]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - config/firewall/firewall-policy
projects / people / pmueller / ipfire-2.x.git / blob
? search:


c0a526f225e7a1d9ad763dc15f5e6d73c95ccfb1
[people/pmueller/ipfire-2.x.git] / config / firewall / firewall-policy
1 #!/bin/sh
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
23 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
24 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
25
26 function iptables() {
27 /sbin/iptables --wait "$@"
28 }
29
30 iptables -F POLICYFWD
31 iptables -F POLICYOUT
32 iptables -F POLICYIN
33
34 if [ -f "/var/ipfire/red/iface" ]; then
35 IFACE="$(</var/ipfire/red/iface)"
36 fi
37
38 # Figure out what devices are configured.
39 HAVE_BLUE="false"
40 HAVE_ORANGE="false"
41
42 case "${CONFIG_TYPE}" in
43 2)
44 HAVE_ORANGE="true"
45 ;;
46 3)
47 HAVE_BLUE="true"
48 ;;
49 4)
50 HAVE_BLUE="true"
51 HAVE_ORANGE="true"
52 ;;
53 esac
54
55 HAVE_IPSEC="true"
56 HAVE_OPENVPN="true"
57
58 # INPUT
59
60 # Allow access from GREEN
61 if [ -n "${GREEN_DEV}" ]; then
62 iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
63 fi
64
65 # Allow access from BLUE
66 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
67 iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
68 fi
69
70 # IPsec INPUT
71 case "${HAVE_IPSEC},${POLICY}" in
72 true,MODE1) ;;
73 true,*)
74 iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
75 ;;
76 esac
77
78 # OpenVPN INPUT
79 # Allow direct access to the internal IP addresses of the firewall
80 # from remote subnets if forward policy is allowed.
81 case "${HAVE_OPENVPN},${POLICY}" in
82 true,MODE1) ;;
83 true,*)
84 iptables -A POLICYIN -i tun+ -j ACCEPT
85 ;;
86 esac
87
88 case "${FWPOLICY2}" in
89 REJECT)
90 if [ "${DROPINPUT}" = "on" ]; then
91 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
92 fi
93 iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
94 ;;
95 *) # DROP
96 if [ "${DROPINPUT}" = "on" ]; then
97 iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
98 fi
99 iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
100 ;;
101 esac
102
103 # FORWARD
104 case "${POLICY}" in
105 MODE1)
106 case "${FWPOLICY}" in
107 REJECT)
108 if [ "${DROPFORWARD}" = "on" ]; then
109 iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
110 fi
111 iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
112 ;;
113 *) # DROP
114 if [ "${DROPFORWARD}" = "on" ]; then
115 iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
116 fi
117 iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
118 ;;
119 esac
120 ;;
121
122 *)
123 # Access from GREEN is granted to everywhere
124 if [ -n "${GREEN_DEV}" ]; then
125 if [ "${IFACE}" = "${GREEN_DEV}" ]; then
126 # internet via green
127 # don't check source IP/NET if IFACE is GREEN
128 iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
129 else
130 iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
131 fi
132 fi
133
134 # Grant access for IPsec VPN connections
135 iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
136
137 # Grant access for OpenVPN connections
138 iptables -A POLICYFWD -i tun+ -j ACCEPT
139
140 if [ -n "${IFACE}" ]; then
141 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
142 iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
143 fi
144
145 if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
146 iptables -A POLICYFWD -i "${ORANGE_DEV}" -s "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" -o "${IFACE}" -j ACCEPT
147 fi
148 fi
149
150 if [ "${DROPFORWARD}" = "on" ]; then
151 iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
152 fi
153 iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
154 ;;
155 esac
156
157 # OUTGOING
158 case "${POLICY1}" in
159 MODE1)
160 case "${FWPOLICY1}" in
161 REJECT)
162 if [ "${DROPOUTGOING}" = "on" ]; then
163 iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
164 fi
165 iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
166 ;;
167 *) # DROP
168 if [ "${DROPOUTGOING}" == "on" ]; then
169 iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
170 fi
171 iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
172 ;;
173 esac
174 ;;
175 *)
176 iptables -A POLICYOUT -j ACCEPT
177 iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
178 ;;
179 esac
180
181 exit 0
Peter's tree of IPFire 2.x