Forward Firewall: added GPL header to all files
[people/teissler/ipfire-2.x.git] / config / forwardfw / firewall-policy
CommitLineData
5d7faa45
AM
1#!/bin/sh
2
dc21519f
AM
3###############################################################################
4# #
5# IPFire.org - A linux based firewall #
6# Copyright (C) 2013 #
7# #
8# This program is free software: you can redistribute it and/or modify #
9# it under the terms of the GNU General Public License as published by #
10# the Free Software Foundation, either version 3 of the License, or #
11# (at your option) any later version. #
12# #
13# This program is distributed in the hope that it will be useful, #
14# but WITHOUT ANY WARRANTY; without even the implied warranty of #
15# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
16# GNU General Public License for more details. #
17# #
18# You should have received a copy of the GNU General Public License #
19# along with this program. If not, see <http://www.gnu.org/licenses/>. #
20# #
21###############################################################################
22# Author: Alexander Marx (amarx@ipfire.org) #
23###############################################################################
24
25
5d7faa45
AM
26eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
27eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
53f4c74d 28eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
5d7faa45
AM
29
30iptables -F POLICYFWD
31iptables -F POLICYOUT
d47bb8a1 32iptables -F POLICYIN
53f4c74d
AM
33
34if [ -f "/var/ipfire/red/iface" ]; then
35 IFACE=`cat /var/ipfire/red/iface`
36fi
5d7faa45 37
ef6f983b 38#FORWARDFW
5d7faa45
AM
39if [ "$POLICY" == "MODE1" ]; then
40 if [ "$FWPOLICY" == "REJECT" ]; then
41 if [ "$DROPFORWARD" == "on" ]; then
42 /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
43 fi
93b75f31 44 /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
5d7faa45
AM
45 fi
46 if [ "$FWPOLICY" == "DROP" ]; then
47 if [ "$DROPFORWARD" == "on" ]; then
48 /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
49 fi
50 /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
51 fi
93b75f31 52else
53f4c74d
AM
53 if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
54 /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
55 fi
a6485463 56 /sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
94ea1f03 57 /sbin/iptables -A POLICYFWD -j ACCEPT
aff15def 58 /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
5d7faa45 59fi
93b75f31 60
ef6f983b 61#OUTGOINGFW
5d7faa45 62if [ "$POLICY1" == "MODE1" ]; then
ef6f983b
AM
63 if [ "$FWPOLICY1" == "REJECT" ]; then
64 if [ "$DROPOUTGOING" == "on" ]; then
65 /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
5d7faa45 66 fi
93b75f31 67 /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
ef6f983b
AM
68 fi
69 if [ "$FWPOLICY1" == "DROP" ]; then
70 if [ "$DROPOUTGOING" == "on" ]; then
71 /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
5d7faa45 72 fi
ef6f983b
AM
73 /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
74 fi
93b75f31 75else
94ea1f03 76 /sbin/iptables -A POLICYOUT -j ACCEPT
aff15def 77 /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
5d7faa45 78fi
d47bb8a1
AM
79#INPUT
80if [ "$FWPOLICY2" == "REJECT" ]; then
81 if [ "$DROPINPUT" == "on" ]; then
82 /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
83 fi
93b75f31 84 /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
d47bb8a1
AM
85fi
86if [ "$FWPOLICY2" == "DROP" ]; then
87 if [ "$DROPINPUT" == "on" ]; then
93b75f31 88 /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
d47bb8a1 89 fi
93b75f31 90 /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
d47bb8a1 91fi
aff15def
AM
92
93exit 0