projects / people / pmueller / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 3a1019f6 MT |
1 | #!/bin/sh |
| 2 | ||
| 3 | eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) | |
| 4 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) | |
| fe0cd647 | 5 | eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) |
| 3a1019f6 MT |
6 | IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` |
| 7 | ||
| 8 | if [ -f /var/ipfire/red/device ]; then | |
| 9 | DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` | |
| 10 | fi | |
| 11 | ||
| 12 | iptables_init() { | |
| 13 | # Flush all rules and delete all custom chains | |
| 14 | /sbin/iptables -F | |
| 15 | /sbin/iptables -t nat -F | |
| 16 | /sbin/iptables -t mangle -F | |
| 17 | /sbin/iptables -X | |
| 18 | /sbin/iptables -t nat -X | |
| 19 | /sbin/iptables -t mangle -X | |
| 20 | ||
| 21 | # Set up policies | |
| 22 | /sbin/iptables -P INPUT DROP | |
| 23 | /sbin/iptables -P FORWARD DROP | |
| 24 | /sbin/iptables -P OUTPUT ACCEPT | |
| 25 | ||
| 26 | # Empty LOG_DROP and LOG_REJECT chains | |
| 27 | /sbin/iptables -N LOG_DROP | |
| 28 | /sbin/iptables -A LOG_DROP -m limit --limit 10/minute -j LOG | |
| 29 | /sbin/iptables -A LOG_DROP -j DROP | |
| 30 | /sbin/iptables -N LOG_REJECT | |
| 31 | /sbin/iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG | |
| 32 | /sbin/iptables -A LOG_REJECT -j REJECT | |
| 33 | ||
| 34 | # This chain will log, then DROPs packets with certain bad combinations | |
| 35 | # of flags might indicate a port-scan attempt (xmas, null, etc) | |
| 36 | /sbin/iptables -N PSCAN | |
| 5595bc03 | 37 | if [ "$DROPPORTSCAN" == "on" ]; then |
| 97fe1741 | 38 | /sbin/iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" |
| fe0cd647 | 39 | /sbin/iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" |
| 97fe1741 CS |
40 | /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" |
| 41 | /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" | |
| 5595bc03 | 42 | fi |
| 97fe1741 | 43 | /sbin/iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" |
| 3a1019f6 MT |
44 | |
| 45 | # New tcp packets without SYN set - could well be an obscure type of port scan | |
| 46 | # that's not covered above, may just be a broken windows machine | |
| 47 | /sbin/iptables -N NEWNOTSYN | |
| 5595bc03 | 48 | if [ "$DROPNEWNOTSYN" == "on" ]; then |
| 97fe1741 | 49 | /sbin/iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " |
| 5595bc03 | 50 | fi |
| 97fe1741 | 51 | /sbin/iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" |
| 3a1019f6 MT |
52 | |
| 53 | # Chain to contain all the rules relating to bad TCP flags | |
| 54 | /sbin/iptables -N BADTCP | |
| 55 | ||
| 56 | # Disallow packets frequently used by port-scanners | |
| 57 | # nmap xmas | |
| 58 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN | |
| 59 | # Null | |
| 60 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN | |
| 61 | # FIN | |
| 62 | /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN | |
| 63 | # SYN/RST (also catches xmas variants that set SYN+RST+...) | |
| 64 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN | |
| 65 | # SYN/FIN (QueSO or nmap OS probe) | |
| 66 | /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN | |
| 67 | # NEW TCP without SYN | |
| 68 | /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN | |
| 69 | ||
| 70 | /sbin/iptables -A INPUT -j BADTCP | |
| 71 | /sbin/iptables -A FORWARD -j BADTCP | |
| 72 | ||
| 73 | } | |
| 74 | ||
| 75 | iptables_red() { | |
| 76 | /sbin/iptables -F REDINPUT | |
| 77 | /sbin/iptables -F REDFORWARD | |
| 78 | /sbin/iptables -t nat -F REDNAT | |
| 79 | ||
| 80 | # PPPoE / PPTP Device | |
| 81 | if [ "$IFACE" != "" ]; then | |
| 82 | # PPPoE / PPTP | |
| 83 | if [ "$DEVICE" != "" ]; then | |
| 84 | /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT | |
| 85 | fi | |
| 86 | if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then | |
| 87 | if [ "$RED_DEV" != "" ]; then | |
| 88 | /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT | |
| 89 | fi | |
| 90 | fi | |
| 91 | fi | |
| 92 | ||
| 93 | # PPTP over DHCP | |
| 94 | if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then | |
| 95 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
| 96 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT | |
| 97 | fi | |
| 98 | ||
| 99 | # Orange pinholes | |
| 100 | if [ "$ORANGE_DEV" != "" ]; then | |
| 101 | # This rule enables a host on ORANGE network to connect to the outside | |
| 102 | # (only if we have a red connection) | |
| 103 | if [ "$IFACE" != "" ]; then | |
| 104 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p tcp -o $IFACE -j ACCEPT | |
| 105 | /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p udp -o $IFACE -j ACCEPT | |
| 106 | fi | |
| 107 | fi | |
| 108 | ||
| 109 | if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then | |
| 110 | # DHCP | |
| 111 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
| 112 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 113 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 114 | fi | |
| 115 | if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then | |
| 116 | /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 117 | /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 118 | fi | |
| 119 | ||
| 120 | # Outgoing masquerading | |
| 121 | /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE | |
| 122 | ||
| 123 | fi | |
| 124 | } | |
| 125 | ||
| 126 | # See how we were called. | |
| 127 | case "$1" in | |
| 128 | start) | |
| 129 | iptables_init | |
| 130 | ||
| 131 | # Limit Packets- helps reduce dos/syn attacks | |
| 132 | # original do nothing line | |
| 133 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec | |
| 134 | # the correct one, but the negative '!' do nothing... | |
| 9efdd899 | 135 | #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP |
| 3a1019f6 MT |
136 | |
| 137 | # Fix for braindead ISP's | |
| 138 | /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
| 139 | ||
| 140 | # CUSTOM chains, can be used by the users themselves | |
| 141 | /sbin/iptables -N CUSTOMINPUT | |
| 142 | /sbin/iptables -A INPUT -j CUSTOMINPUT | |
| 143 | /sbin/iptables -N CUSTOMFORWARD | |
| 144 | /sbin/iptables -A FORWARD -j CUSTOMFORWARD | |
| 145 | /sbin/iptables -N CUSTOMOUTPUT | |
| 146 | /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT | |
| 4cb74dce MT |
147 | /sbin/iptables -N OUTGOINGFW |
| 148 | /sbin/iptables -A OUTPUT -j OUTGOINGFW | |
| 3a1019f6 MT |
149 | /sbin/iptables -t nat -N CUSTOMPREROUTING |
| 150 | /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING | |
| 151 | /sbin/iptables -t nat -N CUSTOMPOSTROUTING | |
| 152 | /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING | |
| 153 | ||
| daa1ceba AF |
154 | # IPTV chains for IGMPPROXY |
| 155 | /sbin/iptables -N IPTVINPUT | |
| 156 | /sbin/iptables -A INPUT -j IPTVINPUT | |
| 157 | /sbin/iptables -N IPTVFORWARD | |
| 158 | /sbin/iptables -A FORWARD -j IPTVFORWARD | |
| 159 | ||
| 3a1019f6 MT |
160 | # filtering from GUI |
| 161 | /sbin/iptables -N GUIINPUT | |
| 162 | /sbin/iptables -A INPUT -j GUIINPUT | |
| 905fbf3e | 163 | /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT |
| 3a1019f6 MT |
164 | |
| 165 | # Accept everything connected | |
| 166 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| 167 | /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| 5fd30232 MT |
168 | |
| 169 | # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything | |
| 170 | /sbin/iptables -N IPSECVIRTUAL | |
| 171 | /sbin/iptables -N OPENSSLVIRTUAL | |
| 5595bc03 CS |
172 | /sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT" |
| 173 | /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT" | |
| 174 | /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD" | |
| 175 | /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" | |
| 507954d9 AF |
176 | /sbin/iptables -t nat -N IPSECNAT |
| 177 | /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT | |
| b68e5c14 | 178 | |
| 4cb74dce MT |
179 | # Outgoing Firewall |
| 180 | /sbin/iptables -A FORWARD -j OUTGOINGFW | |
| 3a1019f6 MT |
181 | |
| 182 | # localhost and ethernet. | |
| 183 | /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT | |
| 184 | /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo | |
| 185 | /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP | |
| 186 | /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT | |
| 187 | /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP | |
| 188 | /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP | |
| dd79c399 | 189 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp |
| 3a1019f6 MT |
190 | /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT |
| 191 | ||
| 192 | # If a host on orange tries to initiate a connection to IPFire's red IP and | |
| 193 | # the connection gets DNATed back through a port forward to a server on orange | |
| 194 | # we end up with orange -> orange traffic passing through IPFire | |
| 195 | [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT | |
| 196 | ||
| 3a1019f6 MT |
197 | # allow DHCP on BLUE to be turned on/off |
| 198 | /sbin/iptables -N DHCPBLUEINPUT | |
| 199 | /sbin/iptables -A INPUT -j DHCPBLUEINPUT | |
| 200 | ||
| 5fd30232 MT |
201 | # IPSec |
| 202 | /sbin/iptables -N IPSECPHYSICAL | |
| 203 | /sbin/iptables -A INPUT -j IPSECPHYSICAL | |
| 204 | ||
| 205 | # OPenSSL | |
| 206 | /sbin/iptables -N OPENSSLPHYSICAL | |
| 207 | /sbin/iptables -A INPUT -j OPENSSLPHYSICAL | |
| 3a1019f6 MT |
208 | |
| 209 | # WIRELESS chains | |
| 210 | /sbin/iptables -N WIRELESSINPUT | |
| 211 | /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT | |
| 212 | /sbin/iptables -N WIRELESSFORWARD | |
| 213 | /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD | |
| 214 | ||
| 215 | # RED chain, used for the red interface | |
| 216 | /sbin/iptables -N REDINPUT | |
| 217 | /sbin/iptables -A INPUT -j REDINPUT | |
| 218 | /sbin/iptables -N REDFORWARD | |
| 219 | /sbin/iptables -A FORWARD -j REDFORWARD | |
| 220 | /sbin/iptables -t nat -N REDNAT | |
| 221 | /sbin/iptables -t nat -A POSTROUTING -j REDNAT | |
| 222 | ||
| 223 | iptables_red | |
| 224 | ||
| 225 | # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow | |
| 226 | # ORANGE to talk to GREEN / BLUE. | |
| 227 | /sbin/iptables -N DMZHOLES | |
| 228 | if [ "$ORANGE_DEV" != "" ]; then | |
| 229 | /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES | |
| 230 | fi | |
| 231 | ||
| 232 | # XTACCESS chain, used for external access | |
| 233 | /sbin/iptables -N XTACCESS | |
| 234 | /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS | |
| 235 | ||
| 236 | # PORTFWACCESS chain, used for portforwarding | |
| 237 | /sbin/iptables -N PORTFWACCESS | |
| 238 | /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS | |
| 239 | ||
| 240 | # Custom prerouting chains (for transparent proxy and port forwarding) | |
| 241 | /sbin/iptables -t nat -N SQUID | |
| 242 | /sbin/iptables -t nat -A PREROUTING -j SQUID | |
| 243 | /sbin/iptables -t nat -N PORTFW | |
| 244 | /sbin/iptables -t nat -A PREROUTING -j PORTFW | |
| 245 | ||
| 7e7495b3 MT |
246 | # upnp chain for our upnp daemon |
| 247 | /sbin/iptables -t nat -N UPNPFW | |
| 248 | /sbin/iptables -t nat -A PREROUTING -j UPNPFW | |
| 249 | ||
| 3a1019f6 MT |
250 | |
| 251 | # Custom mangle chain (for port fowarding) | |
| 252 | /sbin/iptables -t mangle -N PORTFWMANGLE | |
| 253 | /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE | |
| 254 | ||
| 255 | # Postrouting rules (for port forwarding) | |
| 256 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ | |
| 257 | --to-source $GREEN_ADDRESS | |
| 258 | if [ "$BLUE_DEV" != "" ]; then | |
| 259 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS | |
| 260 | fi | |
| 261 | if [ "$ORANGE_DEV" != "" ]; then | |
| 262 | /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS | |
| 263 | fi | |
| 264 | ||
| 3a1019f6 MT |
265 | # run local firewall configuration, if present |
| 266 | if [ -x /etc/sysconfig/firewall.local ]; then | |
| 267 | /etc/sysconfig/firewall.local start | |
| 268 | fi | |
| 269 | ||
| 270 | # last rule in input and forward chain is for logging. | |
| 5595bc03 CS |
271 | |
| 272 | if [ "$DROPINPUT" == "on" ]; then | |
| 97fe1741 | 273 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " |
| 5595bc03 | 274 | fi |
| 97fe1741 | 275 | /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" |
| 5595bc03 | 276 | if [ "$DROPOUTPUT" == "on" ]; then |
| 97fe1741 | 277 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " |
| 5595bc03 | 278 | fi |
| 97fe1741 | 279 | /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" |
| 3a1019f6 | 280 | ;; |
| 13211b21 CS |
281 | startovpn) |
| 282 | # run openvpn | |
| 283 | /usr/local/bin/openvpnctrl --create-chains-and-rules | |
| 284 | ;; | |
| 3a1019f6 MT |
285 | stop) |
| 286 | iptables_init | |
| 287 | # Accept everyting connected | |
| 288 | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| 289 | ||
| 290 | # localhost and ethernet. | |
| 291 | /sbin/iptables -A INPUT -i lo -j ACCEPT | |
| 292 | /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT | |
| 293 | ||
| 294 | if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then | |
| 295 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 296 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 297 | fi | |
| 298 | if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then | |
| 299 | /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 300 | /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT | |
| 301 | fi | |
| 302 | ||
| 3a1019f6 MT |
303 | # run local firewall configuration, if present |
| 304 | if [ -x /etc/sysconfig/firewall.local ]; then | |
| 305 | /etc/sysconfig/firewall.local stop | |
| 306 | fi | |
| 307 | ||
| 5595bc03 | 308 | if [ "$DROPINPUT" == "on" ]; then |
| 97fe1741 | 309 | /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " |
| 5595bc03 | 310 | fi |
| 97fe1741 | 311 | /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" |
| 5595bc03 | 312 | if [ "$DROPOUTPUT" == "on" ]; then |
| 97fe1741 | 313 | /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " |
| 5595bc03 | 314 | fi |
| 97fe1741 | 315 | /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" |
| 3a1019f6 | 316 | ;; |
| 13211b21 CS |
317 | stopovpn) |
| 318 | # stop openvpn | |
| 319 | /usr/local/bin/openvpnctrl --delete-chains-and-rules | |
| 320 | ;; | |
| 3a1019f6 MT |
321 | reload) |
| 322 | iptables_red | |
| 323 | ||
| 324 | # run local firewall configuration, if present | |
| 325 | if [ -x /etc/sysconfig/firewall.local ]; then | |
| 326 | /etc/sysconfig/firewall.local reload | |
| 327 | fi | |
| 328 | ;; | |
| 329 | restart) | |
| 330 | $0 stop | |
| 331 | $0 start | |
| 332 | ;; | |
| 333 | *) | |
| 334 | echo "Usage: $0 {start|stop|reload|restart}" | |
| 335 | exit 1 | |
| 336 | ;; | |
| 337 | esac | |
| 338 | ||
| 339 | exit 0 |