X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=200c1550e77f11afe60de6b988065d8044235e00;hp=0888145e28a752769c952a2cbfbdc38d38a9011b;hb=e1eef9d53e80503c97f86587d1f8e0fb99195a96;hpb=aff15defbc1ade178a1fbbf1fa1b592033d4fb77 diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 0888145e2..200c1550e 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -120,8 +120,8 @@ iptables_red() { fi # Outgoing masquerading (don't masqerade IPSEC (mark 50)) - #/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - #/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE fi } @@ -243,7 +243,7 @@ case "$1" in /sbin/iptables -t nat -N NAT_DESTINATION /sbin/iptables -t nat -N NAT_SOURCE /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION - /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + /sbin/iptables -t nat -I POSTROUTING 2 -j NAT_SOURCE # upnp chain for our upnp daemon @@ -267,6 +267,16 @@ case "$1" in /etc/sysconfig/firewall.local start fi + /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT_a" + + if [ "$DROPINPUT" == "on" ]; then + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT_b" + fi + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + #POLICY CHAIN /sbin/iptables -N POLICYIN /sbin/iptables -A INPUT -j POLICYIN 
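Review bot: `$IFACE` is left unquoted in both re-enabled REDNAT rules; if it is ever empty or contains whitespace, the iptables argument list is reshaped instead of failing on a clear interface error. Quoting it as `-o "$IFACE"` in both lines keeps the rule shape fixed and lets iptables report the bad name itself. The body of `iptables_red` begins before this hunk.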
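Review bot: `-I POSTROUTING 2 -j NAT_SOURCE` hard-codes a rule position without saying which rule must stay ahead of NAT_SOURCE; iptables rejects an insert at position 2 with "Index of insertion too big" when POSTROUTING is still empty at that point, so the line depends on an earlier rule that is not visible in this hunk. A comment naming that dependency would make the ordering auditable, e.g. `# position 2: keep <rule at position 1 - name it> ahead of NAT_SOURCE`, or the two calls could be ordered and appended with -A instead. The enclosing `case "$1" in` block begins before this hunk.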
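Review bot: The unconditional `-A INPUT -j DROP` is appended before the DROPINPUT LOG rule and before the `-A INPUT -j POLICYIN` jump visible in the following context lines, so with -A those later rules can never match: the INPUT logging is dead and the POLICYIN chain is bypassed on the INPUT path, and the FORWARD DROP presumably has the same effect on any FORWARD rules appended after it. Move the DROP rules to the end of the start branch, after the policy-chain jumps, and put each optional LOG rule before its DROP as the FORWARD block already does. The `--comment` labels `DROP_INPUT_a` and `DROP_INPUT_b` also differ from the `DROP_INPUT` label used in the stop branch and look like leftover debugging names; `DROP_INPUT` on both would keep rule listings consistent. The stop branch hunk at @@ -304 has the same DROP-before-LOG inversion for INPUT. The enclosing `case "$1" in` block begins before this hunk.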
@@ -304,12 +314,13 @@ case "$1" in
 		/etc/sysconfig/firewall.local stop
 	fi
 
+	/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
 	if [ "$DROPINPUT" == "on" ]; then
-		/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+		/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 	fi
-	/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
 	if [ "$DROPFORWARD" == "on" ]; then
-		/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+		/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
 	fi
 	/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
 
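Review bot: Dropping the trailing space from both `--log-prefix` values changes the kernel log line format, because the LOG target prints the prefix immediately followed by `IN=`; entries become `DROP_INPUTIN=...` instead of `DROP_INPUT IN=...`, which breaks any log parser that matches the prefix as a separate word. Keep the separator, `--log-prefix "DROP_INPUT "` and `--log-prefix "DROP_FORWARD "`, and use the space-free label only in the `-m comment` rules where it is a rule tag rather than log output. The enclosing `case "$1" in` block begins before this hunk.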