Forward Firewall: clean up some files

Fix iptables loop wirelessctrl Fix firewall chain order Fix policies (added comment for statistic)
2026-04-11 19:55:52 +02:00 · 2013-03-19 12:56:38 +01:00
parent 6397b6e789
commit 93b75f31ad
4 changed files with 24 additions and 35 deletions
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -13,7 +13,7 @@ if [ "$POLICY" == "MODE1" ]; then
 			if [ "$DROPFORWARD" == "on" ]; then
 				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
 			fi
-			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
 		fi
 		if [ "$FWPOLICY" == "DROP" ]; then
 			if [ "$DROPFORWARD" == "on" ]; then
@@ -21,14 +21,17 @@ if [ "$POLICY" == "MODE1" ]; then
 			fi
 			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 		fi
+else
+	/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 fi
+
 #OUTGOINGFW
 if [ "$POLICY1" == "MODE1" ]; then
 	if [ "$FWPOLICY1" == "REJECT" ]; then
 		if [ "$DROPOUTGOING" == "on" ]; then
 			/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
 		fi
-		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT"
+		/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
 	fi
 	if [ "$FWPOLICY1" == "DROP" ]; then
 		if [ "$DROPOUTGOING" == "on" ]; then
@@ -36,17 +39,19 @@ if [ "$POLICY1" == "MODE1" ]; then
 		fi
 			/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 	fi
+else
+	/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 fi
 #INPUT
 if [ "$FWPOLICY2" == "REJECT" ]; then
 	if [ "$DROPINPUT" == "on" ]; then
 		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
 	fi
-	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD"
+	/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 fi
 if [ "$FWPOLICY2" == "DROP" ]; then
 	if [ "$DROPINPUT" == "on" ]; then
-		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+		/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 	fi
-	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD"
+	/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
 fi
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -1738,17 +1738,12 @@ END
 		<tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
 		<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
 END
-		if (! -z "${General::swroot}/ethernet/aliases"){
-			print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
-			print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
-			print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
-
-			foreach my $alias (sort keys %aliases)
-			{
-				print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
-			}
-		}else{
-			print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
+		print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
+		print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+		print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
+		foreach my $alias (sort keys %aliases)
+		{
+			print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
 		}
 		print"</td></tr>";
 		print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -192,10 +192,6 @@ case "$1" in
 	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 	/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT

-	# Forward Firewall
-	/sbin/iptables -N FORWARDFW
-	/sbin/iptables -A FORWARD -j FORWARDFW
-
 	# Input Firewall
 	/sbin/iptables -N INPUTFW
 	/sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
@@ -225,6 +221,10 @@ case "$1" in
 	/sbin/iptables -N WIRELESSFORWARD
 	/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
 	
+	# Forward Firewall
+	/sbin/iptables -N FORWARDFW
+	/sbin/iptables -A FORWARD -j FORWARDFW
+		
 	# PORTFWACCESS chain, used for portforwarding
 	/sbin/iptables -N PORTFWACCESS
 	/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
@@ -284,12 +284,7 @@ case "$1" in
 	if [ "$DROPINPUT" == "on" ]; then
 		/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 	fi
-	/sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
-	#if [ "$DROPFORWARD" == "on" ]; then
-	#	/sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
-	#fi
-	#/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
-	
+		
 	#POLICY CHAIN
 	/sbin/iptables -N POLICYIN
 	/sbin/iptables -A INPUT -j POLICYIN
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -154,9 +154,7 @@ int main(void)
 									(VALID_IP_AND_MASK(ipaddress))) {
 									snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
 									safe_system(command);
-									snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
-									safe_system(command);
-									snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
+									snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
 									safe_system(command);
 							} else {

@@ -164,18 +162,14 @@ int main(void)
 									if (strlen(macaddress) == 17) {
 													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
 													safe_system(command);
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
-													safe_system(command);
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
+													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
 													safe_system(command);
 									}

 									if (VALID_IP_AND_MASK(ipaddress)) {
 													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
 													safe_system(command);
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
-													safe_system(command);
-													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
+													snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
 													safe_system(command);
 									}
 							}