]> git.ipfire.org Git - ipfire-2.x.git/blob - config/firewall/firewall-policy
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tzdata: update to 2018i
[ipfire-2.x.git] / config / firewall / firewall-policy
1 #!/bin/sh
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
23 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
24 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
25
26 function iptables() {
27 /sbin/iptables --wait "$@"
28 }
29
30 iptables -F POLICYFWD
31 iptables -F POLICYOUT
32 iptables -F POLICYIN
33
34 if [ -f "/var/ipfire/red/iface" ]; then
35 IFACE="$(</var/ipfire/red/iface)"
36 fi
37
38 # Figure out what devices are configured.
39 HAVE_BLUE="false"
40 HAVE_ORANGE="false"
41
42 case "${CONFIG_TYPE}" in
43 2)
44 HAVE_ORANGE="true"
45 ;;
46 3)
47 HAVE_BLUE="true"
48 ;;
49 4)
50 HAVE_BLUE="true"
51 HAVE_ORANGE="true"
52 ;;
53 esac
54
55 HAVE_IPSEC="true"
56 HAVE_OPENVPN="true"
57
58 # INPUT
59
60 # Drop syslog from anywhere but localhost
61 # sysklogd cannot bind to specific interface and therefore we need to
62 # block access by adding firewall rules
63 case "${FWPOLICY}" in
64 REJECT)
65 iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
66 ;;
67 *)
68 iptables -A POLICYIN -p udp --dport 514 -j DROP
69 ;;
70 esac
71
72 # Allow access from GREEN
73 if [ -n "${GREEN_DEV}" ]; then
74 iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
75 fi
76
77 # Allow access from BLUE
78 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
79 iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
80 fi
81
82 # IPsec INPUT
83 case "${HAVE_IPSEC},${POLICY}" in
84 true,MODE1) ;;
85 true,*)
86 iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
87 ;;
88 esac
89
90 # OpenVPN INPUT
91 # Allow direct access to the internal IP addresses of the firewall
92 # from remote subnets if forward policy is allowed.
93 case "${HAVE_OPENVPN},${POLICY}" in
94 true,MODE1) ;;
95 true,*)
96 iptables -A POLICYIN -i tun+ -j ACCEPT
97 ;;
98 esac
99
100 case "${FWPOLICY2}" in
101 REJECT)
102 if [ "${DROPINPUT}" = "on" ]; then
103 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
104 fi
105 iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
106 ;;
107 *) # DROP
108 if [ "${DROPINPUT}" = "on" ]; then
109 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
110 fi
111 iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
112 ;;
113 esac
114
115 # FORWARD
116 case "${POLICY}" in
117 MODE1)
118 case "${FWPOLICY}" in
119 REJECT)
120 if [ "${DROPFORWARD}" = "on" ]; then
121 iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
122 fi
123 iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
124 ;;
125 *) # DROP
126 if [ "${DROPFORWARD}" = "on" ]; then
127 iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
128 fi
129 iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
130 ;;
131 esac
132 ;;
133
134 *)
135 # Access from GREEN is granted to everywhere
136 if [ -n "${GREEN_DEV}" ]; then
137 if [ "${IFACE}" = "${GREEN_DEV}" ]; then
138 # internet via green
139 # don't check source IP/NET if IFACE is GREEN
140 iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
141 else
142 iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
143 fi
144 fi
145
146 # Grant access for IPsec VPN connections
147 iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
148
149 # Grant access for OpenVPN connections
150 iptables -A POLICYFWD -i tun+ -j ACCEPT
151
152 if [ -n "${IFACE}" ]; then
153 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
154 iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
155 fi
156
157 if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
158 iptables -A POLICYFWD -i "${ORANGE_DEV}" -s "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" -o "${IFACE}" -j ACCEPT
159 fi
160 fi
161
162 if [ "${DROPFORWARD}" = "on" ]; then
163 iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
164 fi
165 iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
166 ;;
167 esac
168
169 # OUTGOING
170 case "${POLICY1}" in
171 MODE1)
172 case "${FWPOLICY1}" in
173 REJECT)
174 if [ "${DROPOUTGOING}" = "on" ]; then
175 iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
176 fi
177 iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
178 ;;
179 *) # DROP
180 if [ "${DROPOUTGOING}" == "on" ]; then
181 iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
182 fi
183 iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
184 ;;
185 esac
186 ;;
187 *)
188 iptables -A POLICYOUT -j ACCEPT
189 iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
190 ;;
191 esac
192
193 exit 0
IPFire 2.x development tree