X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=844cbf6d56092689418b2fe3f45da33bf43c844c;hp=b9f3908303cdd9a142860de7b655516ac38ac877;hb=ff4770c79ba800a03fea65ffd5153f75e63cf2b8;hpb=d9716b067d5ad6c904653840c70d9fde01eac3f7 diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index b9f390830..844cbf6d5 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -53,6 +53,9 @@ iptables_init() { # Chain to contain all the rules relating to bad TCP flags /sbin/iptables -N BADTCP + #Don't check loopback + /sbin/iptables -A BADTCP -i lo -j RETURN + # Disallow packets frequently used by port-scanners # nmap xmas /sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN @@ -70,89 +73,31 @@ iptables_init() { /sbin/iptables -A INPUT -j BADTCP /sbin/iptables -A FORWARD -j BADTCP -} - -iptables_red() { - /sbin/iptables -F REDINPUT - /sbin/iptables -F REDFORWARD - /sbin/iptables -t nat -F REDNAT - - # PPPoE / PPTP Device - if [ "$IFACE" != "" ]; then - # PPPoE / PPTP - if [ "$DEVICE" != "" ]; then - /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT - fi - if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then - if [ "$RED_DEV" != "" ]; then - /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT - fi - fi - fi - - # PPTP over DHCP - if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT - fi - - # Orange pinholes - if [ "$ORANGE_DEV" != "" ]; then - # This rule enables a host on ORANGE network to connect to the outside - # (only if we have a red connection) - if [ "$IFACE" != "" ]; then - /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT - fi - fi - - if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then - # DHCP - if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then - /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - - # Outgoing masquerading (don't masqerade IPSEC (mark 50)) - /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE - - fi -} - -# See how we were called. -case "$1" in - start) - iptables_init - - # Limit Packets- helps reduce dos/syn attacks - # original do nothing line - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec - # the correct one, but the negative '!' do nothing... - #/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP - # Fix for braindead ISP's /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # CUSTOM chains, can be used by the users themselves /sbin/iptables -N CUSTOMINPUT /sbin/iptables -A INPUT -j CUSTOMINPUT - /sbin/iptables -N GUARDIANINPUT - /sbin/iptables -A INPUT -j GUARDIANINPUT + /sbin/iptables -N GUARDIAN + /sbin/iptables -A INPUT -j GUARDIAN + /sbin/iptables -N OVPNBLOCK + /sbin/iptables -A FORWARD -j OVPNBLOCK + /sbin/iptables -A FORWARD -j GUARDIAN /sbin/iptables -N CUSTOMFORWARD /sbin/iptables -A FORWARD -j CUSTOMFORWARD /sbin/iptables -N CUSTOMOUTPUT + /sbin/iptables -A OUTPUT -j OVPNBLOCK + /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT /sbin/iptables -N OUTGOINGFW - /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW /sbin/iptables -t nat -N CUSTOMPREROUTING + /sbin/iptables -t nat -N OVPNNAT /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT # IPTV chains for IGMPPROXY /sbin/iptables -N IPTVINPUT @@ -160,6 +105,9 @@ case "$1" in /sbin/iptables -N IPTVFORWARD /sbin/iptables -A FORWARD -j IPTVFORWARD + # Filtering ovpn networks INPUT + /sbin/iptables -A INPUT -j OVPNBLOCK + # filtering from GUI /sbin/iptables -N GUIINPUT /sbin/iptables -A INPUT -j GUIINPUT @@ -169,6 +117,10 @@ case "$1" in /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + # Accept everything on lo + iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT + # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything /sbin/iptables -N IPSECINPUT /sbin/iptables -N IPSECFORWARD @@ -182,39 +134,40 @@ case "$1" in /sbin/iptables -t nat -N IPSECNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT - # Outgoing Firewall - /sbin/iptables -A FORWARD -j OUTGOINGFW - /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - /sbin/iptables -A INPUT -j OUTGOINGFWMAC + # Input Firewall + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT + /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo /sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP - /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT + /sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT - - # If a host on orange tries to initiate a connection to IPFire's red IP and - # the connection gets DNATed back through a port forward to a server on orange - # we end up with orange -> orange traffic passing through IPFire - [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT - + # allow DHCP on BLUE to be turned on/off /sbin/iptables -N DHCPBLUEINPUT /sbin/iptables -A INPUT -j DHCPBLUEINPUT - - # OPenSSL - /sbin/iptables -N OPENSSLPHYSICAL - /sbin/iptables -A INPUT -j OPENSSLPHYSICAL - + # WIRELESS chains /sbin/iptables -N WIRELESSINPUT /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD + + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # PORTFWACCESS chain, used for portforwarding + /sbin/iptables -N PORTFWACCESS + /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS + + # OPenSSL + /sbin/iptables -N OPENSSLPHYSICAL + /sbin/iptables -A INPUT -j OPENSSLPHYSICAL # RED chain, used for the red interface /sbin/iptables -N REDINPUT @@ -225,40 +178,25 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j REDNAT iptables_red - - # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow - # ORANGE to talk to GREEN / BLUE. - /sbin/iptables -N DMZHOLES - if [ "$ORANGE_DEV" != "" ]; then - /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j DMZHOLES - fi - - # XTACCESS chain, used for external access - /sbin/iptables -N XTACCESS - /sbin/iptables -A INPUT -m state --state NEW -j XTACCESS - - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - + # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW - + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE + + + # upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW - - - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE + /sbin/iptables -N UPNPFW + /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW # Postrouting rules (for port forwarding) - /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ - --to-source $GREEN_ADDRESS + /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS if [ "$BLUE_DEV" != "" ]; then /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS fi @@ -270,72 +208,108 @@ case "$1" in if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local start fi - - # last rule in input and forward chain is for logging. + + # run openvpn + /usr/local/bin/openvpnctrl --create-chains-and-rules + + # run wirelessctrl + /usr/local/bin/wirelessctrl + + #POLICY CHAIN + /sbin/iptables -N POLICYIN + /sbin/iptables -A INPUT -j POLICYIN + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT + + /usr/sbin/firewall-policy + + # read new firewall + /usr/local/bin/forwardfwctrl if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " + /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; - startovpn) - # run openvpn - /usr/local/bin/openvpnctrl --create-chains-and-rules - ;; - stop) - iptables_init - # Accept everyting connected - /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" +} - # localhost and ethernet. - /sbin/iptables -A INPUT -i lo -j ACCEPT - /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT +iptables_red() { + /sbin/iptables -F REDINPUT + /sbin/iptables -F REDFORWARD + /sbin/iptables -t nat -F REDNAT - if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - fi - if [ "$PROTOCOL" == "RFC1483" -a "$METHOD" == "DHCP" ]; then - /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT - /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + # PPPoE / PPTP Device + if [ "$IFACE" != "" ]; then + # PPPoE / PPTP + if [ "$DEVICE" != "" ]; then + /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT + fi + if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then + if [ "$RED_DEV" != "" ]; then + /sbin/iptables -A REDINPUT -i $RED_DEV -j ACCEPT + fi + fi fi - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then - /etc/sysconfig/firewall.local stop + # PPTP over DHCP + if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT fi - if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " + # Orange pinholes + if [ "$ORANGE_DEV" != "" ]; then + # This rule enables a host on ORANGE network to connect to the outside + # (only if we have a red connection) + if [ "$IFACE" != "" ]; then + /sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT + fi fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - if [ "$DROPOUTPUT" == "on" ]; then - /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + + if [ "$IFACE" != "" -a -f /var/ipfire/red/active ]; then + # DHCP + if [ "$RED_DEV" != "" -a "$RED_TYPE" == "DHCP" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + fi + if [ "$METHOD" == "DHCP" -a "$PROTOCOL" == "RFC1483" ]; then + /sbin/iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + /sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT + fi + + # Outgoing masquerading (don't masqerade IPSEC (mark 50)) + /sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN + /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + fi - /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT" - ;; - stopovpn) - # stop openvpn - /usr/local/bin/openvpnctrl --delete-chains-and-rules - ;; +} + +# See how we were called. +case "$1" in + start) + iptables_init + ;; reload) iptables_red - # run local firewall configuration, if present - if [ -x /etc/sysconfig/firewall.local ]; then + if [ -x /etc/sysconfig/firewall.local ]; then /etc/sysconfig/firewall.local reload fi ;; restart) - $0 stop + # run local firewall configuration, if present + if [ -x /etc/sysconfig/firewall.local ]; then + /etc/sysconfig/firewall.local stop + fi $0 start ;; *) - echo "Usage: $0 {start|stop|reload|restart}" + echo "Usage: $0 {start|reload|restart}" exit 1 ;; esac