authorGuilhem Moulin <guilhem@fripost.org>2015-06-03 19:21:52 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:54:16 +0200
commit0dbdc948c7c2bda7e2610a7b48b17f63bec184ea (patch)
tree652b31f3b1b9deabc9b86da75849d0ed89ddd9d4 /roles/common/files
parentfb9d6472095cdffd8f43c0416d63ef7b15cb598a (diff)
firewall: allow 127.0.0.1/8 on lo.
Diffstat (limited to 'roles/common/files')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh2
1 files changed, 1 insertions, 1 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 33b6ef1..f25f507 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -239,41 +239,41 @@ run() {
elif [ "$f" = 6 ]; then
# Martian IPv6 packets: ULA (RFC 4193) and site local addresses
# (RFC 3879).
for ip in fc00::/7 fec0::/10; do
iptables -A INPUT -i $if -s "$ip" -j DROP
iptables -A INPUT -i $if -d "$ip" -j DROP
done
fi
# DROP INVALID packets immediately.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
# Allow all input/output to/from the loopback interface.
- local localhost=$(inet46 $f '127.0.0.1/32' '::1/128')
+ local localhost=$(inet46 $f '127.0.0.1/8' '::1/128')
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
if [ "$ipsec" ]; then
# ACCEPT any, *IPSec* traffic destinating to the non-routable
# $ipsec. Also ACCEPT all traffic originating from $ipsec, as
# it is MASQUERADE'd.
iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in \
--pol ipsec --proto $secproto -j ACCEPT
iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
fi
# Prepare fail2ban. We make fail2ban insert its rules in a
# dedicated chain, so that it doesn't mess up the existing rules.
[ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
if [ "$f" = 4 ]; then
# Allow only ICMP of type 0, 3 and 8. The rate-limiting is done
# directly by the kernel (net.ipv4.icmp_ratelimit and
# net.ipv4.icmp_ratemask runtime options). See icmp(7).