X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Fsystem%2Ffirewall;h=da89857d8b17b75dbeda6515745d5068d9869204;hp=7bdb292f7ddb8a2160377a45180fe58de40b93dc;hb=686c4b9f25d2c2edfc4fe851f84a78e04eaee330;hpb=33f53d55ccec436a6cbd80ea469ea4a558528798
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 7bdb292f7d..da89857d8b 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,6 +185,14 @@ iptables_init() {
 	iptables -A INPUT -j GUARDIAN
 	iptables -A FORWARD -j GUARDIAN
 
+	# IPS (suricata) chains
+	iptables -N IPS_INPUT
+	iptables -N IPS_FORWARD
+	iptables -N IPS_OUTPUT
+	iptables -A INPUT -j IPS_INPUT
+	iptables -A FORWARD -j IPS_FORWARD
+	iptables -A OUTPUT -j IPS_OUTPUT
+
 	# Block non-established IPsec networks
 	iptables -N IPSECBLOCK
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
@@ -224,6 +232,13 @@ iptables_init() {
 		iptables -A ${i} -j LOOPBACK
 	done
 
+	# Captive portal
+	iptables -N CAPTIVE_PORTAL
+	iptables -N CAPTIVE_PORTAL_CLIENTS
+	for i in INPUT FORWARD; do
+		iptables -A ${i} -j CAPTIVE_PORTAL
+	done
+
 	# Accept everything connected
 	for i in INPUT FORWARD OUTPUT; do
 		iptables -A ${i} -j CONNTRACK
@@ -273,7 +288,9 @@ iptables_init() {
 	# Always allow accessing the web GUI from GREEN.
 	iptables -N GUIINPUT
 	iptables -A INPUT -j GUIINPUT
-	iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+	if [ -n "${GREEN_DEV}" ]; then
+		iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+	fi
 
 	# WIRELESS chains
 	iptables -N WIRELESSINPUT
@@ -285,9 +302,11 @@ iptables_init() {
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
 
-	# TOR
+	# Tor (inbound and outbound)
 	iptables -N TOR_INPUT
 	iptables -A INPUT -j TOR_INPUT
+	iptables -N TOR_OUTPUT
+	iptables -A OUTPUT -j TOR_OUTPUT
 
 	# Jump into the actual firewall ruleset.
 	iptables -N INPUTFW
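Review bot: The three IPS jumps in the `@@ -185` hunk are appended to INPUT, FORWARD and OUTPUT ahead of the IPSECBLOCK jump and ahead of the CONNTRACK jumps in the `@@ -224` hunk, so established flows are also handed to the IPS chains; that is presumably the intent, but nothing says so, and a later reordering would silently exempt most traffic from inspection. Suggest `# IPS (suricata) chains - keep these ahead of CONNTRACK so established flows are inspected as well`. The chains are created empty here and whatever fills them is outside this diff; `iptables -N` also fails if a chain already exists, so this relies on the flush earlier in iptables_init, which is outside the hunk.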
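Review bot: In the `@@ -224` hunk `CAPTIVE_PORTAL_CLIENTS` is created but no rule in the hunk references it, and the filter-table `CAPTIVE_PORTAL` chain shares its name with the nat-table `CAPTIVE_PORTAL` chain created in the `@@ -303` hunk, so `iptables -S` and `iptables -t nat -S` show two unrelated chains under one name. The jumps are also placed before the CONNTRACK jumps that follow, which means already-established flows still traverse the portal chain; if that is deliberate (so a client whose session ends is cut off mid-connection rather than riding on conntrack), say so. Suggest `# Captive portal - jumps sit ahead of CONNTRACK so established flows remain subject to the portal rules; CAPTIVE_PORTAL_CLIENTS is filled at runtime by the portal helper`, adjusted to match the helper that actually populates these chains, which is not in this diff.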
@@ -303,6 +322,10 @@ iptables_init() {
 	iptables -t nat -N NAT_SOURCE
 	iptables -t nat -A POSTROUTING -j NAT_SOURCE
 
+	# Captive Portal
+	iptables -t nat -N CAPTIVE_PORTAL
+	iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL
+
 	# Custom prerouting chains (for transparent proxy)
 	iptables -t nat -N SQUID
 	iptables -t nat -A PREROUTING -j SQUID
@@ -318,8 +341,10 @@ iptables_init() {
 	iptables -t nat -N NAT_DESTINATION_FIX
 	iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
 
-	iptables -t nat -A NAT_DESTINATION_FIX \
-		-m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+	if [ -n "${GREEN_ADDRESS}" ]; then
+		iptables -t nat -A NAT_DESTINATION_FIX \
+			-m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+	fi
 
 	if [ -n "${BLUE_ADDRESS}" ]; then
 		iptables -t nat -A NAT_DESTINATION_FIX \
@@ -345,8 +370,8 @@ iptables_init() {
 	iptables -t nat -N REDNAT
 	iptables -t nat -A POSTROUTING -j REDNAT
 
-	# Populate IPsec block chain
-	/usr/lib/firewall/ipsec-block
+	# Populate IPsec chains
+	/usr/lib/firewall/ipsec-policy
 
 	# Apply OpenVPN firewall rules
 	/usr/local/bin/openvpnctrl --firewall-rules
@@ -399,15 +424,6 @@ iptables_red_up() {
 		iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
 	fi
 
-	# Orange pinholes
-	if [ "$ORANGE_DEV" != "" ]; then
-		# This rule enables a host on ORANGE network to connect to the outside
-		# (only if we have a red connection)
-		if [ "$IFACE" != "" ]; then
-			iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
-		fi
-	fi
-
 	if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then
 		# DHCP
 		if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then
@@ -455,7 +471,7 @@ iptables_red_up() {
 
 iptables_red_down() {
 	# Prohibit packets to reach the masquerading rule
-	# while the wan interface is down - this is required to
+	# while the WAN interface is down - this is required to
 	# circumvent udp related NAT issues
 	# http://forum.ipfire.org/index.php?topic=11127.0
 	if [ -n "${IFACE}" ]; then
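Review bot: In the `@@ -303` hunk the nat `CAPTIVE_PORTAL` jump is appended to PREROUTING ahead of the SQUID jump, and that order decides whether an unauthenticated client's request is redirected to the portal or to the transparent proxy first; the dependency is worth recording so nobody moves it. Suggest `# Captive Portal - must stay ahead of SQUID so portal clients are redirected to the portal before the transparent proxy sees them`, to be confirmed against the rules that get loaded into either chain, which are not in this diff. The comment also capitalises "Captive Portal" while the filter-table block in the `@@ -224` hunk says "Captive portal"; pick one.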
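Review bot: In the `@@ -345` hunk `/usr/lib/firewall/ipsec-policy` is invoked without checking that it exists or succeeded, so if the helper is missing after an upgrade or exits non-zero the IPSECBLOCK chain created in the `@@ -185` hunk presumably stays empty and traffic towards IPsec networks is no longer dropped while a tunnel is down — a fail-open that nothing reports unless the script runs under `set -e`, whose header is outside this diff. Consider `/usr/lib/firewall/ipsec-policy || logger -t firewall "ipsec-policy failed"` and a comment that names what the helper fills, e.g. `# Populate IPsec chains (e.g. IPSECBLOCK) via the ipsec-policy helper`. The openvpnctrl call below shares the unchecked-call pattern, so this is pre-existing style rather than something the commit introduces.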