X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=39e1dfd7b1fd981eb34658b91251495e3ad4cecf;hp=f4d5611d3694efdbbe059ff91b4dac6b977c8c84;hb=9efd8d1c7eb134c71465396a1bdcc5ae52497d80;hpb=dc1c56ca781324b2ef9fe895e388075df74a018a diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index f4d5611d3..39e1dfd7b 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -53,6 +53,9 @@ iptables_init() { # Chain to contain all the rules relating to bad TCP flags /sbin/iptables -N BADTCP + #Don't check loopback + /sbin/iptables -A BADTCP -i lo -j RETURN + # Disallow packets frequently used by port-scanners # nmap xmas /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN @@ -146,9 +149,9 @@ case "$1" in /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT + /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW - /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING @@ -170,6 +173,10 @@ case "$1" in /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + # Accept everything on lo + iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything /sbin/iptables -N IPSECINPUT /sbin/iptables -N IPSECFORWARD @@ -180,22 +187,28 @@ case "$1" in /sbin/iptables -A FORWARD -j IPSECFORWARD /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD" /sbin/iptables -A OUTPUT -j IPSECOUTPUT + /sbin/iptables -t nat -N OVPNNAT /sbin/iptables -t nat -N IPSECNAT + /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT - # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - /sbin/iptables -A FORWARD -j OUTGOINGFW + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # Input Firewall + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT + /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT + #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT # If a host on orange tries to initiate a connection to IPFire's red IP and # the connection gets DNATed back through a port forward to a server on orange @@ -205,16 +218,20 @@ case "$1" in # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT - - # OPenSSL - /sbin/iptables -N OPENSSLPHYSICAL - /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - + # WIRELESS chains /sbin/iptables -N WIRELESSINPUT /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD + + # PORTFWACCESS chain, used for portforwarding + /sbin/iptables -N PORTFWACCESS + /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS + + # OPenSSL + /sbin/iptables -N OPENSSLPHYSICAL + /sbin/iptables -A INPUT -j OPENSSLPHYSICAL # RED chain, used for the red interface /sbin/iptables -N REDINPUT @@ -225,36 +242,27 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j REDNAT iptables_red - - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow + + # DMZ pinhole chain. # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES + /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW fi - - # XTACCESS chain, used for external access - /sbin/iptables -N XTACCESS - /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS - - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - + # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW - + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + + # upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW - - - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE + /sbin/iptables -N UPNPFW + /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW # Postrouting rules (for port forwarding) /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ @@ -277,11 +285,22 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " - fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; + #if [ "$DROPFORWARD" == "on" ]; then + # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + #fi + #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + + #POLICY CHAIN + /sbin/iptables -N POLICYIN + /sbin/iptables -A INPUT -j POLICYIN + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT + + /usr/sbin/firewall-policy + + ;; startovpn) # run openvpn /usr/local/bin/openvpnctrl --create-chains-and-rules @@ -313,11 +332,11 @@ case "$1" in /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" + ;; stopovpn) # stop openvpn /usr/local/bin/openvpnctrl --delete-chains-and-rules @@ -333,6 +352,9 @@ case "$1" in restart) $0 stop $0 start + /usr/local/bin/forwardfwctrl + /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 + /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;; *) echo "Usage: $0 {start|stop|reload|restart}"