mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-27 19:23:24 +02:00
Forward Firewall: First part of adding OUTGOING to th efirewall
This commit is contained in:
Alexander Marx
committed by
Michael Tremer
Michael Tremer
parent
d7127db8fb
commit
5d7faa4518
@@ -1,24 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
|
||||
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
|
||||
|
||||
iptables -F POLICY
|
||||
|
||||
if [ "$POLICY" == "MODE1" ]; then
|
||||
|
||||
if [ "$FWPOLICY" == "REJECT" ]; then
|
||||
if [ "$DROPFORWARD" == "on" ]; then
|
||||
/sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
|
||||
fi
|
||||
/sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
|
||||
fi
|
||||
if [ "$FWPOLICY" == "DROP" ]; then
|
||||
if [ "$DROPFORWARD" == "on" ]; then
|
||||
/sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
|
||||
fi
|
||||
/sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
@@ -221,6 +221,8 @@ sub get_std_net_ip
|
||||
return "$ovpnsettings{'DOVPN_SUBNET'}";
|
||||
}elsif($val =~ /IPsec/i){
|
||||
return "$ipsecsettings{'RW_NET'}";
|
||||
}elsif($val eq 'IPFire'){
|
||||
return ;
|
||||
}
|
||||
}
|
||||
sub get_net_ip
|
||||
|
||||
39
config/forwardfw/firewall-policy
Executable file
39
config/forwardfw/firewall-policy
Executable file
@@ -0,0 +1,39 @@
|
||||
#!/bin/sh
|
||||
|
||||
eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
|
||||
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
|
||||
|
||||
iptables -F POLICYFWD
|
||||
iptables -F POLICYOUT
|
||||
|
||||
|
||||
if [ "$POLICY" == "MODE1" ]; then
|
||||
if [ "$FWPOLICY" == "REJECT" ]; then
|
||||
if [ "$DROPFORWARD" == "on" ]; then
|
||||
/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
|
||||
fi
|
||||
/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
|
||||
fi
|
||||
if [ "$FWPOLICY" == "DROP" ]; then
|
||||
if [ "$DROPFORWARD" == "on" ]; then
|
||||
/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
|
||||
fi
|
||||
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
|
||||
fi
|
||||
fi
|
||||
if [ "$POLICY1" == "MODE1" ]; then
|
||||
/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
if [ "$FWPOLICY1" == "REJECT" ]; then
|
||||
if [ "$DROPOUTGOING" == "on" ]; then
|
||||
/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
|
||||
fi
|
||||
/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
|
||||
fi
|
||||
if [ "$FWPOLICY1" == "DROP" ]; then
|
||||
if [ "$DROPOUTGOING" == "on" ]; then
|
||||
/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
|
||||
fi
|
||||
/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -42,6 +42,7 @@ our %sourcehash=();
|
||||
our %targethash=();
|
||||
my @timeframe=();
|
||||
my %configinputfw=();
|
||||
my %configoutgoingfw=();
|
||||
my %aliases=();
|
||||
my @DPROT=();
|
||||
my @p2ps=();
|
||||
@@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl";
|
||||
|
||||
my $configfwdfw = "${General::swroot}/forward/config";
|
||||
my $configinput = "${General::swroot}/forward/input";
|
||||
my $configoutgoing = "${General::swroot}/forward/outgoing";
|
||||
my $p2pfile = "${General::swroot}/forward/p2protocols";
|
||||
my $configgrp = "${General::swroot}/fwhosts/customgroups";
|
||||
my $netsettings = "${General::swroot}/ethernet/settings";
|
||||
@@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW";
|
||||
&General::readhash("$netsettings", \%defaultNetworks);
|
||||
&General::readhasharray($configfwdfw, \%configfwdfw);
|
||||
&General::readhasharray($configinput, \%configinputfw);
|
||||
&General::readhasharray($configoutgoing, \%configoutgoingfw);
|
||||
&General::readhasharray($configgrp, \%customgrp);
|
||||
&General::get_aliases(\%aliases);
|
||||
|
||||
@@ -95,7 +98,7 @@ if($param eq 'flush'){
|
||||
if($MODE eq '0'){
|
||||
if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
|
||||
&p2pblock;
|
||||
system ("/usr/sbin/firewall-forward-policy");
|
||||
system ("/usr/sbin/firewall-policy");
|
||||
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
|
||||
$defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
|
||||
$green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
|
||||
@@ -117,7 +120,7 @@ if($param eq 'flush'){
|
||||
|
||||
&p2pblock;
|
||||
system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
|
||||
system ("/usr/sbin/firewall-forward-policy");
|
||||
system ("/usr/sbin/firewall-policy");
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -125,6 +128,7 @@ sub flush
|
||||
{
|
||||
system ("iptables -F FORWARDFW");
|
||||
system ("iptables -F INPUTFW");
|
||||
system ("iptables -F OUTGOINGFW");
|
||||
}
|
||||
sub preparerules
|
||||
{
|
||||
@@ -134,6 +138,9 @@ sub preparerules
|
||||
if (! -z "${General::swroot}/forward/input"){
|
||||
&buildrules(\%configinputfw);
|
||||
}
|
||||
if (! -z "${General::swroot}/forward/outgoing"){
|
||||
&buildrules(\%configoutgoingfw);
|
||||
}
|
||||
}
|
||||
sub buildrules
|
||||
{
|
||||
@@ -160,7 +167,6 @@ sub buildrules
|
||||
}
|
||||
}
|
||||
}elsif($$hash{$key}[5] eq 'ipfire'){
|
||||
|
||||
if($$hash{$key}[6] eq 'Default IP'){
|
||||
open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
|
||||
$targethash{$key}[0]= <FILE>;
|
||||
@@ -217,7 +223,7 @@ sub buildrules
|
||||
foreach my $b (sort keys %targethash){
|
||||
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
|
||||
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
|
||||
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
|
||||
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
|
||||
if ($$hash{$key}[17] eq 'ON'){
|
||||
print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
|
||||
}
|
||||
@@ -237,7 +243,7 @@ sub buildrules
|
||||
foreach my $b (sort keys %targethash){
|
||||
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
|
||||
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
|
||||
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
|
||||
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
|
||||
if ($$hash{$key}[17] eq 'ON'){
|
||||
system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user