iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
# Connection tracking chain
iptables -N CONNTRACK
iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Block OpenVPN transfer networks
iptables -N OVPNBLOCK
iptables -A INPUT -i tun+ -j OVPNBLOCK
- iptables -A OUTPUT -o tun+ -j OVPNBLOCK
iptables -A FORWARD -i tun+ -j OVPNBLOCK
iptables -A FORWARD -o tun+ -j OVPNBLOCK
iptables -N IPTVFORWARD
iptables -A FORWARD -j IPTVFORWARD
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
iptables -N LOOPBACK
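Review bot: The two new ALL-mask rules, `--tcp-flags ALL SYN,RST,ACK,FIN,URG` and `--tcp-flags ALL ALL`, are strict subsets of the existing `--tcp-flags SYN,RST SYN,RST` rule further down the BADTCP chain, since every packet they match has SYN and RST set and the target is PSCAN in all three cases. Placing them first only changes which rule takes the match and its counter, not what gets caught. If per-signature counters are the intent, say so with a comment such as `# Kept as separate rules so each scan signature has its own counter; the SYN/RST rule below would match these too`; otherwise the two rules can be dropped. The enclosing function starts before this hunk.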
iptables -A ${i} -j CONNTRACK
done
+ # Allow DHCP
+ iptables -N DHCPINPUT
+ iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+ iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+ iptables -N DHCPOUTPUT
+ iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+ iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+ # Allow DHCP on GREEN
+ iptables -N DHCPGREENINPUT
+ iptables -N DHCPGREENOUTPUT
+ if [ -n "${GREEN_DEV}" ]; then
+ iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
+ iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+ fi
+
+ # allow DHCP on BLUE to be turned on/off
+ iptables -N DHCPBLUEINPUT
+ iptables -N DHCPBLUEOUTPUT
+ if [ -n "${BLUE_DEV}" ]; then
+ iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+ iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+ fi
+
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
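Review bot: The `-p tcp --sport 68 --dport 67` rule in DHCPINPUT and the `-p tcp --sport 67 --dport 68` rule in DHCPOUTPUT accept TCP that DHCP never uses (RFC 2131 runs over UDP only), so they open an accept path for any TCP client that binds source port 68 without enabling anything. Keep the UDP rules and delete the two TCP lines, or add a comment naming the component that actually needs them. Separately, unlike DHCPGREEN*/DHCPBLUE*, nothing in this hunk jumps from INPUT or OUTPUT into DHCPINPUT/DHCPOUTPUT; presumably the DHCP control script attaches them, and a comment such as `# DHCPINPUT/DHCPOUTPUT are attached by the dhcp control script` would spare the next reader the search.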
iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-
- # allow DHCP on BLUE to be turned on/off
- iptables -N DHCPBLUEINPUT
- iptables -A INPUT -j DHCPBLUEINPUT
-
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+
# WIRELESS chains
iptables -N WIRELESSINPUT
iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
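Review bot: The new rule `iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT` is not guarded on GREEN_DEV being set, whereas the DHCPGREEN block added earlier in this change is. With an empty GREEN_DEV the rule is issued as `-i ""`, and if the installed iptables treats an empty interface name as "any interface" (the libxtables interface parser appears to; verify on the target version), the web GUI port would be accepted from every interface, RED included. Wrap it like the DHCP rule: `if [ -n "${GREEN_DEV}" ]; then`, the ACCEPT line, `fi`.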
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- # Filter logging of incoming broadcasts.
- iptables -N BROADCAST_FILTER
- iptables -A INPUT -j BROADCAST_FILTER
-
- iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
-
- if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
- fi
-
- if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
- fi
-
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
/usr/sbin/firewall-policy
# Install firewall rules for the red interface.
- iptables_red
+ iptables_red_up
+
+ # If red has not been brought up yet, we will
+ # add the blocking rules for MASQUERADE
+ if [ ! -e "/var/ipfire/red/active" ]; then
+ iptables_red_down
+ fi
}
-iptables_red() {
+iptables_red_up() {
iptables -F REDINPUT
iptables -F REDFORWARD
iptables -t nat -F REDNAT
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- if [ "$IFACE" != "$GREEN_DEV" ]; then
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ if [ "$IFACE" = "$GREEN_DEV" ]; then
+ MASQUERADE_GREEN="off"
+ fi
+
+ local NO_MASQ_NETWORKS
+
+ if [ "${MASQUERADE_GREEN}" = "off" ]; then
+ NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
+ fi
+
+ if [ "${MASQUERADE_BLUE}" = "off" ]; then
+ NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
+ fi
+
+ if [ "${MASQUERADE_ORANGE}" = "off" ]; then
+ NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
fi
+ local network
+ for network in ${NO_MASQ_NETWORKS}; do
+ iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
+ done
+
+ # Masquerade everything else
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
# Reload all rules.
/usr/local/bin/firewallctrl
}
+iptables_red_down() {
+ # Prohibit packets to reach the masquerading rule
+ # while the wan interface is down - this is required to
+ # circumvent udp related NAT issues
+ # http://forum.ipfire.org/index.php?topic=11127.0
+ iptables -F REDFORWARD
+ iptables -A REDFORWARD -o $IFACE -j DROP
+
+ # Reload all rules.
+ /usr/local/bin/firewallctrl
+}
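Review bot: In `iptables_red_up` the NO_MASQ_NETWORKS entries `${GREEN_NETADDRESS}/${GREEN_NETMASK}` (and the BLUE/ORANGE equivalents) are appended whenever the matching MASQUERADE_* is "off" without checking that the zone's address variables are set; for an unconfigured zone this yields `-s /`, iptables rejects the rule, and because the script does not stop on errors the intended RETURN exception is silently absent while the catch-all MASQUERADE still lands. Guard each entry on the address as well, e.g. `if [ "${MASQUERADE_BLUE}" = "off" ] && [ -n "${BLUE_NETADDRESS}" ]; then`. The same unguarded expansion is in `iptables_red_down`: `iptables -A REDFORWARD -o $IFACE -j DROP` is unquoted, and this function is now also reached from the start path (`if [ ! -e "/var/ipfire/red/active" ]`), where it is not evident from the diff that IFACE is populated; with an empty IFACE the command is mis-parsed and the blocking rule is never installed. Add `[ -n "${IFACE}" ] || return 1` ahead of it and quote the expansion as `"${IFACE}"`, matching the rest of the new code.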
+
# See how we were called.
case "$1" in
start)
/etc/sysconfig/firewall.local start
fi
;;
- reload)
+ reload|up)
boot_mesg "Reloading firewall"
- iptables_red
+ iptables_red_up
evaluate_retval
# run local firewall configuration, if present
/etc/sysconfig/firewall.local reload
fi
;;
+ down)
+ boot_mesg "Disabling firewall access to RED"
+ iptables_red_down
+ evaluate_retval
+ ;;
restart)
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then