#!/bin/sh
+. /etc/sysconfig/rc
+. ${rc_functions}
+
eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
# Block OpenVPN transfer networks
iptables -N OVPNBLOCK
- for i in INPUT FORWARD; do
- iptables -A ${i} -j OVPNBLOCK
- done
+ iptables -A INPUT -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -o tun+ -j OVPNBLOCK
# OpenVPN transfer network translation
iptables -t nat -N OVPNNAT
iptables -N IPTVFORWARD
iptables -A FORWARD -j IPTVFORWARD
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
iptables -N LOOPBACK
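Review bot: Scoping OVPNBLOCK to `-i tun+`/`-o tun+` (L13–L15) means a packet that arrives on any other interface never traverses the chain, so if the rules that `openvpnctrl --firewall-rules` (L141) presumably installs there are meant to reject transfer-network addresses showing up on non-tunnel interfaces, that anti-spoofing coverage is lost — the old unconditional hook at L10–L12 did catch them. The chain contents are not visible here, so if the block is purely about traffic inside tunnels this is fine, but the comment at L8 should say so, e.g. `# Block traffic between OpenVPN transfer networks (only tun+ traffic is inspected here)`. Separately, ICMPINPUT (L25–L27) accepts echo-request from every interface, RED included, with no rate limit; it carries over the old GUIINPUT rule unchanged, but renaming it is a cheap moment to add one: `iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/second --limit-burst 20 -j ACCEPT`.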
iptables -A ${i} -j CONNTRACK
done
+ # Allow DHCP
+ iptables -N DHCPINPUT
+ iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+ iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+ iptables -N DHCPOUTPUT
+ iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+ iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+ # Allow DHCP on GREEN
+ iptables -N DHCPGREENINPUT
+ iptables -N DHCPGREENOUTPUT
+ if [ -n "${GREEN_DEV}" ]; then
+ iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
+ iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+ fi
+
+ # allow DHCP on BLUE to be turned on/off
+ iptables -N DHCPBLUEINPUT
+ iptables -N DHCPBLUEOUTPUT
+ if [ -n "${BLUE_DEV}" ]; then
+ iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+ iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+ fi
+
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
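Review bot: The TCP DHCP rules at L35 and L39 (`-p tcp --sport 68 --dport 67` and its mirror) never match real DHCP, which is UDP-only, so they only widen what DHCPINPUT/DHCPOUTPUT accept; drop both lines and keep the UDP pair. DHCPINPUT and DHCPOUTPUT are created but nothing in this diff hooks them into INPUT/OUTPUT, while DHCPGREEN*/DHCPBLUE* are hooked per interface (L45–L46, L53–L54) but left empty — presumably a DHCP control script fills them, which the comment at L32 should state as an assumption to confirm: `# NOTE: the generic DHCP chains are not hooked here; the per-zone chains below are hooked but expected to be populated elsewhere — confirm`. The context comment at L57 still refers to the "-i GREEN_DEV accept everything" rule that this commit removes at L62, so it should be reworded to match the new GUIINPUT-only behaviour.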
iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-
- # allow DHCP on BLUE to be turned on/off
- iptables -N DHCPBLUEINPUT
- iptables -A INPUT -j DHCPBLUEINPUT
-
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
+
# WIRELESS chains
iptables -N WIRELESSINPUT
iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
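Review bot: The GUIINPUT rule at L71 uses `-i "${GREEN_DEV}"` without the `-n "${GREEN_DEV}"` guard that L44 and L52 apply; with an empty value iptables rejects the rule and, since no `set -e` is visible, start-up continues with no GUI allow rule at all. Wrap it the same way: `if [ -n "${GREEN_DEV}" ]; then` / `iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT` / `fi`. Replacing the removed blanket `--ctstate NEW -j ACCEPT` from GREEN (L62) with only tcp/444 is a real tightening, so the comment at L68 should say where the rest of GREEN access is now expected to come from — firewall-policy (L145) is the likely place but its contents are not visible here, so mark it as something to confirm.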
iptables -t nat -N NAT_SOURCE
iptables -t nat -A POSTROUTING -j NAT_SOURCE
- # RED chain, used for the red interface
- iptables -N REDINPUT
- iptables -A INPUT -j REDINPUT
- iptables -N REDFORWARD
- iptables -A FORWARD -j REDFORWARD
- iptables -t nat -N REDNAT
- iptables -t nat -A POSTROUTING -j REDNAT
-
- iptables_red
-
# Custom prerouting chains (for transparent proxy)
iptables -t nat -N SQUID
iptables -t nat -A PREROUTING -j SQUID
# DNAT rules
iptables -t nat -N NAT_DESTINATION
iptables -t nat -A PREROUTING -j NAT_DESTINATION
+ iptables -t nat -A OUTPUT -j NAT_DESTINATION
+
+ iptables -t mangle -N NAT_DESTINATION
+ iptables -t mangle -A PREROUTING -j NAT_DESTINATION
+
+ iptables -t nat -N NAT_DESTINATION_FIX
+ iptables -t nat -A POSTROUTING -j NAT_DESTINATION_FIX
+
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+
+ if [ -n "${BLUE_ADDRESS}" ]; then
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ fi
+
+ if [ -n "${ORANGE_ADDRESS}" ]; then
+ iptables -t nat -A NAT_DESTINATION_FIX \
+ -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ fi
# upnp chain for our upnp daemon
iptables -t nat -N UPNPFW
iptables -N UPNPFW
iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
+ # RED chain, used for the red interface
+ iptables -N REDINPUT
+ iptables -A INPUT -j REDINPUT
+ iptables -N REDFORWARD
+ iptables -A FORWARD -j REDFORWARD
+ iptables -t nat -N REDNAT
+ iptables -t nat -A POSTROUTING -j REDNAT
+
+ # Filter logging of incoming broadcasts.
+ iptables -N BROADCAST_FILTER
+ iptables -A INPUT -j BROADCAST_FILTER
+
+ iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
+
+ if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
+ iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
+ fi
+
+ if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
+ iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
+ fi
+
# Apply OpenVPN firewall rules
/usr/local/bin/openvpnctrl --firewall-rules
iptables -N POLICYOUT
iptables -A OUTPUT -j POLICYOUT
+ # Initialize firewall policies.
/usr/sbin/firewall-policy
- # read new firewall
- /usr/local/bin/firewallctrl
-
- if [ "$DROPINPUT" == "on" ]; then
- iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
- fi
- iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPFORWARD" == "on" ]; then
- iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
- fi
- iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+ # Install firewall rules for the red interface.
+ iptables_red
}
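Review bot: L130 applies `-i "${GREEN_DEV}" -d "${GREEN_BROADCAST}"` and L103 `--to-source "${GREEN_ADDRESS}"` unconditionally, while the BLUE and ORANGE equivalents (L105, L110, L132, L136) are guarded with `-n` checks; an empty GREEN value makes iptables reject that one rule and the script carries on, so either guard them the same way or state at L130 that GREEN is mandatory (`# GREEN is always configured, so no -n guard is needed here`). The larger security change is that the rate-limited LOG plus terminal `-j DROP` that closed INPUT and FORWARD (removed L149–L156) is gone from this script; unless /usr/sbin/firewall-policy (L145) appends an equivalent or the chain policies are set to DROP elsewhere — neither is visible here — both chains now end in whatever the built-in policy happens to be, so the comment at L144 should make that dependency explicit: `# NOTE: the terminal LOG/DROP for INPUT and FORWARD is expected from firewall-policy — confirm`. Also, iptables_red now runs at the end of iptables_init (L158) and itself calls firewallctrl (L171), so on start the full rule set is loaded once after every chain exists; that ordering is worth recording in the comment at L157.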
iptables_red() {
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ if [ "$IFACE" != "$GREEN_DEV" ]; then
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ fi
fi
+
+ # Reload all rules.
+ /usr/local/bin/firewallctrl
}
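Review bot: `$IFACE` is still unquoted in the new MASQUERADE rule at L166 (and in the context line L162); if it is empty, `-o` swallows `-j` and iptables rejects the rule, and the test at L165 also compares equal when both IFACE and GREEN_DEV are empty, which skips masquerading by accident rather than by design. Make the intent explicit: `if [ -n "${IFACE}" ] && [ "${IFACE}" != "${GREEN_DEV}" ]; then` / `iptables -t nat -A REDNAT -o "${IFACE}" -j MASQUERADE` / `fi`, and add a comment at L165 saying why GREEN_DEV is excluded, since the rationale is not visible in the diff. The `fi` at L168 closes an `if` opened outside the hunk, and moving firewallctrl into iptables_red (L171) means every `reload` now reruns it, which the comment at L170 should state.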
# See how we were called.
case "$1" in
start)
+ boot_mesg "Loading firewall modules into the kernel"
+ modprobe iptable_nat || failed=1
+ for i in $(find /lib/modules/$(uname -r) -name nf_conntrack*); do
+ modprobe $(basename $i | cut -d. -f1) || failed=1
+ done
+ for i in $(find /lib/modules/$(uname -r) -name nf_nat*); do
+ modprobe $(basename $i | cut -d. -f1) || failed=1
+ done
+ (exit ${failed})
+ evaluate_retval
+
+ if [ -e /var/ipfire/main/disable_nf_sip ]; then
+ rmmod nf_nat_sip
+ rmmod nf_conntrack_sip
+ rmmod nf_nat_h323
+ rmmod nf_conntrack_h323
+ fi
+
+ boot_mesg "Setting up firewall"
iptables_init
+ evaluate_retval
+
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
;;
reload)
+ boot_mesg "Reloading firewall"
iptables_red
+ evaluate_retval
+
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local reload