X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=7e3248147dc7e5bbcda0ba68a4af0e21cf2881c4;hp=8333c4df7dabf30f552396b073c4f84af1830fe2;hb=218b3341b6fd9da564ee876c08d8bf2c1b0ec78d;hpb=6adcf1569cf30ca399ae0aacb9e86c06fff4ffc6 diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 8333c4df7..7e3248147 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -149,9 +149,9 @@ case "$1" in /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT + /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW - /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING @@ -173,6 +173,10 @@ case "$1" in /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + # Accept everything on lo + iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything /sbin/iptables -N IPSECINPUT /sbin/iptables -N IPSECFORWARD @@ -188,17 +192,6 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT - # TOR - /sbin/iptables -N TOR_INPUT - /sbin/iptables -A INPUT -j TOR_INPUT - - # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - - # Forward Firewall - /sbin/iptables -N FORWARDFW - /sbin/iptables -A FORWARD -j FORWARDFW - # Input Firewall /sbin/iptables -N INPUTFW /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW @@ -211,13 +204,7 @@ case "$1" in /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT - - # If a host on orange tries to initiate a connection to IPFire's red IP and - # the connection gets DNATed back through a port forward to a server on orange - # we end up with orange -> orange traffic passing through IPFire - [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT - + # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT @@ -227,7 +214,15 @@ case "$1" in /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - + + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # PORTFWACCESS chain, used for portforwarding + /sbin/iptables -N PORTFWACCESS + /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS + # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL @@ -241,34 +236,22 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j REDNAT iptables_red - - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow - # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW - fi - - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - + # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW - + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + + # upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW /sbin/iptables -N UPNPFW /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE - # Postrouting rules (for port forwarding) /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ --to-source $GREEN_ADDRESS @@ -284,22 +267,16 @@ case "$1" in /etc/sysconfig/firewall.local start fi - # last rule in input and forward chain is for logging. - - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " - fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - #if [ "$DROPFORWARD" == "on" ]; then - # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " - #fi - #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - #POLICY CHAIN - /sbin/iptables -N POLICY - /sbin/iptables -A FORWARD -j POLICY + /sbin/iptables -N POLICYIN + /sbin/iptables -A INPUT -j POLICYIN + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT + + /usr/sbin/firewall-policy - /usr/sbin/firewall-forward-policy ;; startovpn) # run openvpn @@ -353,7 +330,6 @@ case "$1" in $0 stop $0 start /usr/local/bin/forwardfwctrl - /usr/local/bin/setportfw /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;;