X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=cc6b6190eb8ecb7c376934b1aa74968915c46c6c;hp=9b708697f3b5a9bd48d0abf2e6f7545c6e2dd906;hb=31901da1edb401590960558b61e31ddd9fda89c1;hpb=db073a101e354ae047e1c5c113b50d03de1058de
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 9b708697f3..cc6b6190eb 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -53,6 +53,9 @@ iptables_init() {
 # Chain to contain all the rules relating to bad TCP flags
 /sbin/iptables -N BADTCP
+ #Don't check loopback
+ /sbin/iptables -A BADTCP -i lo -j RETURN
+
 # Disallow packets frequently used by port-scanners
 # nmap xmas
 /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
@@ -140,11 +143,15 @@ case "$1" in
 # CUSTOM chains, can be used by the users themselves
 /sbin/iptables -N CUSTOMINPUT
 /sbin/iptables -A INPUT -j CUSTOMINPUT
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -A FORWARD -j GUARDIAN
 /sbin/iptables -N CUSTOMFORWARD
 /sbin/iptables -A FORWARD -j CUSTOMFORWARD
 /sbin/iptables -N CUSTOMOUTPUT
 /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
 /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -N OUTGOINGFWMAC
 /sbin/iptables -A OUTPUT -j OUTGOINGFW
 /sbin/iptables -t nat -N CUSTOMPREROUTING
 /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
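Review bot: The new `/sbin/iptables -A BADTCP -i lo -j RETURN` exempts loopback from the flag checks by input interface, which is the right key (a spoofed 127.0.0.0/8 source arriving on another interface is still inspected), but the comment does not say why loopback needs the exemption; suggest replacing `#Don't check loopback` with `# Skip the bad-flag checks for loopback: local traffic is trusted and must not be counted as a scan`. Note that `-i` only has a value when BADTCP is traversed from INPUT or FORWARD; if the chain is also entered from OUTPUT (the hook sites are outside this hunk) the RETURN would not match there. iptables_init continues outside the hunk.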
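Review bot: GUARDIAN is hooked after CUSTOMINPUT in INPUT but before CUSTOMFORWARD in FORWARD, so a user's custom rule can pre-empt a GUARDIAN verdict for traffic to the firewall itself but not for forwarded traffic; if that asymmetry is intended it deserves a comment, otherwise move the jump so it is appended after `/sbin/iptables -A FORWARD -j CUSTOMFORWARD`. The stop path that must flush and delete the new GUARDIAN and OUTGOINGFWMAC chains is not in this hunk; if it is not updated, every `-N` here fails on restart with "Chain already exists" and the rest of the hook-up silently degrades. OUTGOINGFWMAC is created here but nothing in this hunk jumps to it or fills it, so a one-line comment naming the consumer would help the next reader. The enclosing `case "$1" in` branch starts before and ends after the hunk.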
@@ -176,17 +183,17 @@ case "$1" in
 /sbin/iptables -A FORWARD -j IPSECFORWARD
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
 /sbin/iptables -A OUTPUT -j IPSECOUTPUT
- #/sbin/iptables -t nat -N IPSECNAT
- #/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+ /sbin/iptables -t nat -N IPSECNAT
+ /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 # Outgoing Firewall
- /sbin/iptables -A FORWARD -j OUTGOINGFW
+ /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
 # localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
 /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
 /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
+ /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
 /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
@@ -245,7 +252,9 @@ case "$1" in
 # upnp chain for our upnp daemon
 /sbin/iptables -t nat -N UPNPFW
 /sbin/iptables -t nat -A PREROUTING -j UPNPFW
-
+ /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+ # This chain only contains dummy rules.
+ /sbin/iptables -N UPNPFW
 # Custom mangle chain (for port fowarding)
 /sbin/iptables -t mangle -N PORTFWMANGLE
@@ -327,7 +336,9 @@ case "$1" in
 ;;
 restart)
 $0 stop
+ $0 stopovpn
 $0 start
+ $0 startovpn
 ;;
 *)
 echo "Usage: $0 {start|stop|reload|restart}"
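Review bot: FORWARD now jumps to OUTGOINGFWMAC while OUTPUT (hooked earlier in the file) still jumps to OUTGOINGFW, and nothing in this hunk populates the new chain, so the `# Outgoing Firewall` comment should state the split, e.g. `# Outgoing Firewall: forwarded traffic goes through the MAC-aware chain, OUTPUT keeps OUTGOINGFW`. The two `-i lo` ACCEPT lines are removed and re-added with text that looks identical, which reads as a whitespace-only change; keeping that out of a functional commit makes the real change easier to audit. Whether the newly enabled `IPSECNAT` hook in nat POSTROUTING lands before or after the general masquerade rule is not visible here and worth confirming, since rule order in POSTROUTING decides which one wins. The enclosing case branch starts and ends outside the hunk.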
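Review bot: The new `/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW` appends a jump to a filter-table chain that is only created two lines later with `/sbin/iptables -N UPNPFW`; iptables refuses a jump to a chain that does not exist yet, so on a fresh start the FORWARD hook fails and only the empty chain gets created (the nat-table `UPNPFW` created above is a separate chain and does not satisfy the jump). Swap the two lines so the chain is created first: `/sbin/iptables -N UPNPFW` then `/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW`. The comment `# This chain only contains dummy rules.` should also say who fills the chain at runtime, because as committed it is empty and the jump is a no-op. The enclosing case branch starts before and ends after the hunk.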
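Review bot: The usage line in the same hunk still advertises only `{start|stop|reload|restart}`, yet restart now runs `$0 stopovpn` and `$0 startovpn`; if those are case labels of this script they should be listed (`echo "Usage: $0 {start|stop|reload|restart|startovpn|stopovpn}"`) or marked internal with a comment, and if they are not defined here the `*)` branch prints usage in the middle of every restart. The ordering is also worth a second look: `$0 stop` runs before `$0 stopovpn`, so if stop already flushes the chains stopovpn touches, stopovpn will emit errors on an ordinary restart; running stopovpn first (mirroring start then startovpn) avoids that. The stopovpn and startovpn branches are not in this hunk.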