From 93b75f31ad920a2aa96206c2053b70affa135a42 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Mar 2013 12:56:38 +0100 Subject: [PATCH] Forward Firewall: clean up some files Fix iptables loop wirelessctrl Fix firewall chain order Fix policies (added comment for statistic) --- config/forwardfw/firewall-policy | 15 ++++++++++----- html/cgi-bin/forwardfw.cgi | 17 ++++++----------- src/initscripts/init.d/firewall | 15 +++++---------- src/misc-progs/wirelessctrl.c | 12 +++--------- 4 files changed, 24 insertions(+), 35 deletions(-) diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy index 3b7fa18ad..2d4b9ec86 100755 --- a/config/forwardfw/firewall-policy +++ b/config/forwardfw/firewall-policy @@ -13,7 +13,7 @@ if [ "$POLICY" == "MODE1" ]; then if [ "$DROPFORWARD" == "on" ]; then /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" fi - /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD" + /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" fi if [ "$FWPOLICY" == "DROP" ]; then if [ "$DROPFORWARD" == "on" ]; then @@ -21,14 +21,17 @@ if [ "$POLICY" == "MODE1" ]; then fi /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" fi +else + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" fi + #OUTGOINGFW if [ "$POLICY1" == "MODE1" ]; then if [ "$FWPOLICY1" == "REJECT" ]; then if [ "$DROPOUTGOING" == "on" ]; then /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" fi - /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_OUTPUT" + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" fi if [ "$FWPOLICY1" == "DROP" ]; then if [ "$DROPOUTGOING" == "on" ]; then 
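Review bot: The new `else` branches only cover `$POLICY`/`$POLICY1` not being MODE1; inside MODE1 a `$FWPOLICY`/`$FWPOLICY1` value other than REJECT or DROP (unset, mistyped) still leaves POLICYFWD/POLICYOUT without a terminating rule, so the packet returns to FORWARD/OUTPUT and is decided by whatever follows there. If those variables are only ever REJECT or DROP, making the fail-closed intent explicit is a small restructure: turn the second block into `elif [ "$FWPOLICY" == "DROP" ]; then` and add `else` / `/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"` before the closing `fi` (same for POLICYOUT); if an accept-all value is legitimate, a comment saying so would help just as much. Note also that the REJECT rules now log with prefix `REJECT_OUTPUT`/`REJECT_FORWARD` but carry the comment `DROP_OUTPUT`/`DROP_FORWARD`; since the commit message says the comment is what the statistics match on, a one-line comment such as `# --comment is matched by the statistics page, so REJECT and DROP share the DROP_* tag` above the policy blocks would save the next reader a double-take.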
@@ -36,17 +39,19 @@ if [ "$POLICY1" == "MODE1" ]; then fi /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" fi +else + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" fi #INPUT if [ "$FWPOLICY2" == "REJECT" ]; then if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT" fi - /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "REJECT_FORWARD" + /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" fi if [ "$FWPOLICY2" == "DROP" ]; then if [ "$DROPINPUT" == "on" ]; then - /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi - /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_FORWARD" + /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" fi diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 84e01704d..a37fb29d1 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -1738,17 +1738,12 @@ END $Lang::tr{'fwdfw use nat'} $Lang::tr{'fwdfw dnat'} END - if (! -z "${General::swroot}/ethernet/aliases"){ - print"IPFire: "; + print"IPFire: "; diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 39e1dfd7b..18dea0ab8 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -192,10 +192,6 @@ case "$1" in /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT - # Forward Firewall - /sbin/iptables -N FORWARDFW - /sbin/iptables -A FORWARD -j FORWARDFW - # Input Firewall /sbin/iptables -N INPUTFW /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW 
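Review bot: The INPUT block does not get the `else` fallback this commit adds for FORWARD and OUTPUT, so when `$FWPOLICY2` is neither REJECT nor DROP POLICYIN ends without a terminating rule and the packet returns to INPUT — and the initscript hunk in this same patch removes INPUT's own unconditional DROP, leaving the built-in chain policy (not shown here) as the only backstop. Mirroring the other two sections, `elif [ "$FWPOLICY2" == "DROP" ]; then` for the second block plus `else` / `/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"` before the final `fi` would keep INPUT fail-closed regardless of the variable's value. Separately, the new `--log-prefix "DROP_INPUT"` has no trailing space while the initscript's matching rule uses `"DROP_INPUT "`; the kernel concatenates the prefix directly with `IN=…`, so the two rules emit differently shaped log lines (`DROP_INPUTIN=` vs `DROP_INPUT IN=`) for anything that parses them — the same applies to the `REJECT_*` prefixes throughout this file.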
@@ -225,6 +221,10 @@ case "$1" in /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + # PORTFWACCESS chain, used for portforwarding /sbin/iptables -N PORTFWACCESS /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS @@ -284,12 +284,7 @@ case "$1" in if [ "$DROPINPUT" == "on" ]; then /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi - /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT" - #if [ "$DROPFORWARD" == "on" ]; then - # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " - #fi - #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" - + #POLICY CHAIN /sbin/iptables -N POLICYIN /sbin/iptables -A INPUT -j POLICYIN diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index 2a6ed0cae..450aa368f 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c @@ -154,9 +154,7 @@ int main(void) (VALID_IP_AND_MASK(ipaddress))) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev); safe_system(command); } else { 
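Review bot: The relocated `-A FORWARD -j FORWARDFW` is the only FORWARD jump in this stretch without `-m state --state NEW` (WIRELESSFORWARD and PORTFWACCESS on either side both have it), so FORWARDFW also sees ESTABLISHED/RELATED packets; whether that is intended depends on whether a conntrack ACCEPT precedes it in FORWARD, which is outside this hunk, so it deserves a comment either way. The new position is also load-bearing: wirelessctrl.c in this same patch replaces its direct `-j FORWARDFW` jumps with `-j RETURN`, so authorised BLUE hosts only reach the forward firewall because FORWARDFW now follows WIRELESSFORWARD in FORWARD. Pinning that in the script, e.g. `# Forward Firewall - must stay after WIRELESSFORWARD, which RETURNs authorised BLUE hosts to this chain (see wirelessctrl.c)`, would stop a later reorder from silently changing what BLUE traffic gets filtered.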
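Review bot: The `DROPINPUT` LOG rule is kept in INPUT while the DROP it accompanied is removed, so with `DROPINPUT=on` every packet reaching the end of INPUT is logged here with prefix `DROP_INPUT ` and then, because firewall-policy's POLICYIN block logs under the same `DROPINPUT` switch, logged a second time as `REJECT_INPUT`/`DROP_INPUT` before the verdict. Dropping the `if [ "$DROPINPUT" == "on" ]` LOG block here along with the DROP, and letting the policy chain be the single place that logs, gives one line per dropped packet and keeps prefix and `--comment` in step. As written, INPUT also no longer has a terminal rule of its own, so anything POLICYIN does not decide falls to the built-in INPUT policy, which this hunk does not show — worth stating at the jump: `# INPUT is terminated by POLICYIN (config/forwardfw/firewall-policy); keep this jump last`.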
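Review bot: The unconditional `-j RETURN` changes the BLUE→GREEN case: previously packets from an authorised wireless host to `green_dev` skipped the `! -o green_dev` RETURN and were sent straight to FORWARDFW, whereas now all of that host's traffic returns to FORWARD and only reaches FORWARDFW because the initscript in this same patch appends FORWARDFW after WIRELESSFORWARD. That dependency lives in another file, so it should be stated where the rule is built, e.g. above the snprintf: `/* RETURN, not ACCEPT: authorised hosts fall back to FORWARD, where FORWARDFW (appended after WIRELESSFORWARD in init.d/firewall) applies the forward policy. */`. The enclosing `if` begins before this hunk, so its full condition is not visible here.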
@@ -164,18 +162,14 @@ int main(void) if (strlen(macaddress) == 17) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev); safe_system(command); } if (VALID_IP_AND_MASK(ipaddress)) { snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev); safe_system(command); } }
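Review bot: The new `--mac-source %s` line (and the unchanged WIRELESSINPUT one above it) still interpolates `macaddress` into a command handed to `safe_system()` after nothing more than `strlen(macaddress) == 17`; that admits strings such as `00:11:22:33:44;id`, which is exactly 17 bytes and, if `safe_system()` goes through a shell as its name suggests, executes before iptables ever gets to reject the malformed MAC. Where the value comes from is outside this hunk (presumably a config file written by the web UI, which limits the exposure), but a character-class check is cheap and makes the program safe regardless of who writes that file. `VALID_IP_AND_MASK()` already plays this role for `ipaddress`; a `valid_mac()` helper used in place of the bare length test (it needs `<ctype.h>`) is sketched below, and the same guard belongs on the first branch, whose condition starts before the previous hunk.
```c
/* Accept only xx:xx:xx:xx:xx:xx (hex digits and colons); strlen()==17 alone
 * lets shell metacharacters through to safe_system(). */
static int valid_mac(const char *mac)
{
    int i;

    for (i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    return mac[17] == '\0';
}

/* … unchanged: main() up to the per-host loop … */
            if (valid_mac(macaddress)) {
                snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
                /* … unchanged: safe_system() and the WIRELESSFORWARD RETURN rule … */
```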