X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=467d1b9ab7b93de9b9a78ebe2b56c53796f0cb84;hb=111c99ddfa3632a8c2788b9c6d70c5e6d8a1dfd4;hp=88889a4c2609186b22eee3a013eba7c762cc2a0b;hpb=6cd3f8f8d7a7fc1a78d03a4b7167859edd980354;p=people%2Fpmueller%2Fipfire-2.x.git

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 88889a4c26..467d1b9ab7 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -53,6 +53,9 @@ iptables_init() {
 	# Chain to contain all the rules relating to bad TCP flags
 	/sbin/iptables -N BADTCP
 
+	#Don't check loopback
+	/sbin/iptables -A BADTCP -i lo -j RETURN
+
 	# Disallow packets frequently used by port-scanners
 	# nmap xmas
 	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH  -j PSCAN
@@ -180,18 +183,31 @@ case "$1" in
 	/sbin/iptables -A FORWARD -j IPSECFORWARD
 	/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
 	/sbin/iptables -A OUTPUT -j IPSECOUTPUT
+	/sbin/iptables -t nat -N OVPNNAT
 	/sbin/iptables -t nat -N IPSECNAT
+	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 	/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
+	# TOR
+	/sbin/iptables -N TOR_INPUT
+	/sbin/iptables -A INPUT -j TOR_INPUT
+
 	# Outgoing Firewall
 	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
-	/sbin/iptables -A FORWARD -j OUTGOINGFW
 
+    # Forward Firewall
+    /sbin/iptables -N FORWARDFW
+    /sbin/iptables -A FORWARD -j FORWARDFW
+    
+    # Input Firewall
+    /sbin/iptables -N INPUTFW
+    /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+    
 	# localhost and ethernet.
-	/sbin/iptables -I INPUT 1 -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state --state NEW -j ACCEPT
+	/sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo
 	/sbin/iptables -A INPUT   -d 127.0.0.0/8 -m state --state NEW -j DROP
-	/sbin/iptables -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state --state NEW -j ACCEPT
+	/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A INPUT   -i $GREEN_DEV  -m state --state NEW -j ACCEPT ! -p icmp
@@ -226,17 +242,6 @@ case "$1" in
 
 	iptables_red
 
-	# DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
-	# ORANGE to talk to GREEN / BLUE.
-	/sbin/iptables -N DMZHOLES
-	if [ "$ORANGE_DEV" != "" ]; then
-		/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
-	fi
-
-	# XTACCESS chain, used for external access
-	/sbin/iptables -N XTACCESS
-	/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
 	# PORTFWACCESS chain, used for portforwarding
 	/sbin/iptables -N PORTFWACCESS
 	/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
@@ -250,8 +255,8 @@ case "$1" in
 	# upnp chain for our upnp daemon
 	/sbin/iptables -t nat -N UPNPFW
 	/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-	# This chain only contains dummy rules.
 	/sbin/iptables -N UPNPFW
+	/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
 
 	# Custom mangle chain (for port fowarding)
 	/sbin/iptables -t mangle -N PORTFWMANGLE
@@ -333,7 +338,9 @@ case "$1" in
 	;;
   restart)
 	$0 stop
+	$0 stopovpn
 	$0 start
+	$0 startovpn
 	;;
   *)
         echo "Usage: $0 {start|stop|reload|restart}"