]>
Commit | Line | Data |
---|---|---|
cd1a2927 MT |
1 | #!/bin/sh |
2 | # | |
3 | # $Id: rc.firewall,v 1.7.2.20 2006/01/12 01:24:30 franck78 Exp $ | |
4 | # | |
5 | ||
6 | eval $(/usr/local/bin/readhash CONFIG_ROOT/ppp/settings) | |
7 | eval $(/usr/local/bin/readhash CONFIG_ROOT/ethernet/settings) | |
8 | IFACE=`/bin/cat CONFIG_ROOT/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` | |
9 | ||
10 | if [ -f CONFIG_ROOT/red/device ]; then | |
11 | DEVICE=`/bin/cat CONFIG_ROOT/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
12 | fi | |
13 | ||
14 | iptables_init() { | |
15 | # Flush all rules and delete all custom chains | |
16 | /sbin/iptables -F | |
17 | /sbin/iptables -t nat -F | |
18 | /sbin/iptables -t mangle -F | |
19 | /sbin/iptables -X | |
20 | /sbin/iptables -t nat -X | |
21 | /sbin/iptables -t mangle -X | |
22 | ||
23 | # Set up policies | |
24 | /sbin/iptables -P INPUT DROP | |
25 | /sbin/iptables -P FORWARD DROP | |
26 | /sbin/iptables -P OUTPUT ACCEPT | |
27 | ||
28 | # Empty LOG_DROP and LOG_REJECT chains | |
29 | /sbin/iptables -N LOG_DROP | |
30 | /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG | |
31 | /sbin/iptables -A LOG_DROP -j DROP | |
32 | /sbin/iptables -N LOG_REJECT | |
33 | /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG | |
34 | /sbin/iptables -A LOG_REJECT -j REJECT | |
35 | ||
36 | # This chain will log, then DROPs packets with certain bad combinations | |
37 | # of flags might indicate a port-scan attempt (xmas, null, etc) | |
38 | /sbin/iptables -N PSCAN | |
39 | /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? " | |
40 | /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? " | |
41 | /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? " | |
42 | /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? " | |
43 | /sbin/iptables -A PSCAN -j DROP | |
44 | ||
45 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
46 | # that's not covered above, may just be a broken windows machine | |
47 | /sbin/iptables -N NEWNOTSYN | |
48 | /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "NEW not SYN? " | |
49 | /sbin/iptables -A NEWNOTSYN -j DROP | |
50 | ||
51 | # Chain to contain all the rules relating to bad TCP flags | |
52 | /sbin/iptables -N BADTCP | |
53 | ||
54 | # Disallow packets frequently used by port-scanners | |
55 | # nmap xmas | |
56 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
57 | # Null | |
58 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
59 | # FIN | |
60 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN | |
61 | # SYN/RST (also catches xmas variants that set SYN+RST+...) | |
62 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN | |
63 | # SYN/FIN (QueSO or nmap OS probe) | |
64 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN | |
65 | # NEW TCP without SYN | |
66 | /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN | |
67 | ||
68 | /sbin/iptables -A INPUT -j BADTCP | |
69 | /sbin/iptables -A FORWARD -j BADTCP | |
70 | ||
71 | } | |
72 | ||
73 | iptables_red() { | |
74 | /sbin/iptables -F REDINPUT | |
75 | /sbin/iptables -F REDFORWARD | |
76 | /sbin/iptables -t nat -F REDNAT | |
77 | ||
78 | # PPPoE / PPTP Device | |
79 | if [ "$IFACE" != "" ]; then | |
80 | # PPPoE / PPTP | |
81 | if [ "$DEVICE" != "" ]; then | |
82 | /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT | |
83 | fi | |
84 | if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then | |
85 | if [ "$RED_DEV" != "" ]; then | |
86 | /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT | |
87 | fi | |
88 | fi | |
89 | fi | |
90 | ||
91 | # PPTP over DHCP | |
92 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
93 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
94 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
95 | fi | |
96 | ||
97 | # Orange pinholes | |
98 | if [ "$ORANGE_DEV" != "" ]; then | |
99 | # This rule enables a host on ORANGE network to connect to the outside | |
100 | # (only if we have a red connection) | |
101 | if [ "$IFACE" != "" ]; then | |
102 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p tcp -o $IFACE -j ACCEPT | |
103 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p udp -o $IFACE -j ACCEPT | |
104 | fi | |
105 | fi | |
106 | ||
107 | if [ "$IFACE" != "" -a -f CONFIG_ROOT/red/active ]; then | |
108 | # DHCP | |
109 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
110 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
111 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
112 | fi | |
113 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
114 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
115 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
116 | fi | |
117 | ||
118 | # Outgoing masquerading | |
119 | /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE | |
120 | ||
121 | fi | |
122 | } | |
123 | ||
124 | # See how we were called. | |
125 | case "$1" in | |
126 | start) | |
127 | iptables_init | |
128 | ||
129 | # Limit Packets- helps reduce dos/syn attacks | |
130 | # original do nothing line | |
131 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec | |
132 | # the correct one, but the negative '!' do nothing... | |
133 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit ! --limit 10/sec -j DROP | |
134 | ||
135 | # Fix for braindead ISP's | |
136 | /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
137 | ||
138 | # CUSTOM chains, can be used by the users themselves | |
139 | /sbin/iptables -N CUSTOMINPUT | |
140 | /sbin/iptables -A INPUT -j CUSTOMINPUT | |
141 | /sbin/iptables -N CUSTOMFORWARD | |
142 | /sbin/iptables -A FORWARD -j CUSTOMFORWARD | |
143 | /sbin/iptables -N CUSTOMOUTPUT | |
144 | /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT | |
145 | /sbin/iptables -t nat -N CUSTOMPREROUTING | |
146 | /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
147 | /sbin/iptables -t nat -N CUSTOMPOSTROUTING | |
148 | /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
149 | ||
150 | # filtering from GUI | |
151 | /sbin/iptables -N GUIINPUT | |
152 | /sbin/iptables -A INPUT -j GUIINPUT | |
153 | ||
154 | # Accept everything connected | |
155 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
156 | /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
157 | ||
158 | # localhost and ethernet. | |
159 | /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT | |
160 | /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo | |
161 | /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP | |
162 | /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT | |
163 | /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP | |
164 | /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP | |
165 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT -p ! icmp | |
166 | /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT | |
167 | ||
5fcb6d5a | 168 | # If a host on orange tries to initiate a connection to IPFire's red IP and |
cd1a2927 | 169 | # the connection gets DNATed back through a port forward to a server on orange |
5fcb6d5a | 170 | # we end up with orange -> orange traffic passing through IPFire |
cd1a2927 MT |
171 | [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT |
172 | ||
173 | # accept all traffic from ipsec interfaces | |
174 | /sbin/iptables -A INPUT -i ipsec+ -j ACCEPT | |
175 | /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT | |
176 | ||
177 | # allow DHCP on BLUE to be turned on/off | |
178 | /sbin/iptables -N DHCPBLUEINPUT | |
179 | /sbin/iptables -A INPUT -j DHCPBLUEINPUT | |
180 | ||
181 | # IPSec chains | |
182 | /sbin/iptables -N IPSECRED | |
183 | /sbin/iptables -A INPUT -j IPSECRED | |
184 | /sbin/iptables -N IPSECBLUE | |
185 | /sbin/iptables -A INPUT -j IPSECBLUE | |
186 | ||
187 | # WIRELESS chains | |
188 | /sbin/iptables -N WIRELESSINPUT | |
189 | /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT | |
190 | /sbin/iptables -N WIRELESSFORWARD | |
191 | /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD | |
192 | ||
193 | # RED chain, used for the red interface | |
194 | /sbin/iptables -N REDINPUT | |
195 | /sbin/iptables -A INPUT -j REDINPUT | |
196 | /sbin/iptables -N REDFORWARD | |
197 | /sbin/iptables -A FORWARD -j REDFORWARD | |
198 | /sbin/iptables -t nat -N REDNAT | |
199 | /sbin/iptables -t nat -A POSTROUTING -j REDNAT | |
200 | ||
201 | iptables_red | |
202 | ||
203 | # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow | |
204 | # ORANGE to talk to GREEN / BLUE. | |
205 | /sbin/iptables -N DMZHOLES | |
206 | if [ "$ORANGE_DEV" != "" ]; then | |
207 | /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES | |
208 | fi | |
209 | ||
210 | # XTACCESS chain, used for external access | |
211 | /sbin/iptables -N XTACCESS | |
212 | /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS | |
213 | ||
214 | # PORTFWACCESS chain, used for portforwarding | |
215 | /sbin/iptables -N PORTFWACCESS | |
216 | /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS | |
217 | ||
218 | # Custom prerouting chains (for transparent proxy and port forwarding) | |
219 | /sbin/iptables -t nat -N SQUID | |
220 | /sbin/iptables -t nat -A PREROUTING -j SQUID | |
221 | /sbin/iptables -t nat -N PORTFW | |
222 | /sbin/iptables -t nat -A PREROUTING -j PORTFW | |
223 | ||
224 | ||
225 | # Custom mangle chain (for port fowarding) | |
226 | /sbin/iptables -t mangle -N PORTFWMANGLE | |
227 | /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE | |
228 | ||
229 | # Postrouting rules (for port forwarding) | |
230 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ | |
231 | --to-source $GREEN_ADDRESS | |
232 | if [ "$BLUE_DEV" != "" ]; then | |
233 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS | |
234 | fi | |
235 | if [ "$ORANGE_DEV" != "" ]; then | |
236 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS | |
237 | fi | |
238 | ||
6e13d0a5 MT |
239 | # run openvpn |
240 | /usr/local/bin/openvpnctrl --create-chains-and-rules | |
cd1a2927 MT |
241 | |
242 | # run local firewall configuration, if present | |
243 | if [ -x /etc/rc.d/rc.firewall.local ]; then | |
244 | /etc/rc.d/rc.firewall.local start | |
245 | fi | |
246 | ||
247 | # last rule in input and forward chain is for logging. | |
248 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " | |
249 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " | |
250 | ;; | |
251 | stop) | |
252 | iptables_init | |
253 | # Accept everyting connected | |
254 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
255 | ||
256 | # localhost and ethernet. | |
257 | /sbin/iptables -A INPUT -i lo -j ACCEPT | |
258 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT | |
259 | ||
260 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
261 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
262 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
263 | fi | |
264 | if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then | |
265 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
266 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
267 | fi | |
268 | ||
6e13d0a5 MT |
269 | # stop openvpn |
270 | /usr/local/bin/openvpnctrl --delete-chains-and-rules | |
271 | ||
cd1a2927 MT |
272 | # run local firewall configuration, if present |
273 | if [ -x /etc/rc.d/rc.firewall.local ]; then | |
274 | /etc/rc.d/rc.firewall.local stop | |
275 | fi | |
276 | ||
277 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT " | |
278 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT " | |
279 | ;; | |
280 | reload) | |
281 | iptables_red | |
282 | ||
283 | # run local firewall configuration, if present | |
284 | if [ -x /etc/rc.d/rc.firewall.local ]; then | |
285 | /etc/rc.d/rc.firewall.local reload | |
286 | fi | |
287 | ;; | |
288 | restart) | |
289 | $0 stop | |
290 | $0 start | |
291 | ;; | |
292 | *) | |
293 | echo "Usage: $0 {start|stop|reload|restart}" | |
294 | exit 1 | |
295 | ;; | |
296 | esac | |
297 | ||
298 | exit 0 |