X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=0af3d4b2af5340d99f12402470e0d1aaacff9fb6;hb=62fc8511664c6646d706aa42927bac53ac6a5b5f;hp=410ff8737115425eca5b5dc36ac10398bbad82c1;hpb=dd79c3999b595db4f9be7df57b7d7423b3a78912;p=people%2Fteissler%2Fipfire-2.x.git diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 410ff8737..0af3d4b2a 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -53,6 +53,9 @@ iptables_init() { # Chain to contain all the rules relating to bad TCP flags /sbin/iptables -N BADTCP + #Don't check loopback + /sbin/iptables -A BADTCP -i lo -j RETURN + # Disallow packets frequently used by port-scanners # nmap xmas /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN @@ -101,8 +104,7 @@ iptables_red() { # This rule enables a host on ORANGE network to connect to the outside # (only if we have a red connection) if [ "$IFACE" != "" ]; then - /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p tcp -o $IFACE -j ACCEPT - /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p udp -o $IFACE -j ACCEPT + /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT fi fi @@ -117,7 +119,8 @@ iptables_red() { /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT fi - # Outgoing masquerading + # Outgoing masquerading (don't masqerade IPSEC (mark 50)) + /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE fi @@ -132,7 +135,7 @@ case "$1" in # original do nothing line #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec # the correct one, but the negative '!' do nothing... - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit ! --limit 10/sec -j DROP + #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP # Fix for braindead ISP's /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu @@ -140,11 +143,15 @@ case "$1" in # CUSTOM chains, can be used by the users themselves /sbin/iptables -N CUSTOMINPUT /sbin/iptables -A INPUT -j CUSTOMINPUT + /sbin/iptables -N GUARDIAN + /sbin/iptables -A INPUT -j GUARDIAN + /sbin/iptables -A FORWARD -j GUARDIAN /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW + /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING @@ -167,27 +174,44 @@ case "$1" in /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything - /sbin/iptables -N IPSECVIRTUAL + /sbin/iptables -N IPSECINPUT + /sbin/iptables -N IPSECFORWARD + /sbin/iptables -N IPSECOUTPUT /sbin/iptables -N OPENSSLVIRTUAL - /sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT" + /sbin/iptables -A INPUT -j IPSECINPUT /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT" - /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD" + /sbin/iptables -A FORWARD -j IPSECFORWARD /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" + /sbin/iptables -A OUTPUT -j IPSECOUTPUT + /sbin/iptables -t nat -N OVPNNAT /sbin/iptables -t nat -N IPSECNAT + /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT + # TOR + /sbin/iptables -N TOR_INPUT + /sbin/iptables -A INPUT -j TOR_INPUT + # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFW + /sbin/iptables -A FORWARD -j OUTGOINGFWMAC + + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # Input Firewall + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT + /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT + #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT # If a host on orange tries to initiate a connection to IPFire's red IP and # the connection gets DNATed back through a port forward to a server on orange @@ -198,20 +222,10 @@ case "$1" in /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT - # IPSec - /sbin/iptables -N IPSECPHYSICAL - /sbin/iptables -A INPUT -j IPSECPHYSICAL - # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - # WIRELESS chains - /sbin/iptables -N WIRELESSINPUT - /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT - /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - # RED chain, used for the red interface /sbin/iptables -N REDINPUT /sbin/iptables -A INPUT -j REDINPUT @@ -222,17 +236,6 @@ case "$1" in iptables_red - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow - # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES - fi - - # XTACCESS chain, used for external access - /sbin/iptables -N XTACCESS - /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS - # PORTFWACCESS chain, used for portforwarding /sbin/iptables -N PORTFWACCESS /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS @@ -246,7 +249,8 @@ case "$1" in # upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW - + /sbin/iptables -N UPNPFW + /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW # Custom mangle chain (for port fowarding) /sbin/iptables -t mangle -N PORTFWMANGLE @@ -273,11 +277,17 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; + #if [ "$DROPFORWARD" == "on" ]; then + # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + #fi + #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + + #POLICY CHAIN + /sbin/iptables -N POLICY + /sbin/iptables -A FORWARD -j POLICY + + /usr/sbin/firewall-forward-policy + ;; startovpn) # run openvpn /usr/local/bin/openvpnctrl --create-chains-and-rules @@ -309,11 +319,11 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + ;; stopovpn) # stop openvpn /usr/local/bin/openvpnctrl --delete-chains-and-rules @@ -328,7 +338,9 @@ case "$1" in ;; restart) $0 stop + $0 stopovpn $0 start + $0 startovpn ;; *) echo "Usage: $0 {start|stop|reload|restart}"