X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Ffirewall%2Ffirewall-policy;h=96b9b2fe5aba650033a67c67c1b035599d3dd0e5;hp=6d26d5b2cf156d0e43f2251ba124a1e31b599e22;hb=b8ec7b86ac29707a024c93958137e04c2f870e9a;hpb=5d4d41b18c80f236b4dc796e1394ef0035cb034d
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 6d26d5b2c..96b9b2fe5 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -23,6 +23,10 @@ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+function iptables() {
+ /sbin/iptables --wait "$@"
+}
+
 iptables -F POLICYFWD
 iptables -F POLICYOUT
 iptables -F POLICYIN
@@ -37,10 +41,10 @@ HAVE_ORANGE="false"
 case "${CONFIG_TYPE}" in
 2)
- HAVE_BLUE="true"
+ HAVE_ORANGE="true"
 ;;
 3)
- HAVE_ORANGE="true"
+ HAVE_BLUE="true"
 ;;
 4)
 HAVE_BLUE="true"
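Review bot: The new wrapper runs `/sbin/iptables --wait "$@"` with no bound on the wait, so a stuck or long-running holder of the xtables lock makes every rule in this script block indefinitely instead of failing. If the installed iptables accepts a duration after `--wait`, bounding it (for example `/sbin/iptables --wait 10 "$@"`) keeps the policy script from hanging; if not, a comment such as `# --wait blocks until the xtables lock is free` would make the behaviour explicit. A style point: `function iptables() {` mixes the two function syntaxes; `iptables() {` is the portable form. The wrapper shadows the command name for the rest of the file, which appears to be the intent given the later hunks.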
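Review bot: The `case "${CONFIG_TYPE}"` arms use bare numerals with no comment saying which zones each value enables, and this hunk swaps two of them, which shows how easily the mapping is mistaken. A one-line comment above the case, derived from the arms themselves, would prevent a repeat: `# CONFIG_TYPE: 2 = ORANGE, 3 = BLUE, 4 = BLUE and ORANGE`. The `4)` arm continues outside this hunk, so confirm its second assignment before stating it in the comment.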
@@ -48,19 +52,41 @@ case "${CONFIG_TYPE}" in
 ;;
 esac
+HAVE_IPSEC="true"
+HAVE_OPENVPN="true"
+
 # INPUT
+
+# IPsec INPUT
+case "${HAVE_IPSEC},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
+ ;;
+esac
+
+# OpenVPN INPUT
+# Allow direct access to the internal IP addresses of the firewall
+# from remote subnets if forward policy is allowed.
+case "${HAVE_OPENVPN},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -i tun+ -j ACCEPT
+ ;;
+esac
+
 case "${FWPOLICY2}" in
 REJECT)
 if [ "${DROPINPUT}" = "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
+ iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
 fi
- /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+ iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 ;;
 *) # DROP
 if [ "${DROPINPUT}" = "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 fi
- /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+ iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
 ;;
 esac
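Review bot: `HAVE_IPSEC="true"` and `HAVE_OPENVPN="true"` are literal assignments rather than values read from the settings files loaded by readhash at the top of the script, so the two new case statements always install the VPN ACCEPT rules in POLICYIN whenever POLICY is not MODE1, even on a system with neither VPN configured. If this is a placeholder until the flags are wired to the real configuration, a `# TODO: derive from the ipsec/openvpn settings` comment beside the assignments would say so; otherwise the case statements reduce to a plain test on POLICY. Note also that `-i tun+` matches every interface whose name begins with tun, not only the one OpenVPN creates, so any other tunnel device gets the same unrestricted access to the firewall itself.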
@@ -70,30 +96,49 @@ case "${POLICY}" in
 case "${FWPOLICY}" in
 REJECT)
 if [ "${DROPFORWARD}" = "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
 fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
 ;;
 *) # DROP
 if [ "${DROPFORWARD}" = "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
 fi
- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 ;;
 esac
 ;;
 *)
+ # Access from GREEN is granted to everywhere
+ if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+ # internet via green
+ # don't check source IP/NET if IFACE is GREEN
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+ else
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ fi
+
+ # Grant access for IPsec VPN connections
+ iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
+
+ # Grant access for OpenVPN connections
+ iptables -A POLICYFWD -i tun+ -j ACCEPT
+
 if [ -n "${IFACE}" ]; then
 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
- /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+ iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
 fi
+
 if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
- /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+ iptables -A POLICYFWD -i "${ORANGE_DEV}" -s "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" -o "${IFACE}" -j ACCEPT
 fi
 fi
- /sbin/iptables -A POLICYFWD -j ACCEPT
- /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+
+ if [ "${DROPFORWARD}" = "on" ]; then
+ iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ fi
+ iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 ;;
 esac
@@ -103,21 +148,21 @@ case "${POLICY1}" in
 case "${FWPOLICY1}" in
 REJECT)
 if [ "${DROPOUTGOING}" = "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
 fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
 ;;
 *) # DROP
 if [ "${DROPOUTGOING}" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
 fi
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 ;;
 esac
 ;;
 *)
- /sbin/iptables -A POLICYOUT -j ACCEPT
- /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+ iptables -A POLICYOUT -j ACCEPT
+ iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
 ;;
 esac
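Review bot: In the `*)` branch the two VPN rules `iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT` and `iptables -A POLICYFWD -i tun+ -j ACCEPT` are appended unconditionally and without an `-o` restriction, so once the forward policy is not MODE1 any VPN peer may be forwarded into every zone including BLUE and ORANGE, whereas the INPUT hunk gates the equivalent rules on HAVE_IPSEC and HAVE_OPENVPN. Wrapping each in the same guard (`if [ "${HAVE_IPSEC}" = "true" ]; then … fi`, likewise for OpenVPN) keeps the two sections consistent so that disabling a VPN in one place disables it in both chains. When IFACE is empty the `-n "${IFACE}"` block is skipped, so BLUE and ORANGE receive no ACCEPT and fall through to the final DROP while the first rule still lets GREEN forward anywhere; if that asymmetry is intended a comment at the `if [ -n "${IFACE}" ]` line should say why. None of the iptables return codes are checked, so a malformed address such as an unset netmask silently skips that zone's ACCEPT and the zone fails closed to the DROP, which is acceptable but worth a comment. The enclosing `case "${POLICY}"` starts before this hunk.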
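Review bot: The `*) # DROP` arm of `case "${FWPOLICY1}"` tests `[ "${DROPOUTGOING}" == "on" ]` while every other arm in the file uses a single `=`; `==` inside `[ ]` is a bash extension, so while this block is being touched it should read `if [ "${DROPOUTGOING}" = "on" ]; then`. That line is unchanged context in this commit. The enclosing `case "${POLICY1}"` starts before this hunk.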