iptables -F
iptables -t nat -F
iptables -t mangle -F
+ iptables -t raw -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
+ iptables -t raw -X
# Set up policies
iptables -P INPUT DROP
iptables -A BADTCP -i lo -j RETURN
# Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
# SYN/RST (also catches xmas variants that set SYN+RST+...)
iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
# SYN/FIN (QueSO or nmap OS probe)
iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
# NEW TCP without SYN
iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
iptables -A INPUT -p tcp -j BADTCP
iptables -A FORWARD -p tcp -j BADTCP
- # Connection tracking chain
+ # Connection tracking chains
iptables -N CONNTRACK
- iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+ iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
+ iptables -t raw -N CONNTRACK
+ iptables -t raw -A PREROUTING -j CONNTRACK
+
+ # Conntrack helpers (https://home.regit.org/netfilter-en/secure-use-of-helpers/)
+
+ # SIP
+ if [ "${CONNTRACK_SIP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper sip -j ACCEPT
+ for proto in udp tcp; do
+ iptables -t raw -A CONNTRACK -p "${proto}" --dport 5060 -j CT --helper sip
+ done
+ fi
+
+ # H.323
+ if [ "${CONNTRACK_H323}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper h323 -j ACCEPT
+
+ # Gatekeeper RAS
+ iptables -t raw -A CONNTRACK -p udp --dport 1719 -j CT --helper RAS
+
+ # Q.931
+ iptables -t raw -A CONNTRACK -p tcp --dport 1720 -j CT --helper Q.931
+ fi
+
+ # FTP
+ if [ "${CONNTRACK_FTP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper ftp -p tcp --dport 1024: -j ACCEPT
+ iptables -t raw -A CONNTRACK -p tcp --dport 21 -j CT --helper ftp
+ fi
+
+ # PPTP
+ if [ "${CONNTRACK_PPTP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper pptp -j ACCEPT
+ iptables -t raw -A CONNTRACK -p udp --dport 1723 -j CT --helper pptp
+ fi
+
+ # TFTP
+ if [ "${CONNTRACK_TFTP}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper tftp -j ACCEPT
+ iptables -t raw -A CONNTRACK -p udp --dport 69 -j CT --helper tftp
+ fi
+
+ # IRC
+ if [ "${CONNTRACK_IRC}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper irc -j ACCEPT
+ iptables -t raw -A CONNTRACK -p tcp --dport 6667 -j CT --helper irc
+ fi
+
+ # Amanda
+ if [ "${CONNTRACK_AMANDA}" = "on" ]; then
+ iptables -A CONNTRACK -m conntrack --ctstate RELATED \
+ -m helper --helper amanda -j ACCEPT
+ iptables -t raw -A CONNTRACK -j CT --helper amanda
+ fi
# Fix for braindead ISP's
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -N CUSTOMPOSTROUTING
iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ # P2PBLOCK
+ iptables -N P2PBLOCK
+ iptables -A INPUT -j P2PBLOCK
+ iptables -A FORWARD -j P2PBLOCK
+ iptables -A OUTPUT -j P2PBLOCK
+
# Guardian (IPS) chains
iptables -N GUARDIAN
iptables -A INPUT -j GUARDIAN
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
+ # GeoIP block
+ iptables -N GEOIPBLOCK
+ iptables -A INPUT -j GEOIPBLOCK
+ iptables -A FORWARD -j GEOIPBLOCK
+
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- # Filter logging of incoming broadcasts.
- iptables -N BROADCAST_FILTER
- iptables -A INPUT -j BROADCAST_FILTER
-
- iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
-
- if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
- fi
-
- if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
- fi
-
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
/usr/sbin/firewall-policy
# Install firewall rules for the red interface.
- iptables_red
+ iptables_red_up
+
+ # If red has not been brought up yet, we will
+ # add the blocking rules for MASQUERADE
+ if [ ! -e "/var/ipfire/red/active" ]; then
+ iptables_red_down
+ fi
}
-iptables_red() {
+iptables_red_up() {
iptables -F REDINPUT
iptables -F REDFORWARD
iptables -t nat -F REDNAT
/usr/local/bin/firewallctrl
}
+iptables_red_down() {
+ # Prohibit packets to reach the masquerading rule
+ # while the wan interface is down - this is required to
+ # circumvent udp related NAT issues
+ # http://forum.ipfire.org/index.php?topic=11127.0
+ if [ -n "${IFACE}" ]; then
+ iptables -F REDFORWARD
+ iptables -A REDFORWARD -o "${IFACE}" -j DROP
+ fi
+
+ # Reload all rules.
+ /usr/local/bin/firewallctrl
+}
+
# See how we were called.
case "$1" in
start)
- boot_mesg "Loading firewall modules into the kernel"
- modprobe iptable_nat || failed=1
- for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
- modprobe $(basename $i | cut -d. -f1) || failed=1
- done
- for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
- modprobe $(basename $i | cut -d. -f1) || failed=1
- done
- (exit ${failed})
- evaluate_retval
-
- if [ -e /var/ipfire/main/disable_nf_sip ]; then
- rmmod nf_nat_sip
- rmmod nf_conntrack_sip
- rmmod nf_nat_h323
- rmmod nf_conntrack_h323
- fi
-
boot_mesg "Setting up firewall"
iptables_init
evaluate_retval
-
- # run local firewall configuration, if present
- if [ -x /etc/sysconfig/firewall.local ]; then
- /etc/sysconfig/firewall.local start
- fi
;;
- reload)
+ reload|up)
boot_mesg "Reloading firewall"
- iptables_red
+ iptables_red_up
+ evaluate_retval
+ ;;
+ down)
+ boot_mesg "Disabling firewall access to RED"
+ iptables_red_down
evaluate_retval
-
- # run local firewall configuration, if present
- if [ -x /etc/sysconfig/firewall.local ]; then
- /etc/sysconfig/firewall.local reload
- fi
;;
restart)
- # run local firewall configuration, if present
- if [ -x /etc/sysconfig/firewall.local ]; then
- /etc/sysconfig/firewall.local stop
- fi
$0 start
;;
*)
projects / ipfire-2.x.git / blobdiff