fi
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
- /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ #/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
+ #/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
}
/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
- # Forward Firewall
- /sbin/iptables -N FORWARDFW
- /sbin/iptables -A FORWARD -j FORWARDFW
-
# Input Firewall
/sbin/iptables -N INPUTFW
/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
-
- # If a host on orange tries to initiate a connection to IPFire's red IP and
- # the connection gets DNATed back through a port forward to a server on orange
- # we end up with orange -> orange traffic passing through IPFire
- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
+
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
-
- # DMZ pinhole chain.
- # ORANGE to talk to GREEN / BLUE.
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
- fi
-
+
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/etc/sysconfig/firewall.local start
fi
- # last rule in input and forward chain is for logging.
-
- if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
- fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- #if [ "$DROPFORWARD" == "on" ]; then
- # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
- #fi
- #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
-
#POLICY CHAIN
/sbin/iptables -N POLICYIN
/sbin/iptables -A INPUT -j POLICYIN
/sbin/iptables -A OUTPUT -j POLICYOUT
/usr/sbin/firewall-policy
-
;;
startovpn)
# run openvpn
/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
fi
/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
;;
stopovpn)
# stop openvpn
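Review bot: Commenting out the two REDNAT rules (the `-m mark --mark 50 ... -j RETURN` and `-o $IFACE -j MASQUERADE` lines in iptables_red) leaves nothing visible in this diff that re-adds source NAT for traffic leaving the RED interface, so unless another part of the patch moves masquerading into /usr/sbin/firewall-policy or elsewhere, internal hosts will leave RED with private source addresses; the enclosing if block of that hunk starts outside the diff. The same applies to the removed DROP_INPUT logging and `/sbin/iptables -A INPUT -j DROP` rules: the context further down still shows the FORWARD logging and `-j DROP -m comment --comment "DROP_FORWARD"`, but no INPUT equivalent is visible, so after POLICYIN the INPUT chain now falls through to its built-in policy and default deny for INPUT depends on that policy being DROP. If both sets of rules were deliberately relocated, replace the dead commented-out lines with a one-line pointer such as `# masquerading and INPUT default deny now handled by /usr/sbin/firewall-policy` (adjust to wherever they actually went) so the next reader does not re-enable them; if they were not relocated, the deletions should be reverted. Also note that moving FORWARDFW to after WIRELESSFORWARD and before PORTFWACCESS, while dropping the ORANGE-only `-i $ORANGE_DEV ... -j FORWARDFW` pinhole, means FORWARDFW is now consulted for every interface and ahead of port forwards, which changes rule precedence and deserves a comment at the new `-A FORWARD -j FORWARDFW` line.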