authorGuilhem Moulin <guilhem@fripost.org>2016-05-24 17:13:38 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-05-24 17:13:38 +0200
commit25564fcae2ed65eb3c1981e1e0e44621a3c9d7eb (patch)
tree63183ad2fd8ff88366f3762af6ecaf9423de74cd /roles/common/files/usr/local
parent1af3c572eedb0eaddcdc5c9c41d98ff59bb7b2c9 (diff)
typo
Diffstat (limited to 'roles/common/files/usr/local')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh8
1 files changed, 4 insertions, 4 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 065bae2..d5e2238 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -247,44 +247,44 @@ run() {
iptables -A INPUT -i $if -d "$ip" -j DROP
done
fi
# DROP INVALID packets immediately.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
# Allow all input/output to/from the loopback interface.
local localhost=$(inet46 $f '127.0.0.1/8' '::1/128')
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
if [ "$f" = 4 -a "$ipsec" = y ]; then
# Allow local access to our virtual IP
/bin/ip -4 -o route show table 220 dev $if \
- | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?/\1/p' \
- | while read ipsec; do
- iptables -A INPUT -i lo -s "$ipsec" -d "$ipsec" -j ACCEPT
- iptables -A OUTPUT -o lo -s "$ipsec" -d "$ipsec" -j ACCEPT
+ | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \
+ | while read ips; do
+ iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT
+ iptables -A OUTPUT -o lo -s "$ips" -d "$ips" -j ACCEPT
done
fi
# Prepare fail2ban. We make fail2ban insert its rules in a
# dedicated chain, so that it doesn't mess up the existing rules.
[ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
if [ "$f" = 4 ]; then
# Allow only ICMP of type 0, 3 and 8. The rate-limiting is done
# directly by the kernel (net.ipv4.icmp_ratelimit and
# net.ipv4.icmp_ratemask runtime options). See icmp(7).
local t
for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do
iptables -A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
done
elif [ $f = 6 ]; then
iptables -A INPUT -p icmpv6 -j ACCEPT
iptables -A OUTPUT -p icmpv6 -j ACCEPT
fi