if [ "$DROPFORWARD" == "on" ]; then
/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
fi
if [ "$FWPOLICY" == "DROP" ]; then
if [ "$DROPFORWARD" == "on" ]; then
fi
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
fi
+else
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
fi
+
#OUTGOINGFW
if [ "$POLICY1" == "MODE1" ]; then
if [ "$FWPOLICY1" == "REJECT" ]; then
if [ "$DROPOUTGOING" == "on" ]; then
/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
fi
if [ "$FWPOLICY1" == "DROP" ]; then
if [ "$DROPOUTGOING" == "on" ]; then
fi
/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
fi
+else
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
fi
#INPUT
if [ "$FWPOLICY2" == "REJECT" ]; then
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
fi
- /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+ /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
fi
if [ "$FWPOLICY2" == "DROP" ]; then
if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
- /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD"
+ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
fi
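Review bot: The `--comment` on the REJECT rules (`-j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"`, and likewise `DROP_OUTPUT`/`DROP_INPUT`) now says DROP while the LOG rule two lines above still uses the `REJECT_FORWARD`/`REJECT_OUTPUT`/`REJECT_INPUT` prefix, so a reject and a drop are no longer distinguishable in `iptables -S` output and the logged prefix no longer matches the rule comment; either keep `--comment "REJECT_FORWARD"` on the REJECT rule or rename the log prefix with it. The new `else` branches that add `-j DROP -m comment --comment "DROP_FORWARD"` and `"DROP_OUTPUT"` for the non-MODE1 case have no LOG rule in front of them, so traffic dropped on that path is never recorded even when DROPFORWARD/DROPOUTGOING is on; mirroring the `-m limit --limit 10/minute -j LOG` line there would keep detection consistent. As printed, the `if [ "$DROPFORWARD" == "on" ]; then` / `fi` and `if [ "$DROPOUTGOING" == "on" ]; then` / `fi` pairs in the DROP branches have empty bodies, which bash rejects as a syntax error — if that is not an artifact of how the diff was captured, the LOG rule belongs inside them as it is in the POLICYIN DROP branch. The `--log-prefix` values in this hunk also lack the trailing space that `"DROP_INPUT "` uses elsewhere, so the prefix runs into the rest of the kernel message. The enclosing `if` on the mode variable (`POLICY`/`POLICY1`) opens outside the hunk.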
<tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
END
- if (! -z "${General::swroot}/ethernet/aliases"){
- print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
- print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
- print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
-
- foreach my $alias (sort keys %aliases)
- {
- print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
- }
- }else{
- print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+ print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+ print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+ print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+ foreach my $alias (sort keys %aliases)
+ {
+ print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
}
print"</td></tr>";
print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
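Review bot: The re-added `print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>…` line looks up the selected marker under the translated label while the option's value is the literal `ALL`, so a stored value of `ALL` presumably never renders as selected; `$selected{'dnat'}{'ALL'}` would match the value — verify against how `%selected` is populated. In the `foreach my $alias (sort keys %aliases)` loop the alias name is interpolated into both the value attribute and the option text without HTML escaping, so a name containing `'` or `<` breaks the markup; escape `$alias` before printing. Dropping the aliases-file check means the select is now emitted even when `%aliases` is empty, which looks intended but deserves a one-line comment such as `# alias list may be empty; ALL and Default IP are always offered`.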
/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
- # Forward Firewall
- /sbin/iptables -N FORWARDFW
- /sbin/iptables -A FORWARD -j FORWARDFW
-
# Input Firewall
/sbin/iptables -N INPUTFW
/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
/sbin/iptables -N WIRELESSFORWARD
/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
+ # Forward Firewall
+ /sbin/iptables -N FORWARDFW
+ /sbin/iptables -A FORWARD -j FORWARDFW
+
# PORTFWACCESS chain, used for portforwarding
/sbin/iptables -N PORTFWACCESS
/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
if [ "$DROPINPUT" == "on" ]; then
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
- /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- #if [ "$DROPFORWARD" == "on" ]; then
- # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
- #fi
- #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
-
+
#POLICY CHAIN
/sbin/iptables -N POLICYIN
/sbin/iptables -A INPUT -j POLICYIN
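Review bot: With `-A INPUT -j DROP -m comment --comment "DROP_INPUT"` removed, the LOG rule that preceded it (`-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "`) still runs for every packet reaching that point, which then continues into POLICYIN and may be accepted, so a `DROP_INPUT` log entry no longer implies a drop and duplicates the logging POLICYIN does itself; remove that `if [ "$DROPINPUT" == "on" ]` block together with the DROP, or move it into the policy chain. The relocated `-A FORWARD -j FORWARDFW` is the only jump in this hunk without `-m state --state NEW`, unlike INPUTFW, WIRELESSFORWARD and PORTFWACCESS; if FORWARDFW is meant to see established traffic too, say so in a comment. The position now matters, since wireless clients RETURN out of WIRELESSFORWARD and are only filtered because FORWARDFW is chained afterwards, so the `# Forward Firewall` comment should state it: `# must follow WIRELESSFORWARD: wireless clients RETURN from it and are then filtered here`.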
(VALID_IP_AND_MASK(ipaddress))) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
safe_system(command);
} else {
if (strlen(macaddress) == 17) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
safe_system(command);
}
if (VALID_IP_AND_MASK(ipaddress)) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
safe_system(command);
}
}
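Review bot: The three new `-j RETURN` rules drop the old `! -o green_dev` distinction, so whether a wireless client is still filtered now depends entirely on the FORWARD chain jumping to FORWARDFW after WIRELESSFORWARD, and nothing in this file records that dependency; add a comment above the first snprintf, e.g. `/* RETURN to FORWARD; FORWARDFW must be chained after WIRELESSFORWARD in the init script */`. The three snprintf/safe_system pairs differ only in the match arguments, so a small static helper that takes the already-validated match string would remove the duplication. The return value of `safe_system` is discarded on all three calls, so a failed rule insertion leaves the client half-configured silently; at least logging a failure would help operators. The enclosing function begins before the hunk.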