###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012 IPFire Network Development Team                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################
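function policy_add_zone() {
	# Build the per-zone chain tree in the filter, mangle and nat tables,
	# hook it into the built-in chains, and attach the zone's policy.
	#
	# Arguments:
	#   ${1} - zone name; used as the iptables interface match (-i/-o)
	#          and as the suffix of every chain name (ZONE_<zone>...).
	#
	# Returns 1 without touching any chain when no zone is given: with an
	# empty zone every command below would run against interface "" and
	# chain "ZONE_", which is never what the caller wants.
	local zone="${1}"
	if [ -z "${zone}" ]; then
		log ERROR "policy_add_zone: no zone given."
		return 1
	fi

	log DEBUG "Creating firewall policy for zone '${zone}'."

	local chain="ZONE_${zone}"

	# --- filter table ------------------------------------------------------
	# The zone chain is entered from every built-in chain a packet of this
	# zone can traverse (both directions of FORWARD).
	iptables_chain_create "${chain}"
	iptables -A INPUT   -i "${zone}" -j "${chain}"
	iptables -A FORWARD -i "${zone}" -j "${chain}"
	iptables -A FORWARD -o "${zone}" -j "${chain}"
	iptables -A OUTPUT  -o "${zone}" -j "${chain}"

	# The sub-chains are appended in a fixed order, and rule precedence
	# inside ${chain} follows directly from it:
	#   CUSTOM    - administrator rules; evaluated first so they can
	#               override _everything_ below, including IPS
	#   IPS       - intrusion prevention; incoming direction only
	#   RULES_INC - configured rules for incoming packets
	#   RULES_OUT - configured rules for outgoing packets
	#   POLICY    - the zone's default verdict; evaluated last
	# Do not reorder these appends.
	iptables_chain_create "${chain}_CUSTOM"
	iptables -A "${chain}" -j "${chain}_CUSTOM"

	iptables_chain_create "${chain}_IPS"
	iptables -A "${chain}" -i "${zone}" -j "${chain}_IPS"

	iptables_chain_create "${chain}_RULES_INC"
	iptables -A "${chain}" -i "${zone}" -j "${chain}_RULES_INC"

	iptables_chain_create "${chain}_RULES_OUT"
	iptables -A "${chain}" -o "${zone}" -j "${chain}_RULES_OUT"

	iptables_chain_create "${chain}_POLICY"
	iptables -A "${chain}" -j "${chain}_POLICY"

	# --- mangle table (QoS) ------------------------------------------------
	iptables_chain_create -t mangle "${chain}"
	iptables -t mangle -A PREROUTING  -i "${zone}" -j "${chain}"
	iptables -t mangle -A POSTROUTING -o "${zone}" -j "${chain}"

	iptables_chain_create -t mangle "${chain}_QOS_INC"
	iptables -t mangle -A "${chain}" -i "${zone}" -j "${chain}_QOS_INC"
	iptables_chain_create -t mangle "${chain}_QOS_OUT"
	iptables -t mangle -A "${chain}" -o "${zone}" -j "${chain}_QOS_OUT"

	# --- nat table ---------------------------------------------------------
	# "-4" is passed through to the iptables wrapper; presumably this
	# restricts the nat chains to IPv4 — confirm against the wrapper.
	iptables_chain_create -4 -t nat "${chain}"
	iptables -4 -t nat -A PREROUTING  -i "${zone}" -j "${chain}"
	iptables -4 -t nat -A POSTROUTING -o "${zone}" -j "${chain}"

	# Network Address Translation
	iptables_chain_create -4 -t nat "${chain}_NAT"
	iptables -4 -t nat -A "${chain}" -i "${zone}" -j "${chain}_NAT"

	# Port forwarding
	iptables_chain_create -4 -t nat "${chain}_PORTFW"
	iptables -4 -t nat -A "${chain}" -i "${zone}" -j "${chain}_PORTFW"

	# UPnP - unlike NAT/PORTFW this jump has no -i match, so it is taken
	# for both directions.
	iptables_chain_create -4 -t nat "${chain}_UPNP"
	iptables -4 -t nat -A "${chain}" -j "${chain}_UPNP"

	# After the chains that are always available have been
	# created, we will add a custom policy to every single zone.
	# Local zones are currently allowed to access everything.
	if zone_is_local "${zone}"; then
		policy_allow_all "${zone}" "${chain}"
	else
		# Uplink connections are not.
		# NOTE(review): the else branch was not visible in this rendering;
		# reconstructed from the comment above and policy_drop_all below.
		policy_drop_all "${zone}" "${chain}"
	fi

	# Import all configured rules and those things.
	policy_import_all_rules "${zone}" "${chain}"
}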
function policy_add_localhost() {
	# Policy for the loopback interface: everything entering or leaving
	# via "lo" is accepted on INPUT and OUTPUT respectively.
	# Takes no arguments.
	log DEBUG "Creating firewall policy for localhost..."

	# Accept everything on lo
	local builtin_chain iface_flag
	for builtin_chain in INPUT OUTPUT; do
		case "${builtin_chain}" in
			INPUT)
				iface_flag="-i"
				;;
			OUTPUT)
				iface_flag="-o"
				;;
		esac
		iptables -A "${builtin_chain}" "${iface_flag}" lo -j ACCEPT
	done
}
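function policy_allow_all() {
	# Policy for trusted zones: everything that reaches the zone's POLICY
	# chain is accepted.
	#
	# Arguments (matching the call site in policy_add_zone):
	#   ${1} - zone name; accepted for a uniform policy interface, unused here
	#   ${2} - base chain name (ZONE_<zone>); the rule is appended to
	#          ${2}_POLICY
	#
	# Returns 1 when no chain is given: on the page as rendered "chain"
	# was never bound, so the append would have targeted "_POLICY".
	local zone="${1}"
	local chain="${2}"

	if [ -z "${chain}" ]; then
		log ERROR "policy_allow_all: no chain given (zone '${zone}')."
		return 1
	fi

	# Just accept everything.
	iptables -A "${chain}_POLICY" -j ACCEPT
}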
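function policy_drop_all() {
	# Policy for untrusted zones (e.g. uplinks).
	#
	# Arguments (same shape as policy_allow_all):
	#   ${1} - zone name (unused)
	#   ${2} - base chain name (unused)
	#
	# Nothing to do here, because that is the
	# default policy of the INPUT/OUTPUT/FORWARD chain.
	#
	# NOTE(review): this relies on the built-in chains' default policy
	# being DROP, which is set outside this file. If it were ACCEPT, a
	# "drop all" zone would drop nothing — keep that invariant in mind
	# when touching the chain setup.
	#
	# A bash function body must contain at least one command; the
	# explicit return also makes the (success) exit status deliberate.
	return 0
}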
129 function policy_import_all_rules
() {
130 # This will populate all chains with the rules
131 # for the given zone.