From: Timo Eissler
Date: Thu, 7 Aug 2014 17:00:58 +0000 (+0200)
Subject: firewall: fix faulty masquerading packets
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b12aa414c0ae63e135d3ec36737152fff44f6d9;p=people%2Fms%2Fipfire-2.x.git
firewall: fix faulty masquerading packets
---
diff --git a/lfs/initscripts b/lfs/initscripts
index 02f97431a2..ab870dc77d 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -187,7 +187,6 @@ $(TARGET) :
/etc/rc.d/init.d/networking/red.up/24-RS-qos
ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
- ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
for i in green blue orange; do \
ln -sf any /etc/rc.d/init.d/networking/$$i; \
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f77bc02032..0d80e7cd6d 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -277,10 +277,16 @@ iptables_init() {
/usr/sbin/firewall-policy
# Install firewall rules for the red interface.
- iptables_red
+ iptables_red_up
+
+ # If red has not been brought up yet, we will
+ # add the blocking rules for MASQUERADE
+ if [ ! -e "/var/ipfire/red/active" ]; then
+ iptables_red_down
+ fi
}
-iptables_red() {
+iptables_red_up() {
iptables -F REDINPUT
iptables -F REDFORWARD
iptables -t nat -F REDNAT
@@ -358,6 +364,18 @@ iptables_red() {
/usr/local/bin/firewallctrl
}
+iptables_red_down() {
+ # Prohibit packets to reach the masquerading rule
+ # while the wan interface is down - this is required to
+ # circumvent udp related NAT issues
+ # http://forum.ipfire.org/index.php?topic=11127.0
+ iptables -F REDFORWARD
+ iptables -A REDFORWARD -o $IFACE -j DROP
+
+ # Reload all rules.
+ /usr/local/bin/firewallctrl
+}
+
# See how we were called.
case "$1" in
start)
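Review bot: The boot-time decision in iptables_init to install the blocking rule rests solely on the absence of `/var/ipfire/red/active`; nothing in the hunk shows what creates or removes that file, and if it can survive an unclean shutdown the DROP rule is skipped at boot and the MASQUERADE problem this commit addresses stays open until the next red.down/red.up cycle. On a boot where the file is absent, both iptables_red_up and iptables_red_down end in `/usr/local/bin/firewallctrl`, so the full rule set is reloaded twice in a row. I would document the assumption next to the test, e.g. `# red/active is expected to appear on red.up and disappear on red.down; a stale file skips the DROP rule until the next red.down`. iptables_init begins before this hunk.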
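Review bot: In iptables_red_down, `$IFACE` is expanded unquoted and never checked; it is assigned outside this hunk, and on the boot path where iptables_init calls this function before red is active it may well be empty, which turns the command into `iptables -A REDFORWARD -o -j DROP`, rejected by iptables, so REDFORWARD is left flushed with no DROP rule in it while the script continues into firewallctrl as if the blocking rule were in place. A guard plus quoting is a two-line change, `if [ -n "${IFACE}" ]; then iptables -A REDFORWARD -o "${IFACE}" -j DROP; fi`, ideally with a non-zero return when IFACE is unset so the missing rule shows up through `evaluate_retval` in the callers. The same dependency applies to the iptables_init hunk above, which invokes this function at boot.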
@@ -388,9 +406,9 @@ case "$1" in
/etc/sysconfig/firewall.local start
fi
;;
- reload)
+ reload|up)
boot_mesg "Reloading firewall"
- iptables_red
+ iptables_red_up
evaluate_retval
# run local firewall configuration, if present
@@ -398,6 +416,11 @@ case "$1" in
/etc/sysconfig/firewall.local reload
fi
;;
+ down)
+ boot_mesg "Disabling firewall access to RED"
+ iptables_red_down
+ evaluate_retval
+ ;;
restart)
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
diff --git a/src/initscripts/init.d/networking/red.down/20-firewall b/src/initscripts/init.d/networking/red.down/20-firewall
new file mode 100644
index 0000000000..d21c97ce91
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.down/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall down
diff --git a/src/initscripts/init.d/networking/red.up/20-firewall b/src/initscripts/init.d/networking/red.up/20-firewall
new file mode 100644
index 0000000000..ca52b4bd94
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.up/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall up
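Review bot: The new `down` arm runs iptables_red_down but, unlike the `reload|up` arm in the previous hunk, does not invoke `/etc/sysconfig/firewall.local`; a local hook that maintains red-related rules is told about `up` and `reload` but never about `down`, so anything it may have appended to REDFORWARD is flushed by iptables_red_down with no chance to react. If that asymmetry is intended, a one-line comment in the `down` arm would save the next reader the question, e.g. `# firewall.local is not notified on red down; REDFORWARD is flushed and blocked until the next up`. The case statement begins before this hunk and continues after it.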