[people/teissler/ipfire-2.x.git] / config / forwardfw / firewall-policy

#!/bin/sh

eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN

if [ -f "/var/ipfire/red/iface" ]; then
	IFACE=`cat /var/ipfire/red/iface`
fi

#FORWARDFW
if [ "$POLICY" == "MODE1" ]; then
		if [ "$FWPOLICY" == "REJECT" ]; then
			if [ "$DROPFORWARD" == "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
		fi
		if [ "$FWPOLICY" == "DROP" ]; then
			if [ "$DROPFORWARD" == "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
		fi
else
	if [  "$BLUE_DEV" ] && [ "$IFACE" ]; then
		/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
	fi
	/sbin/iptables -A POLICYFWD -j ACCEPT 
fi

#OUTGOINGFW
if [ "$POLICY1" == "MODE1" ]; then
	if [ "$FWPOLICY1" == "REJECT" ]; then
		if [ "$DROPOUTGOING" == "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
		fi
		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
	fi
	if [ "$FWPOLICY1" == "DROP" ]; then
		if [ "$DROPOUTGOING" == "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
		fi
			/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
	fi
else
	/sbin/iptables -A POLICYOUT -j ACCEPT 
fi
#INPUT
if [ "$FWPOLICY2" == "REJECT" ]; then
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
fi
if [ "$FWPOLICY2" == "DROP" ]; then
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
fi
Commit	Line	Data
5d7faa45 AM	1	#!/bin/sh
	2
	3	eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
	4	eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
53f4c74d	5	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
5d7faa45 AM	6
	7	iptables -F POLICYFWD
	8	iptables -F POLICYOUT
d47bb8a1	9	iptables -F POLICYIN
53f4c74d AM	10
	11	if [ -f "/var/ipfire/red/iface" ]; then
	12	IFACE=`cat /var/ipfire/red/iface`
	13	fi
5d7faa45	14
ef6f983b	15	#FORWARDFW
5d7faa45 AM	16	if [ "$POLICY" == "MODE1" ]; then
	17	if [ "$FWPOLICY" == "REJECT" ]; then
	18	if [ "$DROPFORWARD" == "on" ]; then
	19	/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
	20	fi
93b75f31	21	/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
5d7faa45 AM	22	fi
	23	if [ "$FWPOLICY" == "DROP" ]; then
	24	if [ "$DROPFORWARD" == "on" ]; then
	25	/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
	26	fi
	27	/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
	28	fi
93b75f31	29	else
53f4c74d AM	30	if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
	31	/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
	32	fi
94ea1f03	33	/sbin/iptables -A POLICYFWD -j ACCEPT
5d7faa45	34	fi
93b75f31	35
ef6f983b	36	#OUTGOINGFW
5d7faa45	37	if [ "$POLICY1" == "MODE1" ]; then
ef6f983b AM	38	if [ "$FWPOLICY1" == "REJECT" ]; then
	39	if [ "$DROPOUTGOING" == "on" ]; then
	40	/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
5d7faa45	41	fi
93b75f31	42	/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
ef6f983b AM	43	fi
	44	if [ "$FWPOLICY1" == "DROP" ]; then
	45	if [ "$DROPOUTGOING" == "on" ]; then
	46	/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
5d7faa45	47	fi
ef6f983b AM	48	/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
ef6f983b AM	49	fi
93b75f31	50	else
94ea1f03	51	/sbin/iptables -A POLICYOUT -j ACCEPT
5d7faa45	52	fi
d47bb8a1 AM	53	#INPUT
	54	if [ "$FWPOLICY2" == "REJECT" ]; then
	55	if [ "$DROPINPUT" == "on" ]; then
	56	/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	57	fi
93b75f31	58	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
d47bb8a1 AM	59	fi
	60	if [ "$FWPOLICY2" == "DROP" ]; then
	61	if [ "$DROPINPUT" == "on" ]; then
93b75f31	62	/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
d47bb8a1	63	fi
93b75f31	64	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
d47bb8a1	65	fi