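#!/bin/sh
#
# Firewall init script: loads the IPFire settings files as shell variables,
# determines the state of the RED interface and builds the iptables ruleset.

# Load settings as shell variables. Whatever readhash prints is executed by
# eval, so the settings files must stay writable only by trusted accounts.
# The substitution is quoted so one assignment per line is executed as
# written and no value is subject to word splitting or pathname expansion.
# NOTE(review): the escaping readhash applies to values is not visible here -
# confirm it only ever emits shell-safe KEY=value lines.
eval "$(/usr/local/bin/readhash /var/ipfire/ppp/settings)"
eval "$(/usr/local/bin/readhash /var/ipfire/ethernet/settings)"
eval "$(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)"

# Name of the active RED interface; empty when the file is missing (RED down).
# Newlines are stripped so the value can be passed straight to iptables.
IFACE=$(/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012')

# Carrier device of a dial-up (PPPoE/PPTP) connection, if one is recorded.
# Left unset otherwise; every later use checks for a non-empty value.
if [ -f /var/ipfire/red/device ]; then
	DEVICE=$(/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012')
fi
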
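# Route every iptables call in this script through /sbin/iptables --wait, so a
# rule is queued behind the xtables lock instead of failing (and silently
# leaving a hole in the ruleset) while another process holds it.
# Defined with POSIX syntax since the script runs under #!/bin/sh.
iptables() {
	/sbin/iptables --wait "$@"
}
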
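# Build the complete ruleset from scratch.
#
# The order is safety-relevant: all tables are flushed first, then the DROP
# policies for INPUT and FORWARD are installed before any ACCEPT rule exists,
# so the box stays fail-closed while the rest of the chains are populated.
# Chains are appended to INPUT/FORWARD/OUTPUT in the order they should see
# traffic; the final rules log (optionally) and DROP whatever is left.
#
# Reads: DROPPORTSCAN, DROPNEWNOTSYN, DROPINPUT, DROPFORWARD, GREEN_DEV
# (loaded from the settings files at the top of the script).
# Calls: iptables_red plus the external helpers that fill their own chains.
# Exit status: that of the last iptables call only; an earlier rule that
# failed to load is not reflected in it.
iptables_init() {
	# Flush all rules and delete all custom chains
	iptables -F
	iptables -t nat -F
	iptables -t mangle -F
	iptables -X
	iptables -t nat -X
	iptables -t mangle -X

	# Set up policies: default-deny for incoming and forwarded traffic before
	# any rule is added; locally generated traffic is allowed by default.
	iptables -P INPUT DROP
	iptables -P FORWARD DROP
	iptables -P OUTPUT ACCEPT

	# Empty LOG_DROP and LOG_REJECT chains. Logging is rate-limited so a
	# flood of rejected packets cannot fill the log.
	iptables -N LOG_DROP
	iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
	iptables -A LOG_DROP -j DROP
	iptables -N LOG_REJECT
	iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
	iptables -A LOG_REJECT -j REJECT

	# This chain will log, then DROPs packets with certain bad combinations
	# of flags might indicate a port-scan attempt (xmas, null, etc).
	# Logging is optional (DROPPORTSCAN), the DROP is unconditional.
	iptables -N PSCAN
	if [ "$DROPPORTSCAN" = "on" ]; then
		iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
		iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
		iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
		iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
	fi
	iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"

	# New tcp packets without SYN set - could well be an obscure type of port scan
	# that's not covered above, may just be a broken windows machine.
	# Logging is optional (DROPNEWNOTSYN), the DROP is unconditional.
	iptables -N NEWNOTSYN
	if [ "$DROPNEWNOTSYN" = "on" ]; then
		iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN "
	fi
	iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"

	# Chain to contain all the rules relating to bad TCP flags
	iptables -N BADTCP

	# Don't check loopback
	iptables -A BADTCP -i lo -j RETURN

	# Disallow packets frequently used by port-scanners
	# nmap xmas
	iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
	# Null
	iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
	# FIN
	iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
	# SYN/RST (also catches xmas variants that set SYN+RST+...)
	iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
	# SYN/FIN (QueSO or nmap OS probe)
	iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
	# NEW TCP without SYN
	iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN

	# BADTCP runs before the conntrack ACCEPT below, so malformed segments
	# of otherwise established flows are still inspected.
	iptables -A INPUT -p tcp -j BADTCP
	iptables -A FORWARD -p tcp -j BADTCP

	# Connection tracking chain (only jumped to further down, after the
	# custom, Guardian, OVPNBLOCK and loopback chains have had their turn).
	iptables -N CONNTRACK
	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

	# Fix for braindead ISP's
	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

	# CUSTOM chains, can be used by the users themselves
	iptables -N CUSTOMINPUT
	iptables -A INPUT -j CUSTOMINPUT
	iptables -N CUSTOMFORWARD
	iptables -A FORWARD -j CUSTOMFORWARD
	iptables -N CUSTOMOUTPUT
	iptables -A OUTPUT -j CUSTOMOUTPUT
	iptables -t nat -N CUSTOMPREROUTING
	iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
	iptables -t nat -N CUSTOMPOSTROUTING
	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING

	# Guardian (IPS) chains. Placed before the conntrack ACCEPT so a block
	# issued by the IPS also applies to already established flows.
	iptables -N GUARDIAN
	iptables -A INPUT -j GUARDIAN
	iptables -A FORWARD -j GUARDIAN

	# Block OpenVPN transfer networks
	iptables -N OVPNBLOCK
	for i in INPUT FORWARD; do
		iptables -A "$i" -j OVPNBLOCK
	done

	# OpenVPN transfer network translation
	iptables -t nat -N OVPNNAT
	iptables -t nat -A POSTROUTING -j OVPNNAT

	# IPTV chains for IGMPPROXY
	iptables -N IPTVINPUT
	iptables -A INPUT -j IPTVINPUT
	iptables -N IPTVFORWARD
	iptables -A FORWARD -j IPTVFORWARD

	# filtering from GUI; echo requests to the firewall are always accepted
	iptables -N GUIINPUT
	iptables -A INPUT -j GUIINPUT
	iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT

	# Accept everything on loopback
	iptables -N LOOPBACK
	iptables -A LOOPBACK -i lo -j ACCEPT
	iptables -A LOOPBACK -o lo -j ACCEPT

	# Filter all packets with loopback addresses on non-loopback interfaces
	# (anti-spoofing: these only match once the -i/-o lo rules above missed).
	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP

	for i in INPUT FORWARD OUTPUT; do
		iptables -A "$i" -j LOOPBACK
	done

	# Accept everything connected
	for i in INPUT FORWARD OUTPUT; do
		iptables -A "$i" -j CONNTRACK
	done

	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
	iptables -N IPSECINPUT
	iptables -N IPSECFORWARD
	iptables -N IPSECOUTPUT
	iptables -A INPUT -j IPSECINPUT
	iptables -A FORWARD -j IPSECFORWARD
	iptables -A OUTPUT -j IPSECOUTPUT
	iptables -t nat -N IPSECNAT
	iptables -t nat -A POSTROUTING -j IPSECNAT

	# localhost and ethernet: accept all NEW non-ICMP connections arriving on
	# GREEN. Only emit the rule when GREEN_DEV is set - an empty "-i" argument
	# is not rejected by iptables and acts as a wildcard, which would turn this
	# into accept-all on every interface. With no GREEN_DEV the rule is simply
	# absent and GREEN stays fail-closed.
	if [ -n "$GREEN_DEV" ]; then
		iptables -A INPUT -i "$GREEN_DEV" ! -p icmp -m conntrack --ctstate NEW -j ACCEPT
	fi

	# allow DHCP on BLUE to be turned on/off
	iptables -N DHCPBLUEINPUT
	iptables -A INPUT -j DHCPBLUEINPUT

	# WIRELESS chains
	iptables -N WIRELESSINPUT
	iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
	iptables -N WIRELESSFORWARD
	iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD

	# OpenVPN
	iptables -N OVPNINPUT
	iptables -A INPUT -j OVPNINPUT

	# TOR
	iptables -N TOR_INPUT
	iptables -A INPUT -j TOR_INPUT

	# Jump into the actual firewall ruleset.
	iptables -N INPUTFW
	iptables -A INPUT -j INPUTFW

	iptables -N OUTGOINGFW
	iptables -A OUTPUT -j OUTGOINGFW

	iptables -N FORWARDFW
	iptables -A FORWARD -j FORWARDFW

	# SNAT rules
	iptables -t nat -N NAT_SOURCE
	iptables -t nat -A POSTROUTING -j NAT_SOURCE

	# RED chain, used for the red interface
	iptables -N REDINPUT
	iptables -A INPUT -j REDINPUT
	iptables -N REDFORWARD
	iptables -A FORWARD -j REDFORWARD
	iptables -t nat -N REDNAT
	iptables -t nat -A POSTROUTING -j REDNAT

	# Populate the RED chains (also re-run on "reload").
	iptables_red

	# Custom prerouting chains (for transparent proxy)
	iptables -t nat -N SQUID
	iptables -t nat -A PREROUTING -j SQUID

	# DNAT rules
	iptables -t nat -N NAT_DESTINATION
	iptables -t nat -A PREROUTING -j NAT_DESTINATION

	# upnp chain for our upnp daemon
	iptables -t nat -N UPNPFW
	iptables -t nat -A PREROUTING -j UPNPFW
	iptables -N UPNPFW
	iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW

	# Apply OpenVPN firewall rules
	/usr/local/bin/openvpnctrl --firewall-rules

	# run wirelessctrl
	/usr/local/bin/wirelessctrl

	# POLICY CHAIN
	iptables -N POLICYIN
	iptables -A INPUT -j POLICYIN
	iptables -N POLICYFWD
	iptables -A FORWARD -j POLICYFWD
	iptables -N POLICYOUT
	iptables -A OUTPUT -j POLICYOUT

	/usr/sbin/firewall-policy

	# read new firewall
	/usr/local/bin/firewallctrl

	# Final catch-all: optionally log, then DROP whatever reached the end of
	# INPUT and FORWARD (mirrors the chain policies set above).
	if [ "$DROPINPUT" = "on" ]; then
		iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
	fi
	iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
	if [ "$DROPFORWARD" = "on" ]; then
		iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
	fi
	iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
}
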
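# (Re)build only the RED-interface chains REDINPUT, REDFORWARD and REDNAT.
#
# Called from iptables_init and on "reload", so it first flushes the chains it
# owns and then re-adds rules based on the current RED state. Between the
# flush of REDNAT and the MASQUERADE rule further down, traffic leaving RED is
# briefly not masqueraded.
#
# Reads: IFACE, DEVICE (determined at the top of the script), RED_TYPE,
# RED_DEV, ORANGE_DEV, TYPE, METHOD, PROTOCOL (from the settings files).
# Every interface variable is checked for a non-empty value before it is
# passed to "-i"/"-o", so no rule is ever built with an empty interface name.
iptables_red() {
	iptables -F REDINPUT
	iptables -F REDFORWARD
	iptables -t nat -F REDNAT

	# PPPoE / PPTP Device
	if [ -n "$IFACE" ]; then
		# PPPoE / PPTP
		# NOTE(review): this accepts all IP traffic arriving on the carrier
		# device, not only the tunnel control traffic - confirm the carrier
		# never carries a routable address of its own.
		if [ -n "$DEVICE" ]; then
			iptables -A REDINPUT -i "$DEVICE" -j ACCEPT
		fi
		if [ "$RED_TYPE" = "PPTP" ] || [ "$RED_TYPE" = "PPPOE" ]; then
			if [ -n "$RED_DEV" ]; then
				iptables -A REDINPUT -i "$RED_DEV" -j ACCEPT
			fi
		fi
	fi

	# PPTP over DHCP: let the DHCP server answer on the carrier device
	if [ -n "$DEVICE" ] && [ "$TYPE" = "PPTP" ] && [ "$METHOD" = "DHCP" ]; then
		iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i "$DEVICE" -j ACCEPT
		iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i "$DEVICE" -j ACCEPT
	fi

	# Orange pinholes
	if [ -n "$ORANGE_DEV" ]; then
		# This rule enables a host on ORANGE network to connect to the outside
		# (only if we have a red connection)
		if [ -n "$IFACE" ]; then
			iptables -A REDFORWARD -i "$ORANGE_DEV" -o "$IFACE" -j ACCEPT
		fi
	fi

	if [ -n "$IFACE" ] && [ -f /var/ipfire/red/active ]; then
		# DHCP
		if [ -n "$RED_DEV" ] && [ "$RED_TYPE" = "DHCP" ]; then
			iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
			iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
		fi
		if [ "$METHOD" = "DHCP" ] && [ "$PROTOCOL" = "RFC1483" ]; then
			iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
			iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
		fi

		# Outgoing masquerading (don't masquerade IPSEC, which carries mark 50)
		iptables -t nat -A REDNAT -m mark --mark 50 -o "$IFACE" -j RETURN
		iptables -t nat -A REDNAT -o "$IFACE" -j MASQUERADE

	fi
}
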
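# See how we were called.
#
#   start   - build the full ruleset (iptables_init), then run the local hook
#   reload  - rebuild only the RED chains (iptables_red), e.g. after RED
#             came up or went down
#   restart - stop the local hook, then re-run this script with "start"
#
# /etc/sysconfig/firewall.local is an optional, locally maintained hook that
# is executed as-is when present and executable.
# boot_mesg and evaluate_retval are not defined in this file; presumably they
# come from the init-script function library - verify it is sourced before
# this script runs. evaluate_retval reports only the exit status of the last
# command, so a rule that failed to load earlier is not visible here.
case "$1" in
	start)
		boot_mesg "Setting up firewall"
		iptables_init
		evaluate_retval

		# run local firewall configuration, if present
		if [ -x /etc/sysconfig/firewall.local ]; then
			/etc/sysconfig/firewall.local start
		fi
		;;
	reload)
		boot_mesg "Reloading firewall"
		iptables_red
		evaluate_retval

		# run local firewall configuration, if present
		if [ -x /etc/sysconfig/firewall.local ]; then
			/etc/sysconfig/firewall.local reload
		fi
		;;
	restart)
		# run local firewall configuration, if present
		if [ -x /etc/sysconfig/firewall.local ]; then
			/etc/sysconfig/firewall.local stop
		fi
		# Quoted so a script path containing spaces still re-executes itself.
		"$0" start
		;;
	*)
		echo "Usage: $0 {start|reload|restart}"
		exit 1
		;;
esac

exit 0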