Merge remote-tracking branch 'ms/iptables-conntrack' into next

[ipfire-2.x.git] / src / initscripts / init.d / firewall

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 5b193c2c3b9e049112b92e420a0e4c77020ff08c..cb52670d6a5e42c5dbf7fd809fd1350d66a8a00d 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -178,6 +178,11 @@ iptables_init() {
        iptables -A INPUT -j GUARDIAN
        iptables -A FORWARD -j GUARDIAN
 
+       # Block non-established IPsec networks
+       iptables -N IPSECBLOCK
+       iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
+       iptables -A OUTPUT  -m policy --dir out --pol none -j IPSECBLOCK
+
        # Block OpenVPN transfer networks
        iptables -N OVPNBLOCK
        iptables -A INPUT   -i tun+ -j OVPNBLOCK
@@ -333,6 +338,9 @@ iptables_init() {
        iptables -t nat -N REDNAT
        iptables -t nat -A POSTROUTING -j REDNAT
 
+       # Populate IPsec block chain
+       /usr/lib/firewall/ipsec-block
+
        # Apply OpenVPN firewall rules
        /usr/local/bin/openvpnctrl --firewall-rules
 
@@ -407,8 +415,8 @@ iptables_red_up() {
                # Outgoing masquerading (don't masqerade IPSEC (mark 50))
                iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
 
-               if [ "$IFACE" = "$GREEN_DEV" ]; then
-                       MASQUERADE_GREEN="off"
+               if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+                       iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
                fi
 
                local NO_MASQ_NETWORKS