]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | ||
3 | . /etc/sysconfig/rc | |
4 | . ${rc_functions} | |
5 | ||
6 | eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) | |
7 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) | |
8 | eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) | |
9 | IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` | |
10 | ||
11 | if [ -f /var/ipfire/red/device ]; then | |
12 | DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
13 | fi | |
14 | ||
15 | function iptables() { | |
16 | /sbin/iptables --wait "$@" | |
17 | } | |
18 | ||
19 | iptables_init() { | |
20 | # Flush all rules and delete all custom chains | |
21 | iptables -F | |
22 | iptables -t nat -F | |
23 | iptables -t mangle -F | |
24 | iptables -t raw -F | |
25 | iptables -X | |
26 | iptables -t nat -X | |
27 | iptables -t mangle -X | |
28 | iptables -t raw -X | |
29 | ||
30 | # Set up policies | |
31 | iptables -P INPUT DROP | |
32 | iptables -P FORWARD DROP | |
33 | iptables -P OUTPUT ACCEPT | |
34 | ||
35 | # Empty LOG_DROP and LOG_REJECT chains | |
36 | iptables -N LOG_DROP | |
37 | iptables -A LOG_DROP -m limit --limit 10/minute -j LOG | |
38 | iptables -A LOG_DROP -j DROP | |
39 | iptables -N LOG_REJECT | |
40 | iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG | |
41 | iptables -A LOG_REJECT -j REJECT | |
42 | ||
43 | # This chain will log, then DROPs packets with certain bad combinations | |
44 | # of flags might indicate a port-scan attempt (xmas, null, etc) | |
45 | iptables -N PSCAN | |
46 | if [ "$DROPPORTSCAN" == "on" ]; then | |
47 | iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" | |
48 | iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" | |
49 | iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" | |
50 | iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" | |
51 | fi | |
52 | iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" | |
53 | ||
54 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
55 | # that's not covered above, may just be a broken windows machine | |
56 | iptables -N NEWNOTSYN | |
57 | if [ "$DROPNEWNOTSYN" == "on" ]; then | |
58 | iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " | |
59 | fi | |
60 | iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" | |
61 | ||
62 | # Chain to contain all the rules relating to bad TCP flags | |
63 | iptables -N BADTCP | |
64 | ||
65 | # Don't check loopback | |
66 | iptables -A BADTCP -i lo -j RETURN | |
67 | ||
68 | # Disallow packets frequently used by port-scanners | |
69 | # NMAP FIN/URG/PSH (XMAS scan) | |
70 | iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
71 | # SYN/RST/ACK/FIN/URG | |
72 | iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN | |
73 | # ALL/ALL | |
74 | iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN | |
75 | # FIN Stealth | |
76 | iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN | |
77 | # SYN/RST (also catches xmas variants that set SYN+RST+...) | |
78 | iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN | |
79 | # SYN/FIN (QueSO or nmap OS probe) | |
80 | iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN | |
81 | # Null | |
82 | iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
83 | # NEW TCP without SYN | |
84 | iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN | |
85 | ||
86 | iptables -A INPUT -p tcp -j BADTCP | |
87 | iptables -A FORWARD -p tcp -j BADTCP | |
88 | ||
89 | # Connection tracking chains | |
90 | iptables -N CONNTRACK | |
91 | iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT | |
92 | iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP | |
93 | iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT | |
94 | iptables -t raw -N CONNTRACK | |
95 | iptables -t raw -A PREROUTING -j CONNTRACK | |
96 | ||
97 | # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/) | |
98 | ||
99 | # SIP | |
100 | if [ "${CONNTRACK_SIP}" = "on" ]; then | |
101 | modprobe nf_nat_sip | |
102 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
103 | -m helper --helper sip -j ACCEPT | |
104 | for proto in udp tcp; do | |
105 | iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip | |
106 | done | |
107 | fi | |
108 | ||
109 | # H.323 | |
110 | if [ "${CONNTRACK_H323}" = "on" ]; then | |
111 | modprobe nf_nat_h323 | |
112 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
113 | -m helper --helper h323 -j ACCEPT | |
114 | ||
115 | # Gatekeeper RAS | |
116 | iptables -t raw -A CONNTRACK -p udp --dport 1719 -j CT --helper RAS | |
117 | ||
118 | # Q.931 | |
119 | iptables -t raw -A CONNTRACK -p tcp --dport 1720 -j CT --helper Q.931 | |
120 | fi | |
121 | ||
122 | # FTP | |
123 | if [ "${CONNTRACK_FTP}" = "on" ]; then | |
124 | modprobe nf_nat_ftp | |
125 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
126 | -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT | |
127 | iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp | |
128 | fi | |
129 | ||
130 | # PPTP | |
131 | if [ "${CONNTRACK_PPTP}" = "on" ]; then | |
132 | modprobe nf_nat_pptp | |
133 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
134 | -m helper --helper pptp -j ACCEPT | |
135 | iptables -t raw -A CONNTRACK -p tcp --dport 1723 -j CT --helper pptp | |
136 | fi | |
137 | ||
138 | # TFTP | |
139 | if [ "${CONNTRACK_TFTP}" = "on" ]; then | |
140 | modprobe nf_nat_tftp | |
141 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
142 | -m helper --helper tftp -j ACCEPT | |
143 | iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp | |
144 | fi | |
145 | ||
146 | # IRC | |
147 | if [ "${CONNTRACK_IRC}" = "on" ]; then | |
148 | modprobe nf_nat_irc | |
149 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
150 | -m helper --helper irc -j ACCEPT | |
151 | iptables -t raw -A CONNTRACK -p tcp --dport 6667 -j CT --helper irc | |
152 | fi | |
153 | ||
154 | # Amanda | |
155 | if [ "${CONNTRACK_AMANDA}" = "on" ]; then | |
156 | modprobe nf_nat_amanda | |
157 | iptables -A CONNTRACK -m conntrack --ctstate RELATED \ | |
158 | -m helper --helper amanda -j ACCEPT | |
159 | iptables -t raw -A CONNTRACK -p tcp -j CT --helper amanda | |
160 | fi | |
161 | ||
162 | # Fix for braindead ISP's | |
163 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
164 | ||
165 | # CUSTOM chains, can be used by the users themselves | |
166 | iptables -N CUSTOMINPUT | |
167 | iptables -A INPUT -j CUSTOMINPUT | |
168 | iptables -N CUSTOMFORWARD | |
169 | iptables -A FORWARD -j CUSTOMFORWARD | |
170 | iptables -N CUSTOMOUTPUT | |
171 | iptables -A OUTPUT -j CUSTOMOUTPUT | |
172 | iptables -t nat -N CUSTOMPREROUTING | |
173 | iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
174 | iptables -t nat -N CUSTOMPOSTROUTING | |
175 | iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
176 | ||
177 | # P2PBLOCK | |
178 | iptables -N P2PBLOCK | |
179 | iptables -A INPUT -j P2PBLOCK | |
180 | iptables -A FORWARD -j P2PBLOCK | |
181 | iptables -A OUTPUT -j P2PBLOCK | |
182 | ||
183 | # Guardian (IPS) chains | |
184 | iptables -N GUARDIAN | |
185 | iptables -A INPUT -j GUARDIAN | |
186 | iptables -A FORWARD -j GUARDIAN | |
187 | ||
188 | # IPS (suricata) chains | |
189 | iptables -N IPS_INPUT | |
190 | iptables -N IPS_FORWARD | |
191 | iptables -N IPS_OUTPUT | |
192 | iptables -A INPUT -j IPS_INPUT | |
193 | iptables -A FORWARD -j IPS_FORWARD | |
194 | iptables -A OUTPUT -j IPS_OUTPUT | |
195 | ||
196 | # Block non-established IPsec networks | |
197 | iptables -N IPSECBLOCK | |
198 | iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK | |
199 | iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK | |
200 | ||
201 | # Block OpenVPN transfer networks | |
202 | iptables -N OVPNBLOCK | |
203 | iptables -A INPUT -i tun+ -j OVPNBLOCK | |
204 | iptables -A FORWARD -i tun+ -j OVPNBLOCK | |
205 | iptables -A FORWARD -o tun+ -j OVPNBLOCK | |
206 | ||
207 | # OpenVPN transfer network translation | |
208 | iptables -t nat -N OVPNNAT | |
209 | iptables -t nat -A POSTROUTING -j OVPNNAT | |
210 | ||
211 | # IPTV chains for IGMPPROXY | |
212 | iptables -N IPTVINPUT | |
213 | iptables -A INPUT -j IPTVINPUT | |
214 | iptables -N IPTVFORWARD | |
215 | iptables -A FORWARD -j IPTVFORWARD | |
216 | ||
217 | # Allow to ping the firewall. | |
218 | iptables -N ICMPINPUT | |
219 | iptables -A INPUT -j ICMPINPUT | |
220 | iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT | |
221 | ||
222 | # Accept everything on loopback | |
223 | iptables -N LOOPBACK | |
224 | iptables -A LOOPBACK -i lo -j ACCEPT | |
225 | iptables -A LOOPBACK -o lo -j ACCEPT | |
226 | ||
227 | # Filter all packets with loopback addresses on non-loopback interfaces. | |
228 | iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP | |
229 | iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP | |
230 | ||
231 | for i in INPUT FORWARD OUTPUT; do | |
232 | iptables -A ${i} -j LOOPBACK | |
233 | done | |
234 | ||
235 | # Captive portal | |
236 | iptables -N CAPTIVE_PORTAL | |
237 | iptables -N CAPTIVE_PORTAL_CLIENTS | |
238 | for i in INPUT FORWARD; do | |
239 | iptables -A ${i} -j CAPTIVE_PORTAL | |
240 | done | |
241 | ||
242 | # Accept everything connected | |
243 | for i in INPUT FORWARD OUTPUT; do | |
244 | iptables -A ${i} -j CONNTRACK | |
245 | done | |
246 | ||
247 | # Allow DHCP | |
248 | iptables -N DHCPINPUT | |
249 | iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT | |
250 | iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT | |
251 | ||
252 | iptables -N DHCPOUTPUT | |
253 | iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT | |
254 | iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT | |
255 | ||
256 | # Allow DHCP on GREEN | |
257 | iptables -N DHCPGREENINPUT | |
258 | iptables -N DHCPGREENOUTPUT | |
259 | if [ -n "${GREEN_DEV}" ]; then | |
260 | iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT | |
261 | iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT | |
262 | fi | |
263 | ||
264 | # allow DHCP on BLUE to be turned on/off | |
265 | iptables -N DHCPBLUEINPUT | |
266 | iptables -N DHCPBLUEOUTPUT | |
267 | if [ -n "${BLUE_DEV}" ]; then | |
268 | iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT | |
269 | iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT | |
270 | fi | |
271 | ||
272 | # GeoIP block | |
273 | iptables -N GEOIPBLOCK | |
274 | iptables -A INPUT -j GEOIPBLOCK | |
275 | iptables -A FORWARD -j GEOIPBLOCK | |
276 | ||
277 | # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything | |
278 | iptables -N IPSECINPUT | |
279 | iptables -N IPSECFORWARD | |
280 | iptables -N IPSECOUTPUT | |
281 | iptables -A INPUT -j IPSECINPUT | |
282 | iptables -A FORWARD -j IPSECFORWARD | |
283 | iptables -A OUTPUT -j IPSECOUTPUT | |
284 | iptables -t nat -N IPSECNAT | |
285 | iptables -t nat -A POSTROUTING -j IPSECNAT | |
286 | ||
287 | # localhost and ethernet. | |
288 | # Always allow accessing the web GUI from GREEN. | |
289 | iptables -N GUIINPUT | |
290 | iptables -A INPUT -j GUIINPUT | |
291 | if [ -n "${GREEN_DEV}" ]; then | |
292 | iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT | |
293 | fi | |
294 | ||
295 | # WIRELESS chains | |
296 | iptables -N WIRELESSINPUT | |
297 | iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT | |
298 | iptables -N WIRELESSFORWARD | |
299 | iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD | |
300 | ||
301 | # OpenVPN | |
302 | iptables -N OVPNINPUT | |
303 | iptables -A INPUT -j OVPNINPUT | |
304 | ||
305 | # Tor (inbound and outbound) | |
306 | iptables -N TOR_INPUT | |
307 | iptables -A INPUT -j TOR_INPUT | |
308 | iptables -N TOR_OUTPUT | |
309 | iptables -A OUTPUT -j TOR_OUTPUT | |
310 | ||
311 | # Jump into the actual firewall ruleset. | |
312 | iptables -N INPUTFW | |
313 | iptables -A INPUT -j INPUTFW | |
314 | ||
315 | iptables -N OUTGOINGFW | |
316 | iptables -A OUTPUT -j OUTGOINGFW | |
317 | ||
318 | iptables -N FORWARDFW | |
319 | iptables -A FORWARD -j FORWARDFW | |
320 | ||
321 | # SNAT rules | |
322 | iptables -t nat -N NAT_SOURCE | |
323 | iptables -t nat -A POSTROUTING -j NAT_SOURCE | |
324 | ||
325 | # Captive Portal | |
326 | iptables -t nat -N CAPTIVE_PORTAL | |
327 | iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL | |
328 | ||
329 | # Custom prerouting chains (for transparent proxy) | |
330 | iptables -t nat -N SQUID | |
331 | iptables -t nat -A PREROUTING -j SQUID | |
332 | ||
333 | # DNAT rules | |
334 | iptables -t nat -N NAT_DESTINATION | |
335 | iptables -t nat -A PREROUTING -j NAT_DESTINATION | |
336 | iptables -t nat -A OUTPUT -j NAT_DESTINATION | |
337 | ||
338 | iptables -t mangle -N NAT_DESTINATION | |
339 | iptables -t mangle -A PREROUTING -j NAT_DESTINATION | |
340 | ||
341 | iptables -t nat -N NAT_DESTINATION_FIX | |
342 | iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX | |
343 | ||
344 | if [ -n "${GREEN_ADDRESS}" ]; then | |
345 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
346 | -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}" | |
347 | fi | |
348 | ||
349 | if [ -n "${BLUE_ADDRESS}" ]; then | |
350 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
351 | -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}" | |
352 | fi | |
353 | ||
354 | if [ -n "${ORANGE_ADDRESS}" ]; then | |
355 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
356 | -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}" | |
357 | fi | |
358 | ||
359 | # upnp chain for our upnp daemon | |
360 | iptables -t nat -N UPNPFW | |
361 | iptables -t nat -A PREROUTING -j UPNPFW | |
362 | iptables -N UPNPFW | |
363 | iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW | |
364 | ||
365 | # RED chain, used for the red interface | |
366 | iptables -N REDINPUT | |
367 | iptables -A INPUT -j REDINPUT | |
368 | iptables -N REDFORWARD | |
369 | iptables -A FORWARD -j REDFORWARD | |
370 | iptables -t nat -N REDNAT | |
371 | iptables -t nat -A POSTROUTING -j REDNAT | |
372 | ||
373 | # Populate IPsec chains | |
374 | /usr/lib/firewall/ipsec-policy | |
375 | ||
376 | # Apply OpenVPN firewall rules | |
377 | /usr/local/bin/openvpnctrl --firewall-rules | |
378 | ||
379 | # run wirelessctrl | |
380 | /usr/local/bin/wirelessctrl | |
381 | ||
382 | # run captivectrl | |
383 | /usr/local/bin/captivectrl | |
384 | ||
385 | # POLICY CHAIN | |
386 | iptables -N POLICYIN | |
387 | iptables -A INPUT -j POLICYIN | |
388 | iptables -N POLICYFWD | |
389 | iptables -A FORWARD -j POLICYFWD | |
390 | iptables -N POLICYOUT | |
391 | iptables -A OUTPUT -j POLICYOUT | |
392 | ||
393 | # Initialize firewall policies. | |
394 | /usr/sbin/firewall-policy | |
395 | ||
396 | # Install firewall rules for the red interface. | |
397 | iptables_red_up | |
398 | ||
399 | # If red has not been brought up yet, we will | |
400 | # add the blocking rules for MASQUERADE | |
401 | if [ ! -e "/var/ipfire/red/active" ]; then | |
402 | iptables_red_down | |
403 | fi | |
404 | } | |
405 | ||
406 | iptables_red_up() { | |
407 | iptables -F REDINPUT | |
408 | iptables -F REDFORWARD | |
409 | iptables -t nat -F REDNAT | |
410 | ||
411 | # PPPoE / PPTP Device | |
412 | if [ "$IFACE" != "" ]; then | |
413 | # PPPoE / PPTP | |
414 | if [ "$DEVICE" != "" ]; then | |
415 | iptables -A REDINPUT -i $DEVICE -j ACCEPT | |
416 | fi | |
417 | if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then | |
418 | if [ "$RED_DEV" != "" ]; then | |
419 | iptables -A REDINPUT -i $RED_DEV -j ACCEPT | |
420 | fi | |
421 | fi | |
422 | fi | |
423 | ||
424 | # PPTP over DHCP | |
425 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
426 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
427 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
428 | fi | |
429 | ||
430 | if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then | |
431 | # DHCP | |
432 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
433 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
434 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
435 | fi | |
436 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
437 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
438 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
439 | fi | |
440 | ||
441 | # Outgoing masquerading (don't masqerade IPSEC (mark 50)) | |
442 | iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN | |
443 | ||
444 | if [ "${IFACE}" = "${GREEN_DEV}" ]; then | |
445 | iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN | |
446 | fi | |
447 | ||
448 | local NO_MASQ_NETWORKS | |
449 | ||
450 | if [ "${MASQUERADE_GREEN}" = "off" ]; then | |
451 | NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}" | |
452 | fi | |
453 | ||
454 | if [ "${MASQUERADE_BLUE}" = "off" ]; then | |
455 | NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}" | |
456 | fi | |
457 | ||
458 | if [ "${MASQUERADE_ORANGE}" = "off" ]; then | |
459 | NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" | |
460 | fi | |
461 | ||
462 | local network | |
463 | for network in ${NO_MASQ_NETWORKS}; do | |
464 | iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN | |
465 | done | |
466 | ||
467 | # Masquerade everything else | |
468 | iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE | |
469 | fi | |
470 | ||
471 | # Reload all rules. | |
472 | /usr/local/bin/firewallctrl | |
473 | } | |
474 | ||
475 | iptables_red_down() { | |
476 | # Prohibit packets to reach the masquerading rule | |
477 | # while the WAN interface is down - this is required to | |
478 | # circumvent udp related NAT issues | |
479 | # http://forum.ipfire.org/index.php?topic=11127.0 | |
480 | if [ -n "${IFACE}" ]; then | |
481 | iptables -F REDFORWARD | |
482 | iptables -A REDFORWARD -o "${IFACE}" -j DROP | |
483 | fi | |
484 | ||
485 | # Reload all rules. | |
486 | /usr/local/bin/firewallctrl | |
487 | } | |
488 | ||
489 | # See how we were called. | |
490 | case "$1" in | |
491 | start) | |
492 | boot_mesg "Setting up firewall" | |
493 | iptables_init | |
494 | evaluate_retval | |
495 | ;; | |
496 | reload|up) | |
497 | boot_mesg "Reloading firewall" | |
498 | iptables_red_up | |
499 | evaluate_retval | |
500 | ;; | |
501 | down) | |
502 | boot_mesg "Disabling firewall access to RED" | |
503 | iptables_red_down | |
504 | evaluate_retval | |
505 | ;; | |
506 | restart) | |
507 | $0 start | |
508 | ;; | |
509 | *) | |
510 | echo "Usage: $0 {start|reload|restart}" | |
511 | exit 1 | |
512 | ;; | |
513 | esac | |
514 | ||
515 | exit 0 |