Forward Firewall: clean up some files
authorAlexander Marx <amarx@ipfire.org>
Tue, 19 Mar 2013 11:56:38 +0000 (12:56 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:11:56 +0000 (14:11 +0200)
Fix iptables loop wirelessctrl
Fix firewall chain order
Fix policies (added comments for statistics)

config/forwardfw/firewall-policy
html/cgi-bin/forwardfw.cgi
src/initscripts/init.d/firewall
src/misc-progs/wirelessctrl.c

index 3b7fa18ada97a46b431135a5aa58abcdee5e8c4b..2d4b9ec86cc99f7b80530b8109cadeb6394e6f1e 100755 (executable)
@@ -13,7 +13,7 @@ if [ "$POLICY" == "MODE1" ]; then
                        if [ "$DROPFORWARD" == "on" ]; then
                                /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
                        fi
-                       /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+                       /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
                fi
                if [ "$FWPOLICY" == "DROP" ]; then
                        if [ "$DROPFORWARD" == "on" ]; then
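Review bot: The LOG rule on line 18 keeps the prefix `"REJECT_FORWARD"` with no trailing space, so the kernel emits `REJECT_FORWARDIN=... OUT=...` as one token, which any log parser keyed on the prefix will not split cleanly; the init script's own `"DROP_INPUT "` prefix shows the intended convention. The same missing space is on the prefixes at lines 37, 54 and 62. Now that the rule's comment says `DROP_FORWARD` while it still REJECTs, prefix and comment also disagree, so I'd change line 18 to `--log-prefix "DROP_FORWARD "` (or keep `REJECT_FORWARD` and just add the space) so that log lines and the counters the comment is presumably added for line up. The enclosing `if [ "$POLICY" == "MODE1" ]` block starts before this hunk.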
@@ -21,14 +21,17 @@ if [ "$POLICY" == "MODE1" ]; then
                        fi
                        /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
                fi
+else
+       /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 fi
+
 #OUTGOINGFW
 if [ "$POLICY1" == "MODE1" ]; then
        if [ "$FWPOLICY1" == "REJECT" ]; then
                if [ "$DROPOUTGOING" == "on" ]; then
                        /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
                fi
-               /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+               /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
        fi
        if [ "$FWPOLICY1" == "DROP" ]; then
                if [ "$DROPOUTGOING" == "on" ]; then
@@ -36,17 +39,19 @@ if [ "$POLICY1" == "MODE1" ]; then
                fi
                        /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
        fi
+else
+       /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 fi
 #INPUT
 if [ "$FWPOLICY2" == "REJECT" ]; then
        if [ "$DROPINPUT" == "on" ]; then
                /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
        fi
-       /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+       /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 fi
 if [ "$FWPOLICY2" == "DROP" ]; then
        if [ "$DROPINPUT" == "on" ]; then
-               /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+               /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
        fi
-       /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD"
+       /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
 fi
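Review bot: POLICYIN gets no fallback rule: if `$FWPOLICY2` is anything other than `REJECT` or `DROP` (for example empty because the key is missing from the settings file), the chain stays empty and packets return to INPUT, whereas POLICYFWD and POLICYOUT now end in an unconditional DROP through the new `else` branches. Whether the settings writer guarantees the value is not visible here; if it does not, a matching default after line 66 such as `if [ "$FWPOLICY2" != "REJECT" ] && [ "$FWPOLICY2" != "DROP" ]; then /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"; fi` would make the three chains behave alike.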
index 84e01704d8c754b6c7b15be5068d55d623b2168e..a37fb29d1e7bbce05ea42608068f8e1f9c80160d 100755 (executable)
@@ -1738,17 +1738,12 @@ END
                <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
                <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
 END
-               if (! -z "${General::swroot}/ethernet/aliases"){
-                       print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
-                       print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
-                       print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
-
-                       foreach my $alias (sort keys %aliases)
-                       {
-                               print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
-                       }
-               }else{
-                       print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+               print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+               print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+               print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+               foreach my $alias (sort keys %aliases)
+               {
+                       print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
                }
                print"</td></tr>";
                print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
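Review bot: The `ALL` option at line 84 looks its selected state up with `$selected{'dnat'}{$Lang::tr{'all'}}`, keyed by the translated label, while every other option is keyed by its `value` (`'Default IP'` on line 85, `$alias` on line 88); unless `%selected` is deliberately populated with the label for this one entry (it is built outside the hunk), the option never renders as selected after `ALL` has been saved. I'd change line 84 to `$selected{'dnat'}{'ALL'}`. Separately, `$alias` is interpolated unescaped into both an attribute value and element text on line 88; it comes from the aliases file and is therefore admin-controlled, but HTML-escaping it would keep the page well-formed for alias names containing quotes or angle brackets. The enclosing subroutine starts and ends outside this hunk.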
index 39e1dfd7b1fd981eb34658b91251495e3ad4cecf..18dea0ab859cb176cb7f9cd9aa5f8df4eb81b1be 100644 (file)
@@ -192,10 +192,6 @@ case "$1" in
        /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
        /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
-       # Forward Firewall
-       /sbin/iptables -N FORWARDFW
-       /sbin/iptables -A FORWARD -j FORWARDFW
-
        # Input Firewall
        /sbin/iptables -N INPUTFW
        /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
@@ -225,6 +221,10 @@ case "$1" in
        /sbin/iptables -N WIRELESSFORWARD
        /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
        
+       # Forward Firewall
+       /sbin/iptables -N FORWARDFW
+       /sbin/iptables -A FORWARD -j FORWARDFW
+               
        # PORTFWACCESS chain, used for portforwarding
        /sbin/iptables -N PORTFWACCESS
        /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
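Review bot: The FORWARDFW jump added at line 110 is unconditional, whereas the neighbouring WIRELESSFORWARD (line 106) and PORTFWACCESS (line 114) jumps match only `--state NEW`, so FORWARDFW also receives ESTABLISHED/RELATED packets; whether reply traffic is accepted before reaching this point in FORWARD is outside the hunk, and if it is not, the policy tail could hit replies. If the unconditional jump is deliberate a comment should say so, otherwise `-m state --state NEW` belongs on line 110 as on its neighbours. The position after WIRELESSFORWARD is what the wirelessctrl.c change in this commit relies on, which the comment on line 108 should record, e.g. `# Forward Firewall (must stay after WIRELESSFORWARD: validated blue clients RETURN from it into this chain)`. Line 111 adds a line consisting only of trailing whitespace.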
@@ -284,12 +284,7 @@ case "$1" in
        if [ "$DROPINPUT" == "on" ]; then
                /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
        fi
-       /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
-       #if [ "$DROPFORWARD" == "on" ]; then
-       #       /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
-       #fi
-       #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
-       
+               
        #POLICY CHAIN
        /sbin/iptables -N POLICYIN
        /sbin/iptables -A INPUT -j POLICYIN
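Review bot: The `$DROPINPUT` LOG rule at lines 116-118 stays in INPUT while its DROP partner at line 119 is removed, so a packet is now logged with the `DROP_INPUT ` prefix here and then continues into POLICYIN (jumped to at line 128), where firewall-policy logs it a second time and may REJECT rather than DROP it — the first log line is both duplicated and, for the REJECT case, misleading. Either the LOG rule should move into firewall-policy alongside the DROP, or be removed here. Line 125 replaces the removed block with a line of trailing whitespace; an empty line would be cleaner.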
index 2a6ed0cae1193d34fdcf0d4b106c70142fe7eefa..450aa368fec86126cf12d71e6907c3d9a26a239a 100644 (file)
@@ -154,9 +154,7 @@ int main(void)
                                                                        (VALID_IP_AND_MASK(ipaddress))) {
                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
                                                                        safe_system(command);
-                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
-                                                                       safe_system(command);
-                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
+                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
                                                                        safe_system(command);
                                                        } else {
 
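Review bot: Collapsing the `! -o green_dev -j RETURN` / `-j FORWARDFW` pair into a single `-j RETURN` at line 137 means a validated blue client's traffic now leaves WIRELESSFORWARD and continues down FORWARD, reaching FORWARDFW only because this commit's init script moves the FORWARDFW jump after WIRELESSFORWARD; that ordering dependency is invisible from this file and deserves a comment above line 137 such as `/* RETURN: validated clients continue in FORWARD, which hands them to FORWARDFW (chain order is set in initscripts/firewall) */`. The same applies to lines 148 and 158 in the next hunk. If `green_dev` was referenced only by the removed commands it is now an unused variable in main(), which starts and ends outside these hunks.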
@@ -164,18 +162,14 @@ int main(void)
                                                                        if (strlen(macaddress) == 17) {
                                                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
                                                                                                        safe_system(command);
-                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
-                                                                                                       safe_system(command);
-                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
                                                                                                        safe_system(command);
                                                                        }
 
                                                                        if (VALID_IP_AND_MASK(ipaddress)) {
                                                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
                                                                                                        safe_system(command);
-                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
-                                                                                                       safe_system(command);
-                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
                                                                                                        safe_system(command);
                                                                        }
                                                        }