[ipfire-3.x.git] / firewall / src / functions.zones

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2009  Michael Tremer & Christian Schmidt                      #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

include zones.green
include zones.orange
include zones.red

function zones_global_add() {
	local device
	local name

	device=$1

	vecho "Adding zone \"$device\""

	name=$(uppercase "ZONE_$device")

	### FILTER
	chain_create $name
	iptables -A INPUT   -i $device -j $name
	iptables -A FORWARD -i $device -j $name
	iptables -A FORWARD -o $device -j $name
	iptables -A OUTPUT  -o $device -j $name

	# Leave some space for own rules
	chain_create ${name}_CUSTOM
	iptables -A $name -j ${name}_CUSTOM

	# Intrusion Preventions System
	chain_create ${name}_IPS
	iptables -A $name -i $device -j ${name}_IPS

	# Portforwarding
	chain_create ${name}_PORTFW
	iptables -A $name -i $device -j ${name}_PORTFW

	# Outgoing firewall
	chain_create ${name}_OUTFW
	iptables -A $name -o $device -j ${name}_OUTFW

	# Policy rules
	chain_create ${name}_POLICY
	iptables -A $name -j ${name}_POLICY

	### MANGLE
	chain_create -t mangle $name
	iptables -t mangle -A PREROUTING  -i $device -j $name
	iptables -t mangle -A POSTROUTING -o $device -j $name

	# Quality of Service
	chain_create -t mangle ${name}_QOS_INC
	iptables -t mangle -A $name -i $device -j ${name}_QOS_INC
	chain_create -t mangle ${name}_QOS_OUT
	iptables -t mangle -A $name -o $device -j ${name}_QOS_OUT

	### NAT
	chain_create -t nat ${name}
	iptables -t nat -A PREROUTING  -i $device -j ${name}
	iptables -t nat -A POSTROUTING -o $device -j ${name}

    # Network Address Translation
	chain_create -t nat ${name}_NAT
	iptables -t nat -A $name -i $device -j ${name}_NAT

    # Portforwarding
	chain_create -t nat ${name}_PORTFW
	iptables -t nat -A $name -i $device -j ${name}_PORTFW

    # UPNP
	chain_create -t nat ${name}_UPNP
	iptables -t nat -A $name -j ${name}_UPNP
}


### LOCAL ZONE
function zones_local_add() {

	decho "Adding zone \"local\""

	# Accept everything on lo
	iptables -A INPUT  -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT

}
Commit	Line	Data
8838c71a MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
2534973b	22	include zones.green
2534973b	23	include zones.orange
dbfeda6c	24	include zones.red
8838c71a	25
2534973b	26	function zones_global_add() {
8838c71a MT	27	local device
	28	local name
	29
	30	device=$1
2534973b	31
dbfeda6c	32	vecho "Adding zone \"$device\""
8838c71a MT	33
8838c71a MT	34	name=$(uppercase "ZONE_$device")
dbfeda6c MT	35
dbfeda6c MT	36	### FILTER
8838c71a	37	chain_create $name
2534973b	38	iptables -A INPUT -i $device -j $name
8838c71a MT	39	iptables -A FORWARD -i $device -j $name
8838c71a MT	40	iptables -A FORWARD -o $device -j $name
2534973b MT	41	iptables -A OUTPUT -o $device -j $name
	42
	43	# Leave some space for own rules
8838c71a MT	44	chain_create ${name}_CUSTOM
8838c71a MT	45	iptables -A $name -j ${name}_CUSTOM
2534973b	46
2534973b MT	47	# Intrusion Preventions System
	48	chain_create ${name}_IPS
	49	iptables -A $name -i $device -j ${name}_IPS
	50
dbfeda6c	51	# Portforwarding
2534973b MT	52	chain_create ${name}_PORTFW
2534973b MT	53	iptables -A $name -i $device -j ${name}_PORTFW
dbfeda6c	54
2534973b MT	55	# Outgoing firewall
	56	chain_create ${name}_OUTFW
	57	iptables -A $name -o $device -j ${name}_OUTFW
dbfeda6c MT	58
	59	# Policy rules
	60	chain_create ${name}_POLICY
	61	iptables -A $name -j ${name}_POLICY
	62
	63	### MANGLE
	64	chain_create -t mangle $name
	65	iptables -t mangle -A PREROUTING -i $device -j $name
	66	iptables -t mangle -A POSTROUTING -o $device -j $name
	67
	68	# Quality of Service
	69	chain_create -t mangle ${name}_QOS_INC
	70	iptables -t mangle -A $name -i $device -j ${name}_QOS_INC
	71	chain_create -t mangle ${name}_QOS_OUT
	72	iptables -t mangle -A $name -o $device -j ${name}_QOS_OUT
	73
	74	### NAT
	75	chain_create -t nat ${name}
	76	iptables -t nat -A PREROUTING -i $device -j ${name}
	77	iptables -t nat -A POSTROUTING -o $device -j ${name}
	78
	79	# Network Address Translation
	80	chain_create -t nat ${name}_NAT
	81	iptables -t nat -A $name -i $device -j ${name}_NAT
	82
	83	# Portforwarding
	84	chain_create -t nat ${name}_PORTFW
	85	iptables -t nat -A $name -i $device -j ${name}_PORTFW
	86
	87	# UPNP
	88	chain_create -t nat ${name}_UPNP
	89	iptables -t nat -A $name -j ${name}_UPNP
8838c71a MT	90	}
8838c71a MT	91
dbfeda6c MT	92
	93	### LOCAL ZONE
	94	function zones_local_add() {
	95
	96	decho "Adding zone \"local\""
	97
	98	# Accept everything on lo
	99	iptables -A INPUT -i lo -j ACCEPT
	100	iptables -A OUTPUT -o lo -j ACCEPT
	101
8838c71a	102	}