Revert "bugfix: resolve bad chain ref and port from hotplug to a firewall include"

This reverts commit 646702aab9.

Needs to be broken up into separate commits, and it does not cleanly fix the issue with the tunnel firewall.
Conrad Lara - KG6JEI 2016-01-16 19:55:20 -08:00
parent 6d619b6757
commit 921967d5f9
1 changed files with 50 additions and 34 deletions


@ -1,9 +1,11 @@
#!/bin/sh
<<'LICENSE'
Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
Copyright (C) 2015 Conrad Lara and Joe Ayers
Copyright (C) 2015 Conrad Lara
See Contributors file for additional contributors
Copyright (c) 2013 David Rivenburg et al. BroadBand-HamNet
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 3 of the License.
@ -37,38 +39,52 @@ if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
exit 0;
fi
echo "Adding vtun firewall rules..."
iptables -N zone_vpn_input
iptables -N zone_vpn_ACCEPT
iptables -N zone_vpn_DROP
iptables -N zone_vpn_REJECT
iptables -N zone_vpn_forward
iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
iptables -I delegate_input 3 -i tun+ -j zone_vpn_input
iptables -I delegate_output 3 -j zone_vpn_ACCEPT
iptables -A zone_vpn_input -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A zone_vpn_input -p udp -m udp --dport 698 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 1978 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT
iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
if [ "$MESHFW_MESHGW" == "1" ] ; then
iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
# Test for pre-existing firewall rules which use a wildcard and only need setup 1 time for multiple tunnel connections
if ( $(iptables -L forwarding_vpn | egrep "^Chain forwarding_vpn \(.+ references\)" > /dev/null) ) then
rules_exist=1
else
iptables -I zone_vpn_forward -j zone_wan_dest_REJECT
rules_exist=0
fi
# Do nothing on firewall if tunnels already (or still) exist--set up once.
if [ $rules_exist -eq 0 ] ; then
echo "Adding vtun firewall rules..."
iptables -N forwarding_vpn
iptables -N input_vpn
iptables -N zone_vpn
iptables -N zone_vpn_ACCEPT
iptables -N zone_vpn_DROP
iptables -N zone_vpn_REJECT
iptables -N zone_vpn_forward
iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
iptables -I delegate_input 3 -i tun+ -j zone_vpn
iptables -I delegate_output 3 -j zone_vpn_ACCEPT
iptables -A zone_vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A zone_vpn -p tcp -m tcp --dport 2222 -j ACCEPT
iptables -A zone_vpn -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A zone_vpn -p udp -m udp --dport 698 -j ACCEPT
iptables -A zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
iptables -A zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
iptables -A zone_vpn -p tcp -m tcp --dport 9090 -j ACCEPT
iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
if [ "$MESHFW_MESHGW" -eq 1 ] ; then
iptables -I zone_vpn_forward -j zone_wan_ACCEPT
else
iptables -I zone_vpn_forward -j zone_wan_REJECT
fi
iptables -A zone_vpn -j input_vpn
iptables -A zone_vpn -j zone_vpn_ACCEPT
iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
iptables -A zone_vpn_DROP -o tun+ -j DROP
iptables -A zone_vpn_DROP -i tun+ -j DROP
iptables -A zone_vpn_REJECT -o tun+ -j reject
iptables -A zone_vpn_REJECT -i tun+ -j reject
iptables -A zone_vpn_forward -j zone_dtdlink_ACCEPT
iptables -A zone_vpn_forward -j zone_lan_ACCEPT
iptables -A zone_vpn_forward -j zone_wifi_ACCEPT
iptables -A zone_vpn_forward -j forwarding_vpn
fi
iptables -A zone_vpn_input -j zone_vpn_ACCEPT
iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
iptables -A zone_vpn_DROP -o tun+ -j DROP
iptables -A zone_vpn_DROP -i tun+ -j DROP
iptables -A zone_vpn_REJECT -o tun+ -j reject
iptables -A zone_vpn_REJECT -i tun+ -j reject
iptables -A zone_vpn_forward -j zone_dtdlink_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_lan_dest_ACCEPT
iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
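Review bot: The `iptables -I zone_vpn_forward -j zone_wan_REJECT` in the else branch of the `MESHFW_MESHGW` test is the only rule stopping a non-gateway node from forwarding tunnel traffic toward the WAN, and its exit status is never checked; the `-I zone_vpn_forward 1 -j zone_vpn_ACCEPT` rule plus `zone_vpn_ACCEPT -i tun+ -j ACCEPT` installed just above accept every packet entering this chain, so if that insert fails (the reverted commit's title suggests these `zone_wan_*` / `zone_*_ACCEPT` chain names may not exist on the running firewall) the node silently fails open. I would make the insert fatal: `iptables -I zone_vpn_forward -j zone_wan_REJECT || { echo "vtun: cannot install tunnel->WAN reject rule" >&2; exit 1; }`, and treat the gateway-side `zone_wan_ACCEPT` insert the same way so a failure is at least logged. The existence check `if ( $(iptables -L forwarding_vpn | egrep ... > /dev/null) ) then` relies on the status of an empty command being that of its command substitution and lets iptables print an error to stderr whenever the chain is absent; `if iptables -nL forwarding_vpn >/dev/null 2>&1; then` tests the same condition plainly. `[ "$MESHFW_MESHGW" -eq 1 ]` errors out when the variable is unset (it still lands in the else branch, but noisily); `[ "${MESHFW_MESHGW:-0}" -eq 1 ]` makes the default explicit. The script's shebang and the `MESHFW_TUNNELS_ENABLED` guard are outside this hunk.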