X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=cc6b6190eb8ecb7c376934b1aa74968915c46c6c;hp=1cd2009399485586d01a89aad4744fede71086f2;hb=31901da1edb401590960558b61e31ddd9fda89c1;hpb=507954d9480485740c00ca79164e05e8ad0cc18c

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 1cd200939..cc6b6190e 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -53,6 +53,9 @@ iptables_init() {
 	# Chain to contain all the rules relating to bad TCP flags
 	/sbin/iptables -N BADTCP
 
+	#Don't check loopback
+	/sbin/iptables -A BADTCP -i lo -j RETURN
+
 	# Disallow packets frequently used by port-scanners
 	# nmap xmas
 	/sbin/iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH  -j PSCAN
@@ -101,8 +104,7 @@ iptables_red() {
 		# This rule enables a host on ORANGE network to connect to the outside
 		# (only if we have a red connection)
 		if [ "$IFACE" != "" ]; then
-			/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p tcp -o $IFACE -j ACCEPT
-			/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -p udp -o $IFACE -j ACCEPT
+			/sbin/iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
 		fi
 	fi
 
@@ -117,7 +119,8 @@ iptables_red() {
 			/sbin/iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
 		fi
 
-		# Outgoing masquerading
+		# Outgoing masquerading (don't masqerade IPSEC (mark 50))
+		/sbin/iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
 		/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
 
 	fi
@@ -132,7 +135,7 @@ case "$1" in
 	# original do nothing line
 	#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
 	# the correct one, but the negative '!' do nothing...
-	#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit ! --limit 10/sec -j DROP
+	#/sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN ! -m limit --limit 10/sec -j DROP
 
 	# Fix for braindead ISP's
 	/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -140,17 +143,27 @@ case "$1" in
 	# CUSTOM chains, can be used by the users themselves
 	/sbin/iptables -N CUSTOMINPUT
 	/sbin/iptables -A INPUT -j CUSTOMINPUT
+	/sbin/iptables -N GUARDIAN
+	/sbin/iptables -A INPUT -j GUARDIAN
+	/sbin/iptables -A FORWARD -j GUARDIAN
 	/sbin/iptables -N CUSTOMFORWARD
 	/sbin/iptables -A FORWARD -j CUSTOMFORWARD
 	/sbin/iptables -N CUSTOMOUTPUT
 	/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
 	/sbin/iptables -N OUTGOINGFW
+	/sbin/iptables -N OUTGOINGFWMAC
 	/sbin/iptables -A OUTPUT -j OUTGOINGFW
 	/sbin/iptables -t nat -N CUSTOMPREROUTING
 	/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 	/sbin/iptables -t nat -N CUSTOMPOSTROUTING
 	/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# IPTV chains for IGMPPROXY
+	/sbin/iptables -N IPTVINPUT
+	/sbin/iptables -A INPUT -j IPTVINPUT
+	/sbin/iptables -N IPTVFORWARD
+	/sbin/iptables -A FORWARD -j IPTVFORWARD
+
 	# filtering from GUI
 	/sbin/iptables -N GUIINPUT
 	/sbin/iptables -A INPUT -j GUIINPUT
@@ -161,26 +174,29 @@ case "$1" in
 	/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 	
 	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
-	/sbin/iptables -N IPSECVIRTUAL
+	/sbin/iptables -N IPSECINPUT
+	/sbin/iptables -N IPSECFORWARD
+	/sbin/iptables -N IPSECOUTPUT
 	/sbin/iptables -N OPENSSLVIRTUAL
-	/sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT"
+	/sbin/iptables -A INPUT -j IPSECINPUT
 	/sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
-	/sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
+	/sbin/iptables -A FORWARD -j IPSECFORWARD
 	/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
+	/sbin/iptables -A OUTPUT -j IPSECOUTPUT
 	/sbin/iptables -t nat -N IPSECNAT
 	/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
 	# Outgoing Firewall
-	/sbin/iptables -A FORWARD -j OUTGOINGFW
+	/sbin/iptables -A FORWARD -j OUTGOINGFWMAC
 
 	# localhost and ethernet.
-	/sbin/iptables -A INPUT   -i lo          -m state --state NEW -j ACCEPT
+	/sbin/iptables -A INPUT   -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT   -s 127.0.0.0/8 -m state --state NEW -j DROP   # Loopback not on lo
 	/sbin/iptables -A INPUT   -d 127.0.0.0/8 -m state --state NEW -j DROP
-	/sbin/iptables -A FORWARD -i lo          -m state --state NEW -j ACCEPT
+	/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
 	/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
-	/sbin/iptables -A INPUT   -i $GREEN_DEV  -m state --state NEW -j ACCEPT -p ! icmp
+	/sbin/iptables -A INPUT   -i $GREEN_DEV  -m state --state NEW -j ACCEPT ! -p icmp
 	/sbin/iptables -A FORWARD -i $GREEN_DEV  -m state --state NEW -j ACCEPT
 
 	# If a host on orange tries to initiate a connection to IPFire's red IP and
@@ -192,10 +208,6 @@ case "$1" in
 	/sbin/iptables -N DHCPBLUEINPUT 
 	/sbin/iptables -A INPUT -j DHCPBLUEINPUT
 
-	# IPSec
-	/sbin/iptables -N IPSECPHYSICAL
-	/sbin/iptables -A INPUT -j IPSECPHYSICAL
-
 	# OPenSSL
 	/sbin/iptables -N OPENSSLPHYSICAL
 	/sbin/iptables -A INPUT -j OPENSSLPHYSICAL
@@ -240,7 +252,9 @@ case "$1" in
 	# upnp chain for our upnp daemon
 	/sbin/iptables -t nat -N UPNPFW
 	/sbin/iptables -t nat -A PREROUTING -j UPNPFW
-
+	/sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
+	# This chain only contains dummy rules.
+	/sbin/iptables -N UPNPFW
 
 	# Custom mangle chain (for port fowarding)
 	/sbin/iptables -t mangle -N PORTFWMANGLE
@@ -322,7 +336,9 @@ case "$1" in
 	;;
   restart)
 	$0 stop
+	$0 stopovpn
 	$0 start
+	$0 startovpn
 	;;
   *)
         echo "Usage: $0 {start|stop|reload|restart}"