]>
Commit | Line | Data |
---|---|---|
3a1019f6 MT |
1 | #!/bin/sh |
2 | ||
3 | eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) | |
4 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) | |
5 | IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` | |
6 | ||
7 | if [ -f /var/ipfire/red/device ]; then | |
8 | DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
9 | fi | |
10 | ||
11 | iptables_init() { | |
12 | # Flush all rules and delete all custom chains | |
13 | /sbin/iptables -F | |
14 | /sbin/iptables -t nat -F | |
15 | /sbin/iptables -t mangle -F | |
16 | /sbin/iptables -X | |
17 | /sbin/iptables -t nat -X | |
18 | /sbin/iptables -t mangle -X | |
19 | ||
20 | # Set up policies | |
21 | /sbin/iptables -P INPUT DROP | |
22 | /sbin/iptables -P FORWARD DROP | |
23 | /sbin/iptables -P OUTPUT ACCEPT | |
24 | ||
25 | # Empty LOG_DROP and LOG_REJECT chains | |
26 | /sbin/iptables -N LOG_DROP | |
27 | /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG | |
28 | /sbin/iptables -A LOG_DROP -j DROP | |
29 | /sbin/iptables -N LOG_REJECT | |
30 | /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG | |
31 | /sbin/iptables -A LOG_REJECT -j REJECT | |
32 | ||
33 | # This chain will log, then DROPs packets with certain bad combinations | |
34 | # of flags might indicate a port-scan attempt (xmas, null, etc) | |
35 | /sbin/iptables -N PSCAN | |
36 | /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? " | |
37 | /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? " | |
38 | /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? " | |
39 | /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? " | |
40 | /sbin/iptables -A PSCAN -j DROP | |
41 | ||
42 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
43 | # that's not covered above, may just be a broken windows machine | |
44 | /sbin/iptables -N NEWNOTSYN | |
45 | /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "NEW not SYN? " | |
46 | /sbin/iptables -A NEWNOTSYN -j DROP | |
47 | ||
48 | # Chain to contain all the rules relating to bad TCP flags | |
49 | /sbin/iptables -N BADTCP | |
50 | ||
51 | # Disallow packets frequently used by port-scanners | |
52 | # nmap xmas | |
53 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
54 | # Null | |
55 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
56 | # FIN | |
57 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN | |
58 | # SYN/RST (also catches xmas variants that set SYN+RST+...) | |
59 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN | |
60 | # SYN/FIN (QueSO or nmap OS probe) | |
61 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN | |
62 | # NEW TCP without SYN | |
63 | /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN | |
64 | ||
65 | /sbin/iptables -A INPUT -j BADTCP | |
66 | /sbin/iptables -A FORWARD -j BADTCP | |
67 | ||
68 | } | |
69 | ||
70 | iptables_red() { | |
71 | /sbin/iptables -F REDINPUT | |
72 | /sbin/iptables -F REDFORWARD | |
73 | /sbin/iptables -t nat -F REDNAT | |
74 | ||
75 | # PPPoE / PPTP Device | |
76 | if [ "$IFACE" != "" ]; then | |
77 | # PPPoE / PPTP | |
78 | if [ "$DEVICE" != "" ]; then | |
79 | /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT | |
80 | fi | |
81 | if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then | |
82 | if [ "$RED_DEV" != "" ]; then | |
83 | /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT | |
84 | fi | |
85 | fi | |
86 | fi | |
87 | ||
88 | # PPTP over DHCP | |
89 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
90 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
91 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
92 | fi | |
93 | ||
94 | # Orange pinholes | |
95 | if [ "$ORANGE_DEV" != "" ]; then | |
96 | # This rule enables a host on ORANGE network to connect to the outside | |
97 | # (only if we have a red connection) | |
98 | if [ "$IFACE" != "" ]; then | |
99 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p tcp -o $IFACE -j ACCEPT | |
100 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p udp -o $IFACE -j ACCEPT | |
101 | fi | |
102 | fi | |
103 | ||
104 | if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then | |
105 | # DHCP | |
106 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
107 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
108 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
109 | fi | |
110 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
111 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
112 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
113 | fi | |
114 | ||
115 | # Outgoing masquerading | |
116 | /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE | |
117 | ||
118 | fi | |
119 | } | |
120 | ||
121 | # See how we were called. | |
122 | case "$1" in | |
123 | start) | |
124 | iptables_init | |
125 | ||
126 | # Limit Packets- helps reduce dos/syn attacks | |
127 | # original do nothing line | |
128 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec | |
129 | # the correct one, but the negative '!' do nothing... | |
130 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit ! --limit 10/sec -j DROP | |
131 | ||
132 | # Fix for braindead ISP's | |
133 | /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
134 | ||
135 | # CUSTOM chains, can be used by the users themselves | |
136 | /sbin/iptables -N CUSTOMINPUT | |
137 | /sbin/iptables -A INPUT -j CUSTOMINPUT | |
138 | /sbin/iptables -N CUSTOMFORWARD | |
139 | /sbin/iptables -A FORWARD -j CUSTOMFORWARD | |
140 | /sbin/iptables -N CUSTOMOUTPUT | |
141 | /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT | |
142 | /sbin/iptables -t nat -N CUSTOMPREROUTING | |
143 | /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
144 | /sbin/iptables -t nat -N CUSTOMPOSTROUTING | |
145 | /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
146 | ||
147 | # filtering from GUI | |
148 | /sbin/iptables -N GUIINPUT | |
149 | /sbin/iptables -A INPUT -j GUIINPUT | |
150 | ||
151 | # Accept everything connected | |
152 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
153 | /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
5fd30232 MT |
154 | |
155 | # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything | |
156 | /sbin/iptables -N IPSECVIRTUAL | |
157 | /sbin/iptables -N OPENSSLVIRTUAL | |
158 | /sbin/iptables -A INPUT -j IPSECVIRTUAL | |
159 | /sbin/iptables -A INPUT -j OPENSSLVIRTUAL | |
160 | /sbin/iptables -A FORWARD -j IPSECVIRTUAL | |
161 | /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL | |
3a1019f6 MT |
162 | |
163 | # localhost and ethernet. | |
164 | /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT | |
165 | /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo | |
166 | /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP | |
167 | /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT | |
168 | /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP | |
169 | /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP | |
170 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT -p ! icmp | |
171 | /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT | |
172 | ||
173 | # If a host on orange tries to initiate a connection to IPFire's red IP and | |
174 | # the connection gets DNATed back through a port forward to a server on orange | |
175 | # we end up with orange -> orange traffic passing through IPFire | |
176 | [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT | |
177 | ||
3a1019f6 MT |
178 | # allow DHCP on BLUE to be turned on/off |
179 | /sbin/iptables -N DHCPBLUEINPUT | |
180 | /sbin/iptables -A INPUT -j DHCPBLUEINPUT | |
181 | ||
5fd30232 MT |
182 | # IPSec |
183 | /sbin/iptables -N IPSECPHYSICAL | |
184 | /sbin/iptables -A INPUT -j IPSECPHYSICAL | |
185 | ||
186 | # OPenSSL | |
187 | /sbin/iptables -N OPENSSLPHYSICAL | |
188 | /sbin/iptables -A INPUT -j OPENSSLPHYSICAL | |
3a1019f6 MT |
189 | |
190 | # WIRELESS chains | |
191 | /sbin/iptables -N WIRELESSINPUT | |
192 | /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT | |
193 | /sbin/iptables -N WIRELESSFORWARD | |
194 | /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD | |
195 | ||
196 | # RED chain, used for the red interface | |
197 | /sbin/iptables -N REDINPUT | |
198 | /sbin/iptables -A INPUT -j REDINPUT | |
199 | /sbin/iptables -N REDFORWARD | |
200 | /sbin/iptables -A FORWARD -j REDFORWARD | |
201 | /sbin/iptables -t nat -N REDNAT | |
202 | /sbin/iptables -t nat -A POSTROUTING -j REDNAT | |
203 | ||
204 | iptables_red | |
205 | ||
206 | # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow | |
207 | # ORANGE to talk to GREEN / BLUE. | |
208 | /sbin/iptables -N DMZHOLES | |
209 | if [ "$ORANGE_DEV" != "" ]; then | |
210 | /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES | |
211 | fi | |
212 | ||
213 | # XTACCESS chain, used for external access | |
214 | /sbin/iptables -N XTACCESS | |
215 | /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS | |
216 | ||
217 | # PORTFWACCESS chain, used for portforwarding | |
218 | /sbin/iptables -N PORTFWACCESS | |
219 | /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS | |
220 | ||
221 | # Custom prerouting chains (for transparent proxy and port forwarding) | |
222 | /sbin/iptables -t nat -N SQUID | |
223 | /sbin/iptables -t nat -A PREROUTING -j SQUID | |
224 | /sbin/iptables -t nat -N PORTFW | |
225 | /sbin/iptables -t nat -A PREROUTING -j PORTFW | |
226 | ||
7e7495b3 MT |
227 | # upnp chain for our upnp daemon |
228 | /sbin/iptables -t nat -N UPNPFW | |
229 | /sbin/iptables -t nat -A PREROUTING -j UPNPFW | |
230 | ||
3a1019f6 MT |
231 | |
232 | # Custom mangle chain (for port fowarding) | |
233 | /sbin/iptables -t mangle -N PORTFWMANGLE | |
234 | /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE | |
235 | ||
236 | # Postrouting rules (for port forwarding) | |
237 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ | |
238 | --to-source $GREEN_ADDRESS | |
239 | if [ "$BLUE_DEV" != "" ]; then | |
240 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS | |
241 | fi | |
242 | if [ "$ORANGE_DEV" != "" ]; then | |
243 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS | |
244 | fi | |
245 | ||
246 | # run openvpn | |
247 | /usr/local/bin/openvpnctrl --create-chains-and-rules | |
248 | ||
249 | # run local firewall configuration, if present | |
250 | if [ -x /etc/sysconfig/firewall.local ]; then | |
251 | /etc/sysconfig/firewall.local start | |
252 | fi | |
253 | ||
254 | # last rule in input and forward chain is for logging. | |
255 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " | |
256 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " | |
257 | ;; | |
258 | stop) | |
259 | iptables_init | |
260 | # Accept everyting connected | |
261 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
262 | ||
263 | # localhost and ethernet. | |
264 | /sbin/iptables -A INPUT -i lo -j ACCEPT | |
265 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT | |
266 | ||
267 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
268 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
269 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
270 | fi | |
271 | if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then | |
272 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
273 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
274 | fi | |
275 | ||
276 | # stop openvpn | |
277 | /usr/local/bin/openvpnctrl --delete-chains-and-rules | |
278 | ||
279 | # run local firewall configuration, if present | |
280 | if [ -x /etc/sysconfig/firewall.local ]; then | |
281 | /etc/sysconfig/firewall.local stop | |
282 | fi | |
283 | ||
284 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " | |
285 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " | |
286 | ;; | |
287 | reload) | |
288 | iptables_red | |
289 | ||
290 | # run local firewall configuration, if present | |
291 | if [ -x /etc/sysconfig/firewall.local ]; then | |
292 | /etc/sysconfig/firewall.local reload | |
293 | fi | |
294 | ;; | |
295 | restart) | |
296 | $0 stop | |
297 | $0 start | |
298 | ;; | |
299 | *) | |
300 | echo "Usage: $0 {start|stop|reload|restart}" | |
301 | exit 1 | |
302 | ;; | |
303 | esac | |
304 | ||
305 | exit 0 |