###############################################################################
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2009 Michael Tremer & Christian Schmidt                       #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
###############################################################################
# firewall_init
#
# Entry point that brings up the base firewall chains. It announces the
# step with decho and then runs the two chain installers in a fixed order:
# the bad-TCP-flag filter first, then connection tracking. Keep that order:
# both installers append to INPUT/OUTPUT/FORWARD, so the flag checks end up
# ahead of the conntrack rules in those chains.
#
# Arguments: none. Returns: the exit status of the last installer.
function firewall_init() {
	decho "Initializing firewall interface."

	local installer
	for installer in firewall_tcp_state_flags firewall_connection_tracking; do
		${installer}
	done
}
# firewall_tcp_state_flags
#
# Installs the BADTCP_LOG / BADTCP chains and hooks BADTCP into the
# INPUT, OUTPUT and FORWARD chains for TCP traffic.
#
#   BADTCP_LOG  logs the packet (via iptables_LOG) and then drops it.
#   BADTCP      matches TCP flag combinations that cannot occur in a
#               legitimate connection and sends them to BADTCP_LOG.
#
# The --tcp-flags pairs are "<mask> <comp>": of the flags in <mask>, the
# ones in <comp> must be set and the rest clear. So "ALL NONE" is a packet
# with no flags at all, "SYN,FIN SYN,FIN" has both SYN and FIN set, and
# "ACK,FIN FIN" is FIN without ACK.
#
# NOTE(review): only chain_create BADTCP_LOG is visible here; the BADTCP
# chain itself is appended to below, so confirm it is created before this
# function runs (otherwise the -A BADTCP calls fail).
#
# Arguments: none. Returns: exit status of the last iptables call.
function firewall_tcp_state_flags() {
	vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."

	# Log-then-drop chain. $(iptables_LOG ...) is deliberately unquoted so
	# that the target and its options expand into separate arguments —
	# confirm against the definition of iptables_LOG.
	chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	# One rule per illegal mask/comparison pair, in the original order.
	local flag_pair
	for flag_pair in \
		"ALL NONE" \
		"SYN,FIN SYN,FIN" \
		"SYN,RST SYN,RST" \
		"FIN,RST FIN,RST" \
		"ACK,FIN FIN" \
		"ACK,PSH PSH" \
		"ACK,URG URG"; do
		# Word-splitting of ${flag_pair} is intended: mask and comparison
		# are two separate arguments to --tcp-flags.
		iptables -A BADTCP -p tcp --tcp-flags ${flag_pair} -j BADTCP_LOG
	done

	# Route all TCP traffic of the built-in chains through BADTCP.
	local hook
	for hook in INPUT OUTPUT FORWARD; do
		iptables -A ${hook} -p tcp -j BADTCP
	done
}
# firewall_connection_tracking
#
# Installs the CONNTRACK chain and hooks it into INPUT, OUTPUT and FORWARD
# for TCP traffic. The chain accepts packets belonging to an
# ESTABLISHED or RELATED connection, and logs then drops packets the
# state match classifies as INVALID (the log rule precedes the drop rule).
#
# NOTE(review): the hooks below are restricted to "-p tcp", so non-TCP
# traffic never reaches CONNTRACK from these three chains — confirm that
# other protocols get their state handling elsewhere.
#
# Arguments: none. Returns: exit status of the last iptables call.
function firewall_connection_tracking() {
	vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."

	chain_create CONNTRACK
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
	# $(iptables_LOG ...) stays unquoted on purpose: it expands to the
	# target plus its options as separate words.
	iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
	iptables -A CONNTRACK -m state --state INVALID -j DROP

	# Send TCP traffic of each built-in chain through CONNTRACK.
	local hook
	for hook in INPUT OUTPUT FORWARD; do
		iptables -A ${hook} -p tcp -j CONNTRACK
	done
}