;;
esac
+HAVE_OPENVPN="true"
+
# INPUT
case "${FWPOLICY2}" in
REJECT)
iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
+ # OpenVPN
+ # Allow direct access to the internal IP addresses of the firewall
+ # from remote subnets if forward policy is allowed.
+ case "${HAVE_OPENVPN},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -i tun+ -j ACCEPT
+ ;;
+ esac
+
if [ "${DROPINPUT}" = "on" ]; then
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
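Review bot: The OpenVPN exemption added at L14-L19 lives only inside the `*) # DROP` arm of the `case "${FWPOLICY2}"`, so when FWPOLICY2 is REJECT the blanket rule at L8 rejects tun+ traffic before the new ACCEPT could ever apply; if the allowance is meant to hold for both input policies it has to be appended before the case, not inside one arm. The rule itself, `iptables -A POLICYIN -i tun+ -j ACCEPT`, also accepts every packet arriving on any tun+ interface regardless of destination address or protocol, which is wider than the comment at L12-L13 ("direct access to the internal IP addresses of the firewall") states; either narrow the match to the firewall's own addresses or reword the comment to `# Allow all traffic arriving on OpenVPN tunnel interfaces to reach the firewall itself (unless POLICY is MODE1).` so the next reader is not misled about what is accepted. The comment should also say what MODE1 means here, since the `true,MODE1) ;;` arm silently skips the rule. The enclosing function and the outer case begin before this hunk.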
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
&p2pblock;
system ("/usr/sbin/firewall-policy");
- system ("/etc/sysconfig/firewall.local reload");
}
}
}
<font color="$Header::colourorange">$Lang::tr{'orange'}</font>
($Lang::tr{'fwdfw pol block'})
</td>
+END
+ }
+
+ print <<END;
<td align='center'>
<font color="$Header::colourgreen">$Lang::tr{'green'}</font>
($Lang::tr{'fwdfw pol block'})
</td>
+ </tr>
END
- }
-
- print"</tr>";
}
print <<END;
# Block OpenVPN transfer networks
iptables -N OVPNBLOCK
- for i in INPUT FORWARD; do
- iptables -A ${i} -j OVPNBLOCK
- done
+ iptables -A INPUT -i tun+ -j OVPNBLOCK
+ iptables -A OUTPUT -o tun+ -j OVPNBLOCK
+ iptables -A FORWARD -i tun+ -j OVPNBLOCK
+ iptables -A FORWARD -o tun+ -j OVPNBLOCK
# OpenVPN transfer network translation
iptables -t nat -N OVPNNAT
iptables -t nat -N REDNAT
iptables -t nat -A POSTROUTING -j REDNAT
- iptables_red
-
# Custom prerouting chains (for transparent proxy)
iptables -t nat -N SQUID
iptables -t nat -A PREROUTING -j SQUID
iptables -N POLICYOUT
iptables -A OUTPUT -j POLICYOUT
+ # Initialize firewall policies.
/usr/sbin/firewall-policy
- # read new firewall
- /usr/local/bin/firewallctrl
+ # Install firewall rules for the red interface.
+ iptables_red
}
iptables_red() {
}
void setFirewallRules(void) {
+ char command[STRING_SIZE];
char protocol[STRING_SIZE] = "";
char dport[STRING_SIZE] = "";
char dovpnip[STRING_SIZE] = "";
if (!strcmp(enableorange, "on") && strlen(orangeif))
addRule(OVPNINPUT, orangeif, protocol, dport);
+ /* Allow ICMP error messages to pass. */
+ snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp"
+ " -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);
+ executeCommand(command);
+
// read connection configuration
connection *conn = getConnections();
// set firewall rules for n2n connections
- char command[STRING_SIZE];
char *local_subnet_address = NULL;
char *transfer_subnet_address = NULL;
while (conn != NULL) {
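Review bot: The new snprintf at L86-L87 passes `STRING_SIZE - 1` as the buffer size and ignores the return value; snprintf already NUL-terminates within the size it is given, so the `- 1` only discards a byte, and a truncated command would still be handed to executeCommand at L88 and run as a different iptables invocation. Prefer `int n = snprintf(command, sizeof command, "/sbin/iptables -A %s -p icmp -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);` followed by `if (n < 0 || (size_t)n >= sizeof command) return;` (or whatever error path this function uses) before executing it. Truncation is unlikely if OVPNBLOCK is a short fixed chain name, which the page suggests but does not show, so the check is cheap insurance rather than a fix for an observed failure. The body of setFirewallRules continues past the end of this hunk.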