[people/teissler/ipfire-2.x.git] / config / forwardfw / firewall-policy

#!/bin/sh

###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################


eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN

if [ -f "/var/ipfire/red/iface" ]; then
	IFACE=`cat /var/ipfire/red/iface`
fi

#FORWARDFW
if [ "$POLICY" == "MODE1" ]; then
		if [ "$FWPOLICY" == "REJECT" ]; then
			if [ "$DROPFORWARD" == "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
		fi
		if [ "$FWPOLICY" == "DROP" ]; then
			if [ "$DROPFORWARD" == "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
		fi
else
	if [  "$BLUE_DEV" ] && [ "$IFACE" ]; then
		/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
	fi
	/sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
	/sbin/iptables -A POLICYFWD -j ACCEPT 
	/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
fi

#OUTGOINGFW
if [ "$POLICY1" == "MODE1" ]; then
	if [ "$FWPOLICY1" == "REJECT" ]; then
		if [ "$DROPOUTGOING" == "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
		fi
		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
	fi
	if [ "$FWPOLICY1" == "DROP" ]; then
		if [ "$DROPOUTGOING" == "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
		fi
			/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
	fi
else
	/sbin/iptables -A POLICYOUT -j ACCEPT 
	/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
fi
#INPUT
if [ "$FWPOLICY2" == "REJECT" ]; then
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
fi
if [ "$FWPOLICY2" == "DROP" ]; then
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
fi

exit 0
Commit	Line	Data
5d7faa45 AM	1	#!/bin/sh
5d7faa45 AM	2
dc21519f AM	3	###############################################################################
	4	# #
	5	# IPFire.org - A linux based firewall #
5bee9a9d	6	# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
dc21519f AM	7	# #
	8	# This program is free software: you can redistribute it and/or modify #
	9	# it under the terms of the GNU General Public License as published by #
	10	# the Free Software Foundation, either version 3 of the License, or #
	11	# (at your option) any later version. #
	12	# #
	13	# This program is distributed in the hope that it will be useful, #
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	16	# GNU General Public License for more details. #
	17	# #
	18	# You should have received a copy of the GNU General Public License #
	19	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	20	# #
	21	###############################################################################
dc21519f AM	22
dc21519f AM	23
5d7faa45 AM	24	eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
5d7faa45 AM	25	eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
53f4c74d	26	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
5d7faa45 AM	27
	28	iptables -F POLICYFWD
	29	iptables -F POLICYOUT
d47bb8a1	30	iptables -F POLICYIN
53f4c74d AM	31
	32	if [ -f "/var/ipfire/red/iface" ]; then
	33	IFACE=`cat /var/ipfire/red/iface`
	34	fi
5d7faa45	35
ef6f983b	36	#FORWARDFW
5d7faa45 AM	37	if [ "$POLICY" == "MODE1" ]; then
	38	if [ "$FWPOLICY" == "REJECT" ]; then
	39	if [ "$DROPFORWARD" == "on" ]; then
	40	/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
	41	fi
93b75f31	42	/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
5d7faa45 AM	43	fi
	44	if [ "$FWPOLICY" == "DROP" ]; then
	45	if [ "$DROPFORWARD" == "on" ]; then
	46	/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
	47	fi
	48	/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
	49	fi
93b75f31	50	else
53f4c74d AM	51	if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
	52	/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
	53	fi
a6485463	54	/sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
94ea1f03	55	/sbin/iptables -A POLICYFWD -j ACCEPT
aff15def	56	/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
5d7faa45	57	fi
93b75f31	58
ef6f983b	59	#OUTGOINGFW
5d7faa45	60	if [ "$POLICY1" == "MODE1" ]; then
ef6f983b AM	61	if [ "$FWPOLICY1" == "REJECT" ]; then
	62	if [ "$DROPOUTGOING" == "on" ]; then
	63	/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
5d7faa45	64	fi
93b75f31	65	/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
ef6f983b AM	66	fi
	67	if [ "$FWPOLICY1" == "DROP" ]; then
	68	if [ "$DROPOUTGOING" == "on" ]; then
	69	/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
5d7faa45	70	fi
ef6f983b AM	71	/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
ef6f983b AM	72	fi
93b75f31	73	else
94ea1f03	74	/sbin/iptables -A POLICYOUT -j ACCEPT
aff15def	75	/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
5d7faa45	76	fi
d47bb8a1 AM	77	#INPUT
	78	if [ "$FWPOLICY2" == "REJECT" ]; then
	79	if [ "$DROPINPUT" == "on" ]; then
	80	/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	81	fi
93b75f31	82	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
d47bb8a1 AM	83	fi
	84	if [ "$FWPOLICY2" == "DROP" ]; then
	85	if [ "$DROPINPUT" == "on" ]; then
93b75f31	86	/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
d47bb8a1	87	fi
93b75f31	88	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
d47bb8a1	89	fi
aff15def AM	90
aff15def AM	91	exit 0