEPT -p udp --dport bootpc
+iptables -A INPUT -j ACCEPT -p udp --sport bootpc;
+# BOOTP Server port 67
+iptables -A OUTPUT -j ACCEPT -p udp --dport bootps
+iptables -A OUTPUT -j ACCEPT -p udp --sport bootps;
+iptables -A FORWARD -j REJECT
+iptables -A INPUT -j REJECT
+iptables -A OUTPUT -j REJECT
+
+# bridge hairpin mode
+#/usr/sbin/brctl hairpin br-wifi wlan0 on
+