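# Captive-portal ("deco") ruleset, inet family (IPv4 + IPv6 in one table).
#
# Flow: some base chain (presumably defined in another file; not visible here)
# hands client traffic to prefilter_deco, which sorts each client into
#   - full access      : source address present in @whitelist_ipv4/@whitelist_ipv6
#   - limited access   : deco_limited (portal web + DNS only, everything else rejected)
#   - one-shot grant   : deco_whitelist, taken when the client contacts the
#                        payment provider ($ip_comnpay / $ip6_comnpay)
#
# The $ip_*/$ip6_* symbols are expected to be `define`d by an enclosing file;
# they are not declared in this listing.
table inet firewall {

    # Clients currently granted full access. Entries expire after 1h.
    set whitelist_ipv4 {
        type ipv4_addr
        flags timeout
        timeout 1h
    }

    set whitelist_ipv6 {
        type ipv6_addr
        flags timeout
        timeout 1h
    }

    # Clients that were whitelisted recently. Deliberately outlives the
    # whitelist (2h vs 1h): once the 1h grant lapses the client stays here
    # for another hour, during which contacting comnpay does NOT re-whitelist.
    set retry_period_ipv4 {
        type ipv4_addr
        flags timeout
        timeout 2h
    }

    set retry_period_ipv6 {
        type ipv6_addr
        flags timeout
        timeout 2h
    }

    # Traffic towards the portal host: no filtering applied here.
    chain to_deco {
        accept
    }

    chain from_deco {
        # Accept all traffic because the filtering has been done before
        accept
    }

    chain dnat_deco {
        # Redirect HTTP/HTTPS from non-whitelisted clients to the captive portal,
        # unless the destination is already the portal's own web whitelist.
        # HTTPS is redirected as well, so the browser will see a certificate
        # that does not match the originally requested host.
        ip saddr != @whitelist_ipv4 ip daddr != $ip_deco_web_whitelist tcp dport { http, https } dnat ip to $ip_deco_dnat
        ip6 saddr != @whitelist_ipv6 ip6 daddr != $ip6_deco_web_whitelist tcp dport { http, https } dnat ip6 to $ip6_deco_dnat
    }

    chain prefilter_deco {
        # When doing an online payment, the client must reach several websites
        # for 3-D Secure to load correctly. This is why, when the client hits
        # the comnpay IP, we whitelist it for a short time.
        #
        # NOTE(review): the grant is keyed on source address only and is
        # triggered by any packet addressed to $ip_comnpay / $ip6_comnpay, so
        # treat it as a convenience gate, not an authentication boundary.

        # Whitelisted: full internet access
        ip saddr @whitelist_ipv4 accept
        ip6 saddr @whitelist_ipv6 accept

        # Not whitelisted now but was recently: limited access only. Checked
        # before the comnpay rule so the cooldown cannot be bypassed.
        ip saddr @retry_period_ipv4 goto deco_limited
        ip6 saddr @retry_period_ipv6 goto deco_limited

        # Neither whitelisted nor recently whitelisted, and contacting comnpay: grant access
        ip daddr $ip_comnpay goto deco_whitelist
        ip6 daddr $ip6_comnpay goto deco_whitelist

        # Everyone else: limited access. This verdict must be unconditional —
        # re-checking @retry_period_* here can never match (already evaluated
        # above) and would let unmatched clients leave the chain with no verdict.
        goto deco_limited
    }

    chain deco_whitelist {
        # Record the client in the whitelist (1h grant) and in the retry period
        # (2h cooldown). Only the rule for the packet's address family fires.
        add @whitelist_ipv4 { ip saddr }
        add @whitelist_ipv6 { ip6 saddr }

        add @retry_period_ipv4 { ip saddr }
        add @retry_period_ipv6 { ip6 saddr }

        # The triggering packet itself is still handled as limited traffic: it
        # is accepted only if its destination matches the web/DNS whitelists
        # in deco_limited. Subsequent packets from this client hit the
        # @whitelist_* accept in prefilter_deco.
        goto deco_limited
    }

    chain deco_limited {
        # Accept HTTP & HTTPS towards the portal web whitelist
        ip daddr $ip_deco_web_whitelist tcp dport { http, https } accept
        ip6 daddr $ip6_deco_web_whitelist tcp dport { http, https } accept

        # Accept DNS towards the portal resolvers over both UDP and TCP
        # (TCP is the fallback for truncated responses). Both families get the
        # same treatment; previously IPv6 allowed only TCP/53, which blocked
        # ordinary UDP resolution for IPv6 clients.
        ip daddr $ip_deco_dns_whitelist udp dport 53 accept
        ip daddr $ip_deco_dns_whitelist tcp dport 53 accept
        ip6 daddr $ip6_deco_dns_whitelist udp dport 53 accept
        ip6 daddr $ip6_deco_dns_whitelist tcp dport 53 accept

        # Reject instead of drop so the client learns quickly that the traffic is blocked
        reject with icmpx type admin-prohibited
    }

}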