X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=23d0c23ff7a3a03642727c85b102ce3589d3d118;hp=4c9d875f9fc8e610808c17e12df9812f4a21bf66;hb=93899a216f7f03b8e1d5092fdd20afd07b0bedae;hpb=0f5c5ce72d42a236a44bcd45ed8aa718c596aca3
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 4c9d875f9f..23d0c23ff7 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -64,16 +64,20 @@ iptables_init() {
 iptables -A BADTCP -i lo -j RETURN
 # Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
 iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
 # SYN/RST (also catches xmas variants that set SYN+RST+...)
 iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
 # SYN/FIN (QueSO or nmap OS probe)
 iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
 # NEW TCP without SYN
 iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
@@ -83,6 +87,7 @@ iptables_init() {
 # Connection tracking chain
 iptables -N CONNTRACK
 iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
 # Fix for braindead ISP's
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
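Review bot: The two new rules `--tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN` and `--tcp-flags ALL ALL -j PSCAN` add no coverage, because both flag sets have SYN and RST set and the unchanged `--tcp-flags SYN,RST SYN,RST -j PSCAN` rule later in the same chain already matches any such packet (its own comment says it catches those variants). Every packet entering BADTCP is compared against each rule, so if they are kept only for separate per-pattern counters the comment should say so, e.g. `# Subsets of the SYN/RST rule below; kept for separate counters`; otherwise they can be dropped. The rest of iptables_init lies outside this hunk.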
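Review bot: The added `--ctstate INVALID -j DROP` in CONNTRACK discards silently, and CONNTRACK is jumped to from several built-in chains (the `iptables -A ${i} -j CONNTRACK` loop visible in the hunk at line 148), so anything this rule drops wrongly (asymmetric routing, a flushed state table, strict TCP window tracking, for example) leaves no trace for an operator to find. A rate-limited log ahead of the drop, `iptables -A CONNTRACK -m conntrack --ctstate INVALID -m limit --limit 10/minute -j LOG --log-prefix "INVALID_STATE "`, keeps the drop but makes it observable; the prefix and limit mirror the DROP_INPUT logging this commit removes further down.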
@@ -106,9 +111,9 @@ iptables_init() {
 # Block OpenVPN transfer networks
 iptables -N OVPNBLOCK
- for i in INPUT FORWARD; do
- iptables -A ${i} -j OVPNBLOCK
- done
+ iptables -A INPUT -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -o tun+ -j OVPNBLOCK
 # OpenVPN transfer network translation
 iptables -t nat -N OVPNNAT
@@ -120,10 +125,10 @@ iptables_init() {
 iptables -N IPTVFORWARD
 iptables -A FORWARD -j IPTVFORWARD
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 # Accept everything on loopback
 iptables -N LOOPBACK
@@ -143,6 +148,31 @@ iptables_init() {
 iptables -A ${i} -j CONNTRACK
 done
+ # Allow DHCP
+ iptables -N DHCPINPUT
+ iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+ iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+ iptables -N DHCPOUTPUT
+ iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+ iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+ # Allow DHCP on GREEN
+ iptables -N DHCPGREENINPUT
+ iptables -N DHCPGREENOUTPUT
+ if [ -n "${GREEN_DEV}" ]; then
+ iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
+ iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+ fi
+
+ # allow DHCP on BLUE to be turned on/off
+ iptables -N DHCPBLUEINPUT
+ iptables -N DHCPBLUEOUTPUT
+ if [ -n "${BLUE_DEV}" ]; then
+ iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+ iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+ fi
+
 # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 iptables -N IPSECINPUT
 iptables -N IPSECFORWARD
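Review bot: `iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT` accepts echo-request on every interface without any rate limit, which is the same exposure the old GUIINPUT rule had, so the rename changes nothing here; now that the chain is named for its purpose it is the natural place to bound it. Something like `iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/second --limit-burst 20 -j ACCEPT` keeps the firewall pingable while letting a flood fall through to the later chains; the exact numbers are a policy choice. The comment could also state that this applies to all zones including RED, so nobody assumes it is GREEN-only.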
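Review bot: `iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT` and its DHCPOUTPUT counterpart accept TCP, but DHCP (RFC 2131) runs over UDP only, so these two lines open 67/tcp (and 68/tcp outbound) to any peer that picks the matching source port, which a client controls freely; dropping the two `-p tcp` rules limits the accept to what the protocol needs. DHCPINPUT and DHCPOUTPUT are created and filled here but nothing in this hunk jumps to them, and the per-zone DHCPGREEN*/DHCPBLUE* chains are hooked into INPUT/OUTPUT empty, so presumably another script links the two when DHCP is enabled on a zone; a comment naming that script next to `# Allow DHCP` would save the next reader the search.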
@@ -154,12 +184,11 @@ iptables_init() {
 iptables -t nat -A POSTROUTING -j IPSECNAT
 # localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-
- # allow DHCP on BLUE to be turned on/off
- iptables -N DHCPBLUEINPUT
- iptables -A INPUT -j DHCPBLUEINPUT
-
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+
 # WIRELESS chains
 iptables -N WIRELESSINPUT
 iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
@@ -188,16 +217,6 @@ iptables_init() {
 iptables -t nat -N NAT_SOURCE
 iptables -t nat -A POSTROUTING -j NAT_SOURCE
- # RED chain, used for the red interface
- iptables -N REDINPUT
- iptables -A INPUT -j REDINPUT
- iptables -N REDFORWARD
- iptables -A FORWARD -j REDFORWARD
- iptables -t nat -N REDNAT
- iptables -t nat -A POSTROUTING -j REDNAT
-
- iptables_red
-
 # Custom prerouting chains (for transparent proxy)
 iptables -t nat -N SQUID
 iptables -t nat -A PREROUTING -j SQUID
@@ -205,6 +224,26 @@ iptables_init() {
 # DNAT rules
 iptables -t nat -N NAT_DESTINATION
 iptables -t nat -A PREROUTING -j NAT_DESTINATION
+ iptables -t nat -A OUTPUT -j NAT_DESTINATION
+
+ iptables -t mangle -N NAT_DESTINATION
+ iptables -t mangle -A PREROUTING -j NAT_DESTINATION
+
+ iptables -t nat -N NAT_DESTINATION_FIX
+ iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
+
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+
+ if [ -n "${BLUE_ADDRESS}" ]; then
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ fi
+
+ if [ -n "${ORANGE_ADDRESS}" ]; then
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ fi
 # upnp chain for our upnp daemon
 iptables -t nat -N UPNPFW
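Review bot: `iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT` uses GREEN_DEV without the `if [ -n "${GREEN_DEV}" ]` guard that the DHCP hunk at line 148 applies to the same variable; with GREEN_DEV empty this passes `-i ""` to iptables, which I expect to be rejected as an empty interface name (verify on the shipped iptables), so the rule would silently be missing. Wrapping it the same way, `if [ -n "${GREEN_DEV}" ]; then … fi`, keeps the two blocks consistent. The unchanged context comment `# localhost and ethernet.` now sits directly above the GUI block and no longer describes anything, since the `-i $GREEN_DEV --ctstate NEW -j ACCEPT` catch-all it introduced is gone; it should be removed or folded into `# Always allow accessing the web GUI from GREEN.`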
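Review bot: The `-m mark --mark 1`, `--mark 2` and `--mark 3` matches in NAT_DESTINATION_FIX are undocumented: the mangle NAT_DESTINATION chain created just above is left empty in this hunk, so the reader must guess that a rule generator elsewhere sets these marks and what they encode. A comment along the lines of `# Marks 1-3 are set in mangle/NAT_DESTINATION for connections DNATed back into GREEN/BLUE/ORANGE; SNAT them to the zone address so replies return via the firewall` would capture the intent — adjust it if that is not how the marks are assigned. Because `--mark N` without a mask is an exact compare it cannot collide with the IPsec mark 50 matched in iptables_red, but any later bit-wise use of the mark register would break these rules, which is worth a line in the same comment. GREEN_ADDRESS is also used unguarded while BLUE_ADDRESS and ORANGE_ADDRESS are tested with `-n`; fine if GREEN is mandatory, but the asymmetry should be stated.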
@@ -212,6 +251,14 @@ iptables_init() {
 iptables -N UPNPFW
 iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
+ # RED chain, used for the red interface
+ iptables -N REDINPUT
+ iptables -A INPUT -j REDINPUT
+ iptables -N REDFORWARD
+ iptables -A FORWARD -j REDFORWARD
+ iptables -t nat -N REDNAT
+ iptables -t nat -A POSTROUTING -j REDNAT
+
 # Apply OpenVPN firewall rules
 /usr/local/bin/openvpnctrl --firewall-rules
@@ -226,19 +273,11 @@ iptables_init() {
 iptables -N POLICYOUT
 iptables -A OUTPUT -j POLICYOUT
+ # Initialize firewall policies.
 /usr/sbin/firewall-policy
- # read new firewall
- /usr/local/bin/firewallctrl
-
- if [ "$DROPINPUT" == "on" ]; then
- iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
- fi
- iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPFORWARD" == "on" ]; then
- iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
- fi
- iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ # Install firewall rules for the red interface.
+ iptables_red
 }
 iptables_red() {
@@ -287,9 +326,15 @@ iptables_red() {
 # Outgoing masquerading (don't masqerade IPSEC (mark 50))
 iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ if [ "$IFACE" != "$GREEN_DEV" ]; then
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ fi
 fi
+
+ # Reload all rules.
+ /usr/local/bin/firewallctrl
 }
 # See how we were called.
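Review bot: Re-creating the RED chains here hooks `-A INPUT -j REDINPUT` and `-A FORWARD -j REDFORWARD` after the `-A FORWARD -m conntrack --ctstate NEW -j UPNPFW` jump, whereas the removed block (hunk at line 217) hooked them before it; in the filter table that is the only rule the move crosses, so any NEW forward that UPNPFW accepts now never reaches REDFORWARD, whose contents iptables_red fills outside this hunk. If that precedence is intended, the comment should record it, e.g. `# Hooked after UPNPFW on purpose: UPnP port maps take precedence over RED filtering`; if not, the block belongs back ahead of the UPNPFW jump. The rest of iptables_init is outside the hunk.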
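Review bot: Deleting the trailing `iptables -A INPUT -j DROP` / `iptables -A FORWARD -j DROP` rules and their rate-limited `DROP_INPUT`/`DROP_FORWARD` log rules removes this script's deny-by-default end for INPUT and FORWARD and all logging of rejected packets, and no hunk on this page sets the built-in chain policies. If `/usr/sbin/firewall-policy` (called just above, not shown here) installs equivalent drop and log rules, a comment saying so would stop a later reader from assuming the chains now fall through to the built-in policy: `# firewall-policy appends the per-zone default action and the DROP_INPUT/DROP_FORWARD logging`. If it does not, the DROP/LOG tail should stay in this script. iptables_red, now called last, itself ends with the `/usr/local/bin/firewallctrl` reload (hunk at line 326), which the `# Install firewall rules for the red interface.` comment could mention so the reload is not assumed to be missing.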
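Review bot: The new guard `if [ "$IFACE" != "$GREEN_DEV" ]` quotes both variables, but the rule it protects still uses `-o $IFACE` unquoted (as does the mark-50 RETURN line above it), so an empty IFACE passes the comparison whenever GREEN_DEV is set and then expands to `-o -j MASQUERADE`, which iptables rejects; the assignment of IFACE and the enclosing `if` are outside the hunk, so this may already be excluded upstream. Quoting it consistently, `iptables -t nat -A REDNAT -o "${IFACE}" -j MASQUERADE`, and a comment stating the reason for the exclusion, `# Do not masquerade when RED runs on the GREEN device`, would make the branch self-explanatory. The appended `/usr/local/bin/firewallctrl` has no error handling, and if iptables_red is also invoked on RED up/down events (the dispatch below the hunk is not visible) that full reload now runs on each of them, which the `# Reload all rules.` comment should say.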