eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+function iptables() {
+ /sbin/iptables --wait "$@"
+}
+
iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN
case "${CONFIG_TYPE}" in
2)
- HAVE_BLUE="true"
+ HAVE_ORANGE="true"
;;
3)
- HAVE_ORANGE="true"
+ HAVE_BLUE="true"
;;
4)
HAVE_BLUE="true"
;;
esac
+HAVE_OPENVPN="true"
+
# INPUT
case "${FWPOLICY2}" in
REJECT)
if [ "${DROPINPUT}" = "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+ iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
fi
- /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+ iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
+ # OpenVPN
+ # Allow direct access to the internal IP addresses of the firewall
+ # from remote subnets if forward policy is allowed.
+ case "${HAVE_OPENVPN},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -i tun+ -j ACCEPT
+ ;;
+ esac
+
if [ "${DROPINPUT}" = "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
- /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+ iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
;;
esac
case "${FWPOLICY}" in
REJECT)
if [ "${DROPFORWARD}" = "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
;;
*) # DROP
if [ "${DROPFORWARD}" = "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
;;
esac
;;
*)
if [ -n "${IFACE}" ]; then
if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
- /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+ iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
fi
if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
- /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+ iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
fi
fi
- /sbin/iptables -A POLICYFWD -j ACCEPT
- /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+ iptables -A POLICYFWD -j ACCEPT
+ iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
;;
esac
case "${FWPOLICY1}" in
REJECT)
if [ "${DROPOUTGOING}" = "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
;;
*) # DROP
if [ "${DROPOUTGOING}" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
fi
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
;;
esac
;;
*)
- /sbin/iptables -A POLICYOUT -j ACCEPT
- /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+ iptables -A POLICYOUT -j ACCEPT
+ iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
;;
esac
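Review bot: The OpenVPN exemption added in the DROP arm of the FWPOLICY2 case (`case "${HAVE_OPENVPN},${POLICY}" in` … `iptables -A POLICYIN -i tun+ -j ACCEPT`) fails open: `POLICY` is not set anywhere in this hunk, and if it is empty or carries an unexpected value the `true,*)` arm matches and every packet arriving on any `tun+` interface is accepted by the firewall's INPUT policy chain, with no destination or protocol restriction despite the comment saying it is meant for the firewall's internal addresses only. Replacing the wildcard arm with an explicit match on the single value that means "forward policy allowed" (so that an unset or unknown `POLICY` falls through to the existing LOG/DROP rules) would make the default fail closed; the comment should also name where `POLICY` is expected to come from, e.g. `# POLICY is read from /var/ipfire/firewall/settings via readhash above`. The same exemption is absent from the `REJECT)` arm of the same case, so the behaviour for OpenVPN clients depends on which policy the admin chose, which is probably not intended; either add it to both arms or document why only DROP gets it. `HAVE_OPENVPN="true"` is set unconditionally, so the gate is effectively only `${POLICY}`, which is worth a comment or a check against the OpenVPN enable setting if the script has access to it. The beginning of the script (shebang, `set` options) is outside this hunk, so I cannot tell whether an unset `POLICY` would be caught by `set -u`.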