]>
Commit | Line | Data |
---|---|---|
5d7faa45 AM |
1 | #!/bin/sh |
2 | ||
dc21519f AM |
3 | ############################################################################### |
4 | # # | |
5 | # IPFire.org - A linux based firewall # | |
6 | # Copyright (C) 2013 # | |
7 | # # | |
8 | # This program is free software: you can redistribute it and/or modify # | |
9 | # it under the terms of the GNU General Public License as published by # | |
10 | # the Free Software Foundation, either version 3 of the License, or # | |
11 | # (at your option) any later version. # | |
12 | # # | |
13 | # This program is distributed in the hope that it will be useful, # | |
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
16 | # GNU General Public License for more details. # | |
17 | # # | |
18 | # You should have received a copy of the GNU General Public License # | |
19 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
20 | # # | |
21 | ############################################################################### | |
22 | # Author: Alexander Marx (amarx@ipfire.org) # | |
23 | ############################################################################### | |
24 | ||
25 | ||
5d7faa45 AM |
26 | eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) |
27 | eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) | |
53f4c74d | 28 | eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) |
5d7faa45 AM |
29 | |
30 | iptables -F POLICYFWD | |
31 | iptables -F POLICYOUT | |
d47bb8a1 | 32 | iptables -F POLICYIN |
53f4c74d AM |
33 | |
34 | if [ -f "/var/ipfire/red/iface" ]; then | |
35 | IFACE=`cat /var/ipfire/red/iface` | |
36 | fi | |
5d7faa45 | 37 | |
ef6f983b | 38 | #FORWARDFW |
5d7faa45 AM |
39 | if [ "$POLICY" == "MODE1" ]; then |
40 | if [ "$FWPOLICY" == "REJECT" ]; then | |
41 | if [ "$DROPFORWARD" == "on" ]; then | |
42 | /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" | |
43 | fi | |
93b75f31 | 44 | /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" |
5d7faa45 AM |
45 | fi |
46 | if [ "$FWPOLICY" == "DROP" ]; then | |
47 | if [ "$DROPFORWARD" == "on" ]; then | |
48 | /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" | |
49 | fi | |
50 | /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" | |
51 | fi | |
93b75f31 | 52 | else |
53f4c74d AM |
53 | if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then |
54 | /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP | |
55 | fi | |
a6485463 | 56 | /sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP |
94ea1f03 | 57 | /sbin/iptables -A POLICYFWD -j ACCEPT |
aff15def | 58 | /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP |
5d7faa45 | 59 | fi |
93b75f31 | 60 | |
ef6f983b | 61 | #OUTGOINGFW |
5d7faa45 | 62 | if [ "$POLICY1" == "MODE1" ]; then |
ef6f983b AM |
63 | if [ "$FWPOLICY1" == "REJECT" ]; then |
64 | if [ "$DROPOUTGOING" == "on" ]; then | |
65 | /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" | |
5d7faa45 | 66 | fi |
93b75f31 | 67 | /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" |
ef6f983b AM |
68 | fi |
69 | if [ "$FWPOLICY1" == "DROP" ]; then | |
70 | if [ "$DROPOUTGOING" == "on" ]; then | |
71 | /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" | |
5d7faa45 | 72 | fi |
ef6f983b AM |
73 | /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" |
74 | fi | |
93b75f31 | 75 | else |
94ea1f03 | 76 | /sbin/iptables -A POLICYOUT -j ACCEPT |
aff15def | 77 | /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP |
5d7faa45 | 78 | fi |
d47bb8a1 AM |
79 | #INPUT |
80 | if [ "$FWPOLICY2" == "REJECT" ]; then | |
81 | if [ "$DROPINPUT" == "on" ]; then | |
82 | /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" | |
83 | fi | |
93b75f31 | 84 | /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" |
d47bb8a1 AM |
85 | fi |
86 | if [ "$FWPOLICY2" == "DROP" ]; then | |
87 | if [ "$DROPINPUT" == "on" ]; then | |
93b75f31 | 88 | /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" |
d47bb8a1 | 89 | fi |
93b75f31 | 90 | /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" |
d47bb8a1 | 91 | fi |
aff15def AM |
92 | |
93 | exit 0 |