elif [ "${TYPE}" == "DHCP" ]; then
# Add firewall rules to allow comunication with the dhcp server on red.
- iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
- iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
+ iptables --wait -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
+ iptables --wait -A REDINPUT -p udp --source-port 67 --destination-port 68 -i ${DEVICE} -j ACCEPT
echo -n "${DEVICE}" > /var/ipfire/red/iface
# Allow incoming traffic to Tor relay (and directory) port and
# all outgoing TCP connections from Tor user.
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
- iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
- iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
+ iptables --wait -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
+ iptables --wait -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
fi
if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then
- iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_DIRPORT}" -j ACCEPT
+ iptables --wait -A TOR_INPUT -p tcp --dport "${TOR_RELAY_DIRPORT}" -j ACCEPT
fi
}
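Review bot: The `--wait` added on every iptables call in this hunk (and likewise in flush_firewall, flush_chains and the OpenVPN and WireGuard hunks below) carries no timeout, so when the xtables lock is held the command now blocks indefinitely instead of failing as it did before; on a boot or reload path a stuck lock holder would hang this initscript rather than surface the old lock error. If that is not the intended trade-off, a bounded wait keeps the retry benefit while still failing loudly, e.g. `iptables --wait 10 -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT`, ideally with the value kept in one shared variable so all call sites agree. Whether any caller relies on the previous fail-fast behaviour cannot be seen from this hunk, and the enclosing function begins above it.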
function flush_firewall() {
# Flush all rules.
- iptables -F TOR_INPUT
- iptables -F TOR_OUTPUT
+ iptables --wait -F TOR_INPUT
+ iptables --wait -F TOR_OUTPUT
}
case "${1}" in
eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
function flush_chains() {
- iptables -F DHCPGREENINPUT
- iptables -F DHCPGREENOUTPUT
- iptables -F DHCPBLUEINPUT
- iptables -F DHCPBLUEOUTPUT
+ iptables --wait -F DHCPGREENINPUT
+ iptables --wait -F DHCPGREENOUTPUT
+ iptables --wait -F DHCPBLUEINPUT
+ iptables --wait -F DHCPBLUEOUTPUT
}
case "$1" in
if [ -n "${GREEN_DEV}" -a -e "/var/ipfire/dhcp/enable_green" ]; then
LISTEN_INTERFACES+=" ${GREEN_DEV}"
- iptables -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT
- iptables -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT
+ iptables --wait -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT
+ iptables --wait -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT
fi
if [ -n "${BLUE_DEV}" -a -e "/var/ipfire/dhcp/enable_blue" ]; then
LISTEN_INTERFACES+=" ${BLUE_DEV}"
- iptables -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT
- iptables -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT
+ iptables --wait -A DHCPBLUEINPUT -i "${BLUE_DEV}" -j DHCPINPUT
+ iptables --wait -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT
fi
boot_mesg "Starting DHCP Server..."
local local_address
# Flush the block chain
- iptables -F OVPNBLOCK
+ iptables --wait -F OVPNBLOCK
# Flush the NAT chain
- iptables -t nat -F OVPNNAT
+ iptables --wait -t nat -F OVPNNAT
local IFS=','
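Review bot: The flush of OVPNBLOCK at the top of this hunk empties the chain before the per-connection DROP rules are re-added in the config loop of the next hunk (`iptables --wait -A OVPNBLOCK -s "${transfer_subnet}" -j DROP`), so traffic from the transfer networks is not blocked for the duration of that loop; the same flush-then-rebuild window exists in the WireGuard reload_firewall hunk, where WGBLOCK is empty between its `-F` and the final `-j REJECT`. How long the gap lasts and what actually reaches those chains depends on the parent chains, which are outside this diff, but a reload with many entries widens it. A fail-closed rebuild would populate a scratch chain and then switch the jump to it in one step, rather than flushing the live chain first; the enclosing function starts above this hunk and the loop runs in the following one.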
fi
# Open port
- iptables -A OVPNINPUTN2N -p "${proto}" --dport "${port}" -j ACCEPT
+ iptables --wait -A OVPNINPUTN2N -p "${proto}" --dport "${port}" -j ACCEPT
# Block all communication from transfer networks
- iptables -A OVPNBLOCK -s "${transfer_subnet}" -j DROP
+ iptables --wait -A OVPNBLOCK -s "${transfer_subnet}" -j DROP
# Calculate NAT addresses
transfer_address="$(calculate_transfer_address "${transfer_subnet}" "${role}")"
# NAT all outgoing connections away from the transfer net
if [ -n "${transfer_address}" -a -n "${local_address}" ]; then
- iptables -t nat -A OVPNNAT -s "${transfer_address}" \
+ iptables --wait -t nat -A OVPNNAT -s "${transfer_address}" \
-j SNAT --to-source "${local_address}"
fi
done < /var/ipfire/ovpn/ovpnconfig
modprobe tun &>/dev/null
# Flush all firewall rules
- iptables -F OVPNINPUTRW
+ iptables --wait -F OVPNINPUTRW
# Open the port
- iptables -A OVPNINPUTRW \
+ iptables --wait -A OVPNINPUTRW \
-p "${DPROTOCOL}" --dport "${DDEST_PORT}" -j ACCEPT
boot_mesg "Starting OpenVPN Roadwarrior Server..."
killproc /usr/sbin/openvpn
# Flush all firewall rules
- iptables -F OVPNINPUTRW
+ iptables --wait -F OVPNINPUTRW
;;
restart)
ip addr add "${local_address}" dev "${intf}"
# Apply MASQUERADE
- iptables -t nat -A WGNAT -o "${intf}" -j MASQUERADE
+ iptables --wait -t nat -A WGNAT -o "${intf}" -j MASQUERADE
fi
echo "[Interface]"
echo "ListenPort = ${port}"
# Open the port
- iptables -A WGINPUT -p udp --dport "${port}" -j ACCEPT
+ iptables --wait -A WGINPUT -p udp --dport "${port}" -j ACCEPT
fi
echo "[Peer]"
# Set blocking rules
for local_subnet in ${local_subnets//|/ }; do
for remote_subnet in ${remote_subnets//|/ }; do
- iptables -I WGBLOCK \
+ iptables --wait -I WGBLOCK \
-s "${remote_subnet}" -d "${local_subnet}" -j RETURN
done
done
reload_firewall() {
# Flush all previous rules
- iptables -F WGINPUT
- iptables -t nat -F WGNAT
+ iptables --wait -F WGINPUT
+ iptables --wait -t nat -F WGNAT
if [ "${ENABLED}" = "on" ]; then
- iptables -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
+ iptables --wait -A WGINPUT -p udp --dport "${PORT}" -j ACCEPT
fi
- iptables -F WGBLOCK
+ iptables --wait -F WGBLOCK
# Don't block any traffic from Roadwarrior peers
if [ -n "${CLIENT_POOL}" ]; then
- iptables -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN
- iptables -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN
+ iptables --wait -A WGBLOCK -s "${CLIENT_POOL}" -i wg0 -j RETURN
+ iptables --wait -A WGBLOCK -d "${CLIENT_POOL}" -o wg0 -j RETURN
fi
# Block all other traffic
- iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
+ iptables --wait -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
# Flush any custom routes
ip route flush table wg 2>/dev/null