X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=b6dd7d5bd9b4aa32e7fb7f4c80d3e3fd92312ee4;hb=61027579bbb5822d06ac41c7cdf259c49377b837;hp=f4d5611d3694efdbbe059ff91b4dac6b977c8c84;hpb=dc1c56ca781324b2ef9fe895e388075df74a018a;p=people%2Fteissler%2Fipfire-2.x.git
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f4d5611d3..b6dd7d5bd 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -53,6 +53,9 @@ iptables_init() {
 	# Chain to contain all the rules relating to bad TCP flags
 	/sbin/iptables -N BADTCP
 
+	#Don't check loopback
+	/sbin/iptables -A BADTCP -i lo -j RETURN
+
 	# Disallow packets frequently used by port-scanners
 	# nmap xmas
 	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
@@ -185,13 +188,12 @@ case "$1" in
 	# Outgoing Firewall
 	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
-	/sbin/iptables -A FORWARD -j OUTGOINGFW
 	# localhost and ethernet.
-	/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+	/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
 	/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
-	/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
+	/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
@@ -250,7 +252,8 @@ case "$1" in
 	# upnp chain for our upnp daemon
 	/sbin/iptables -t nat -N UPNPFW
 	/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-
+	/sbin/iptables -N UPNPFW
+	/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
 	# Custom mangle chain (for port fowarding)
 	/sbin/iptables -t mangle -N PORTFWMANGLE
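Review bot: The comment on the added `#Don't check loopback` line says what the rule does but not why the exemption is safe, and that is the part a later maintainer will question: `-i lo` matches the ingress interface rather than an address, so a spoofed 127.0.0.0/8 packet arriving on a real interface still goes through the flag checks below. Suggested wording next to the rule: `# Don't check loopback: -i lo is an interface match and cannot be spoofed from the network, so only genuinely local traffic skips the PSCAN checks below`. Whether local traffic was actually tripping those checks (presumably the motivation) is not visible from this hunk. iptables_init continues outside the hunk.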
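Review bot: Dropping `/sbin/iptables -A FORWARD -j OUTGOINGFW` leaves the FORWARD chain with only the OUTGOINGFWMAC jump, and no other hunk in this diff adds a jump to OUTGOINGFW; if that chain is still created by this script (not visible here), forwarded traffic no longer reaches any rule in it. If that is deliberate — for instance because OUTGOINGFWMAC now jumps into OUTGOINGFW itself — a comment at that spot should say so, e.g. `# OUTGOINGFW is entered from OUTGOINGFWMAC`, so the next reader does not take the missing jump for an omission. The paired `-`/`+` lines for the `-i lo` INPUT and FORWARD rules differ only in whitespace. The `start)` case body continues outside the hunk.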
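Review bot: The new filter-table `UPNPFW` chain reuses the name of the nat-table chain two lines above, but the comment `# upnp chain for our upnp daemon` only introduces the nat one, so a reader cannot tell that the daemon is now expected to add its ACCEPT rules in both tables. Because the jump is appended with `-A FORWARD`, whatever the daemon later puts into UPNPFW is consulted only after the FORWARD rules appended earlier in this case body (the loopback and 127.0.0.0/8 DROPs among them) and before anything appended later, so the position of this line decides which forwarding policy a UPnP-opened port can bypass and deserves a comment. Suggested line above `/sbin/iptables -N UPNPFW`: `# filter counterpart of the nat UPNPFW chain: the upnp daemon adds ACCEPT rules for its forwards here (NEW state only); keep this jump after the anti-spoofing rules`. The removed blank line should also be restored so the mangle block stays visually separate.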
@@ -332,7 +335,9 @@ case "$1" in
 	;;
 	restart)
 	$0 stop
+	$0 stopovpn
 	$0 start
+	$0 startovpn
 	;;
 	*)
 	echo "Usage: $0 {start|stop|reload|restart}"
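Review bot: The usage string in the `*)` branch still reads `{start|stop|reload|restart}` although restart now invokes `$0 stopovpn` and `$0 startovpn`; if those targets are handled by this case statement (their branches are not in the hunk) the string should list them, `echo "Usage: $0 {start|stop|reload|restart|startovpn|stopovpn}"`, and if they are not, each call falls into `*)` and merely prints the usage text. The order `stop` then `stopovpn` also looks questionable: if `stop` already flushes the tables (not visible here), `stopovpn` presumably finds nothing left to delete, so `$0 stopovpn` before `$0 stop` would be the more robust sequence. The case statement continues outside the hunk.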