# NEW TCP without SYN
/sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
+ /sbin/iptables -A INPUT -p tcp -j BADTCP
+ /sbin/iptables -A FORWARD -p tcp -j BADTCP
+
# Connection tracking chain
/sbin/iptables -N CONNTRACK
/sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A INPUT -j BADTCP
- /sbin/iptables -A FORWARD -j BADTCP
-
# Fix for braindead ISP's
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# CUSTOM chains, can be used by the users themselves
/sbin/iptables -N CUSTOMINPUT
/sbin/iptables -A INPUT -j CUSTOMINPUT
- /sbin/iptables -N GUARDIAN
- /sbin/iptables -A INPUT -j GUARDIAN
- /sbin/iptables -N OVPNBLOCK
- /sbin/iptables -A FORWARD -j OVPNBLOCK
- /sbin/iptables -A FORWARD -j GUARDIAN
/sbin/iptables -N CUSTOMFORWARD
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
- /sbin/iptables -A OUTPUT -j OVPNBLOCK
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
- /sbin/iptables -N OUTGOINGFW
- /sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -t nat -N CUSTOMPREROUTING
- /sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+
+ # Guardian (IPS) chains
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -A FORWARD -j GUARDIAN
+
+ # Block OpenVPN transfer networks
+ /sbin/iptables -N OVPNBLOCK
+ for i in INPUT FORWARD OUTPUT; do
+ /sbin/iptables -A ${i} -j OVPNBLOCK
+ done
+
+ # OpenVPN transfer network translation
+ /sbin/iptables -t nat -N OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
# IPTV chains for IGMPPROXY
/sbin/iptables -N IPTVFORWARD
/sbin/iptables -A FORWARD -j IPTVFORWARD
- # Filtering ovpn networks INPUT
- /sbin/iptables -A INPUT -j OVPNBLOCK
-
# filtering from GUI
/sbin/iptables -N GUIINPUT
/sbin/iptables -A INPUT -j GUIINPUT
/sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Accept everything on loopback
+ /sbin/iptables -N LOOPBACK
+ /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
+ /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+
+ # Filter all packets with loopback addresses on non-loopback interfaces.
+ /sbin/iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
+ /sbin/iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
+
+ for i in INPUT FORWARD OUTPUT; do
+ /sbin/iptables -A ${i} -j LOOPBACK
+ done
+
# Accept everything connected
for i in INPUT FORWARD OUTPUT; do
/sbin/iptables -A ${i} -j CONNTRACK
done
- # Accept everything on lo
- iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
- iptables -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
-
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
/sbin/iptables -N IPSECINPUT
/sbin/iptables -N IPSECFORWARD
/sbin/iptables -N IPSECOUTPUT
- /sbin/iptables -N OPENSSLVIRTUAL
/sbin/iptables -A INPUT -j IPSECINPUT
- /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
/sbin/iptables -A FORWARD -j IPSECFORWARD
- /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
/sbin/iptables -A OUTPUT -j IPSECOUTPUT
/sbin/iptables -t nat -N IPSECNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
- # Input Firewall
- /sbin/iptables -N INPUTFW
- /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j INPUTFW
-
# localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
- /sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
- /sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
- /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
- /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
/sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
# allow DHCP on BLUE to be turned on/off
/sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
+
+ # OpenVPN
+ /sbin/iptables -N OVPNINPUT
+ /sbin/iptables -A INPUT -j OVPNINPUT
+
+ # TOR
+ /sbin/iptables -N TOR_INPUT
+ /sbin/iptables -A INPUT -j TOR_INPUT
- # Forward Firewall
+ # Jump into the actual firewall ruleset.
+ /sbin/iptables -N INPUTFW
+ /sbin/iptables -A INPUT -j INPUTFW
+
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
+
/sbin/iptables -N FORWARDFW
/sbin/iptables -A FORWARD -j FORWARDFW
-
- # OPenSSL
- /sbin/iptables -N OPENSSLPHYSICAL
- /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
+
+ # SNAT rules
+ /sbin/iptables -t nat -N NAT_SOURCE
+ /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
# RED chain, used for the red interface
/sbin/iptables -N REDINPUT
/sbin/iptables -t nat -A POSTROUTING -j REDNAT
iptables_red
-
- # Custom prerouting chains (for transparent proxy and port forwarding)
+
+ # Custom prerouting chains (for transparent proxy)
/sbin/iptables -t nat -N SQUID
/sbin/iptables -t nat -A PREROUTING -j SQUID
+
+ # DNAT rules
/sbin/iptables -t nat -N NAT_DESTINATION
- /sbin/iptables -t nat -N NAT_SOURCE
/sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
- /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE
-
-
-
+
# upnp chain for our upnp daemon
/sbin/iptables -t nat -N UPNPFW
/sbin/iptables -t nat -A PREROUTING -j UPNPFW
/sbin/iptables -N UPNPFW
/sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
- # Postrouting rules (for port forwarding)
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
- if [ "$BLUE_DEV" != "" ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
- fi
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS
- fi
-
# run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then
/etc/sysconfig/firewall.local start
fi
- # run openvpn
- /usr/local/bin/openvpnctrl --create-chains-and-rules
+ # Apply OpenVPN firewall rules
+ /usr/local/bin/openvpnctrl --firewall-rules
# run wirelessctrl
/usr/local/bin/wirelessctrl
/usr/sbin/firewall-policy
# read new firewall
- /usr/local/bin/forwardfwctrl
+ /usr/local/bin/firewallctrl
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
projects / people / teissler / ipfire-2.x.git / blobdiff