]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/system/firewall
projects / ipfire-2.x.git / blob
? search:


0d5bb0061514428aa2a428e89a223f2acabeb9ca
[ipfire-2.x.git] / src / initscripts / system / firewall
1 #!/bin/sh
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 . /etc/sysconfig/rc
23 . ${rc_functions}
24
25 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
26 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
27 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
28 if [ -r "/var/ipfire/tor/settings" ]; then
29 eval $(/usr/local/bin/readhash /var/ipfire/tor/settings)
30 fi
31 IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'`
32 if [ -z $IFACE ]; then
33 IFACE="red0"
34 fi
35
36 if [ -f /var/ipfire/red/device ]; then
37 DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
38 fi
39
40 NAT_MASK="0x0f000000"
41
42 IPSET_DB_DIR="/var/lib/location/ipset"
43
44 SYNPROXY_OPTIONS=(
45 # Allow clients to use Selective ACKs
46 "--sack-perm"
47
48 # Allow TCP Timestamps
49 #"--timestamp"
50
51 # Window Scaling
52 "--wscale" "9"
53
54 # Maximum Segment Size
55 "--mss" "1460"
56 )
57
58 function iptables() {
59 /sbin/iptables --wait "$@"
60 }
61
62 iptables_init() {
63 # Flush all rules and delete all custom chains
64 iptables -F
65 iptables -t nat -F
66 iptables -t mangle -F
67 iptables -t raw -F
68 iptables -X
69 iptables -t nat -X
70 iptables -t mangle -X
71 iptables -t raw -X
72
73 # Set up policies
74 iptables -P INPUT DROP
75 iptables -P FORWARD DROP
76 iptables -P OUTPUT ACCEPT
77
78 # Enable TRACE logging to syslog
79 modprobe nf_log_ipv4
80 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
81
82 # Empty LOG_DROP and LOG_REJECT chains
83 iptables -N LOG_DROP
84 iptables -A LOG_DROP -m limit --limit 10/second -j LOG
85 iptables -A LOG_DROP -j DROP
86 iptables -N LOG_REJECT
87 iptables -A LOG_REJECT -m limit --limit 10/second -j LOG
88 iptables -A LOG_REJECT -j REJECT
89
90 # This chain will log, then DROPs packets with certain bad combinations
91 # of flags might indicate a port-scan attempt (xmas, null, etc.)
92 iptables -N PSCAN
93 if [ "$DROPPORTSCAN" == "on" ]; then
94 iptables -A PSCAN -p tcp -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
95 iptables -A PSCAN -p udp -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
96 iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
97 iptables -A PSCAN -f -m limit --limit 10/second -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
98 fi
99 iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
100
101 # New tcp packets without SYN set - could well be an obscure type of port scan
102 # that's not covered above, may just be a broken Windows machine
103 iptables -N NEWNOTSYN
104 if [ "$DROPNEWNOTSYN" == "on" ]; then
105 iptables -A NEWNOTSYN -m limit --limit 10/second -j LOG --log-prefix "DROP_NEWNOTSYN "
106 fi
107 iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
108
109 # Log and subsequently drop spoofed packets or "martians", arriving from sources
110 # on interfaces where we don't expect them
111 iptables -N SPOOFED_MARTIAN
112 if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
113 iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
114 fi
115 iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
116
117 # Chain to contain all the rules relating to bad TCP flags
118 iptables -N BADTCP
119
120 # Don't check loopback
121 iptables -A BADTCP -i lo -j RETURN
122
123 # Disallow packets frequently used by port-scanners
124 # NMAP FIN/URG/PSH (XMAS scan)
125 iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
126 # SYN/RST/ACK/FIN/URG
127 iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
128 # ALL/ALL
129 iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
130 # FIN Stealth
131 iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
132 # SYN/RST (also catches xmas variants that set SYN+RST+...)
133 iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
134 # SYN/FIN (QueSO or nmap OS probe)
135 iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
136 # Null
137 iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
138 # NEW TCP without SYN
139 iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
140
141 iptables -A INPUT -p tcp -j BADTCP
142 iptables -A FORWARD -p tcp -j BADTCP
143
144 # Connection tracking chains
145 iptables -N CTINVALID
146 if [ "$LOGDROPCTINVALID" == "on" ]; then
147 iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID "
148 fi
149 iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
150
151 iptables -N CTINPUT
152 iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
153 iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \
154 -p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}"
155 iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
156 iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
157
158 iptables -N CTOUTPUT
159 iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
160 iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
161
162 # Restore any connection marks
163 iptables -t mangle -A PREROUTING -m mark --mark 0 -j CONNMARK --restore-mark
164
165 # Fix for braindead ISPs
166 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
167
168 # CUSTOM chains, can be used by the users themselves
169 iptables -N CUSTOMINPUT
170 iptables -A INPUT -j CUSTOMINPUT
171 iptables -N CUSTOMFORWARD
172 iptables -A FORWARD -j CUSTOMFORWARD
173 iptables -N CUSTOMOUTPUT
174 iptables -A OUTPUT -j CUSTOMOUTPUT
175 iptables -t nat -N CUSTOMPREROUTING
176 iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
177 iptables -t nat -N CUSTOMPOSTROUTING
178 iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
179
180 # Chains for networks known as being hostile, posing a technical threat to our users
181 # (i. e. listed at Spamhaus DROP et al.)
182 iptables -N HOSTILE
183 iptables -A INPUT -j HOSTILE
184 iptables -A FORWARD -j HOSTILE
185 iptables -A OUTPUT -j HOSTILE
186
187 iptables -N HOSTILE_DROP_IN
188 if [ "$LOGDROPHOSTILEIN" == "on" ]; then
189 iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
190 fi
191 iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
192
193 iptables -N HOSTILE_DROP_OUT
194 if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
195 iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
196 fi
197 iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
198
199
200 # IP Address Blocklist chains
201 iptables -N BLOCKLISTIN
202 iptables -N BLOCKLISTOUT
203 iptables -A INPUT ! -p icmp -j BLOCKLISTIN
204 iptables -A FORWARD ! -p icmp -j BLOCKLISTIN
205 iptables -A FORWARD ! -p icmp -j BLOCKLISTOUT
206 iptables -A OUTPUT ! -p icmp -j BLOCKLISTOUT
207
208 # IPS (Guardian) chains
209 iptables -N GUARDIAN
210 iptables -A INPUT -j GUARDIAN
211 iptables -A FORWARD -j GUARDIAN
212
213 # Block non-established IPsec networks
214 iptables -N IPSECBLOCK
215 iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
216 iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK
217
218 # Block unauthorized WireGuard traffic
219 iptables -N WGBLOCK
220 iptables -A INPUT -i wg+ -j WGBLOCK
221 iptables -A FORWARD -i wg+ -j WGBLOCK
222
223 # NAT for WireGuard peers
224 iptables -t nat -N WGNAT
225 iptables -t nat -A POSTROUTING -j WGNAT
226
227 # Block OpenVPN transfer networks
228 iptables -N OVPNBLOCK
229 iptables -A INPUT -i tun+ -j OVPNBLOCK
230 iptables -A FORWARD -i tun+ -j OVPNBLOCK
231 iptables -A FORWARD -o tun+ -j OVPNBLOCK
232
233 # OpenVPN transfer network translation
234 iptables -t nat -N OVPNNAT
235 iptables -t nat -A POSTROUTING -j OVPNNAT
236
237 # IPTV chains for IGMPPROXY
238 iptables -N IPTVINPUT
239 iptables -A INPUT -j IPTVINPUT
240 iptables -N IPTVFORWARD
241 iptables -A FORWARD -j IPTVFORWARD
242
243 # Allow to ping the firewall.
244 iptables -N ICMPINPUT
245 iptables -A INPUT -j ICMPINPUT
246 iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
247
248 # Accept everything on loopback
249 iptables -N LOOPBACK
250 iptables -A LOOPBACK -i lo -j ACCEPT
251 iptables -A LOOPBACK -o lo -j ACCEPT
252
253 # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
254 iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
255 iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
256
257 for i in INPUT FORWARD OUTPUT; do
258 iptables -A ${i} -j LOOPBACK
259 done
260
261 # Captive portal
262 iptables -N CAPTIVE_PORTAL
263 iptables -N CAPTIVE_PORTAL_CLIENTS
264 for i in INPUT FORWARD; do
265 iptables -A ${i} -j CAPTIVE_PORTAL
266 done
267
268 # Accept everything connected
269 iptables -A INPUT -j CTINPUT
270 iptables -A FORWARD -j CTINPUT
271 iptables -A OUTPUT -j CTOUTPUT
272
273 # Allow DHCP
274 iptables -N DHCPINPUT
275 iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
276 iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
277
278 iptables -N DHCPOUTPUT
279 iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
280 iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
281
282 # Allow DHCP on GREEN
283 iptables -N DHCPGREENINPUT
284 iptables -N DHCPGREENOUTPUT
285 if [ -n "${GREEN_DEV}" ]; then
286 iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
287 iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
288 fi
289
290 # Allow DHCP on BLUE to be turned on/off
291 iptables -N DHCPBLUEINPUT
292 iptables -N DHCPBLUEOUTPUT
293 if [ -n "${BLUE_DEV}" ]; then
294 iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
295 iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
296 fi
297
298 # Tor (inbound)
299 iptables -N TOR_INPUT
300 iptables -A INPUT -j TOR_INPUT
301
302 # Location Block
303 iptables -N LOCATIONBLOCK
304 iptables -A INPUT -j LOCATIONBLOCK
305 iptables -A FORWARD -j LOCATIONBLOCK
306
307 # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
308 iptables -N IPSECINPUT
309 iptables -N IPSECFORWARD
310 iptables -N IPSECOUTPUT
311 iptables -A INPUT -j IPSECINPUT
312 iptables -A FORWARD -j IPSECFORWARD
313 iptables -A OUTPUT -j IPSECOUTPUT
314 iptables -t nat -N IPSECNAT
315 iptables -t nat -A POSTROUTING -j IPSECNAT
316
317 # localhost and ethernet.
318 # Always allow accessing the web GUI from GREEN.
319 iptables -N GUIINPUT
320 iptables -A INPUT -j GUIINPUT
321 if [ -n "${GREEN_DEV}" ]; then
322 iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
323 fi
324
325 # WIRELESS chains
326 iptables -N WIRELESSINPUT
327 iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
328 iptables -N WIRELESSFORWARD
329 iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
330
331 # WireGuard
332 iptables -N WGINPUT
333 iptables -A INPUT -j WGINPUT
334
335 # OpenVPN
336 iptables -N OVPNINPUT
337 iptables -A INPUT -j OVPNINPUT
338
339 # Tor (outbound)
340 iptables -N TOR_OUTPUT
341 iptables -A OUTPUT -j TOR_OUTPUT
342
343 # Jump into the actual firewall ruleset.
344 iptables -N INPUTFW
345 iptables -A INPUT -j INPUTFW
346
347 iptables -N OUTGOINGFW
348 iptables -A OUTPUT -j OUTGOINGFW
349
350 iptables -N FORWARDFW
351 iptables -A FORWARD -j FORWARDFW
352
353 # SNAT rules
354 iptables -t nat -N NAT_SOURCE
355 iptables -t nat -A POSTROUTING -j NAT_SOURCE
356
357 # Captive Portal
358 iptables -t nat -N CAPTIVE_PORTAL
359 iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL
360
361 # Custom prerouting chains (for transparent proxy)
362 iptables -t nat -N SQUID
363 iptables -t nat -A PREROUTING -j SQUID
364
365 # DNAT rules
366 iptables -t nat -N NAT_DESTINATION
367 iptables -t nat -A PREROUTING -j NAT_DESTINATION
368 iptables -t nat -A OUTPUT -j NAT_DESTINATION
369
370 iptables -t mangle -N NAT_DESTINATION
371 iptables -t mangle -A PREROUTING -j NAT_DESTINATION
372
373 iptables -t nat -N NAT_DESTINATION_FIX
374 iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
375
376 if [ -n "${GREEN_ADDRESS}" ]; then
377 iptables -t nat -A NAT_DESTINATION_FIX \
378 -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
379 fi
380
381 if [ -n "${BLUE_ADDRESS}" ]; then
382 iptables -t nat -A NAT_DESTINATION_FIX \
383 -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
384 fi
385
386 if [ -n "${ORANGE_ADDRESS}" ]; then
387 iptables -t nat -A NAT_DESTINATION_FIX \
388 -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
389 fi
390
391 # IPS (Suricata) chains
392 iptables -t mangle -N IPS
393 iptables -t mangle -N IPS_CLEAR
394 iptables -t mangle -N IPS_SCAN_IN
395 iptables -t mangle -N IPS_SCAN_OUT
396
397 iptables -t mangle -A INPUT -j IPS_SCAN_IN
398 iptables -t mangle -A FORWARD -j IPS_SCAN_IN
399 iptables -t mangle -A FORWARD -j IPS_SCAN_OUT
400 iptables -t mangle -A OUTPUT -j IPS_SCAN_OUT
401
402 for chain in INPUT FORWARD OUTPUT; do
403 iptables -t mangle -A "${chain}" -j IPS
404 iptables -t mangle -A "${chain}" -j IPS_CLEAR
405 done
406
407 # RED chain, used for the red interface
408 iptables -N REDINPUT
409 iptables -A INPUT -j REDINPUT
410 iptables -N REDFORWARD
411 iptables -A FORWARD -j REDFORWARD
412 iptables -t nat -N REDNAT
413 iptables -t nat -A POSTROUTING -j REDNAT
414
415 # SYN Flood Protection
416 iptables -t raw -N SYN_FLOOD_PROTECT
417 iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT
418
419 # Populate IPsec chains
420 /usr/lib/firewall/ipsec-policy
421
422 # Apply OpenVPN firewall rules
423 /usr/local/bin/openvpnctrl --firewall-rules
424
425 # run wirelessctrl
426 /usr/local/bin/wirelessctrl
427
428 # run captivectrl
429 /usr/local/bin/captivectrl
430
431 # If a Tor relay is enabled apply firewall rules
432 if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
433 /usr/local/bin/torctrl restart 1> /dev/null
434 fi
435
436 # POLICY CHAIN
437 iptables -N POLICYIN
438 iptables -A INPUT -j POLICYIN
439 iptables -N POLICYFWD
440 iptables -A FORWARD -j POLICYFWD
441 iptables -N POLICYOUT
442 iptables -A OUTPUT -j POLICYOUT
443
444 # Initialize firewall policies.
445 /usr/sbin/firewall-policy
446
447 # Install firewall rules for the red interface.
448 iptables_red_up
449
450 # If red has not been brought up yet, we will
451 # add the blocking rules for MASQUERADE
452 if [ ! -e "/var/ipfire/red/active" ]; then
453 iptables_red_down
454 fi
455 }
456
457 iptables_red_up() {
458 iptables -F REDINPUT
459 iptables -F REDFORWARD
460 iptables -t nat -F REDNAT
461
462 # Prohibit spoofing our own IP address on RED
463 if [ -f /var/ipfire/red/active ]; then
464 REDIP="$( cat /var/ipfire/red/local-ipaddress )";
465
466 if [ "$IFACE" != "" ]; then
467 iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN
468 elif [ "$DEVICE" != "" ]; then
469 iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN
470 fi
471 fi
472
473 # PPTP over DHCP
474 if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
475 iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
476 iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
477 fi
478
479 if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
480 # DHCP
481 if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
482 iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
483 iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
484 fi
485 if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
486 iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
487 iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
488 fi
489
490 # Outgoing masquerading (don't masqerade IPsec)
491 iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN
492
493 if [ "${IFACE}" = "${GREEN_DEV}" ]; then
494 iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
495 fi
496
497 local NO_MASQ_NETWORKS=()
498
499 if [ "${MASQUERADE_GREEN}" = "off" ]; then
500 NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
501 fi
502
503 if [ "${MASQUERADE_BLUE}" = "off" ]; then
504 NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
505 fi
506
507 if [ "${MASQUERADE_ORANGE}" = "off" ]; then
508 NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
509 fi
510
511 local alias
512 for alias in $(get_aliases); do
513 NO_MASQ_NETWORKS+=( "${alias}" )
514 done
515
516 local network
517 for network in ${NO_MASQ_NETWORKS[@]}; do
518 iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
519 done
520
521 # Masquerade everything else
522 iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
523 fi
524
525 # Reload all rules.
526 /usr/local/bin/firewallctrl
527 }
528
529 iptables_red_down() {
530 # Prohibit packets to reach the masquerading rule
531 # while the WAN interface is down - this is required to
532 # circumvent udp related NAT issues
533 # http://forum.ipfire.org/index.php?topic=11127.0
534 if [ -n "${IFACE}" ]; then
535 iptables -F REDFORWARD
536 iptables -A REDFORWARD -o "${IFACE}" -j DROP
537 fi
538
539 # Reload all rules.
540 /usr/local/bin/firewallctrl
541 }
542
543 # See how we were called.
544 case "$1" in
545 start)
546 boot_mesg "Setting up firewall"
547 iptables_init
548 evaluate_retval
549 ;;
550 reload|up)
551 boot_mesg "Reloading firewall"
552 iptables_red_up
553 evaluate_retval
554 ;;
555 down)
556 boot_mesg "Disabling firewall access to RED"
557 iptables_red_down
558 evaluate_retval
559 ;;
560 restart)
561 $0 start
562 ;;
563 *)
564 echo "Usage: $0 {start|reload|restart}"
565 exit 1
566 ;;
567 esac
568
569 exit 0
IPFire 2.x development tree