2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
#
# Ordering is security-relevant: firewall_tcp_state_flags and
# firewall_connection_tracking each append a jump to INPUT, OUTPUT and
# FORWARD, and they are called here before the per-zone policies are added.
# Malformed TCP segments and INVALID conntrack states are therefore dropped
# before any later zone rule can see them.
#
# NOTE(review): this listing is incomplete -- the statement that initialises
# the empty ruleset, the end of the zone loop and the commit step are not
# visible here. Review the complete file before changing the call order.
function firewall_start() {
	# Initialize an empty iptables ruleset.
	firewall_tcp_state_flags
	firewall_connection_tracking
	# Add policies for every zone.
	# Relies on word splitting of zones_get_all's output; presumably zone
	# names are plain identifiers without whitespace -- confirm in the helper.
	for zone in $(zones_get_all); do
		policy_add_zone ${zone}
	# Commit the new ruleset.
# Tear the firewall down.
#
# NOTE: this fails open. With ACCEPT default policies and no rules, both
# traffic to the host and forwarded traffic are unfiltered until
# firewall_start runs again. Only call this deliberately (shutdown or
# maintenance), never as an error fallback for a failed firewall_start.
#
# NOTE(review): the body of this function is not visible in this listing.
function firewall_stop() {
	# Initialize an empty firewall ruleset
	# with default policy ACCEPT.
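# Take the global firewall lock and create the temporary workspace used
# while a ruleset is being built.
#
# Globals:   RUN_DIR (read), IPTABLES_TMPDIR (written)
# Returns:   0 on success, 1 if the temporary directory could not be
#            created (the EXIT trap is already armed at that point and
#            will release the lock when the script exits).
function firewall_lock_acquire() {
	lock_acquire "${RUN_DIR}/.firewall_lock"

	# Make sure the lock is released after the firewall
	# script has crashed or exited early.
	# SIGKILL cannot be caught, so listing KILL here has no effect; a
	# killed script leaves the lock file and the tempdir behind, and the
	# next run has to cope with a stale lock.
	trap firewall_lock_release EXIT TERM

	# Create a directory where we can put our
	# temporary data in the most secure way as possible.
	# mktemp -d creates a fresh, unpredictably named directory with mode
	# 0700. It honours TMPDIR from the environment, so the caller's
	# environment must be trusted (iptables work normally runs as root).
	# A failure here used to leave IPTABLES_TMPDIR empty while still
	# returning mktemp's status; make the failure explicit.
	IPTABLES_TMPDIR="$(mktemp -d)" || return 1
}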
# Release the firewall lock and remove the temporary workspace.
#
# Installed as the EXIT/TERM trap by firewall_lock_acquire, so it also runs
# when the script dies early. The trap is disarmed below, so an explicit
# call followed by a normal exit does not release twice.
#
# NOTE(review): the lines that reset IPTABLES_TMPDIR and close the if-block
# are not visible in this listing.
function firewall_lock_release() {
	# Presumably isset tests for a non-empty value -- confirm in the helper.
	# That guard is what keeps an empty IPTABLES_TMPDIR from producing a
	# bare `rm -rf` (which fails with "missing operand" rather than
	# deleting anything, but should still never be reached).
	if isset IPTABLES_TMPDIR; then
		# Remove all temporary data.
		# The expansion is unquoted; the value comes from mktemp and so
		# carries no whitespace, but `rm -rf -- "${IPTABLES_TMPDIR}"`
		# would be the defensive form.
		rm -rf ${IPTABLES_TMPDIR}
		# Reset the tempdir variable.
	# Disarm the trap armed by firewall_lock_acquire so this function
	# does not run a second time on exit. (KILL cannot be trapped; it is
	# listed here only to mirror the acquire side.)
	trap true EXIT TERM KILL
	lock_release ${RUN_DIR}/.firewall_lock
# Build the BADTCP chain, which logs and drops TCP segments carrying flag
# combinations no conforming TCP stack produces, and hook it into INPUT,
# OUTPUT and FORWARD so every received, sent or forwarded segment is
# inspected.
#
# Each entry is an iptables "--tcp-flags MASK COMP" pair: the flags in MASK
# are examined and the segment matches when exactly the flags in COMP are
# set among them. ALL/NONE is the null scan; SYN+FIN, SYN+RST and FIN+RST
# are contradictory; FIN, PSH or URG without ACK cannot occur once a
# connection is past the initial SYN.
#
# NOTE(review): whether iptables_LOG applies any rate limit is not visible
# here. Unthrottled logging of crafted segments is a log-flooding vector on
# a perimeter device -- confirm in the helper.
function firewall_tcp_state_flags() {
	local combo

	log INFO "Creating TCP State Flags chain..."

	# Terminal chain: log the offending segment once, then drop it.
	iptables_chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	# Classification chain: one rule per illegal MASK/COMP pair. The order
	# of the pairs is the order of the rules in the chain.
	local -a illegal_combinations=(
		"ALL NONE"         # null scan: no flag set at all
		"SYN,FIN SYN,FIN"  # open and close at the same time
		"SYN,RST SYN,RST"  # open and reset at the same time
		"FIN,RST FIN,RST"  # close and reset at the same time
		"ACK,FIN FIN"      # FIN without ACK
		"ACK,PSH PSH"      # PSH without ACK
		"ACK,URG URG"      # URG without ACK
	)

	iptables_chain_create BADTCP
	for combo in "${illegal_combinations[@]}"; do
		# "${combo%% *}" is the mask, "${combo#* }" the comparison set.
		iptables -A BADTCP -p tcp \
			--tcp-flags "${combo%% *}" "${combo#* }" -j BADTCP_LOG
	done

	# Send all TCP traffic through the new chain.
	for combo in INPUT OUTPUT FORWARD; do
		iptables -A "${combo}" -p tcp -j BADTCP
	done
}
# Build the CONNTRACK chain and hook it into INPUT, OUTPUT and FORWARD.
#
# Packets belonging to an ESTABLISHED connection, or RELATED to one, are
# accepted straight away; packets the connection tracker classifies as
# INVALID are logged and dropped. Anything else (NEW or untracked traffic)
# has no matching rule and returns to the calling chain, where the rules
# appended later -- such as the per-zone policies -- decide.
#
# NOTE(review): RELATED also admits expectations created by conntrack
# helpers (FTP, SIP, ...) for whichever helper modules are loaded; that is
# not visible here and is worth pinning down explicitly. As with
# BADTCP_LOG, the INVALID log rule is unthrottled unless iptables_LOG
# rate-limits -- confirm in the helper. "-m state" is the legacy spelling
# of "-m conntrack --ctstate"; kept as-is for compatibility.
function firewall_connection_tracking() {
	local hook

	log INFO "Creating Connection Tracking chain..."

	iptables_chain_create CONNTRACK

	# Fast path for traffic that belongs to a tracked connection.
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Anything the tracker cannot place is logged, then dropped.
	iptables -A CONNTRACK -m state --state INVALID \
		-j $(iptables_LOG "INVALID packet: ")
	iptables -A CONNTRACK -m state --state INVALID -j DROP

	# Run every packet through the new chain.
	for hook in INPUT OUTPUT FORWARD; do
		iptables -A "${hook}" -j CONNTRACK
	done
}
120 function firewall_import_portfw
() {
124 local protocol
="ipv6"
127 while [ $# -gt 0 ]; do
130 chain
=$
(cli_get_val
${1})
133 protocol
=$
(cli_get_val
${1})
138 assert isoneof protocol ipv4 ipv6
140 local allowed_chains
="filter"
141 if [ "${protocol}" = "ipv4" ]; then
142 allowed_chains
="${allowed_chains} nat"
144 assert isoneof chain
${allowed_chains}
149 while read src dst proto
; do
156 done < ${FIREWALL_CONFIG_PORTFW}