From: Michael Tremer
Date: Wed, 31 Jul 2013 10:52:40 +0000 (+0200)
Subject: tor: Add necessary firewall rules.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=c60301c06a340cdd7a1bc619a3fa081d4771fc76

tor: Add necessary firewall rules.
---
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 844618a30..0237297e7 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -188,6 +188,10 @@ case "$1" in
 /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+ # TOR
+ /sbin/iptables -N TOR_INPUT
+ /sbin/iptables -A INPUT -j TOR_INPUT
+
 # Outgoing Firewall
 /sbin/iptables -A FORWARD -j OUTGOINGFWMAC
diff --git a/src/initscripts/init.d/tor b/src/initscripts/init.d/tor
index 82dab68bd..d37617824 100644
--- a/src/initscripts/init.d/tor
+++ b/src/initscripts/init.d/tor
@@ -9,8 +9,27 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
+function setup_firewall() {
+ eval $(readhash /var/ipfire/tor/settings)
+
+ # Flush all rules.
+ flush_firewall
+
+ if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then
+ iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT
+ fi
+}
+
+function flush_firewall() {
+ # Flush all rules.
+ iptables -F TOR_INPUT
+}
+
 case "${1}" in
 start)
+ # Setup firewall.
+ setup_firewall
+
 boot_mesg "Starting tor..."
 loadproc /usr/bin/tor \
 --runasdaemon 1 \
@@ -20,11 +39,17 @@ case "${1}" in
 ;;
 stop)
+ # Flush firewall.
+ flush_firewall
+
 boot_mesg "Stopping tor..."
 killproc /usr/bin/tor
 ;;
 reload)
+ # Setup firewall.
+ setup_firewall
+
 boot_mesg "Reloading tor..."
 reloadproc /usr/bin/tor
 ;;
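Review bot: The chain is created and jumped to unconditionally, so every further run of this script (restart, reload) would get an error from `/sbin/iptables -N TOR_INPUT` and append a second `-j TOR_INPUT` entry to INPUT, unless the script already flushes INPUT and deletes user-defined chains earlier on, which lies outside this hunk and should be confirmed. If it does not, the creation can be made idempotent with `/sbin/iptables -L TOR_INPUT -n >/dev/null 2>&1 || /sbin/iptables -N TOR_INPUT` and the jump guarded the same way. A short comment would also help here, since the jump carries no interface match: whatever the tor initscript later puts into TOR_INPUT is evaluated for traffic arriving on any interface, at whatever position this append lands in INPUT relative to the rules added before line 188. The enclosing `case "$1" in` block starts and ends outside the hunk.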
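Review bot: `setup_firewall` passes `TOR_RELAY_PORT` from the settings file straight into `--dport` without checking that it is a port number, and because `flush_firewall` has already run by then, a malformed or tampered value leaves the relay port closed with only an iptables error on the console and a zero return to the caller. A check before the iptables call makes the failure explicit: `case "${TOR_RELAY_PORT}" in ''|*[!0-9]*) boot_mesg "Invalid TOR_RELAY_PORT: ${TOR_RELAY_PORT}"; return 1;; esac`. The same function also assumes the TOR_INPUT chain exists, so if this initscript runs before the firewall initscript has created it, both `iptables -F TOR_INPUT` and the `-A` fail silently; a comment such as `# TOR_INPUT is created by /etc/init.d/firewall; this script only fills and flushes it` would document the dependency. Two points of style: `[ ... -a ... ]` should be `[ ... ] && [ ... ]` (the `-a` form is deprecated and ambiguous), and the firewall script calls `/sbin/iptables` by absolute path while these functions rely on PATH, which is worth making consistent. The same chain-existence assumption applies to the `stop` and `reload` arms in the following hunk.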