firewall: Explicitely allow DHCP messages.
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 17 Apr 2014 10:31:27 +0000 (12:31 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 17 Apr 2014 10:31:27 +0000 (12:31 +0200)
src/initscripts/init.d/dhcp
src/initscripts/init.d/firewall

index abc6b5c..bc0abce 100644 (file)
@@ -9,19 +9,30 @@
 . $rc_functions
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
+function flush_chains() {
+       iptables -F DHCPGREENINPUT
+       iptables -F DHCPGREENOUTPUT
+       iptables -F DHCPBLUEINPUT
+       iptables -F DHCPBLUEOUTPUT
+}
+
 case "$1" in
        start)
-               iptables -F DHCPBLUEINPUT
+               flush_chains
+
                if [ -e /var/ipfire/dhcp/enable_green ]; then
                        devices="${GREEN_DEV}"
+
+                       iptables -A DHCPGREENINPUT  -i "${GREEN_DEV}" -j DHCPINPUT
+                       iptables -A DHCPGREENOUTPUT -o "${GREEN_DEV}" -j DHCPOUTPUT
                fi
                if [ -e /var/ipfire/dhcp/enable_blue ]; then
                        devices+=" ${BLUE_DEV}"
-                       
-                       iptables -A DHCPBLUEINPUT -p tcp --source-port 68 --destination-port 67 -i ${BLUE_DEV} -j ACCEPT > /dev/null 2>&1
-                       iptables -A DHCPBLUEINPUT -p udp --source-port 68 --destination-port 67 -i ${BLUE_DEV} -j ACCEPT > /dev/null 2>&1
-               fi              
-               
+
+                       iptables -A DHCPBLUEINPUT  -i "${BLUE_DEV}" -j DHCPINPUT
+                       iptables -A DHCPBLUEOUTPUT -o "${BLUE_DEV}" -j DHCPOUTPUT
+               fi
+
                boot_mesg "Starting DHCP Server..."
                loadproc /usr/sbin/dhcpd -q ${devices}
                
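Review bot: The new `iptables -A DHCPGREENINPUT -i "${GREEN_DEV}" -j DHCPINPUT` / `DHCPGREENOUTPUT` pair and the BLUE equivalents run whenever the enable_green or enable_blue flag file exists, with no check that the device variable is set, whereas the firewall side guards its corresponding INPUT/OUTPUT jumps with `[ -n "${GREEN_DEV}" ]`. With an empty variable iptables will most likely reject `-i ""`, and since the old `> /dev/null 2>&1` is gone the error now surfaces at boot while dhcpd is still started on that interface. Wrapping each pair in the same guard, e.g. `if [ -n "${BLUE_DEV}" ]; then … fi`, keeps the two scripts consistent. The `-i`/`-o` matches inside the per-interface chains look redundant given the firewall only enters them for that device, but they are harmless as defence in depth. The `start)` case continues past the end of the hunk.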
@@ -29,6 +40,8 @@ case "$1" in
                ;;
 
        stop)
+               flush_chains
+
                boot_mesg "Stopping DHCP Server..."
                killproc -p /var/run/dhcpd.pid /usr/sbin/dhcpd
                if [ "$(ps -A | grep " dhcpd")" != "" ] ; then
index f0d9c49..8371781 100644 (file)
@@ -143,6 +143,31 @@ iptables_init() {
                iptables -A ${i} -j CONNTRACK
        done
 
+       # Allow DHCP
+       iptables -N DHCPINPUT
+       iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+       iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+       iptables -N DHCPOUTPUT
+       iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+       iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+       # Allow DHCP on GREEN
+       iptables -N DHCPGREENINPUT
+       iptables -N DHCPGREENOUTPUT
+       if [ -n "${GREEN_DEV}" ]; then
+               iptables -A INPUT  -i "${GREEN_DEV}" -j DHCPGREENINPUT
+               iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+       fi
+
+       # allow DHCP on BLUE to be turned on/off
+       iptables -N DHCPBLUEINPUT
+       iptables -N DHCPBLUEOUTPUT
+       if [ -n "${BLUE_DEV}" ]; then
+               iptables -A INPUT  -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+               iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+       fi
+
        # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
        iptables -N IPSECINPUT
        iptables -N IPSECFORWARD
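Review bot: The two `-p tcp` rules in DHCPINPUT and DHCPOUTPUT (`--sport 68 --dport 67` and the reverse) are carried over from the old BLUE rule but have no protocol basis: DHCP runs over UDP only, so the TCP lines merely accept any TCP connection to port 67 from a GREEN or BLUE peer that chooses source port 68, plus the replies on OUTPUT. Dropping the two TCP lines, or if they are kept on purpose annotating them with `# DHCP is UDP-only; TCP rule kept for parity with the old ruleset`, would make the intent explicit. Creating DHCPGREENINPUT/DHCPBLUEINPUT and their OUTPUT chains unconditionally, with only the jumps guarded on the device variable, is a good choice since the dhcp initscript flushes those chains without checking; a short comment saying the chains must always exist for that reason would protect the invariant. iptables_init continues past both ends of the hunk.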
@@ -155,11 +180,7 @@ iptables_init() {
 
        # localhost and ethernet.
        iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-       
-       # allow DHCP on BLUE to be turned on/off
-       iptables -N DHCPBLUEINPUT 
-       iptables -A INPUT -j DHCPBLUEINPUT
-       
+
        # WIRELESS chains
        iptables -N WIRELESSINPUT
        iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT