# Chain to contain all the rules relating to bad TCP flags
/sbin/iptables -N BADTCP
+ #Don't check loopback
+ /sbin/iptables -A BADTCP -i lo -j RETURN
+
# Disallow packets frequently used by port-scanners
# nmap xmas
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -A FORWARD -j GUARDIAN
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -N OUTGOINGFWMAC
/sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -A FORWARD -j IPSECFORWARD
/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
/sbin/iptables -A OUTPUT -j IPSECOUTPUT
+ /sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+ # TOR
+ /sbin/iptables -N TOR_INPUT
+ /sbin/iptables -A INPUT -j TOR_INPUT
+
# Outgoing Firewall
- /sbin/iptables -A FORWARD -j OUTGOINGFW
+ /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
+ # Input Firewall
+ /sbin/iptables -N INPUTFW
+ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
# localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
+ #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
# If a host on orange tries to initiate a connection to IPFire's red IP and
# the connection gets DNATed back through a port forward to a server on orange
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
-
- # OPenSSL
- /sbin/iptables -N OPENSSLPHYSICAL
- /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
-
+
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+ /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
+
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
+ /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
iptables_red
- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
- # ORANGE to talk to GREEN / BLUE.
- /sbin/iptables -N DMZHOLES
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
- fi
-
- # XTACCESS chain, used for external access
- /sbin/iptables -N XTACCESS
- /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-
+ /sbin/iptables -N UPNPFW
+ /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
# Custom mangle chain (for port fowarding)
/sbin/iptables -t mangle -N PORTFWMANGLE
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPOUTPUT" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
- fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
- ;;
+ #if [ "$DROPFORWARD" == "on" ]; then
+ # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ #fi
+ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+ #POLICY CHAIN
+ /sbin/iptables -N POLICY
+ /sbin/iptables -A FORWARD -j POLICY
+
+ /usr/sbin/firewall-forward-policy
+ ;;
startovpn)
# run openvpn
/usr/local/bin/openvpnctrl --create-chains-and-rules
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPOUTPUT" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
- ;;
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ ;;
stopovpn)
# stop openvpn
/usr/local/bin/openvpnctrl --delete-chains-and-rules
;;
restart)
$0 stop
+ $0 stopovpn
$0 start
+ $0 startovpn
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
projects / people / teissler / ipfire-2.x.git / blobdiff