X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=7ec3274170ec896756529a49d053f4c798f53404;hb=15add1c8afbbc8eed5dd9d9649049109dbce8d58;hp=c38cce5c27c3ef9e6d0b8bd208f376be6132bc64;hpb=b6af41a572eb83e73875b1f8d450405fbee8eb0a;p=ipfire-2.x.git

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index c38cce5c27..7ec3274170 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -53,6 +53,9 @@ iptables_init() {
 	# Chain to contain all the rules relating to bad TCP flags
 	/sbin/iptables -N BADTCP
 
+	#Don't check loopback
+	/sbin/iptables -A BADTCP -i lo -j RETURN
+
 	# Disallow packets frequently used by port-scanners
 	# nmap xmas
 	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH  -j PSCAN
@@ -140,14 +143,17 @@ case "$1" in
 	# CUSTOM chains, can be used by the users themselves
 	/sbin/iptables -N CUSTOMINPUT
 	/sbin/iptables -A INPUT -j CUSTOMINPUT
-	/sbin/iptables -N GUARDIANINPUT
-	/sbin/iptables -A INPUT -j GUARDIANINPUT
+	/sbin/iptables -N GUARDIAN
+	/sbin/iptables -A INPUT -j GUARDIAN
+	/sbin/iptables -A FORWARD -j GUARDIAN
 	/sbin/iptables -N CUSTOMFORWARD
 	/sbin/iptables -A FORWARD -j CUSTOMFORWARD
 	/sbin/iptables -N CUSTOMOUTPUT
 	/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
 	/sbin/iptables -N OUTGOINGFW
+	/sbin/iptables -N OUTGOINGFWMAC
 	/sbin/iptables -A OUTPUT -j OUTGOINGFW
+	/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
 	/sbin/iptables -t nat -N CUSTOMPREROUTING
 	/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 	/sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -178,21 +184,35 @@ case "$1" in
 	/sbin/iptables -A FORWARD -j IPSECFORWARD
 	/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
 	/sbin/iptables -A OUTPUT -j IPSECOUTPUT
+	/sbin/iptables -t nat -N OVPNNAT
 	/sbin/iptables -t nat -N IPSECNAT
+	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 	/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
+	# TOR
+	/sbin/iptables -N TOR_INPUT
+	/sbin/iptables -A INPUT -j TOR_INPUT
+
 	# Outgoing Firewall
-	/sbin/iptables -A FORWARD -j OUTGOINGFW
+	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
+
+	# Forward Firewall
+	/sbin/iptables -N FORWARDFW
+	/sbin/iptables -A FORWARD -j FORWARDFW
+
+	# Input Firewall
+	/sbin/iptables -N INPUTFW
+	/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
 
 	# localhost and ethernet.
-	/sbin/iptables -A INPUT   -i lo          -m state --state NEW -j ACCEPT
+	/sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo
 	/sbin/iptables -A INPUT   -d 127.0.0.0/8 -m state --state NEW -j DROP
-	/sbin/iptables -A FORWARD -i lo          -m state --state NEW -j ACCEPT
+	/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A INPUT   -i $GREEN_DEV  -m state --state NEW -j ACCEPT ! -p icmp
-	/sbin/iptables -A FORWARD -i $GREEN_DEV  -m state --state NEW -j ACCEPT
+	#/sbin/iptables -A FORWARD -i $GREEN_DEV  -m state --state NEW -j ACCEPT
 
 	# If a host on orange tries to initiate a connection to IPFire's red IP and
 	# the connection gets DNATed back through a port forward to a server on orange
@@ -202,16 +222,20 @@ case "$1" in
 	# allow DHCP on BLUE to be turned on/off
 	/sbin/iptables -N DHCPBLUEINPUT 
 	/sbin/iptables -A INPUT -j DHCPBLUEINPUT
-
-	# OPenSSL
-	/sbin/iptables -N OPENSSLPHYSICAL
-	/sbin/iptables -A INPUT -j OPENSSLPHYSICAL
-
+	
 	# WIRELESS chains
 	/sbin/iptables -N WIRELESSINPUT
 	/sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
 	/sbin/iptables -N WIRELESSFORWARD
 	/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+	
+	# PORTFWACCESS chain, used for portforwarding
+	/sbin/iptables -N PORTFWACCESS
+	/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
+	
+	# OPenSSL
+	/sbin/iptables -N OPENSSLPHYSICAL
+	/sbin/iptables -A INPUT -j OPENSSLPHYSICAL
 
 	# RED chain, used for the red interface
 	/sbin/iptables -N REDINPUT
@@ -222,22 +246,13 @@ case "$1" in
 	/sbin/iptables -t nat -A POSTROUTING -j REDNAT
 
 	iptables_red
-
-	# DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
+	
+	# DMZ pinhole chain.  
 	# ORANGE to talk to GREEN / BLUE.
-	/sbin/iptables -N DMZHOLES
 	if [ "$ORANGE_DEV" != "" ]; then
-		/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES
+		/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
 	fi
-
-	# XTACCESS chain, used for external access
-	/sbin/iptables -N XTACCESS
-	/sbin/iptables -A INPUT -m state --state NEW -j XTACCESS
-
-	# PORTFWACCESS chain, used for portforwarding
-	/sbin/iptables -N PORTFWACCESS
-	/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
-
+	
 	# Custom prerouting chains (for transparent proxy and port forwarding)
 	/sbin/iptables -t nat -N SQUID
 	/sbin/iptables -t nat -A PREROUTING -j SQUID
@@ -247,7 +262,8 @@ case "$1" in
 	# upnp chain for our upnp daemon
 	/sbin/iptables -t nat -N UPNPFW
 	/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-
+	/sbin/iptables -N UPNPFW
+	/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
 
 	# Custom mangle chain (for port fowarding)
 	/sbin/iptables -t mangle -N PORTFWMANGLE
@@ -274,11 +290,20 @@ case "$1" in
 		/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 	fi
 	/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
-	if [ "$DROPOUTPUT" == "on" ]; then
-		/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
-	fi
-	/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
-        ;;
+	#if [ "$DROPFORWARD" == "on" ]; then
+	#	/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+	#fi
+	#/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+	
+	#POLICY CHAIN
+	/sbin/iptables -N POLICYFWD
+	/sbin/iptables -A FORWARD -j POLICYFWD
+	/sbin/iptables -N POLICYOUT
+	/sbin/iptables -A OUTPUT -j POLICYOUT
+	
+	
+	/usr/sbin/firewall-policy
+	;;
   startovpn)  
 	# run openvpn
 	/usr/local/bin/openvpnctrl --create-chains-and-rules
@@ -310,11 +335,11 @@ case "$1" in
 		/sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 	fi
 	/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
-	if [ "$DROPOUTPUT" == "on" ]; then
-		/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+	if [ "$DROPFORWARD" == "on" ]; then
+		/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
 	fi
-	/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
-        ;;
+	/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+	;;
   stopovpn)
 	# stop openvpn
 	/usr/local/bin/openvpnctrl --delete-chains-and-rules
@@ -330,6 +355,10 @@ case "$1" in
   restart)
 	$0 stop
 	$0 start
+	/usr/local/bin/forwardfwctrl
+	/usr/local/bin/setportfw
+	/usr/local/bin/openvpnctrl -s > /dev/null 2>&1
+	/usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
 	;;
   *)
         echo "Usage: $0 {start|stop|reload|restart}"