-}
-
-iptables_red() {
- /sbin/iptables -F REDINPUT
- /sbin/iptables -F REDFORWARD
- /sbin/iptables -t nat -F REDNAT
-
- # PPPoE / PPTP Device
- if [ "$IFACE" != "" ]; then
- # PPPoE / PPTP
- if [ "$DEVICE" != "" ]; then
- /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
- fi
- if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
- if [ "$RED_DEV" != "" ]; then
- /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT
- fi
- fi
- fi
-
- # PPTP over DHCP
- if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
- /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
- /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
- fi
-
- # Orange pinholes
- if [ "$ORANGE_DEV" != "" ]; then
- # This rule enables a host on ORANGE network to connect to the outside
- # (only if we have a red connection)
- if [ "$IFACE" != "" ]; then
- /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
- fi
- fi
-
- if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
- # DHCP
- if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
- /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
- /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
- fi
- if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then
- /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
- /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
- fi
-
- # Outgoing masquerading (don't masqerade IPSEC (mark 50))
- /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
-
- fi
-}
-
-# See how we were called.
-case "$1" in
- start)
- iptables_init
-
- # Limit Packets- helps reduce dos/syn attacks
- # original do nothing line
- #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
- # the correct one, but the negative '!' do nothing...
- #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP