[people/teissler/ipfire-2.x.git] / config / forwardfw / firewall-policy

#!/bin/sh

###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013                                                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
# Author: Alexander Marx (amarx@ipfire.org)                                   #
###############################################################################


eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN

if [ -f "/var/ipfire/red/iface" ]; then
	IFACE=`cat /var/ipfire/red/iface`
fi

#FORWARDFW
if [ "$POLICY" == "MODE1" ]; then
		if [ "$FWPOLICY" == "REJECT" ]; then
			if [ "$DROPFORWARD" == "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
		fi
		if [ "$FWPOLICY" == "DROP" ]; then
			if [ "$DROPFORWARD" == "on" ]; then
				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
			fi
			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
		fi
else
	if [  "$BLUE_DEV" ] && [ "$IFACE" ]; then
		/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
	fi
	/sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
	/sbin/iptables -A POLICYFWD -j ACCEPT 
	/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
fi

#OUTGOINGFW
if [ "$POLICY1" == "MODE1" ]; then
	if [ "$FWPOLICY1" == "REJECT" ]; then
		if [ "$DROPOUTGOING" == "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
		fi
		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
	fi
	if [ "$FWPOLICY1" == "DROP" ]; then
		if [ "$DROPOUTGOING" == "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
		fi
			/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
	fi
else
	/sbin/iptables -A POLICYOUT -j ACCEPT 
	/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
fi
#INPUT
if [ "$FWPOLICY2" == "REJECT" ]; then
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
fi
if [ "$FWPOLICY2" == "DROP" ]; then
	if [ "$DROPINPUT" == "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
fi

exit 0
Commit	Line	Data
5d7faa45 AM	1	#!/bin/sh
5d7faa45 AM	2
dc21519f AM	3	###############################################################################
	4	# #
	5	# IPFire.org - A linux based firewall #
	6	# Copyright (C) 2013 #
	7	# #
	8	# This program is free software: you can redistribute it and/or modify #
	9	# it under the terms of the GNU General Public License as published by #
	10	# the Free Software Foundation, either version 3 of the License, or #
	11	# (at your option) any later version. #
	12	# #
	13	# This program is distributed in the hope that it will be useful, #
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	16	# GNU General Public License for more details. #
	17	# #
	18	# You should have received a copy of the GNU General Public License #
	19	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	20	# #
	21	###############################################################################
	22	# Author: Alexander Marx (amarx@ipfire.org) #
	23	###############################################################################
	24
	25
5d7faa45 AM	26	eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
5d7faa45 AM	27	eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
53f4c74d	28	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
5d7faa45 AM	29
	30	iptables -F POLICYFWD
	31	iptables -F POLICYOUT
d47bb8a1	32	iptables -F POLICYIN
53f4c74d AM	33
	34	if [ -f "/var/ipfire/red/iface" ]; then
	35	IFACE=`cat /var/ipfire/red/iface`
	36	fi
5d7faa45	37
ef6f983b	38	#FORWARDFW
5d7faa45 AM	39	if [ "$POLICY" == "MODE1" ]; then
	40	if [ "$FWPOLICY" == "REJECT" ]; then
	41	if [ "$DROPFORWARD" == "on" ]; then
	42	/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
	43	fi
93b75f31	44	/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
5d7faa45 AM	45	fi
	46	if [ "$FWPOLICY" == "DROP" ]; then
	47	if [ "$DROPFORWARD" == "on" ]; then
	48	/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
	49	fi
	50	/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
	51	fi
93b75f31	52	else
53f4c74d AM	53	if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
	54	/sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
	55	fi
a6485463	56	/sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
94ea1f03	57	/sbin/iptables -A POLICYFWD -j ACCEPT
aff15def	58	/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
5d7faa45	59	fi
93b75f31	60
ef6f983b	61	#OUTGOINGFW
5d7faa45	62	if [ "$POLICY1" == "MODE1" ]; then
ef6f983b AM	63	if [ "$FWPOLICY1" == "REJECT" ]; then
	64	if [ "$DROPOUTGOING" == "on" ]; then
	65	/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
5d7faa45	66	fi
93b75f31	67	/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
ef6f983b AM	68	fi
	69	if [ "$FWPOLICY1" == "DROP" ]; then
	70	if [ "$DROPOUTGOING" == "on" ]; then
	71	/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
5d7faa45	72	fi
ef6f983b AM	73	/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
ef6f983b AM	74	fi
93b75f31	75	else
94ea1f03	76	/sbin/iptables -A POLICYOUT -j ACCEPT
aff15def	77	/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
5d7faa45	78	fi
d47bb8a1 AM	79	#INPUT
	80	if [ "$FWPOLICY2" == "REJECT" ]; then
	81	if [ "$DROPINPUT" == "on" ]; then
	82	/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	83	fi
93b75f31	84	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
d47bb8a1 AM	85	fi
	86	if [ "$FWPOLICY2" == "DROP" ]; then
	87	if [ "$DROPINPUT" == "on" ]; then
93b75f31	88	/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
d47bb8a1	89	fi
93b75f31	90	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
d47bb8a1	91	fi
aff15def AM	92
aff15def AM	93	exit 0