- iptables_init
-
- # Limit Packets- helps reduce dos/syn attacks
- # original do nothing line
- #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
- # the correct one, but the negative '!' do nothing...
- #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP
-
- # Fix for braindead ISP's
- /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-
- # CUSTOM chains, can be used by the users themselves
- /sbin/iptables -N CUSTOMINPUT
- /sbin/iptables -A INPUT -j CUSTOMINPUT
- /sbin/iptables -N GUARDIAN
- /sbin/iptables -A INPUT -j GUARDIAN
- /sbin/iptables -A FORWARD -j GUARDIAN
- /sbin/iptables -N CUSTOMFORWARD
- /sbin/iptables -A FORWARD -j CUSTOMFORWARD
- /sbin/iptables -N CUSTOMOUTPUT
- /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
- /sbin/iptables -N OUTGOINGFW
- /sbin/iptables -A OUTPUT -j OUTGOINGFW
- /sbin/iptables -t nat -N CUSTOMPREROUTING
- /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
- /sbin/iptables -t nat -N CUSTOMPOSTROUTING
- /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
-
- # IPTV chains for IGMPPROXY
- /sbin/iptables -N IPTVINPUT
- /sbin/iptables -A INPUT -j IPTVINPUT
- /sbin/iptables -N IPTVFORWARD
- /sbin/iptables -A FORWARD -j IPTVFORWARD
-
- # filtering from GUI
- /sbin/iptables -N GUIINPUT
- /sbin/iptables -A INPUT -j GUIINPUT
- /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
-
- # Accept everything connected
- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-
- # Accept everything on lo
- iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
- iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
-
- # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
- /sbin/iptables -N IPSECINPUT
- /sbin/iptables -N IPSECFORWARD
- /sbin/iptables -N IPSECOUTPUT
- /sbin/iptables -N OPENSSLVIRTUAL
- /sbin/iptables -A INPUT -j IPSECINPUT
- /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
- /sbin/iptables -A FORWARD -j IPSECFORWARD
- /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
- /sbin/iptables -A OUTPUT -j IPSECOUTPUT
- /sbin/iptables -t nat -N OVPNNAT
- /sbin/iptables -t nat -N IPSECNAT
- /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
- /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
-
- # Forward Firewall
- /sbin/iptables -N FORWARDFW
- /sbin/iptables -A FORWARD -j FORWARDFW
-
- # Input Firewall
- /sbin/iptables -N INPUTFW
- /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
-
- # localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
- /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
- /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
- /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
-
- # If a host on orange tries to initiate a connection to IPFire's red IP and
- # the connection gets DNATed back through a port forward to a server on orange
- # we end up with orange -> orange traffic passing through IPFire
- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
- # allow DHCP on BLUE to be turned on/off
- /sbin/iptables -N DHCPBLUEINPUT
- /sbin/iptables -A INPUT -j DHCPBLUEINPUT
-
- # WIRELESS chains
- /sbin/iptables -N WIRELESSINPUT
- /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
- /sbin/iptables -N WIRELESSFORWARD
- /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
-
- # PORTFWACCESS chain, used for portforwarding
- /sbin/iptables -N PORTFWACCESS
- /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
-
- # OPenSSL
- /sbin/iptables -N OPENSSLPHYSICAL
- /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
-
- # RED chain, used for the red interface
- /sbin/iptables -N REDINPUT
- /sbin/iptables -A INPUT -j REDINPUT
- /sbin/iptables -N REDFORWARD
- /sbin/iptables -A FORWARD -j REDFORWARD
- /sbin/iptables -t nat -N REDNAT
- /sbin/iptables -t nat -A POSTROUTING -j REDNAT
-
- iptables_red
-
- # DMZ pinhole chain.
- # ORANGE to talk to GREEN / BLUE.
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
- fi
-
- # Custom prerouting chains (for transparent proxy and port forwarding)
- /sbin/iptables -t nat -N SQUID
- /sbin/iptables -t nat -A PREROUTING -j SQUID
- /sbin/iptables -t nat -N PORTFW
- /sbin/iptables -t nat -A PREROUTING -j PORTFW
-
- # upnp chain for our upnp daemon
- /sbin/iptables -t nat -N UPNPFW
- /sbin/iptables -t nat -A PREROUTING -j UPNPFW
- /sbin/iptables -N UPNPFW
- /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
-
- # Custom mangle chain (for port fowarding)
- /sbin/iptables -t mangle -N PORTFWMANGLE
- /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
-
- # Postrouting rules (for port forwarding)
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
- --to-source $GREEN_ADDRESS
- if [ "$BLUE_DEV" != "" ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
- fi
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS