/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
-
- # If a host on orange tries to initiate a connection to IPFire's red IP and
- # the connection gets DNATed back through a port forward to a server on orange
- # we end up with orange -> orange traffic passing through IPFire
- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
+
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
-
- # DMZ pinhole chain.
- # ORANGE to talk to GREEN / BLUE.
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
- fi
-
+
# Custom prerouting chains (for transparent proxy and port forwarding)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
/sbin/iptables -t nat -N NAT_DESTINATION
/sbin/iptables -t nat -N NAT_SOURCE
/sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
- /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
+ /sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE
# upnp chain for our upnp daemon
/etc/sysconfig/firewall.local start
fi
- # last rule in input and forward chain is for logging.
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT_a"
if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT_b"
fi
-
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
#POLICY CHAIN
/sbin/iptables -N POLICYIN
/sbin/iptables -A INPUT -j POLICYIN
/sbin/iptables -A OUTPUT -j POLICYOUT
/usr/sbin/firewall-policy
-
;;
startovpn)
# run openvpn
/etc/sysconfig/firewall.local stop
fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
fi
/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
;;
stopovpn)
# stop openvpn
projects / people / teissler / ipfire-2.x.git / blobdiff