X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=f0d9c492adc9bff9844fc41bc6968d82532a92c4;hp=e87952bac6ebbf6b818875bc5ae6094104dd60d4;hb=d22294fa7e70fa6eb907239ba00c2a0c7ae1863d;hpb=7bb66417fa6908750cf083e90805d7e498ff161e
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index e87952bac..f0d9c492a 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -107,7 +107,6 @@ iptables_init() {
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
 	iptables -A INPUT -i tun+ -j OVPNBLOCK
-	iptables -A OUTPUT -o tun+ -j OVPNBLOCK
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
@@ -196,6 +195,7 @@ iptables_init() {
 	# DNAT rules
 	iptables -t nat -N NAT_DESTINATION
 	iptables -t nat -A PREROUTING -j NAT_DESTINATION
+	iptables -t nat -A OUTPUT -j NAT_DESTINATION
 
 	iptables -t mangle -N NAT_DESTINATION
 	iptables -t mangle -A PREROUTING -j NAT_DESTINATION
@@ -230,6 +230,20 @@ iptables_init() {
 	iptables -t nat -N REDNAT
 	iptables -t nat -A POSTROUTING -j REDNAT
 
+	# Filter logging of incoming broadcasts.
+	iptables -N BROADCAST_FILTER
+	iptables -A INPUT -j BROADCAST_FILTER
+
+	iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
+
+	if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
+		iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
+	fi
+
+	if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
+		iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
+	fi
+
 	# Apply OpenVPN firewall rules
 	/usr/local/bin/openvpnctrl --firewall-rules
 
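Review bot: Hooking NAT_DESTINATION into the nat OUTPUT chain (hunk at line 195) means every rule later appended to that chain is now also evaluated for packets the firewall itself originates, which the existing PREROUTING-only setup never did; rules that rely on an `-i` match will silently never match there (locally generated packets have no input interface), and rules without one now rewrite the firewall's own outbound traffic too. That is presumably the intent (allow local processes to reach DNATed services), but it deserves a comment on the added line, e.g. `# Also apply DNAT rules to locally generated traffic (no -i match possible here)`. The mangle-table NAT_DESTINATION chain two lines below is still attached only to PREROUTING; if its rules are meant to mirror the nat chain (they are appended together elsewhere, outside this hunk), an equivalent `iptables -t mangle -A OUTPUT -j NAT_DESTINATION` is likely needed for consistency. iptables_init continues outside the hunk.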
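Review bot: The BROADCAST_FILTER chain (hunk at line 230) does more than its comment says: it DROPs every packet to the subnet broadcast address of GREEN/BLUE/ORANGE in INPUT, at a position that precedes any ACCEPT rules appended to INPUT later in this script, so a service on the firewall that listens for subnet-directed broadcasts would stop receiving them without any log entry. If that is acceptable, the comment should state it, e.g. `# Drop (without logging) directed broadcasts to our own interfaces; anything on the firewall relying on subnet broadcasts will not see them`; if only log noise is the concern, a rule that skips the logging rules rather than dropping would be safer. The two guards use the deprecated `[ -a ]` form (ShellCheck SC2166): write `if [ -n "${BLUE_DEV}" ] && [ -n "${BLUE_BROADCAST}" ]; then` and the same for ORANGE. The GREEN rule has no such guard, so an unset GREEN_DEV or GREEN_BROADCAST would make iptables fail on an empty `-i`/`-d` argument — fine if GREEN is always configured, but worth a matching guard for symmetry.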
@@ -297,7 +311,10 @@ iptables_red() {
 		# Outgoing masquerading (don't masqerade IPSEC (mark 50))
 		iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
-		iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+		if [ "$IFACE" != "$GREEN_DEV" ]; then
+			iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+		fi
 	fi