}
if ($POLICY_INPUT_ACTION eq "DROP") {
- push(@special_input_targets, "REJECT");
+ push(@special_input_targets, ("ACCEPT", "REJECT"));
} elsif ($POLICY_INPUT_ACTION eq "REJECT") {
- push(@special_input_targets, "DROP");
+ push(@special_input_targets, ("ACCEPT", "DROP"));
}
my @special_output_targets = ();
push(@special_output_targets, "ACCEPT");
if ($POLICY_OUTPUT_ACTION eq "DROP") {
- push(@special_output_targets, "REJECT");
+ push(@special_output_targets, ("ACCEPT", "REJECT"));
} elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
- push(@special_output_targets, "DROP");
+ push(@special_output_targets, ("ACCEPT", "DROP"));
}
}
push(@destination_options, ("-d", $destination));
}
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ my @source_intf_options = ();
+ if ($source_intf) {
+ push(@source_intf_options, ("-i", $source_intf));
+ }
+
+ my @destination_intf_options = ();
+ if ($destination_intf) {
+ push(@destination_intf_options, ("-o", $destination_intf));
+ }
+
# Add time constraint options.
push(@options, @time_options);
} elsif ($NAT_MODE eq "SNAT") {
my @nat_options = @options;
+ push(@nat_options, @destination_intf_options);
push(@nat_options, @source_options);
push(@nat_options, @destination_options);
}
}
- # Add source and destination interface to the filter rules.
- # These are supposed to help filtering forged packets that originate
- # from BLUE with an IP address from GREEN for instance.
- if ($source_intf) {
- push(@source_options, ("-i", $source_intf));
- }
-
- if ($destination_intf) {
- push(@destination_options, ("-o", $destination_intf));
- }
-
push(@options, @source_options);
push(@options, @destination_options);
# Insert firewall rule.
if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
+ run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
}
- run("$IPTABLES -A $chain @options -j $target");
+ run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
# Handle forwarding rules and add corresponding rules for firewall access.
if ($chain eq $CHAIN_FORWARD) {
# for the firewall, too.
if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
}
- run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
}
# Likewise.
if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
}
- run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
}
}
}
# create iptables rules, if blocking this country
# is enabled.
foreach my $location (@locations) {
- if($geoipsettings{$location} eq "on") {
+ if(exists $geoipsettings{$location} && $geoipsettings{$location} eq "on") {
run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
}
}
projects / ipfire-2.x.git / blobdiff