-rw-r--r-- | group_vars/all.yml | 4 | ||||
-rwxr-xr-x | roles/common/files/usr/local/sbin/update-firewall.sh | 8 |
2 files changed, 6 insertions, 6 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index c7900a6..9458dc0 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,25 +1,25 @@
--- postfix_instance: # The keys are the group names associated with a Postfix role, and the # values are the name and group (optional) of the instance dedicated # to that role. IMAP: { name: mda, port: 2526 } MX: { name: mx, group: mta } out: { name: out, group: mta, port: 2525 } MSA: { name: msa } lists: { name: lists, port: 2527 } # Virtual (non-routable) IPv4 subnet for IPSec. It is always nullrouted
-# on in the absence of xfrm lookup (i.e., when there is no matching
-# IPSec Security Association) to avoid data leaks.
+# in the absence of xfrm lookup (i.e., when there is no matching IPSec
+# Security Association) to avoid data leaks.
ipsec_subnet: 172.16.0.0/24 ipsec: # Virtual (non-routable) addresses for IPSec. They all need to be # distinct and belong to the above subnet 'ipsec_subnet'. antilop: 172.16.0.1 benjamin: 172.16.0.2 civett: 172.16.0.3 elefant: 172.16.0.4 giraff: 172.16.0.5 mistral: 172.16.0.6
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 065bae2..d5e2238 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -247,44 +247,44 @@ run() {
iptables -A INPUT -i $if -d "$ip" -j DROP done fi # DROP INVALID packets immediately. iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP # DROP bogus TCP packets. iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP # Allow all input/output to/from the loopback interface. local localhost=$(inet46 $f '127.0.0.1/8' '::1/128') iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT if [ "$f" = 4 -a "$ipsec" = y ]; then # Allow local access to our virtual IP /bin/ip -4 -o route show table 220 dev $if \
- | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?/\1/p' \
- | while read ipsec; do
- iptables -A INPUT -i lo -s "$ipsec" -d "$ipsec" -j ACCEPT
- iptables -A OUTPUT -o lo -s "$ipsec" -d "$ipsec" -j ACCEPT
+ | sed -nr 's/.*\ssrc\s+([[:digit:].]{7,15})(\s.*)?$/\1/p' \
+ | while read ips; do
+ iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT
+ iptables -A OUTPUT -o lo -s "$ips" -d "$ips" -j ACCEPT
done fi # Prepare fail2ban. We make fail2ban insert its rules in a # dedicated chain, so that it doesn't mess up the existing rules. [ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban if [ "$f" = 4 ]; then # Allow only ICMP of type 0, 3 and 8. The rate-limiting is done # directly by the kernel (net.ipv4.icmp_ratelimit and # net.ipv4.icmp_ratemask runtime options). See icmp(7). local t for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do iptables -A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT iptables -A OUTPUT -p icmp -m icmp --icmp-type $t -j ACCEPT done elif [ $f = 6 ]; then iptables -A INPUT -p icmpv6 -j ACCEPT iptables -A OUTPUT -p icmpv6 -j ACCEPT |
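Review bot: The rewritten `while read ips` loop still cannot report failure: it is the last stage of a pipeline, so an `iptables` call that rejects the address, or an `ip route show` that yields no `src` field, leaves the IPsec virtual IP without its loopback ACCEPT rules while the rest of `run()` (which starts and ends outside this hunk) carries on. Whether the script runs under `set -e` or `set -o pipefail` is not visible here, so I would make the loop fail on its own: `| while IFS= read -r ips; do` and `iptables -A INPUT -i lo -s "$ips" -d "$ips" -j ACCEPT || exit 1` (likewise for the OUTPUT rule), which turns a missing rule into a non-zero pipeline status that `pipefail`, where enabled, can surface. The rename from `ipsec` to `ips` is a good move since `$ipsec` is the feature flag tested in the `if` just above, but `ips` reads as a list; a comment such as `# one virtual IPsec address per line; named 'ips' so as not to shadow the $ipsec flag` would spare the next reader the guess. Table 220 is, I believe, the routing table strongSwan's charon populates by default — worth stating in the `# Allow local access to our virtual IP` comment if that is the case.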