summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh16
1 files changed, 12 insertions, 4 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 36c12c6..8ef3ab9 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -254,7 +254,7 @@ run() {
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
+ iptables -A INPUT -p tcp \! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
# Allow all input/output to/from the loopback interface.
local localhost=$(inet46 $f '127.0.0.1/8' '::1/128')
@@ -299,8 +299,8 @@ run() {
while read dir proto dport sport; do
# We add two entries per config line: we need to accept the new
# connection, and latter the reply.
- local stNew=NEW,ESTABLISHED
- local stEst=ESTABLISHED
+ local stNew=NEW,ESTABLISHED,RELATED
+ local stEst=ESTABLISHED,RELATED
# In-Out means full-duplex
[[ "$dir" =~ ^inout ]] && stEst="$stNew"
@@ -327,7 +327,15 @@ run() {
iptables $iptNew $if -p $proto $optsNew -m state --state $stNew -j ACCEPT
iptables $iptEst $if -p $proto $optsEst -m state --state $stEst -j ACCEPT
done
- iptables -A OUTPUT -o $if -j REJECT
+
+ iptables -A OUTPUT -o $if -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A OUTPUT -o $if -p udp -j REJECT --reject-with port-unreach
+ if [ "$f" = "4" ]; then
+ iptables -A OUTPUT -o $if -p icmp -j REJECT --reject-with icmp-host-unreachable
+ iptables -A OUTPUT -o $if -j REJECT --reject-with icmp-host-prohibited
+ else
+ iptables -A OUTPUT -o $if -j REJECT
+ fi
########################################################################
commit