X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=5d66c60b40b19e973fbc5040e3799d981b6868d0;hp=2f7577f5107a17cbcdb11908a119c9309c8513b4;hb=afc611d448aee8eaaefa018dfb6acd4c6d6227a1;hpb=c12392c0ef3aa71cda43fe38cfd22e4afab5cc5e
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 2f7577f51..5d66c60b4 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -68,10 +68,14 @@ iptables_init() {
  # SYN/FIN (QueSO or nmap OS probe)
  /sbin/iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
  # NEW TCP without SYN
- /sbin/iptables -A BADTCP -p tcp ! --syn -m state --state NEW -j NEWNOTSYN
+ /sbin/iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
 
- /sbin/iptables -A INPUT -j BADTCP
- /sbin/iptables -A FORWARD -j BADTCP
+ /sbin/iptables -A INPUT -p tcp -j BADTCP
+ /sbin/iptables -A FORWARD -p tcp -j BADTCP
+
+ # Connection tracking chain
+ /sbin/iptables -N CONNTRACK
+ /sbin/iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
  # Fix for braindead ISP's
  /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -88,7 +92,6 @@ iptables_init() {
  /sbin/iptables -A FORWARD -j CUSTOMFORWARD
  /sbin/iptables -N CUSTOMOUTPUT
  /sbin/iptables -A OUTPUT -j OVPNBLOCK
- /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
  /sbin/iptables -N OUTGOINGFW
  /sbin/iptables -A OUTPUT -j OUTGOINGFW
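Review bot: Dropping the OUTPUT `ESTABLISHED,RELATED` accept in the second hunk (-88) without a replacement at the same position changes what CUSTOMOUTPUT and OUTGOINGFW see: the new jump to CONNTRACK is appended later in the script (the +116 hunk), so reply packets that the removed rule used to accept before those chains now traverse them. Any rule in CUSTOMOUTPUT or OUTGOINGFW that drops or rejects without a ctstate match would now also hit return traffic of established connections; if that is not intended, add `/sbin/iptables -A OUTPUT -j CONNTRACK` directly after the OVPNBLOCK jump, or move the CONNTRACK jumps up to this point. In the first hunk the CONNTRACK chain handles only ESTABLISHED,RELATED, so packets conntrack classifies as INVALID match neither it nor the `--ctstate NEW` rules below and end up at whatever the chain policy is; consider `/sbin/iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP` ahead of the ACCEPT so they are discarded explicitly and visibly. iptables_init starts and ends outside both hunks.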
@@ -113,14 +116,19 @@ iptables_init() {
  /sbin/iptables -A INPUT -j GUIINPUT
  /sbin/iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
 
+ # Accept everything on loopback
+ /sbin/iptables -N LOOPBACK
+ /sbin/iptables -A LOOPBACK -i lo -j ACCEPT
+ /sbin/iptables -A LOOPBACK -o lo -j ACCEPT
+
+ /sbin/iptables -A INPUT -j LOOPBACK
+ /sbin/iptables -A OUTPUT -j LOOPBACK
+
  # Accept everything connected
- /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-
- # Accept everything on lo
- iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
- iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
-
+ for i in INPUT FORWARD OUTPUT; do
+ /sbin/iptables -A ${i} -j CONNTRACK
+ done
+
  # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
  /sbin/iptables -N IPSECINPUT
  /sbin/iptables -N IPSECFORWARD
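Review bot: The shared LOOPBACK chain carries one rule that can never match in each of its callers: `-o lo` has no output interface to test when reached from INPUT, and `-i lo` has no input interface when reached from OUTPUT. That is harmless, but a reader will wonder whether the jumps were meant for different hooks; a comment such as `# -i lo matches from INPUT, -o lo from OUTPUT; the other rule is a no-op in each caller` on the chain definition would settle it. FORWARD gets no LOOPBACK jump here, so loopback handling for that chain now lives only in the `-i lo` rule further down (the +144 hunk); stating that in the same comment keeps the two places from drifting apart. iptables_init continues outside the hunk.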
@@ -136,16 +144,16 @@ iptables_init() {
 
  # Input Firewall
  /sbin/iptables -N INPUTFW
- /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
+ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j INPUTFW
 
  # localhost and ethernet.
- /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
- /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
- /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
- /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
- /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
+ /sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
+ /sbin/iptables -A INPUT -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP # Loopback not on lo
+ /sbin/iptables -A INPUT -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A FORWARD -i lo -m conntrack --ctstate NEW -j ACCEPT
+ /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m conntrack --ctstate NEW -j DROP
+ /sbin/iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
 
  # allow DHCP on BLUE to be turned on/off
  /sbin/iptables -N DHCPBLUEINPUT
@@ -153,9 +161,9 @@ iptables_init() {
 
  # WIRELESS chains
  /sbin/iptables -N WIRELESSINPUT
- /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
+ /sbin/iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
  /sbin/iptables -N WIRELESSFORWARD
- /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
 
  # Forward Firewall
  /sbin/iptables -N FORWARDFW
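Review bot: The rewritten `/sbin/iptables -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT` at the top of the localhost block is dead in practice: INPUT is already sent to the LOOPBACK chain earlier in the script (the +116 hunk), which accepts everything arriving on lo before this rule is consulted. The FORWARD `-i lo` rule below it still matters because FORWARD gets no LOOPBACK jump, and the 127.0.0.0/8 DROP rules keep working since LOOPBACK matches only on the interface, not on addresses. Either remove the INPUT lo rule or mark it, e.g. `# lo traffic is already accepted by the LOOPBACK chain; kept as a safety net`, so the next reader does not hunt for its purpose. On the GREEN_DEV line the `! -p icmp` placed after `-j ACCEPT` is accepted by iptables but easy to misread; `/sbin/iptables -A INPUT -i $GREEN_DEV ! -p icmp -m conntrack --ctstate NEW -j ACCEPT` keeps the match options together. iptables_init starts and ends outside both hunks.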
@@ -189,7 +197,7 @@ iptables_init() {
  /sbin/iptables -t nat -N UPNPFW
  /sbin/iptables -t nat -A PREROUTING -j UPNPFW
  /sbin/iptables -N UPNPFW
- /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+ /sbin/iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
 
  # Postrouting rules (for port forwarding)
  /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS