Various fixes to firewall script

overlay/etc/firewall.sh

@@ -50,6 +50,7 @@ iptables -A INPUT -i $LANIF -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i $LANIF -s 172.16.0.0/12 -j Antispoof_172
 iptables -A INPUT -i $LANIF -s 10.0.0.0/8 -j DROP
 iptables -A Antispoof_172 -i $LANIF -s 172.20.0.0/16 -j RETURN
+iptables -A Antispoof_172 -j LOG --log-prefix "ANTISPOOFIN "
 iptables -A Antispoof_172 -j DROP
 
 # Block outgoing NetBios (if you have windows machines running
@@ -63,7 +64,16 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o $LANIF -j DROP
 iptables -A OUTPUT -p udp --sport 137:139 -o $LANIF -j DROP
 
 # Check source address validity on packets going out to network
-iptables -A OUTPUT -s $PRIVATE -o $LANIF -j DROP
+iptables -N SourceAddr
+iptables -A OUTPUT -s $PRIVATE -o $LANIF -j SourceAddr
+iptables -A SourceAddr -j LOG --log-prefix "SOURCEADDR "
+iptables -A SourceAddr -j DROP
+
+# Keep state of connections from local machine and private subnets
+iptables -A OUTPUT -m state --state NEW -o $LANIF -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state NEW -o $LANIF -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allow local loopback
 iptables -A INPUT -s $LOOP -j ACCEPT
@@ -82,23 +92,7 @@ iptables -A FORWARD -p icmp --icmp-type 0/0 -j ACCEPT
 iptables -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
 
 # Allow services such as ssh (can be disabled)
-iptables -A INPUT -p tcp --dport ssh -j ACCEPT
-
-# Allow incoming OpenVPN packets
-# Duplicate the line below for each
-# OpenVPN tunnel, changing --dport n
-# to match the OpenVPN UDP port.
-#
-# In OpenVPN, the port number is
-# controlled by the --port n option.
-# If you put this option in the config
-# file, you can remove the leading '--'
-#
-# If you taking the stateful firewall
-# approach (see the OpenVPN HOWTO),
-# then comment out the line below.
-
-iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
+iptables -A INPUT -p tcp -m multiport --dports ssh,1194 -j ACCEPT -m state --state NEW
 
 # Allow packets from TUN/TAP devices.
 # When OpenVPN is run in a secure mode,
@@ -112,14 +106,10 @@ iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
 
 iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A FORWARD -i tun+ -j ACCEPT
-#iptables -A INPUT -i tap+ -j ACCEPT
-#iptables -A FORWARD -i tap+ -j ACCEPT
 
-# Keep state of connections from local machine and private subnets
-iptables -A OUTPUT -m state --state NEW -o $LANIF -j ACCEPT
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD -m state --state NEW -o $LANIF -j ACCEPT
-iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Catchall
+iptables -A INPUT -j LOG --log-prefix "CATCHALL "
+iptables -A FORWARD -j LOG --log-prefix "CATCHALL "
 
 # Masquerade local subnet
 iptables -t nat -A POSTROUTING -s $PRIVATE -o $LANIF -j MASQUERADE