/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD
/sbin/iptables -N IPSECOUTPUT
- /sbin/iptables -N OPENSSLVIRTUAL
/sbin/iptables -A INPUT -j IPSECINPUT
- /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
/sbin/iptables -A FORWARD -j IPSECFORWARD
- /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
/sbin/iptables -A OUTPUT -j IPSECOUTPUT
/sbin/iptables -t nat -N IPSECNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
/sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+
+ # OpenVPN
+ /sbin/iptables -N OVPNINPUT
+ /sbin/iptables -A INPUT -j OVPNINPUT
+
+ # TOR
+ /sbin/iptables -N TOR_INPUT
+ /sbin/iptables -A INPUT -j TOR_INPUT
# Jump into the actual firewall ruleset.
/sbin/iptables -N INPUTFW
/sbin/iptables -N FORWARDFW
/sbin/iptables -A FORWARD -j FORWARDFW
- # OPenSSL
- /sbin/iptables -N OPENSSLPHYSICAL
- /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
+ # SNAT rules
+ /sbin/iptables -t nat -N NAT_SOURCE
+ /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
-
- # Custom prerouting chains (for transparent proxy and port forwarding)
+
+ # Custom prerouting chains (for transparent proxy)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
+
+ # DNAT rules
/sbin/iptables -t nat -N NAT_DESTINATION
- /sbin/iptables -t nat -N NAT_SOURCE
/sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
- /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE
-
-
-
+
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
- # Postrouting rules (for port forwarding)
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
- if [ "$BLUE_DEV" != "" ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
- fi
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS
- fi
-
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
- # run openvpn
- /usr/local/bin/openvpnctrl --create-chains-and-rules
+ # Apply OpenVPN firewall rules
+ /usr/local/bin/openvpnctrl --firewall-rules
# run wirelessctrl
/usr/local/bin/wirelessctrl
/usr/sbin/firewall-policy
# read new firewall
- /usr/local/bin/forwardfwctrl
+ /usr/local/bin/firewallctrl
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
projects / people / teissler / ipfire-2.x.git / blobdiff