X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=94b869dd6b9d7bea35cea0a6aec8d68e23bf3d9f;hp=57bdef9016517ce24dc882f7e5646dd4e76f3973;hb=690b0bd7618c2b0e7284beaebcf771c02daced1d;hpb=94ea1f03464ab9434189ec270baa83fc2f2dcadd
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 57bdef901..94b869dd6 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -145,18 +145,23 @@ case "$1" in
 /sbin/iptables -A INPUT -j CUSTOMINPUT
 /sbin/iptables -N GUARDIAN
 /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -N OVPNBLOCK
+ /sbin/iptables -A FORWARD -j OVPNBLOCK
 /sbin/iptables -A FORWARD -j GUARDIAN
 /sbin/iptables -N CUSTOMFORWARD
 /sbin/iptables -A FORWARD -j CUSTOMFORWARD
 /sbin/iptables -N CUSTOMOUTPUT
+ /sbin/iptables -A OUTPUT -j OVPNBLOCK
 /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
 /sbin/iptables -N OUTGOINGFW
 /sbin/iptables -A OUTPUT -j OUTGOINGFW
 /sbin/iptables -t nat -N CUSTOMPREROUTING
+ /sbin/iptables -t nat -N OVPNNAT
 /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 /sbin/iptables -t nat -N CUSTOMPOSTROUTING
 /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 # IPTV chains for IGMPPROXY
 /sbin/iptables -N IPTVINPUT
@@ -164,6 +169,9 @@ case "$1" in
 /sbin/iptables -N IPTVFORWARD
 /sbin/iptables -A FORWARD -j IPTVFORWARD
+ # Filtering ovpn networks INPUT
+ /sbin/iptables -A INPUT -j OVPNBLOCK
+
 # filtering from GUI
 /sbin/iptables -N GUIINPUT
 /sbin/iptables -A INPUT -j GUIINPUT
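Review bot: The new `-A OUTPUT -j OVPNBLOCK` jump is appended before the `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule, so whatever rules end up in OVPNBLOCK are applied to reply traffic of already-established connections as well, while the other OUTPUT chains (CUSTOMOUTPUT, OUTGOINGFW) are only consulted after that ACCEPT. No rules are added to OVPNBLOCK in this file, so the chain is presumably populated by the OpenVPN scripts; if matching ahead of the state rule is intended, a comment such as `# OVPNBLOCK is deliberately checked before the ESTABLISHED,RELATED accept` would make that explicit, otherwise the jump belongs below it. The INPUT jump to the same chain lands separately in the -164 hunk (`# Filtering ovpn networks INPUT`), so the chain's three entry points are spread over two places; grouping them under that comment would make the chain's coverage easier to audit. The enclosing case branch begins and ends outside the hunk.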
@@ -187,9 +195,7 @@ case "$1" in
 /sbin/iptables -A FORWARD -j IPSECFORWARD
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
 /sbin/iptables -A OUTPUT -j IPSECOUTPUT
- /sbin/iptables -t nat -N OVPNNAT
 /sbin/iptables -t nat -N IPSECNAT
- /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 # Input Firewall
@@ -243,7 +249,8 @@ case "$1" in
 /sbin/iptables -t nat -N NAT_DESTINATION
 /sbin/iptables -t nat -N NAT_SOURCE
 /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
- /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
+ /sbin/iptables -t nat -I POSTROUTING 3 -j NAT_SOURCE
+
 # upnp chain for our upnp daemon
@@ -253,8 +260,7 @@ case "$1" in
 /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
 # Postrouting rules (for port forwarding)
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
- --to-source $GREEN_ADDRESS
+ /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS
 if [ "$BLUE_DEV" != "" ]; then
 /sbin/iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $BLUE_ADDRESS
 fi
@@ -266,7 +272,17 @@ case "$1" in
 if [ -x /etc/sysconfig/firewall.local ]; then
 /etc/sysconfig/firewall.local start
 fi
-
+
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
 #POLICY CHAIN
 /sbin/iptables -N POLICYIN
 /sbin/iptables -A INPUT -j POLICYIN
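Review bot: `-I POSTROUTING 3 -j NAT_SOURCE` in the -243 hunk pins the rule to a numeric position instead of expressing the ordering in the script. From the visible hunks, POSTROUTING at this point holds the CUSTOMPOSTROUTING, OVPNNAT and IPSECNAT jumps, so the insert places NAT_SOURCE ahead of IPSECNAT; any change to the appends that precede this line shifts that position silently, since iptables reports no error for an index that still exists. Either add the jump in sequence where it should sit, or at least document the dependency on the line: `# must sit after OVPNNAT and before IPSECNAT; keep in sync with the nat chain setup above`. The enclosing case branch begins and ends outside the hunk.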
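Review bot: In the -266 hunk the added `-A INPUT -j DROP -m comment --comment "DROP_INPUT"` is appended directly before the `-A INPUT -j POLICYIN` context line, and DROP is a terminating target, so the POLICYIN jump (and presumably the POLICYFWD jump that follows the added `-A FORWARD -j DROP`, outside the hunk) can never be reached; the identical block appended again in the -276 hunk after `/usr/sbin/firewall-policy` is then unreachable as well. Within the block the `$DROPINPUT` LOG rule is appended after the unconditional INPUT DROP, so dropped input is never logged, whereas FORWARD logs before it drops; the -276 and -308 hunks repeat this LOG-after-DROP order for INPUT, and in -308 it reverses what was previously the working order. I would remove this copy of the block, keep the one after firewall-policy, and there put the INPUT LOG rule first: `if [ "$DROPINPUT" == "on" ]; then ... -j LOG ... fi` followed by `/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"`. The enclosing case branch begins and ends outside the hunk.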
@@ -276,10 +292,16 @@ case "$1" in
 /sbin/iptables -A OUTPUT -j POLICYOUT
 /usr/sbin/firewall-policy
-
- #Only for firewall Hits statistik
- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
+ if [ "$DROPINPUT" == "on" ]; then
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
+ fi
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
 ;;
 startovpn)
 # run openvpn
@@ -308,14 +330,16 @@ case "$1" in
 /etc/sysconfig/firewall.local stop
 fi
+ /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
+
 if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
 if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
 fi
 /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
+
 ;;
 stopovpn)
 # stop openvpn
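Review bot: In the -308 hunk the trailing space is dropped from the log prefixes, `"DROP_INPUT "` → `"DROP_INPUT"` and `"DROP_FORWARD "` → `"DROP_FORWARD"`, which changes the kernel log line: the LOG target emits the prefix immediately followed by `IN=`, so entries become `DROP_INPUTIN=...`, and any log parser or GUI keyed on the old `DROP_INPUT ` token may stop matching. Keep the trailing space, which is the usual iptables convention for a readable prefix. The new LOG lines in the -266 and -276 hunks use the same space-less prefixes and should follow whatever is decided here. The enclosing case branch (the one running `firewall.local stop`) begins outside the hunk.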