Forward Firewall: put rule OUTGOING ACCEPT Related, established into /etc/init.d...
authorAlexander Marx <amarx@ipfire.org>
Thu, 7 Mar 2013 09:01:24 +0000 (10:01 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:11:55 +0000 (14:11 +0200)
deleted ACCEPT OUTGOINGFW related,established from POLICYOUT

config/forwardfw/firewall-policy
src/initscripts/init.d/firewall

index bbdec37bc2499121a2fb333689c87c84927d214f..3b7fa18ada97a46b431135a5aa58abcdee5e8c4b 100755 (executable)
@@ -7,6 +7,7 @@ iptables -F POLICYFWD
 iptables -F POLICYOUT
 iptables -F POLICYIN
 
+#FORWARDFW
 if [ "$POLICY" == "MODE1" ]; then
                if [ "$FWPOLICY" == "REJECT" ]; then
                        if [ "$DROPFORWARD" == "on" ]; then
@@ -21,20 +22,20 @@ if [ "$POLICY" == "MODE1" ]; then
                        /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
                fi
 fi
+#OUTGOINGFW
 if [ "$POLICY1" == "MODE1" ]; then
-       /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-               if [ "$FWPOLICY1" == "REJECT" ]; then
-                       if [ "$DROPOUTGOING" == "on" ]; then
-                               /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
-                       fi
-                               /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+       if [ "$FWPOLICY1" == "REJECT" ]; then
+               if [ "$DROPOUTGOING" == "on" ]; then
+                       /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
                fi
-               if [ "$FWPOLICY1" == "DROP" ]; then
-                       if [ "$DROPOUTGOING" == "on" ]; then
-                               /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
-                       fi
-                               /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+               /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+       fi
+       if [ "$FWPOLICY1" == "DROP" ]; then
+               if [ "$DROPOUTGOING" == "on" ]; then
+                       /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
                fi
+                       /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+       fi
 fi
 #INPUT
 if [ "$FWPOLICY2" == "REJECT" ]; then
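Review bot: The DROP rule on the new side (`/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"`) is indented one level deeper than its REJECT counterpart and deeper than the `fi` that precedes it, so it reads as if it belonged to the inner `DROPOUTGOING` test even though it runs unconditionally inside the `FWPOLICY1 == DROP` branch; dedent it one tab to line up with the REJECT rule. The restructured block still tests `FWPOLICY1` only for REJECT and DROP, so any other value leaves POLICYOUT empty after the flush at the top of the file — presumably the ACCEPT case, but a one-line comment such as `# any other FWPOLICY1 value leaves POLICYOUT empty so packets fall through` would make that explicit. The `#INPUT` block that begins on the last line of this hunk continues outside it.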
index c51ba35855a1a44ea7d45e2fe5d10fbc0ed19285..9024a88fdae8069f9e74a43b4bb4b09c7496be76 100644 (file)
@@ -149,10 +149,10 @@ case "$1" in
        /sbin/iptables -N CUSTOMFORWARD
        /sbin/iptables -A FORWARD -j CUSTOMFORWARD
        /sbin/iptables -N CUSTOMOUTPUT
+       /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
        /sbin/iptables -N OUTGOINGFW
        /sbin/iptables -A OUTPUT -j OUTGOINGFW
-       /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
        /sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -173,6 +173,10 @@ case "$1" in
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        
+       # Accept everything on lo
+       iptables -A INPUT  -i lo -m state --state NEW -j ACCEPT
+       iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+       
        # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
        /sbin/iptables -N IPSECINPUT
        /sbin/iptables -N IPSECFORWARD
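Review bot: The ESTABLISHED,RELATED accept added to OUTPUT in the first hunk is appended before `/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT`, whereas the rule it replaces lived in OUTGOINGFW, which is only jumped to after CUSTOMOUTPUT; custom output rules therefore no longer see established or related packets, and any CUSTOMOUTPUT entry meant to log or block an ongoing connection becomes ineffective. If that ordering is intended, a comment above the line should say so; otherwise move it after the CUSTOMOUTPUT jump, i.e. between `-A OUTPUT -j CUSTOMOUTPUT` and `-N OUTGOINGFW`. In the second hunk the two loopback rules call bare `iptables` while every neighbouring line uses `/sbin/iptables`; use the absolute path there too for consistency with the rest of the script, and drop the trailing whitespace on the added blank line. The `case "$1" in` arm these hunks belong to starts and ends outside them.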