1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2012 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
policy_zone_add() {
	# Install the base policy for a zone: IPv4 masquerading when the zone
	# settings ask for it, and an allow or deny policy towards every other
	# zone depending on whether that zone is listed in FRIEND_ZONES.
	#
	# Arguments:
	#   $1 - name of the zone to set up
	local zone="${1}"
	assert isset zone

	# Pull the zone's settings into function-local variables (presumably
	# including MASQUERADE4 and FRIEND_ZONES, which are read below).
	local ${FIREWALL_ZONE_SETTINGS}
	firewall_zone_read "${zone}"

	# Masquerading is opt-in per zone.
	if enabled MASQUERADE4; then
		policy_zone_masquerade4 "${zone}"
	fi

	# Cross-zone traffic: only zones explicitly listed as friends are
	# allowed, everything else gets the deny policy (default deny).
	local peer
	for peer in $(zones_get_all); do
		if ! list_match "${peer}" ${FRIEND_ZONES}; then
			policy_zone_deny_all "${zone}" "${peer}"
			continue
		fi

		policy_zone_allow_all "${zone}" "${peer}"
	done
}
44 | ||
policy_zone_masquerade4() {
	# Enable source NAT (masquerading) for IPv4 packets leaving ${zone}.
	#
	# Arguments:
	#   $1 - zone whose outgoing IPv4 traffic is masqueraded
	local zone="${1}"
	assert isset zone

	# The rule is appended to the zone's SNAT chain in the nat table
	# (the chain itself is presumably created elsewhere).
	local snat_chain="ZONE_${zone^^}_SNAT"

	# --random randomises the source port mapping.
	iptables -4 -t nat -A "${snat_chain}" \
		-o "${zone}" -j MASQUERADE --random
}
54 | ||
policy_zone_allow_all() {
	# Permit traffic from ${zone} to ${other_zone}: every NEW connection
	# hitting the pair's policy chain is accepted.
	#
	# Arguments:
	#   $1 - originating zone
	#   $2 - destination zone
	local zone="${1}"
	assert isset zone

	local other_zone="${2}"
	assert isset other_zone

	local policy_chain="ZONE_${zone^^}_${other_zone^^}_POLICY"

	# Only the NEW state is matched here; established/related traffic is
	# presumably handled by a generic rule elsewhere.
	iptables -A "${policy_chain}" -m conntrack --ctstate NEW -j ACCEPT
}
67 | ||
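policy_zone_deny_all() {
	# Deny traffic from ${zone} to ${other_zone} by appending a catch-all
	# DROP to the pair's policy chain.  Counterpart of
	# policy_zone_allow_all, which accepts new connections instead.
	#
	# Arguments:
	#   $1 - originating zone
	#   $2 - destination zone
	local zone="${1}"
	assert isset zone

	local other_zone="${2}"
	assert isset other_zone

	local chain="ZONE_${zone^^}_${other_zone^^}_POLICY"

	# Drop everything that reaches this point of the chain.  No LOG
	# target precedes it, so dropped packets are not recorded here.
	iptables -A "${chain}" -j DROP
}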
80 | ||
policy_drop_all() {
	# Intentionally a no-op: dropping everything is already the default
	# policy of the INPUT/OUTPUT/FORWARD chains, so there is no rule to
	# install.  Kept as a function so callers have a uniform interface.
	return 0
}
86 | ||
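policy_import_all_rules() {
	# Populate the chains of ${chain} with the custom rules stored for
	# ${zone}.
	#
	# NOTE: the actual import (firewall_parse_rules) is still commented
	# out below, so at the moment this only resolves and validates the
	# location of the zone's rules file.
	#
	# Arguments:
	#   $1 - zone whose rules file is used
	#   $2 - chain prefix the rules would be appended to
	local zone="${1}"
	assert isset zone

	local chain="${2}"
	assert isset chain

	# Declare and assign separately so the exit status of
	# firewall_zone_dir is not hidden behind "local" (shellcheck SC2155);
	# assert then checks that a non-empty directory came back.
	local zone_dir
	zone_dir=$(firewall_zone_dir "${zone}")
	assert isset zone_dir

	local rulesfile="${zone_dir}/rules"

	#firewall_parse_rules "${rulesfile}" \
	#	-A ${chain}_RULES_INC
}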
105 | ||
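policy_load() {
	# Install the policy for traffic travelling from ${zone_from} to
	# ${zone_to} into ${chain}.
	#
	# Only two cases append a rule: traffic that stays within one zone,
	# and traffic originating from a local zone.  Every other zone pair
	# falls through without touching the chain, so whatever the chain
	# already holds decides (presumably the default DROP mentioned in
	# policy_drop_all).
	#
	# Arguments:
	#   $1 - source zone
	#   $2 - destination zone
	#   $3 - chain the ACCEPT rule is appended to
	#
	# Returns: EXIT_OK in every case.
	local zone_from="${1}"
	assert isset zone_from

	local zone_to="${2}"
	assert isset zone_to

	local chain="${3}"
	assert isset chain

	# Traffic that leaves through the interface it came in on is accepted
	# (routes with the same incoming and outgoing interface).
	if [ "${zone_from}" = "${zone_to}" ]; then
		iptables -A "${chain}" -j ACCEPT
		return ${EXIT_OK}
	fi

	# Local zones (GREEN) may access everything.
	if zone_is_local "${zone_from}"; then
		iptables -A "${chain}" -j ACCEPT
		return ${EXIT_OK}
	fi

	# No rule for this pair.  Return explicitly instead of leaking the
	# status of the last test, so callers see a uniform result.
	return ${EXIT_OK}
}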