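#!/bin/sh
# Rebuild the IPFire POLICYFWD, POLICYOUT and POLICYIN chains from the
# firewall policy settings. Runs as root (it drives iptables); the caller
# that jumps into these chains is not visible in this file.
#
# readhash prints a settings file as shell assignments and eval executes
# whatever it prints. Every variable used below (POLICY*, FWPOLICY*, DROP*,
# BLUE_DEV, *_NETADDRESS, *_NETMASK) is expected to come from these three
# files, so unless readhash sanitises its output a settings file that is
# writable by anyone other than root is code execution as root here.
eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

# Start from empty chains; the sections below re-add the rules one by one.
# NOTE(review): this is not atomic -- the chains are empty while the script
# runs, and what an empty user chain means for traffic depends on the rule
# that follows the jump in the caller. An iptables-restore of the complete
# chain would close that window. Absolute path for consistency with the
# rest of the script; PATH is whatever the caller hands us.
/sbin/iptables -F POLICYFWD
/sbin/iptables -F POLICYOUT
/sbin/iptables -F POLICYIN

# Interface name of RED, taken from the file the RED scripts maintain
# (presumably only present while RED is up -- confirm against the RED
# up/down scripts). Reset first so a value inherited from the environment
# or from one of the eval'd settings files cannot stand in for it; an empty
# IFACE disables the BLUE-to-RED-only rule further down.
IFACE=
if [ -f /var/ipfire/red/iface ]; then
	IFACE=$(cat /var/ipfire/red/iface)
fi
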
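#FORWARDFW
# POLICY=MODE1 ends the forward chain in the configured deny (FWPOLICY is
# REJECT or DROP), logged at most 10/minute when DROPFORWARD=on. Any other
# POLICY is allow-all with two exceptions: hosts on BLUE may only forward
# towards RED, and ORANGE may not reach BLUE or GREEN.
#
# "=" rather than "==": this is a #!/bin/sh script, and a non-bash sh
# rejects "==" as an operator, which makes the test false and silently
# selects the allow-all branch below.
if [ "$POLICY" = "MODE1" ]; then
	if [ "$FWPOLICY" = "REJECT" ]; then
		if [ "$DROPFORWARD" = "on" ]; then
			/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
		fi
		/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
	fi
	if [ "$FWPOLICY" = "DROP" ]; then
		if [ "$DROPFORWARD" = "on" ]; then
			/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
		fi
		/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
	fi
	# NOTE(review): any other FWPOLICY value leaves the chain empty here;
	# whether that is fail-open depends on the caller.
else
	# BLUE may only forward towards RED. The guard tests BLUE_DEV, so the
	# rule uses it as well instead of a hard-coded "blue0".
	if [ -n "$BLUE_DEV" ] && [ -n "$IFACE" ]; then
		/sbin/iptables -A POLICYFWD -i "$BLUE_DEV" ! -o "$IFACE" -j DROP
	fi
	# Keep ORANGE (DMZ) out of BLUE and GREEN. These DROPs sit in front of
	# the catch-all ACCEPT, so a rule that fails to load -- e.g. an
	# unconfigured network turning "-s addr/mask" into "-s /" -- would fail
	# open. Only add a rule when both networks are configured, and if a rule
	# that should exist cannot be installed, skip the ACCEPT so the trailing
	# DROP applies (fail closed) rather than allowing everything through.
	isolated=1
	if [ -n "$ORANGE_NETADDRESS" ] && [ -n "$ORANGE_NETMASK" ]; then
		if [ -n "$BLUE_NETADDRESS" ] && [ -n "$BLUE_NETMASK" ]; then
			/sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS/$ORANGE_NETMASK" -d "$BLUE_NETADDRESS/$BLUE_NETMASK" -j DROP || isolated=0
		fi
		if [ -n "$GREEN_NETADDRESS" ] && [ -n "$GREEN_NETMASK" ]; then
			/sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS/$ORANGE_NETMASK" -d "$GREEN_NETADDRESS/$GREEN_NETMASK" -j DROP || isolated=0
		fi
	fi
	if [ "$isolated" -eq 1 ]; then
		/sbin/iptables -A POLICYFWD -j ACCEPT
	else
		printf '%s\n' "$0: could not install ORANGE isolation rules, leaving forwarding blocked" >&2
	fi
	/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
fi
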
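#OUTGOINGFW
# Same shape as the forward policy, for the POLICYOUT chain, driven by
# POLICY1 / FWPOLICY1 / DROPOUTGOING: POLICY1=MODE1 ends the chain in the
# configured deny (REJECT or DROP, logged at most 10/minute when
# DROPOUTGOING=on); any other POLICY1 is allow-all. "=" instead of "==" so
# the tests also work when /bin/sh is not bash (a non-bash sh fails the
# "==" test and would silently take the allow-all branch).
if [ "$POLICY1" = "MODE1" ]; then
	if [ "$FWPOLICY1" = "REJECT" ]; then
		if [ "$DROPOUTGOING" = "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
		fi
		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
	fi
	if [ "$FWPOLICY1" = "DROP" ]; then
		if [ "$DROPOUTGOING" = "on" ]; then
			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
		fi
		/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
	fi
	# NOTE(review): any other FWPOLICY1 value leaves the chain empty here.
else
	# Allow-all; the trailing DROP is never reached and only serves as a
	# marker for the "DROP_OUTPUT" comment.
	/sbin/iptables -A POLICYOUT -j ACCEPT
	/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
fi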
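#INPUT
# POLICYIN has no MODE switch: FWPOLICY2 is applied unconditionally. REJECT
# or DROP ends the chain in that verdict, logged at most 10/minute when
# DROPINPUT=on. "=" instead of "==" so the tests also work when /bin/sh is
# not bash.
# NOTE(review): any other FWPOLICY2 value leaves the chain empty; whether
# that is fail-open depends on the caller's rule after the jump.
if [ "$FWPOLICY2" = "REJECT" ]; then
	if [ "$DROPINPUT" = "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
fi
if [ "$FWPOLICY2" = "DROP" ]; then
	if [ "$DROPINPUT" = "on" ]; then
		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
	fi
	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
fi
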
# Always reports success: a failed iptables call above is not reflected in
# the exit status, so the caller cannot tell whether the policy was installed.
exit 0