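#!/bin/sh
#
# Rebuilds the POLICYFWD / POLICYOUT / POLICYIN iptables chains from the saved
# firewall policy settings (needs the privileges required to modify iptables).
#
# readhash turns each settings file into shell variable assignments which are
# eval'd into this shell; the variables consumed below are POLICY, FWPOLICY,
# DROPFORWARD, POLICY1, FWPOLICY1, DROPOUTGOING, FWPOLICY2 and DROPINPUT.
# NOTE(review): whatever readhash prints is executed as shell code, so the two
# settings files must only be writable by trusted components.  The command
# substitution is quoted so its output is neither word-split nor glob-expanded
# before eval sees it.
eval "$(/usr/local/bin/readhash /var/ipfire/forward/settings)"
eval "$(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)"

# Flush the three policy chains so the sections below start from empty chains.
# The absolute path is used here too so every iptables call in this script
# resolves to the same binary.
/sbin/iptables -F POLICYFWD
/sbin/iptables -F POLICYOUT
/sbin/iptables -F POLICYIN
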
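#FORWARDFW
# POLICY=MODE1 enforces the configured forward policy (FWPOLICY); any other
# POLICY value terminates the chain with ACCEPT.  DROPFORWARD=on puts a
# rate-limited LOG rule in front of the terminating rule.  The --log-prefix and
# --comment strings are runtime identifiers (presumably read back by other
# IPFire tooling) and are kept byte-exact.
# NOTE(review): with POLICY=MODE1 and an FWPOLICY that is neither REJECT nor
# DROP nothing is appended, so POLICYFWD stays empty after the flush and the
# outcome depends on the chain that jumps here (outside this script).
# POSIX sh: use '=' in test, '==' is a bashism under #!/bin/sh.
if [ "$POLICY" = "MODE1" ]; then
	case "$FWPOLICY" in
		REJECT)
			if [ "$DROPFORWARD" = "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
			;;
		DROP)
			if [ "$DROPFORWARD" = "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
			;;
	esac
else
	/sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
fi
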
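#OUTGOINGFW
# Same shape as the forward section, driven by POLICY1 / FWPOLICY1 /
# DROPOUTGOING and filling POLICYOUT: MODE1 enforces FWPOLICY1, anything else
# ends the chain with ACCEPT, and DROPOUTGOING=on adds a rate-limited LOG rule.
# The --log-prefix and --comment strings are runtime identifiers and are kept
# byte-exact.
# NOTE(review): with POLICY1=MODE1 and an FWPOLICY1 that is neither REJECT nor
# DROP nothing is appended and POLICYOUT stays empty after the flush.
# POSIX sh: use '=' in test, '==' is a bashism under #!/bin/sh.
if [ "$POLICY1" = "MODE1" ]; then
	case "$FWPOLICY1" in
		REJECT)
			if [ "$DROPOUTGOING" = "on" ]; then
				/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
			fi
			/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
			;;
		DROP)
			if [ "$DROPOUTGOING" = "on" ]; then
				/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
			fi
			/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
			;;
	esac
else
	/sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
fi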
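#INPUT
# Unlike the forward/outgoing sections there is no POLICY mode switch here:
# FWPOLICY2 is applied to POLICYIN directly, and DROPINPUT=on puts a
# rate-limited LOG rule in front of the terminating rule.  The --log-prefix and
# --comment strings are runtime identifiers and are kept byte-exact.
# NOTE(review): if FWPOLICY2 is neither REJECT nor DROP no rule at all is
# appended -- not even an ACCEPT -- so POLICYIN stays empty after the flush.
# POSIX sh: use '=' in test, '==' is a bashism under #!/bin/sh.
case "$FWPOLICY2" in
	REJECT)
		if [ "$DROPINPUT" = "on" ]; then
			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
		fi
		/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
		;;
	DROP)
		if [ "$DROPINPUT" = "on" ]; then
			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
		fi
		/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
		;;
esac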