/sbin/iptables -A INPUT -j CUSTOMINPUT
/sbin/iptables -N GUARDIAN
/sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -N OVPNBLOCK
+ /sbin/iptables -A FORWARD -j OVPNBLOCK
/sbin/iptables -A FORWARD -j GUARDIAN
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
+ /sbin/iptables -A OUTPUT -j OVPNBLOCK
+ /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
/sbin/iptables -N OUTGOINGFW
- /sbin/iptables -N OUTGOINGFWMAC
/sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -t nat -N CUSTOMPREROUTING
+ /sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
# IPTV chains for IGMPPROXY
/sbin/iptables -N IPTVINPUT
/sbin/iptables -N IPTVFORWARD
/sbin/iptables -A FORWARD -j IPTVFORWARD
+ # Filtering ovpn networks INPUT
+ /sbin/iptables -A INPUT -j OVPNBLOCK
+
# filtering from GUI
/sbin/iptables -N GUIINPUT
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ # Accept everything on lo
+ iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD
/sbin/iptables -t nat -N IPSECNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
- # Outgoing Firewall
- /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
- /sbin/iptables -A FORWARD -j OUTGOINGFW
+ # Input Firewall
+ /sbin/iptables -N INPUTFW
+ /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
-
- # If a host on orange tries to initiate a connection to IPFire's red IP and
- # the connection gets DNATed back through a port forward to a server on orange
- # we end up with orange -> orange traffic passing through IPFire
- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
+
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
-
- # OPenSSL
- /sbin/iptables -N OPENSSLPHYSICAL
- /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
-
+
# WIRELESS chains
/sbin/iptables -N WIRELESSINPUT
/sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
+ # PORTFWACCESS chain, used for portforwarding
+ /sbin/iptables -N PORTFWACCESS
+ /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
+
+ # OPenSSL
+ /sbin/iptables -N OPENSSLPHYSICAL
+ /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
-
- # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
- # ORANGE to talk to GREEN / BLUE.
- /sbin/iptables -N DMZHOLES
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
- fi
-
- # XTACCESS chain, used for external access
- /sbin/iptables -N XTACCESS
- /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
- # PORTFWACCESS chain, used for portforwarding
- /sbin/iptables -N PORTFWACCESS
- /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
-
+
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
- /sbin/iptables -t nat -N PORTFW
- /sbin/iptables -t nat -A PREROUTING -j PORTFW
-
+ /sbin/iptables -t nat -N NAT_DESTINATION
+ /sbin/iptables -t nat -N NAT_SOURCE
+ /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
+ /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE
+
+
+
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
- # This chain only contains dummy rules.
/sbin/iptables -N UPNPFW
-
- # Custom mangle chain (for port fowarding)
- /sbin/iptables -t mangle -N PORTFWMANGLE
- /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
+ /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
# Postrouting rules (for port forwarding)
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
- --to-source $GREEN_ADDRESS
+ /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
if [ "$BLUE_DEV" != "" ]; then
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
fi
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
-
- # last rule in input and forward chain is for logging.
+
+ #POLICY CHAIN
+ /sbin/iptables -N POLICYIN
+ /sbin/iptables -A INPUT -j POLICYIN
+ /sbin/iptables -N POLICYFWD
+ /sbin/iptables -A FORWARD -j POLICYFWD
+ /sbin/iptables -N POLICYOUT
+ /sbin/iptables -A OUTPUT -j POLICYOUT
+
+ /usr/sbin/firewall-policy
+
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPOUTPUT" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
- ;;
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ ;;
startovpn)
# run openvpn
/usr/local/bin/openvpnctrl --create-chains-and-rules
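Review bot: The final INPUT policy is appended in the wrong order: line 155 appends the unconditional `-j DROP` to INPUT before the `DROPINPUT` logging rule on line 158, and because `-A` appends in sequence and DROP is terminating, that LOG rule can never match, so enabling input logging has no effect. FORWARD gets it right (LOG on 164, DROP on 168); INPUT should mirror it by moving `/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"` to just after the `fi` on line 159. Two smaller points: the trailing space was removed from the `--log-prefix` values, which presumably runs the prefix straight into the following `IN=` field in kernel log lines and hurts log parsing (the comment-only `DROP_INPUT` string is fine to keep without the space), and lines 35–36 use a bare `iptables` while every other rule in this script uses `/sbin/iptables`, making those two loopback rules depend on the init environment's PATH. The `start)` case this hunk belongs to begins before the first visible line.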
/etc/sysconfig/firewall.local stop
fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPOUTPUT" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
- ;;
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
+ ;;
stopovpn)
# stop openvpn
/usr/local/bin/openvpnctrl --delete-chains-and-rules
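Review bot: Line 175 appends the unconditional `-j DROP` to INPUT before the conditional LOG rule on line 179, so in the `reload` path the `DROPINPUT` log rule is unreachable exactly as it is in `start`; previously (removed lines 178/181) LOG preceded DROP. Move `/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"` to after the `fi` on line 180 so it matches the FORWARD ordering on lines 185/189. The `reload)` case this hunk edits begins outside the hunk, so I cannot confirm whether anything between the `firewall.local stop` and the DROP rule repopulates the INPUT chain.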
restart)
$0 stop
$0 start
+ /usr/local/bin/forwardfwctrl
+ /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+ /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
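Review bot: The two `openvpnctrl` calls added on lines 199–200 discard both stdout and stderr, so a failure to re-create the OpenVPN chains after a restart leaves the firewall without those rules and without any trace in the logs; at minimum keep stderr, e.g. `/usr/local/bin/openvpnctrl -s >/dev/null`. These helpers run only in `restart`; as far as the visible `start)` body shows, `forwardfwctrl` is not invoked there after the FORWARDFW chain is created on line 78, so a plain `start` may leave that chain empty — if that is the case, the calls belong in `start` (or `reload`) rather than only after `$0 start` here. The surrounding `case` statement begins before the first visible line.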