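#!/bin/sh
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

# Rebuilds the POLICYFWD, POLICYOUT and POLICYIN chains from the firewall
# settings.  Settings are consumed via readhash, which prints KEY=VALUE
# assignments that eval turns into shell variables.
# Variables read: POLICY, FWPOLICY, DROPFORWARD (forward policy), POLICY1,
# FWPOLICY1, DROPOUTGOING (outgoing policy), FWPOLICY2, DROPINPUT (input
# policy) and BLUE_DEV.  Which settings file supplies which key is not
# visible here -- confirm against the readhash output.
# NOTE(review): eval executes whatever readhash emits, so these settings
# files must remain writable only by the firewall's own administration
# tooling -- confirm their ownership and mode.
eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

# Single binary path for every rule, so flush and append cannot diverge.
IPTABLES=/sbin/iptables

# Start from empty chains so the rules appended below are the only ones.
$IPTABLES -F POLICYFWD
$IPTABLES -F POLICYOUT
$IPTABLES -F POLICYIN

# Name of the RED interface; stays empty when the iface file is absent
# (RED not up), which disables the interface-bound rules below.
IFACE=
if [ -f "/var/ipfire/red/iface" ]; then
	IFACE=$(cat /var/ipfire/red/iface)
fi

#######################################
# Append the closing rule of a policy chain: an optional rate-limited LOG
# rule followed by REJECT (icmp-host-unreachable) or DROP.  The iptables
# comment "DROP_<tag>" is attached in both cases (presumably used by the
# web UI to locate the rule -- confirm).
# Arguments: $1 - chain name
#            $2 - policy: REJECT or DROP; any other value appends nothing
#            $3 - "on" to log matches before the verdict
#            $4 - tag used in the log prefix and comment (FORWARD|OUTPUT|INPUT)
# Returns:   exit status of the last iptables call, 0 when nothing was added
#######################################
append_policy() {
	chain=$1
	policy=$2
	logging=$3
	tag=$4

	case "$policy" in
		REJECT|DROP) ;;
		*) return 0 ;;
	esac

	# Log prefix is "<policy>_<tag>", i.e. REJECT_FORWARD / DROP_INPUT etc.
	if [ "$logging" = "on" ]; then
		$IPTABLES -A "$chain" -m limit --limit 10/minute -j LOG --log-prefix "${policy}_${tag}"
	fi
	if [ "$policy" = "REJECT" ]; then
		$IPTABLES -A "$chain" -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_${tag}"
	else
		$IPTABLES -A "$chain" -j DROP -m comment --comment "DROP_${tag}"
	fi
}

#FORWARDFW
if [ "$POLICY" = "MODE1" ]; then
	append_policy POLICYFWD "$FWPOLICY" "$DROPFORWARD" FORWARD
else
	# Default mode: blue0 and orange0 may only forward towards RED; all other
	# forwarding is accepted.  Both rules need a known RED interface, otherwise
	# "! -o" would receive no argument and iptables would reject the rule.
	if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
		$IPTABLES -A POLICYFWD -i blue0 ! -o "$IFACE" -j DROP
	fi
	if [ "$IFACE" ]; then
		$IPTABLES -A POLICYFWD -i orange0 ! -o "$IFACE" -j DROP
	fi
	$IPTABLES -A POLICYFWD -j ACCEPT
	# Never reached after the ACCEPT above; presumably kept so the DROP_FORWARD
	# comment rule always exists -- confirm before removing.
	$IPTABLES -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
fi

#OUTGOINGFW
if [ "$POLICY1" = "MODE1" ]; then
	append_policy POLICYOUT "$FWPOLICY1" "$DROPOUTGOING" OUTPUT
else
	$IPTABLES -A POLICYOUT -j ACCEPT
	# Unreachable marker rule, same pattern as POLICYFWD.
	$IPTABLES -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
fi

#INPUT
# The input chain has no MODE switch: the configured policy always applies.
append_policy POLICYIN "$FWPOLICY2" "$DROPINPUT" INPUT

exit 0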