From ef6f983b1724f9b3ac4d5d4f5ba45288985c44fc Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 7 Mar 2013 10:01:24 +0100
Subject: [PATCH] Forward Firewall: put rule OUTGOING ACCEPT Related, established into /etc/init.d/firewall deleted ACCEPT OUTGOINGFW related,established from POLICYOUT
---
 config/forwardfw/firewall-policy | 23 ++++++++++++-----------
 src/initscripts/init.d/firewall | 6 +++++-
 2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index bbdec37bc..3b7fa18ad 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -7,6 +7,7 @@ iptables -F POLICYFWD
 iptables -F POLICYOUT
 iptables -F POLICYIN
+#FORWARDFW
 if [ "$POLICY" == "MODE1" ]; then
 if [ "$FWPOLICY" == "REJECT" ]; then
 if [ "$DROPFORWARD" == "on" ]; then
@@ -21,20 +22,20 @@ if [ "$POLICY" == "MODE1" ]; then
 /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 fi
 fi
+#OUTGOINGFW
 if [ "$POLICY1" == "MODE1" ]; then
- /sbin/iptables -I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- if [ "$FWPOLICY1" == "REJECT" ]; then
- if [ "$DROPOUTGOING" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
- fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+ if [ "$FWPOLICY1" == "REJECT" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
 fi
- if [ "$FWPOLICY1" == "DROP" ]; then
- if [ "$DROPOUTGOING" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
- fi
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+ fi
+ if [ "$FWPOLICY1" == "DROP" ]; then
+ if [ "$DROPOUTGOING" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
 fi
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ fi
 fi
 #INPUT
 if [ "$FWPOLICY2" == "REJECT" ]; then
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index c51ba3585..9024a88fd 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
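Review bot: Dropping the `-I OUTGOINGFW 1 -m state --state ESTABLISHED,RELATED -j ACCEPT` line leaves this policy script with no hint of where return traffic for outbound connections is now accepted, while the POLICYOUT REJECT/DROP rules below it still read as the final word on outgoing traffic. The added `#OUTGOINGFW` marker is the natural place for that, e.g. `#OUTGOINGFW (ESTABLISHED,RELATED is accepted on OUTPUT in /etc/init.d/firewall before this chain is reached)`. Note also that the flushes visible at the top of the first hunk cover POLICYFWD, POLICYOUT and POLICYIN but not OUTGOINGFW, so on a system that already ran the old script the previously inserted accept rule presumably stays at position 1 of OUTGOINGFW until the init script rebuilds the chains; the hunk does not show whether something else flushes it.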
@@ -149,10 +149,10 @@ case "$1" in
 /sbin/iptables -N CUSTOMFORWARD
 /sbin/iptables -A FORWARD -j CUSTOMFORWARD
 /sbin/iptables -N CUSTOMOUTPUT
+ /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
 /sbin/iptables -N OUTGOINGFW
 /sbin/iptables -A OUTPUT -j OUTGOINGFW
- /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -t nat -N CUSTOMPREROUTING
 /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 /sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -173,6 +173,10 @@ case "$1" in
 /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ # Accept everything on lo
+ iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+ iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
+
 # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 /sbin/iptables -N IPSECINPUT
 /sbin/iptables -N IPSECFORWARD
-- 
2.39.2
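Review bot: The new `-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` is appended before `-A OUTPUT -j CUSTOMOUTPUT`, so packets of already-established outbound connections are accepted before the CUSTOMOUTPUT chain and any user rule placed there (a LOG or DROP on an existing flow, for instance) never sees them; the rule it replaces lived in OUTGOINGFW, which OUTPUT only jumps to after CUSTOMOUTPUT. This also makes OUTPUT differ from FORWARD, where `-A FORWARD -j CUSTOMFORWARD` in this hunk stays ahead of the FORWARD ESTABLISHED,RELATED accept in the next one. If the custom chain is meant to keep full visibility, swap the two lines so that `/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT` comes first and `/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` follows it; if the early accept is intended, a one-line comment saying that CUSTOMOUTPUT only sees NEW and INVALID packets would save the next reader the same question. The `start)` case this belongs to begins and ends outside the hunk.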
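Review bot: The two loopback accepts are appended to INPUT and OUTPUT around line 176, i.e. after the `-A OUTPUT -j CUSTOMOUTPUT` and `-A OUTPUT -j OUTGOINGFW` jumps from the previous hunk, so NEW packets on lo traverse the custom and outgoing-policy chains before reaching them; if OUTGOINGFW ends up in POLICYOUT, which the firewall-policy hunk shows can terminate in REJECT or DROP, local services talking over loopback are subject to the outgoing policy and the comment `# Accept everything on lo` is not true. Moving the two rules up next to the OUTPUT ESTABLISHED,RELATED accept, before the chain jumps, would make the comment hold; the same check applies to INPUT if a custom or policy chain is attached to it earlier, which the hunk does not show. Both new rules also call bare `iptables` where every neighbouring line uses `/sbin/iptables`, so `/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT` and `/sbin/iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT` would keep the script consistent and independent of PATH at boot.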