1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2012 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
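function policy_add_zone() {
	# Create the chain hierarchy for one zone and hook it into the
	# built-in chains of the filter, mangle and (IPv4 only) nat tables.
	#
	# Arguments:
	#   $1  zone  - zone name; it is also used as the interface name in
	#               the -i/-o matches below and must be set.
	#
	# Every expansion of zone and chain is quoted so that a name which
	# contains whitespace or glob characters can never be split into
	# additional iptables arguments.
	local zone="${1}"
	assert isset zone

	log DEBUG "Creating firewall policy for zone '${zone}'."

	# Chain names are upper case: ZONE_<NAME>.
	local chain="ZONE_${zone}"
	chain="${chain^^}"

	# Filter table: one chain per zone, entered from every built-in chain.
	iptables_chain_create "${chain}"
	iptables -A INPUT -i "${zone}" -j "${chain}"
	iptables -A FORWARD -i "${zone}" -j "${chain}"
	iptables -A FORWARD -o "${zone}" -j "${chain}"
	iptables -A OUTPUT -o "${zone}" -j "${chain}"

	# Leave some space for own rules right at the beginning
	# to make it possible to overwrite _everything_.
	iptables_chain_create "${chain}_CUSTOM"
	iptables -A "${chain}" -j "${chain}_CUSTOM"

	# Intrusion Prevention System (packets entering via the zone only).
	iptables_chain_create "${chain}_IPS"
	iptables -A "${chain}" -i "${zone}" -j "${chain}_IPS"

	# Rules for incoming packets.
	iptables_chain_create "${chain}_RULES_INC"
	iptables -A "${chain}" -i "${zone}" -j "${chain}_RULES_INC"

	# Rules for outgoing packets.
	iptables_chain_create "${chain}_RULES_OUT"
	iptables -A "${chain}" -o "${zone}" -j "${chain}_RULES_OUT"

	# Policy rules: the last jump in the filter chain, so whatever
	# policy_allow_all() appends here is consulted after all other rules.
	iptables_chain_create "${chain}_POLICY"
	iptables -A "${chain}" -j "${chain}_POLICY"

	# Mangle table: carries the QoS chains below.
	iptables_chain_create -t mangle "${chain}"
	iptables -t mangle -A PREROUTING -i "${zone}" -j "${chain}"
	iptables -t mangle -A POSTROUTING -o "${zone}" -j "${chain}"

	# Quality of Service
	iptables_chain_create -t mangle "${chain}_QOS_INC"
	iptables -t mangle -A "${chain}" -i "${zone}" -j "${chain}_QOS_INC"
	iptables_chain_create -t mangle "${chain}_QOS_OUT"
	iptables -t mangle -A "${chain}" -o "${zone}" -j "${chain}_QOS_OUT"

	# NAT table (IPv4 only, hence -4).
	iptables_chain_create -4 -t nat "${chain}"
	iptables -4 -t nat -A PREROUTING -i "${zone}" -j "${chain}"
	iptables -4 -t nat -A POSTROUTING -o "${zone}" -j "${chain}"

	# Network Address Translation
	iptables_chain_create -4 -t nat "${chain}_NAT"
	iptables -4 -t nat -A "${chain}" -i "${zone}" -j "${chain}_NAT"

	# Port forwarding
	iptables_chain_create -4 -t nat "${chain}_PORTFW"
	iptables -4 -t nat -A "${chain}" -i "${zone}" -j "${chain}_PORTFW"

	# UPNP
	iptables_chain_create -4 -t nat "${chain}_UPNP"
	iptables -4 -t nat -A "${chain}" -j "${chain}_UPNP"

	# After the chains that are always available have been
	# created, we will add a custom policy to every single
	# zone.

	# Local zones are currently allowed to access everything.
	if zone_is_local "${zone}"; then
		policy_allow_all "${zone}" "${chain}"

	# Uplink connections are not: nothing is accepted in the policy
	# chain, so their packets fall through to the default policy of
	# the built-in chains (see policy_drop_all).
	else
		policy_drop_all "${zone}" "${chain}"	# XXX TODO
	fi

	# Import all configured rules and those things.
	policy_import_all_rules "${zone}" "${chain}"
}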
103 | ||
function policy_add_localhost() {
	# Allow all traffic on the loopback interface in both directions.
	# Takes no arguments.
	local loopback="lo"

	log DEBUG "Creating firewall policy for localhost..."

	# Accept everything that enters or leaves via the loopback device.
	iptables -A INPUT -i "${loopback}" -j ACCEPT
	iptables -A OUTPUT -o "${loopback}" -j ACCEPT
}
111 | ||
function policy_allow_all() {
	# Accept every packet that reaches the policy chain of a zone.
	#
	# Arguments:
	#   $1  zone   - zone name; must be set, but is only validated here.
	#   $2  chain  - base chain name of the zone (ZONE_<NAME>); the rule
	#                is appended to "<chain>_POLICY".
	local zone="${1}"
	local chain="${2}"

	assert isset zone
	assert isset chain

	# One catch-all rule at the end of the policy chain.
	iptables -A "${chain}_POLICY" -j ACCEPT
}
122 | |
function policy_drop_all() {
	# Intentionally a no-op: packets that no rule accepts fall through
	# to the default policy of the INPUT/OUTPUT/FORWARD chains, which
	# is set elsewhere (not in this file). Takes no arguments and
	# always succeeds.
	return 0
}
128 | ||
function policy_import_all_rules() {
	# Populate the chains of a zone with its configured rules.
	#
	# Arguments:
	#   $1  zone   - zone name; must be set.
	#   $2  chain  - base chain name of the zone; must be set.
	#
	# The import itself is not implemented yet, so this currently only
	# validates its arguments.
	local zone="${1}"
	local chain="${2}"

	assert isset zone
	assert isset chain

	# XXX TODO - import the configured rules into the zone's chains.
}