# Chain to contain all the rules relating to bad TCP flags
/sbin/iptables -N BADTCP
+ #Don't check loopback
+ /sbin/iptables -A BADTCP -i lo -j RETURN
+
# Disallow packets frequently used by port-scanners
# nmap xmas
/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
- /sbin/iptables -N GUARDIANINPUT
- /sbin/iptables -A INPUT -j GUARDIANINPUT
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -A FORWARD -j GUARDIAN
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
# Outgoing Firewall
/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
- /sbin/iptables -A FORWARD -j OUTGOINGFW
# localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-
+ /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+ # This chain only contains dummy rules.
+ /sbin/iptables -N UPNPFW
# Custom mangle chain (for port fowarding)
/sbin/iptables -t mangle -N PORTFWMANGLE
;;
restart)
$0 stop
+ $0 stopovpn
$0 start
+ $0 startovpn
;;
*)
echo "Usage: $0 {start|stop|reload|restart}"
projects / ipfire-2.x.git / blobdiff