freifunk: Apply firewall rules for IPv4

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index c383652e0b5e89b086caac5a1d745181fb113b6b..2cc865e672db52dd4ede9c82d8d4c481c551ff8e 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -3,6 +3,8 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
+. /etc/rc.d/init.d/lib-freifunk
+
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
@@ -104,6 +106,10 @@ iptables_init() {
        iptables -t nat -N CUSTOMPOSTROUTING
        iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+       # Freifunk
+       iptables -N FREIFUNK
+       iptables -A FORWARD -j FREIFUNK
+
        # P2PBLOCK
        iptables -N P2PBLOCK
        iptables -A INPUT -j P2PBLOCK
@@ -285,6 +291,9 @@ iptables_init() {
        # Install firewall rules for the red interface.
        iptables_red_up
 
+       # Install firewall rules for Freifunk
+       freifunk_init_firewall
+
        # If red has not been brought up yet, we will
        # add the blocking rules for MASQUERADE
        if [ ! -e "/var/ipfire/red/active" ]; then

diff --git a/src/initscripts/init.d/lib-freifunk b/src/initscripts/init.d/lib-freifunk
index 426fba9990064a29665768b82e96902ce423dc14..1b0b7a504e88f27c457eb9e1442ce55249734e01 100755 (executable)
--- a/src/initscripts/init.d/lib-freifunk
+++ b/src/initscripts/init.d/lib-freifunk
@@ -11,9 +11,14 @@ function freifunk_is_enabled() {
 }
 
 function freifunk_start() {
+       freifunk_flush_firewall
+
        # Do nothing if Freifunk is not enabled
        freifunk_is_enabled || exit 0
 
+       # Initialize firewall rules
+       freifunk_init_firewall
+
        # Bring up the batman interface
        freifunk_batman_create
        freifunk_batman_attach_all
@@ -30,6 +35,8 @@ function freifunk_start() {
 }
 
 function freifunk_stop() {
+       freifunk_flush_firewall
+
        /etc/init.d/alfred stop &>/dev/null
 
        ip link set "${BATMAN_INTERFACE}" down &>/dev/null
@@ -98,6 +105,37 @@ function freifunk_batman_attach_all() {
        done
 }
 
+function freifunk_init_firewall() {
+       # Flush the existing configuration
+       freifunk_flush_firewall
+
+       # Forward everything incoming and outgoing on the
+       # BATMAN interface without further noticing.
+       iptables -A FREIFUNK -i bat+ -j ACCEPT
+       iptables -A FREIFUNK -o bat+ -j ACCEPT
+
+       # Also make the mesh bridge transparent for IPv4
+       iptables -A FREIFUNK -i meshbr+ -j ACCEPT
+       iptables -A FREIFUNK -o meshbr+ -j ACCEPT
+
+       # Forward all packets from and to the local interfaces
+       local mesh
+       for mesh in FREIFUNK1 FREIFUNK2 FREIFUNK3 FREIFUNK4; do
+               local interface_var="${mesh}_DEV"
+               local interface="${!interface_var}"
+
+               [ -n "${interface}" ] || continue
+
+               iptables -A FREIFUNK -i "${interface}" -j ACCEPT
+               iptables -A FREIFUNK -o "${interface}" -j ACCEPT
+       done
+}
+
+function freifunk_flush_firewall() {
+       # Flush all existing rules
+       iptables -F FREIFUNK
+}
+
 function freifunk_ipv6_enable() {
        local device="${1}"