summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2018-12-20 02:04:25 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-22 13:22:43 +0100
commitfc337924c7e66258319c6b6d538660240cfeda5e (patch)
treef0e96885c014ee7bc0083e93c1c8385aa53faed2
parent57273eb0ab62acbc38a327f50ccfd1ac5cc415da (diff)
firewall: gracefully close invalid connections.
This is useful when an ESTABLISHED connection is seen as NEW because the client was offline for some time. For instance, clients now gracefully close existing SSH connections immediately after resuming from a suspend state, rather that waiting for the TCP timeout.
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh16
1 files changed, 12 insertions, 4 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 36c12c6..8ef3ab9 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -254,7 +254,7 @@ run() {
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
+ iptables -A INPUT -p tcp \! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
# Allow all input/output to/from the loopback interface.
local localhost=$(inet46 $f '127.0.0.1/8' '::1/128')
@@ -299,8 +299,8 @@ run() {
while read dir proto dport sport; do
# We add two entries per config line: we need to accept the new
# connection, and latter the reply.
- local stNew=NEW,ESTABLISHED
- local stEst=ESTABLISHED
+ local stNew=NEW,ESTABLISHED,RELATED
+ local stEst=ESTABLISHED,RELATED
# In-Out means full-duplex
[[ "$dir" =~ ^inout ]] && stEst="$stNew"
@@ -327,7 +327,15 @@ run() {
iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
done
- iptables -A OUTPUT -o $if -j REJECT
+
+ iptables -A OUTPUT -o $if -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A OUTPUT -o $if -p udp -j REJECT --reject-with port-unreach
+ if [ "$f" = "4" ]; then
+ iptables -A OUTPUT -o $if -p icmp -j REJECT --reject-with icmp-host-unreachable
+ iptables -A OUTPUT -o $if -j REJECT --reject-with icmp-host-prohibited
+ else
+ iptables -A OUTPUT -o $if -j REJECT
+ fi
########################################################################
commit