]>
Commit | Line | Data |
---|---|---|
3a1019f6 | 1 | #!/bin/sh |
66c36198 PM |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
3a1019f6 | 21 | |
0f5c5ce7 MT |
22 | . /etc/sysconfig/rc |
23 | . ${rc_functions} | |
24 | ||
3a1019f6 MT |
25 | eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) |
26 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) | |
fe0cd647 | 27 | eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) |
e5a77641 EK |
28 | if [ -r "/var/ipfire/tor/settings" ]; then |
29 | eval $(/usr/local/bin/readhash /var/ipfire/tor/settings) | |
30 | fi | |
3a1019f6 | 31 | IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` |
5462658e | 32 | if [ -z $IFACE ]; then |
5b0eca95 AF |
33 | IFACE="red0" |
34 | fi | |
3a1019f6 MT |
35 | |
36 | if [ -f /var/ipfire/red/device ]; then | |
37 | DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
38 | fi | |
39 | ||
ce31144c MT |
40 | NAT_MASK="0x0f000000" |
41 | ||
3fa8300e MT |
42 | IPS_REPEAT_MARK="0x80000000" |
43 | IPS_REPEAT_MASK="0x80000000" | |
44 | IPS_BYPASS_MARK="0x40000000" | |
45 | IPS_BYPASS_MASK="0x40000000" | |
46 | ||
83085ae9 SS |
47 | IPSET_DB_DIR="/var/lib/location/ipset" |
48 | ||
c581b670 MT |
49 | function iptables() { |
50 | /sbin/iptables --wait "$@" | |
51 | } | |
52 | ||
3a1019f6 MT |
53 | iptables_init() { |
54 | # Flush all rules and delete all custom chains | |
c581b670 MT |
55 | iptables -F |
56 | iptables -t nat -F | |
57 | iptables -t mangle -F | |
b1109b8a | 58 | iptables -t raw -F |
c581b670 MT |
59 | iptables -X |
60 | iptables -t nat -X | |
61 | iptables -t mangle -X | |
b1109b8a | 62 | iptables -t raw -X |
3a1019f6 MT |
63 | |
64 | # Set up policies | |
c581b670 MT |
65 | iptables -P INPUT DROP |
66 | iptables -P FORWARD DROP | |
67 | iptables -P OUTPUT ACCEPT | |
3a1019f6 | 68 | |
78b65ea7 MT |
69 | # Enable TRACE logging to syslog |
70 | modprobe nf_log_ipv4 | |
71 | sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4 | |
72 | ||
3fa8300e MT |
73 | # IPS Bypass Chain which stores the BYPASS bit in connection tracking |
74 | iptables -N IPSBYPASS | |
19357bc5 | 75 | iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))" |
3fa8300e MT |
76 | |
77 | # Jump into bypass chain when the BYPASS bit is set | |
78 | for chain in INPUT FORWARD OUTPUT; do | |
79 | iptables -A "${chain}" -m mark \ | |
80 | --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS | |
81 | done | |
82 | ||
3a1019f6 | 83 | # Empty LOG_DROP and LOG_REJECT chains |
c581b670 | 84 | iptables -N LOG_DROP |
8ee3a135 | 85 | iptables -A LOG_DROP -m limit --limit 10/second -j LOG |
c581b670 MT |
86 | iptables -A LOG_DROP -j DROP |
87 | iptables -N LOG_REJECT | |
8ee3a135 | 88 | iptables -A LOG_REJECT -m limit --limit 10/second -j LOG |
c581b670 | 89 | iptables -A LOG_REJECT -j REJECT |
3a1019f6 MT |
90 | |
91 | # This chain will log, then DROPs packets with certain bad combinations | |
ef7e9e52 | 92 | # of flags might indicate a port-scan attempt (xmas, null, etc.) |
c581b670 | 93 | iptables -N PSCAN |
5595bc03 | 94 | if [ "$DROPPORTSCAN" == "on" ]; then |
ef7e9e52 PM |
95 | iptables -A PSCAN -p tcp -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" |
96 | iptables -A PSCAN -p udp -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" | |
8ee3a135 PM |
97 | iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" |
98 | iptables -A PSCAN -f -m limit --limit 10/second -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" | |
5595bc03 | 99 | fi |
c581b670 | 100 | iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" |
3a1019f6 MT |
101 | |
102 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
ef7e9e52 | 103 | # that's not covered above, may just be a broken Windows machine |
c581b670 | 104 | iptables -N NEWNOTSYN |
5595bc03 | 105 | if [ "$DROPNEWNOTSYN" == "on" ]; then |
8ee3a135 | 106 | iptables -A NEWNOTSYN -m limit --limit 10/second -j LOG --log-prefix "DROP_NEWNOTSYN " |
5595bc03 | 107 | fi |
c581b670 | 108 | iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" |
3a1019f6 | 109 | |
a36cd34e PM |
110 | # Log and subsequently drop spoofed packets or "martians", arriving from sources |
111 | # on interfaces where we don't expect them | |
112 | iptables -N SPOOFED_MARTIAN | |
113 | if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then | |
114 | iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN " | |
115 | fi | |
116 | iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN" | |
117 | ||
3a1019f6 | 118 | # Chain to contain all the rules relating to bad TCP flags |
c581b670 | 119 | iptables -N BADTCP |
3a1019f6 | 120 | |
c581b670 MT |
121 | # Don't check loopback |
122 | iptables -A BADTCP -i lo -j RETURN | |
d8158ca6 | 123 | |
3a1019f6 | 124 | # Disallow packets frequently used by port-scanners |
dccbf1bf AF |
125 | # NMAP FIN/URG/PSH (XMAS scan) |
126 | iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
127 | # SYN/RST/ACK/FIN/URG | |
128 | iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN | |
129 | # ALL/ALL | |
130 | iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN | |
131 | # FIN Stealth | |
c581b670 | 132 | iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN |
3a1019f6 | 133 | # SYN/RST (also catches xmas variants that set SYN+RST+...) |
c581b670 | 134 | iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN |
3a1019f6 | 135 | # SYN/FIN (QueSO or nmap OS probe) |
c581b670 | 136 | iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN |
dccbf1bf AF |
137 | # Null |
138 | iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
3a1019f6 | 139 | # NEW TCP without SYN |
c581b670 | 140 | iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN |
b85d2a98 | 141 | |
c581b670 MT |
142 | iptables -A INPUT -p tcp -j BADTCP |
143 | iptables -A FORWARD -p tcp -j BADTCP | |
c0359d6d | 144 | |
b1109b8a | 145 | # Connection tracking chains |
5ca74566 | 146 | iptables -N CTINVALID |
8269c831 PM |
147 | if [ "$LOGDROPCTINVALID" == "on" ]; then |
148 | iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID " | |
149 | fi | |
5ca74566 PM |
150 | iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID" |
151 | ||
c581b670 | 152 | iptables -N CONNTRACK |
b1109b8a | 153 | iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT |
5ca74566 | 154 | iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID |
0f535060 | 155 | iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT |
b1109b8a | 156 | |
c825fcef MT |
157 | # Restore any connection marks |
158 | iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark | |
159 | ||
ef7e9e52 | 160 | # Fix for braindead ISPs |
c581b670 | 161 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
3a1019f6 MT |
162 | |
163 | # CUSTOM chains, can be used by the users themselves | |
c581b670 MT |
164 | iptables -N CUSTOMINPUT |
165 | iptables -A INPUT -j CUSTOMINPUT | |
166 | iptables -N CUSTOMFORWARD | |
167 | iptables -A FORWARD -j CUSTOMFORWARD | |
168 | iptables -N CUSTOMOUTPUT | |
169 | iptables -A OUTPUT -j CUSTOMOUTPUT | |
170 | iptables -t nat -N CUSTOMPREROUTING | |
171 | iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
172 | iptables -t nat -N CUSTOMPOSTROUTING | |
173 | iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
3a1019f6 | 174 | |
247e9780 PM |
175 | # Chains for networks known as being hostile, posing a technical threat to our users |
176 | # (i. e. listed at Spamhaus DROP et al.) | |
177 | iptables -N HOSTILE | |
178 | iptables -A INPUT -j HOSTILE | |
179 | iptables -A FORWARD -j HOSTILE | |
180 | iptables -A OUTPUT -j HOSTILE | |
181 | ||
37c5b4b6 AB |
182 | iptables -N HOSTILE_DROP_IN |
183 | if [ "$LOGDROPHOSTILEIN" == "on" ]; then | |
184 | iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " | |
185 | fi | |
186 | iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE" | |
187 | ||
188 | iptables -N HOSTILE_DROP_OUT | |
189 | if [ "$LOGDROPHOSTILEOUT" == "on" ]; then | |
190 | iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " | |
191 | fi | |
192 | iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE" | |
193 | ||
247e9780 | 194 | |
733267f3 TF |
195 | # IP Address Blocklist chains |
196 | iptables -N BLOCKLISTIN | |
197 | iptables -N BLOCKLISTOUT | |
198 | iptables -A INPUT ! -p icmp -j BLOCKLISTIN | |
199 | iptables -A FORWARD ! -p icmp -j BLOCKLISTIN | |
200 | iptables -A FORWARD ! -p icmp -j BLOCKLISTOUT | |
201 | iptables -A OUTPUT ! -p icmp -j BLOCKLISTOUT | |
202 | ||
ef7e9e52 | 203 | # IPS (Guardian) chains |
c581b670 MT |
204 | iptables -N GUARDIAN |
205 | iptables -A INPUT -j GUARDIAN | |
206 | iptables -A FORWARD -j GUARDIAN | |
815eaff4 | 207 | |
80fbd899 MT |
208 | # Block non-established IPsec networks |
209 | iptables -N IPSECBLOCK | |
210 | iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK | |
211 | iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK | |
212 | ||
1e555330 | 213 | # Block OpenVPN transfer networks |
c581b670 | 214 | iptables -N OVPNBLOCK |
a0a5c14f | 215 | iptables -A INPUT -i tun+ -j OVPNBLOCK |
a0a5c14f MT |
216 | iptables -A FORWARD -i tun+ -j OVPNBLOCK |
217 | iptables -A FORWARD -o tun+ -j OVPNBLOCK | |
1e555330 | 218 | |
ef7e9e52 | 219 | # IPS (Suricata) chains |
5dba8382 PM |
220 | iptables -N IPS_INPUT |
221 | iptables -N IPS_FORWARD | |
222 | iptables -N IPS_OUTPUT | |
3fa8300e MT |
223 | |
224 | for chain in INPUT FORWARD OUTPUT; do | |
225 | iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" | |
226 | done | |
5dba8382 | 227 | |
51ab1de1 | 228 | # OpenVPN transfer network translation |
c581b670 MT |
229 | iptables -t nat -N OVPNNAT |
230 | iptables -t nat -A POSTROUTING -j OVPNNAT | |
51ab1de1 | 231 | |
daa1ceba | 232 | # IPTV chains for IGMPPROXY |
c581b670 MT |
233 | iptables -N IPTVINPUT |
234 | iptables -A INPUT -j IPTVINPUT | |
235 | iptables -N IPTVFORWARD | |
236 | iptables -A FORWARD -j IPTVFORWARD | |
daa1ceba | 237 | |
8e59a602 MT |
238 | # Allow to ping the firewall. |
239 | iptables -N ICMPINPUT | |
240 | iptables -A INPUT -j ICMPINPUT | |
241 | iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT | |
3a1019f6 | 242 | |
2b44044b | 243 | # Accept everything on loopback |
c581b670 | 244 | iptables -N LOOPBACK |
2b44044b AF |
245 | iptables -A LOOPBACK -i lo -j ACCEPT |
246 | iptables -A LOOPBACK -o lo -j ACCEPT | |
afc611d4 | 247 | |
a36cd34e PM |
248 | # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) |
249 | iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN | |
250 | iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN | |
3b9a23ce MT |
251 | |
252 | for i in INPUT FORWARD OUTPUT; do | |
c581b670 | 253 | iptables -A ${i} -j LOOPBACK |
3b9a23ce | 254 | done |
afc611d4 | 255 | |
bbaa3613 AM |
256 | # Captive portal |
257 | iptables -N CAPTIVE_PORTAL | |
258 | iptables -N CAPTIVE_PORTAL_CLIENTS | |
259 | for i in INPUT FORWARD; do | |
260 | iptables -A ${i} -j CAPTIVE_PORTAL | |
261 | done | |
262 | ||
3a1019f6 | 263 | # Accept everything connected |
b85d2a98 | 264 | for i in INPUT FORWARD OUTPUT; do |
c581b670 | 265 | iptables -A ${i} -j CONNTRACK |
b85d2a98 MT |
266 | done |
267 | ||
8490e496 MT |
268 | # Allow DHCP |
269 | iptables -N DHCPINPUT | |
270 | iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT | |
271 | iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT | |
272 | ||
273 | iptables -N DHCPOUTPUT | |
274 | iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT | |
275 | iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT | |
276 | ||
277 | # Allow DHCP on GREEN | |
278 | iptables -N DHCPGREENINPUT | |
279 | iptables -N DHCPGREENOUTPUT | |
280 | if [ -n "${GREEN_DEV}" ]; then | |
281 | iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT | |
282 | iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT | |
283 | fi | |
284 | ||
ef7e9e52 | 285 | # Allow DHCP on BLUE to be turned on/off |
8490e496 MT |
286 | iptables -N DHCPBLUEINPUT |
287 | iptables -N DHCPBLUEOUTPUT | |
288 | if [ -n "${BLUE_DEV}" ]; then | |
289 | iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT | |
290 | iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT | |
291 | fi | |
292 | ||
4d25c1f3 PM |
293 | # Tor (inbound) |
294 | iptables -N TOR_INPUT | |
295 | iptables -A INPUT -j TOR_INPUT | |
296 | ||
0e6eca78 MT |
297 | # Location Block |
298 | iptables -N LOCATIONBLOCK | |
299 | iptables -A INPUT -j LOCATIONBLOCK | |
300 | iptables -A FORWARD -j LOCATIONBLOCK | |
cab02e2a | 301 | |
5fd30232 | 302 | # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything |
c581b670 MT |
303 | iptables -N IPSECINPUT |
304 | iptables -N IPSECFORWARD | |
305 | iptables -N IPSECOUTPUT | |
306 | iptables -A INPUT -j IPSECINPUT | |
307 | iptables -A FORWARD -j IPSECFORWARD | |
308 | iptables -A OUTPUT -j IPSECOUTPUT | |
309 | iptables -t nat -N IPSECNAT | |
310 | iptables -t nat -A POSTROUTING -j IPSECNAT | |
b68e5c14 | 311 | |
3a1019f6 | 312 | # localhost and ethernet. |
c0e0848f MT |
313 | # Always allow accessing the web GUI from GREEN. |
314 | iptables -N GUIINPUT | |
315 | iptables -A INPUT -j GUIINPUT | |
48a7737f MT |
316 | if [ -n "${GREEN_DEV}" ]; then |
317 | iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT | |
318 | fi | |
8490e496 | 319 | |
81393987 | 320 | # WIRELESS chains |
c581b670 MT |
321 | iptables -N WIRELESSINPUT |
322 | iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT | |
323 | iptables -N WIRELESSFORWARD | |
324 | iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD | |
987b75bc | 325 | |
ab4876ad | 326 | # OpenVPN |
c581b670 MT |
327 | iptables -N OVPNINPUT |
328 | iptables -A INPUT -j OVPNINPUT | |
ab4876ad | 329 | |
4d25c1f3 | 330 | # Tor (outbound) |
5fc5f703 PM |
331 | iptables -N TOR_OUTPUT |
332 | iptables -A OUTPUT -j TOR_OUTPUT | |
0e7bfb13 | 333 | |
d5f1422d | 334 | # Jump into the actual firewall ruleset. |
c581b670 MT |
335 | iptables -N INPUTFW |
336 | iptables -A INPUT -j INPUTFW | |
d5f1422d | 337 | |
c581b670 MT |
338 | iptables -N OUTGOINGFW |
339 | iptables -A OUTPUT -j OUTGOINGFW | |
d5f1422d | 340 | |
c581b670 MT |
341 | iptables -N FORWARDFW |
342 | iptables -A FORWARD -j FORWARDFW | |
d5f1422d | 343 | |
fac38614 | 344 | # SNAT rules |
c581b670 MT |
345 | iptables -t nat -N NAT_SOURCE |
346 | iptables -t nat -A POSTROUTING -j NAT_SOURCE | |
fac38614 | 347 | |
9bb40553 MT |
348 | # Captive Portal |
349 | iptables -t nat -N CAPTIVE_PORTAL | |
350 | iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL | |
351 | ||
bb12dd7b | 352 | # Custom prerouting chains (for transparent proxy) |
c581b670 MT |
353 | iptables -t nat -N SQUID |
354 | iptables -t nat -A PREROUTING -j SQUID | |
bb12dd7b MT |
355 | |
356 | # DNAT rules | |
c581b670 MT |
357 | iptables -t nat -N NAT_DESTINATION |
358 | iptables -t nat -A PREROUTING -j NAT_DESTINATION | |
99f11a16 | 359 | iptables -t nat -A OUTPUT -j NAT_DESTINATION |
bb12dd7b | 360 | |
6e87f0aa MT |
361 | iptables -t mangle -N NAT_DESTINATION |
362 | iptables -t mangle -A PREROUTING -j NAT_DESTINATION | |
363 | ||
364 | iptables -t nat -N NAT_DESTINATION_FIX | |
365 | iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX | |
366 | ||
48a7737f MT |
367 | if [ -n "${GREEN_ADDRESS}" ]; then |
368 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
ce31144c | 369 | -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}" |
48a7737f | 370 | fi |
6e87f0aa MT |
371 | |
372 | if [ -n "${BLUE_ADDRESS}" ]; then | |
373 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
ce31144c | 374 | -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}" |
6e87f0aa MT |
375 | fi |
376 | ||
377 | if [ -n "${ORANGE_ADDRESS}" ]; then | |
378 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
ce31144c | 379 | -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}" |
6e87f0aa MT |
380 | fi |
381 | ||
6e87f0aa MT |
382 | # RED chain, used for the red interface |
383 | iptables -N REDINPUT | |
384 | iptables -A INPUT -j REDINPUT | |
385 | iptables -N REDFORWARD | |
386 | iptables -A FORWARD -j REDFORWARD | |
387 | iptables -t nat -N REDNAT | |
388 | iptables -t nat -A POSTROUTING -j REDNAT | |
389 | ||
6c920b19 MT |
390 | # Populate IPsec chains |
391 | /usr/lib/firewall/ipsec-policy | |
80fbd899 | 392 | |
ab4876ad MT |
393 | # Apply OpenVPN firewall rules |
394 | /usr/local/bin/openvpnctrl --firewall-rules | |
ff4770c7 AM |
395 | |
396 | # run wirelessctrl | |
397 | /usr/local/bin/wirelessctrl | |
398 | ||
1722701a AM |
399 | # run captivectrl |
400 | /usr/local/bin/captivectrl | |
401 | ||
e5a77641 EK |
402 | # If a Tor relay is enabled apply firewall rules |
403 | if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then | |
404 | /usr/local/bin/torctrl restart 1> /dev/null | |
405 | fi | |
406 | ||
c581b670 MT |
407 | # POLICY CHAIN |
408 | iptables -N POLICYIN | |
409 | iptables -A INPUT -j POLICYIN | |
410 | iptables -N POLICYFWD | |
411 | iptables -A FORWARD -j POLICYFWD | |
412 | iptables -N POLICYOUT | |
413 | iptables -A OUTPUT -j POLICYOUT | |
b324de14 | 414 | |
bb383423 | 415 | # Initialize firewall policies. |
5d7faa45 | 416 | /usr/sbin/firewall-policy |
690b0bd7 | 417 | |
bb383423 | 418 | # Install firewall rules for the red interface. |
4b12aa41 TE |
419 | iptables_red_up |
420 | ||
421 | # If red has not been brought up yet, we will | |
422 | # add the blocking rules for MASQUERADE | |
423 | if [ ! -e "/var/ipfire/red/active" ]; then | |
424 | iptables_red_down | |
425 | fi | |
ff4770c7 | 426 | } |
3a1019f6 | 427 | |
4b12aa41 | 428 | iptables_red_up() { |
c581b670 MT |
429 | iptables -F REDINPUT |
430 | iptables -F REDFORWARD | |
431 | iptables -t nat -F REDNAT | |
3a1019f6 | 432 | |
e83ae0d4 PM |
433 | # Prohibit spoofing our own IP address on RED |
434 | if [ -f /var/ipfire/red/active ]; then | |
435 | REDIP="$( cat /var/ipfire/red/local-ipaddress )"; | |
436 | ||
437 | if [ "$IFACE" != "" ]; then | |
438 | iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN | |
439 | elif [ "$DEVICE" != "" ]; then | |
440 | iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN | |
441 | fi | |
442 | fi | |
443 | ||
ff4770c7 AM |
444 | # PPTP over DHCP |
445 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
c581b670 MT |
446 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT |
447 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
3a1019f6 MT |
448 | fi |
449 | ||
ff4770c7 AM |
450 | if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then |
451 | # DHCP | |
452 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
c581b670 MT |
453 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT |
454 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
ff4770c7 AM |
455 | fi |
456 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
c581b670 MT |
457 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT |
458 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
ff4770c7 AM |
459 | fi |
460 | ||
51c4b73f | 461 | # Outgoing masquerading (don't masqerade IPsec) |
e850a614 | 462 | iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN |
c926c637 | 463 | |
60fcb241 AF |
464 | if [ "${IFACE}" = "${GREEN_DEV}" ]; then |
465 | iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN | |
c926c637 | 466 | fi |
c400fe4c | 467 | |
983d471f | 468 | local NO_MASQ_NETWORKS |
83ef9c40 MT |
469 | |
470 | if [ "${MASQUERADE_GREEN}" = "off" ]; then | |
983d471f | 471 | NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}" |
83ef9c40 MT |
472 | fi |
473 | ||
474 | if [ "${MASQUERADE_BLUE}" = "off" ]; then | |
983d471f | 475 | NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}" |
83ef9c40 MT |
476 | fi |
477 | ||
478 | if [ "${MASQUERADE_ORANGE}" = "off" ]; then | |
983d471f | 479 | NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" |
83ef9c40 MT |
480 | fi |
481 | ||
983d471f MT |
482 | local network |
483 | for network in ${NO_MASQ_NETWORKS}; do | |
484 | iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN | |
83ef9c40 MT |
485 | done |
486 | ||
487 | # Masquerade everything else | |
488 | iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE | |
6be0579b | 489 | fi |
66f6b279 MT |
490 | |
491 | # Reload all rules. | |
55a5bcae | 492 | /usr/local/bin/firewallctrl |
ff4770c7 AM |
493 | } |
494 | ||
4b12aa41 TE |
495 | iptables_red_down() { |
496 | # Prohibit packets to reach the masquerading rule | |
e01e07ec | 497 | # while the WAN interface is down - this is required to |
4b12aa41 TE |
498 | # circumvent udp related NAT issues |
499 | # http://forum.ipfire.org/index.php?topic=11127.0 | |
e7204c2d MT |
500 | if [ -n "${IFACE}" ]; then |
501 | iptables -F REDFORWARD | |
502 | iptables -A REDFORWARD -o "${IFACE}" -j DROP | |
503 | fi | |
4b12aa41 TE |
504 | |
505 | # Reload all rules. | |
506 | /usr/local/bin/firewallctrl | |
507 | } | |
508 | ||
ff4770c7 AM |
509 | # See how we were called. |
510 | case "$1" in | |
511 | start) | |
7d7740a4 | 512 | boot_mesg "Setting up firewall" |
ff4770c7 | 513 | iptables_init |
7d7740a4 | 514 | evaluate_retval |
6be0579b | 515 | ;; |
4b12aa41 | 516 | reload|up) |
7d7740a4 | 517 | boot_mesg "Reloading firewall" |
4b12aa41 | 518 | iptables_red_up |
7d7740a4 | 519 | evaluate_retval |
3a1019f6 | 520 | ;; |
4b12aa41 TE |
521 | down) |
522 | boot_mesg "Disabling firewall access to RED" | |
523 | iptables_red_down | |
524 | evaluate_retval | |
525 | ;; | |
3a1019f6 | 526 | restart) |
3a1019f6 MT |
527 | $0 start |
528 | ;; | |
529 | *) | |
ff4770c7 | 530 | echo "Usage: $0 {start|reload|restart}" |
3a1019f6 MT |
531 | exit 1 |
532 | ;; | |
533 | esac | |
534 | ||
535 | exit 0 |