]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | ||
3 | . /etc/sysconfig/rc | |
4 | . ${rc_functions} | |
5 | ||
6 | eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) | |
7 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) | |
8 | eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) | |
9 | IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` | |
10 | ||
11 | if [ -f /var/ipfire/red/device ]; then | |
12 | DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
13 | fi | |
14 | ||
15 | function iptables() { | |
16 | /sbin/iptables --wait "$@" | |
17 | } | |
18 | ||
19 | iptables_init() { | |
20 | # Flush all rules and delete all custom chains | |
21 | iptables -F | |
22 | iptables -t nat -F | |
23 | iptables -t mangle -F | |
24 | iptables -X | |
25 | iptables -t nat -X | |
26 | iptables -t mangle -X | |
27 | ||
28 | # Set up policies | |
29 | iptables -P INPUT DROP | |
30 | iptables -P FORWARD DROP | |
31 | iptables -P OUTPUT ACCEPT | |
32 | ||
33 | # Empty LOG_DROP and LOG_REJECT chains | |
34 | iptables -N LOG_DROP | |
35 | iptables -A LOG_DROP -m limit --limit 10/minute -j LOG | |
36 | iptables -A LOG_DROP -j DROP | |
37 | iptables -N LOG_REJECT | |
38 | iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG | |
39 | iptables -A LOG_REJECT -j REJECT | |
40 | ||
41 | # This chain will log, then DROPs packets with certain bad combinations | |
42 | # of flags might indicate a port-scan attempt (xmas, null, etc) | |
43 | iptables -N PSCAN | |
44 | if [ "$DROPPORTSCAN" == "on" ]; then | |
45 | iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" | |
46 | iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" | |
47 | iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" | |
48 | iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" | |
49 | fi | |
50 | iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" | |
51 | ||
52 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
53 | # that's not covered above, may just be a broken windows machine | |
54 | iptables -N NEWNOTSYN | |
55 | if [ "$DROPNEWNOTSYN" == "on" ]; then | |
56 | iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " | |
57 | fi | |
58 | iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" | |
59 | ||
60 | # Chain to contain all the rules relating to bad TCP flags | |
61 | iptables -N BADTCP | |
62 | ||
63 | # Don't check loopback | |
64 | iptables -A BADTCP -i lo -j RETURN | |
65 | ||
66 | # Disallow packets frequently used by port-scanners | |
67 | # nmap xmas | |
68 | iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
69 | # Null | |
70 | iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
71 | # FIN | |
72 | iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN | |
73 | # SYN/RST (also catches xmas variants that set SYN+RST+...) | |
74 | iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN | |
75 | # SYN/FIN (QueSO or nmap OS probe) | |
76 | iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN | |
77 | # NEW TCP without SYN | |
78 | iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN | |
79 | ||
80 | iptables -A INPUT -p tcp -j BADTCP | |
81 | iptables -A FORWARD -p tcp -j BADTCP | |
82 | ||
83 | # Connection tracking chain | |
84 | iptables -N CONNTRACK | |
85 | iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
86 | ||
87 | # Fix for braindead ISP's | |
88 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
89 | ||
90 | # CUSTOM chains, can be used by the users themselves | |
91 | iptables -N CUSTOMINPUT | |
92 | iptables -A INPUT -j CUSTOMINPUT | |
93 | iptables -N CUSTOMFORWARD | |
94 | iptables -A FORWARD -j CUSTOMFORWARD | |
95 | iptables -N CUSTOMOUTPUT | |
96 | iptables -A OUTPUT -j CUSTOMOUTPUT | |
97 | iptables -t nat -N CUSTOMPREROUTING | |
98 | iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
99 | iptables -t nat -N CUSTOMPOSTROUTING | |
100 | iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
101 | ||
102 | # Guardian (IPS) chains | |
103 | iptables -N GUARDIAN | |
104 | iptables -A INPUT -j GUARDIAN | |
105 | iptables -A FORWARD -j GUARDIAN | |
106 | ||
107 | # Block OpenVPN transfer networks | |
108 | iptables -N OVPNBLOCK | |
109 | iptables -A INPUT -i tun+ -j OVPNBLOCK | |
110 | iptables -A OUTPUT -o tun+ -j OVPNBLOCK | |
111 | iptables -A FORWARD -i tun+ -j OVPNBLOCK | |
112 | iptables -A FORWARD -o tun+ -j OVPNBLOCK | |
113 | ||
114 | # OpenVPN transfer network translation | |
115 | iptables -t nat -N OVPNNAT | |
116 | iptables -t nat -A POSTROUTING -j OVPNNAT | |
117 | ||
118 | # IPTV chains for IGMPPROXY | |
119 | iptables -N IPTVINPUT | |
120 | iptables -A INPUT -j IPTVINPUT | |
121 | iptables -N IPTVFORWARD | |
122 | iptables -A FORWARD -j IPTVFORWARD | |
123 | ||
124 | # filtering from GUI | |
125 | iptables -N GUIINPUT | |
126 | iptables -A INPUT -j GUIINPUT | |
127 | iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT | |
128 | ||
129 | # Accept everything on loopback | |
130 | iptables -N LOOPBACK | |
131 | iptables -A LOOPBACK -i lo -j ACCEPT | |
132 | iptables -A LOOPBACK -o lo -j ACCEPT | |
133 | ||
134 | # Filter all packets with loopback addresses on non-loopback interfaces. | |
135 | iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP | |
136 | iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP | |
137 | ||
138 | for i in INPUT FORWARD OUTPUT; do | |
139 | iptables -A ${i} -j LOOPBACK | |
140 | done | |
141 | ||
142 | # Accept everything connected | |
143 | for i in INPUT FORWARD OUTPUT; do | |
144 | iptables -A ${i} -j CONNTRACK | |
145 | done | |
146 | ||
147 | # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything | |
148 | iptables -N IPSECINPUT | |
149 | iptables -N IPSECFORWARD | |
150 | iptables -N IPSECOUTPUT | |
151 | iptables -A INPUT -j IPSECINPUT | |
152 | iptables -A FORWARD -j IPSECFORWARD | |
153 | iptables -A OUTPUT -j IPSECOUTPUT | |
154 | iptables -t nat -N IPSECNAT | |
155 | iptables -t nat -A POSTROUTING -j IPSECNAT | |
156 | ||
157 | # localhost and ethernet. | |
158 | iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp | |
159 | ||
160 | # allow DHCP on BLUE to be turned on/off | |
161 | iptables -N DHCPBLUEINPUT | |
162 | iptables -A INPUT -j DHCPBLUEINPUT | |
163 | ||
164 | # WIRELESS chains | |
165 | iptables -N WIRELESSINPUT | |
166 | iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT | |
167 | iptables -N WIRELESSFORWARD | |
168 | iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD | |
169 | ||
170 | # OpenVPN | |
171 | iptables -N OVPNINPUT | |
172 | iptables -A INPUT -j OVPNINPUT | |
173 | ||
174 | # TOR | |
175 | iptables -N TOR_INPUT | |
176 | iptables -A INPUT -j TOR_INPUT | |
177 | ||
178 | # Jump into the actual firewall ruleset. | |
179 | iptables -N INPUTFW | |
180 | iptables -A INPUT -j INPUTFW | |
181 | ||
182 | iptables -N OUTGOINGFW | |
183 | iptables -A OUTPUT -j OUTGOINGFW | |
184 | ||
185 | iptables -N FORWARDFW | |
186 | iptables -A FORWARD -j FORWARDFW | |
187 | ||
188 | # SNAT rules | |
189 | iptables -t nat -N NAT_SOURCE | |
190 | iptables -t nat -A POSTROUTING -j NAT_SOURCE | |
191 | ||
192 | # Custom prerouting chains (for transparent proxy) | |
193 | iptables -t nat -N SQUID | |
194 | iptables -t nat -A PREROUTING -j SQUID | |
195 | ||
196 | # DNAT rules | |
197 | iptables -t nat -N NAT_DESTINATION | |
198 | iptables -t nat -A PREROUTING -j NAT_DESTINATION | |
199 | iptables -t nat -A OUTPUT -j NAT_DESTINATION | |
200 | ||
201 | iptables -t mangle -N NAT_DESTINATION | |
202 | iptables -t mangle -A PREROUTING -j NAT_DESTINATION | |
203 | ||
204 | iptables -t nat -N NAT_DESTINATION_FIX | |
205 | iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX | |
206 | ||
207 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
208 | -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}" | |
209 | ||
210 | if [ -n "${BLUE_ADDRESS}" ]; then | |
211 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
212 | -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}" | |
213 | fi | |
214 | ||
215 | if [ -n "${ORANGE_ADDRESS}" ]; then | |
216 | iptables -t nat -A NAT_DESTINATION_FIX \ | |
217 | -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}" | |
218 | fi | |
219 | ||
220 | # upnp chain for our upnp daemon | |
221 | iptables -t nat -N UPNPFW | |
222 | iptables -t nat -A PREROUTING -j UPNPFW | |
223 | iptables -N UPNPFW | |
224 | iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW | |
225 | ||
226 | # RED chain, used for the red interface | |
227 | iptables -N REDINPUT | |
228 | iptables -A INPUT -j REDINPUT | |
229 | iptables -N REDFORWARD | |
230 | iptables -A FORWARD -j REDFORWARD | |
231 | iptables -t nat -N REDNAT | |
232 | iptables -t nat -A POSTROUTING -j REDNAT | |
233 | ||
234 | # Filter logging of incoming broadcasts. | |
235 | iptables -N BROADCAST_FILTER | |
236 | iptables -A INPUT -j BROADCAST_FILTER | |
237 | ||
238 | iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP | |
239 | ||
240 | if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then | |
241 | iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP | |
242 | fi | |
243 | ||
244 | if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then | |
245 | iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP | |
246 | fi | |
247 | ||
248 | # Apply OpenVPN firewall rules | |
249 | /usr/local/bin/openvpnctrl --firewall-rules | |
250 | ||
251 | # run wirelessctrl | |
252 | /usr/local/bin/wirelessctrl | |
253 | ||
254 | # POLICY CHAIN | |
255 | iptables -N POLICYIN | |
256 | iptables -A INPUT -j POLICYIN | |
257 | iptables -N POLICYFWD | |
258 | iptables -A FORWARD -j POLICYFWD | |
259 | iptables -N POLICYOUT | |
260 | iptables -A OUTPUT -j POLICYOUT | |
261 | ||
262 | # Initialize firewall policies. | |
263 | /usr/sbin/firewall-policy | |
264 | ||
265 | # Install firewall rules for the red interface. | |
266 | iptables_red | |
267 | } | |
268 | ||
269 | iptables_red() { | |
270 | iptables -F REDINPUT | |
271 | iptables -F REDFORWARD | |
272 | iptables -t nat -F REDNAT | |
273 | ||
274 | # PPPoE / PPTP Device | |
275 | if [ "$IFACE" != "" ]; then | |
276 | # PPPoE / PPTP | |
277 | if [ "$DEVICE" != "" ]; then | |
278 | iptables -A REDINPUT -i $DEVICE -j ACCEPT | |
279 | fi | |
280 | if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then | |
281 | if [ "$RED_DEV" != "" ]; then | |
282 | iptables -A REDINPUT -i $RED_DEV -j ACCEPT | |
283 | fi | |
284 | fi | |
285 | fi | |
286 | ||
287 | # PPTP over DHCP | |
288 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
289 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
290 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
291 | fi | |
292 | ||
293 | # Orange pinholes | |
294 | if [ "$ORANGE_DEV" != "" ]; then | |
295 | # This rule enables a host on ORANGE network to connect to the outside | |
296 | # (only if we have a red connection) | |
297 | if [ "$IFACE" != "" ]; then | |
298 | iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT | |
299 | fi | |
300 | fi | |
301 | ||
302 | if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then | |
303 | # DHCP | |
304 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
305 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
306 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
307 | fi | |
308 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
309 | iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
310 | iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
311 | fi | |
312 | ||
313 | # Outgoing masquerading (don't masqerade IPSEC (mark 50)) | |
314 | iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN | |
315 | ||
316 | if [ "$IFACE" != "$GREEN_DEV" ]; then | |
317 | iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE | |
318 | fi | |
319 | ||
320 | fi | |
321 | ||
322 | # Reload all rules. | |
323 | /usr/local/bin/firewallctrl | |
324 | } | |
325 | ||
326 | # See how we were called. | |
327 | case "$1" in | |
328 | start) | |
329 | boot_mesg "Loading firewall modules into the kernel" | |
330 | modprobe iptable_nat || failed=1 | |
331 | for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do | |
332 | modprobe $(basename $i | cut -d. -f1) || failed=1 | |
333 | done | |
334 | for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do | |
335 | modprobe $(basename $i | cut -d. -f1) || failed=1 | |
336 | done | |
337 | (exit ${failed}) | |
338 | evaluate_retval | |
339 | ||
340 | if [ -e /var/ipfire/main/disable_nf_sip ]; then | |
341 | rmmod nf_nat_sip | |
342 | rmmod nf_conntrack_sip | |
343 | rmmod nf_nat_h323 | |
344 | rmmod nf_conntrack_h323 | |
345 | fi | |
346 | ||
347 | boot_mesg "Setting up firewall" | |
348 | iptables_init | |
349 | evaluate_retval | |
350 | ||
351 | # run local firewall configuration, if present | |
352 | if [ -x /etc/sysconfig/firewall.local ]; then | |
353 | /etc/sysconfig/firewall.local start | |
354 | fi | |
355 | ;; | |
356 | reload) | |
357 | boot_mesg "Reloading firewall" | |
358 | iptables_red | |
359 | evaluate_retval | |
360 | ||
361 | # run local firewall configuration, if present | |
362 | if [ -x /etc/sysconfig/firewall.local ]; then | |
363 | /etc/sysconfig/firewall.local reload | |
364 | fi | |
365 | ;; | |
366 | restart) | |
367 | # run local firewall configuration, if present | |
368 | if [ -x /etc/sysconfig/firewall.local ]; then | |
369 | /etc/sysconfig/firewall.local stop | |
370 | fi | |
371 | $0 start | |
372 | ;; | |
373 | *) | |
374 | echo "Usage: $0 {start|reload|restart}" | |
375 | exit 1 | |
376 | ;; | |
377 | esac | |
378 | ||
379 | exit 0 |