authorGuilhem Moulin <guilhem@fripost.org>2018-12-08 01:05:28 +0100
committerGuilhem Moulin <guilhem@fripost.org>2018-12-09 20:25:39 +0100
commitbccbd0d4c0faf46e911284e599cc22da2c9b04d9 (patch)
treef97f322251eae8d5fb84ddc217fd65ac6a67c4ed /roles/common/files/usr
parentd6ce377c2eea26b3ba708b70de942af81c94e813 (diff)
Firewall: REJECT outgoing connections instead of DROPing them.
Diffstat (limited to 'roles/common/files/usr')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh1
1 files changed, 1 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 207eada..36c12c6 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -310,40 +310,41 @@ run() {
*,*|*:*) optsNew="--match multiport --dports $dport"
optsEst="--match multiport --sports $dport";;
?*) optsNew="--dport $dport"
optsEst="--sport $dport";;
esac
case "$sport" in
*,*|*:*) optsNew+=" --match multiport --sports $sport"
optsEst+=" --match multiport --dports $sport";;
?*) optsNew+=" --sport $sport"
optsEst+=" --dport $sport";;
esac
case "$dir" in
in|inout) iptNew="-A INPUT -i"; iptEst="-A OUTPUT -o";;
out) iptNew="-A OUTPUT -o"; iptEst="-A INPUT -i";;
*) fatal "Error: Unknown direction: '$dir'."
esac
iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
done
+ iptables -A OUTPUT -o $if -j REJECT
########################################################################
commit
local rv1=0 rv2=0 persistent=/etc/iptables/rules.v$f
local oldz=$(mktemp --tmpdir current-rules.v$f.XXXXXX)
# Reset the counters. They are not useful for comparing and/or
# storing persistent ruleset. (We don't use sed -i because we want
# to restore the counters when reverting.)
sed -r -e '/^:/ s/\[[0-9]+:[0-9]+\]$/[0:0]/' \
-e 's/^\[[0-9]+:[0-9]+\]\s+//' \
"$old" >"$oldz"
ip netns exec $netns $ipt-restore <"$new" || ipt-revert
for table in ${tables[$f]}; do
ip netns exec $netns $ipt-save -t $table
done >"$new"