diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2013-11-04 08:25:54 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:50:44 +0200 |
| commit | 51ea7eca6ca198606a71c107bb67d64186761456 (patch) | |
| tree | 14813b4755d3f58113597dd96aa02da78b63494d /roles/common/files/usr/local/sbin | |
| parent | 0dd6a96ce1bf2cef9140d01a5c49eb92e2f8ec6f (diff) | |
wibble
Diffstat (limited to 'roles/common/files/usr/local/sbin')
| -rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 1c57646..2e16711 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -17,41 +17,41 @@ # Dependencies: netmask(1) # # Copyright 2013 Guilhem Moulin <guilhem@fripost.org> # # Licensed under the GNU GPL version 3 or higher. # set -ue PATH=/usr/sbin:/usr/bin:/sbin:/bin timeout=10 force=0 check=0 verbose=0 addrfam= secmark=0xA99 # must match that in /etc/network/if-up.d/ipsec secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp) fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' -IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$" +IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() usage() { cat >&2 <<- EOF Usage: $0 [OPTIONS] Options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only EOF exit 1 } log() { /usr/bin/logger -st firewall -p syslog.info -- "$@" } fatal() { @@ -176,41 +176,41 @@ run() { # The usual chains in filter, along with the desired default policies. ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP if [ -z "$if" ]; then # If the interface is not configured, we stop here and DROP all # packets by default. Thanks to the pre-up hook this tight # policy will be activated whenever the interface goes up. mv "$new" /etc/iptables/rules.v$f return 0 fi # Fail2ban-specific chains and traps if [ $fail2ban -eq 1 ]; then echo ":fail2ban - [0:0]" # Don't remove existing rules & traps in the current rulest grep -- '^:fail2ban-\S' "$old" || true grep -E -- ' -j fail2ban-\S+$' "$old" || true grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" - if [ -n "$ifsec" ]; then + if [ -n "$ipsec" ]; then # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6. grep -E -- "$IPSec_re" "$old" >> "$new" || true # Allow any IPsec $secproto protocol packets to be sent and received. iptables -A INPUT -i $if -p $secproto -j ACCEPT iptables -A OUTPUT -o $if -p $secproto -j ACCEPT fi ######################################################################## # DROP all RFC1918 addresses, martian networks, multicasts, ... # Credits to http://newartisans.com/2007/09/neat-tricks-with-iptables/ # http://baldric.net/loose-iptables-firewall-for-servers/ local ip if [ "$f" = 4 ]; then # Private-use networks (RFC 1918) and link local (RFC 3927) local MyNetwork=$( /bin/ip -4 address show dev $if scope global \ | sed -nr 's/^\s+inet\s(\S+).*/\1/p') [ -n "$MyNetwork" ] && \ |