Diffstat (limited to 'roles/common/files/usr/local/sbin')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh8
1 files changed, 5 insertions, 3 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 4050e9e..cfd2678 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -236,70 +236,72 @@ run() {
iptables -A INPUT -i $if -s "$ip" -j DROP
iptables -A INPUT -i $if -d "$ip" -j DROP
done
elif [ "$f" = 6 ]; then
# Martian IPv6 packets: ULA (RFC 4193) and site local addresses
# (RFC 3879).
for ip in fc00::/7 fec0::/10; do
iptables -A INPUT -i $if -s "$ip" -j DROP
iptables -A INPUT -i $if -d "$ip" -j DROP
done
fi
# DROP INVALID packets immediately.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
# Allow all input/output to/from the loopback interface.
local localhost=$(inet46 $f '127.0.0.1/32' '::1/128')
iptables -A INPUT -i lo -s "$localhost" -d "$localhost" -j ACCEPT
iptables -A OUTPUT -o lo -s "$localhost" -d "$localhost" -j ACCEPT
if [ "$ipsec" ]; then
# ACCEPT any, *IPSec* traffic destinating to the non-routable
# $ipsec. Also ACCEPT all traffic originating from $ipsec, as
# it is MASQUERADE'd.
iptables -A INPUT -d "$ipsec" -i $if -m policy --dir in \
--pol ipsec --proto $secproto -j ACCEPT
iptables -A OUTPUT -m mark --mark "$secmark" -o $if -j ACCEPT
fi
# Prepare fail2ban. We make fail2ban insert its rules in a
# dedicated chain, so that it doesn't mess up the existing rules.
[ $fail2ban -eq 1 ] && iptables -A INPUT -i $if -j fail2ban
if [ "$f" = 4 ]; then
# Allow only ICMP of type 0, 3 and 8. The rate-limiting is done
# directly by the kernel (net.ipv4.icmp_ratelimit and
# net.ipv4.icmp_ratemask runtime options). See icmp(7).
local t
for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do
- iptables -A INPUT -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT
- iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
+ iptables -A OUTPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
done
elif [ $f = 6 ]; then
- iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT
+ iptables -A INPUT -p icmpv6 -j ACCEPT
+ iptables -A OUTPUT -p icmpv6 -j ACCEPT
fi
########################################################################
# ACCEPT new connections to the services we provide, or to those we want
# to connect to.
sed -re 's/#.*//; /^\s*$/d' -e "s/^(in|out|inout)$f?(\s.*)/\1\2/" \
/etc/iptables/services | \
grep -Ev '^(in|out|inout)\S\s' | \
while read dir proto dport sport; do
# We add two entries per config line: we need to accept the new
# connection, and latter the reply.
local stNew=NEW,ESTABLISHED
local stEst=ESTABLISHED
# In-Out means full-duplex
[[ "$dir" =~ ^inout ]] && stEst="$stNew"
local iptNew= iptEst= optsNew= optsEst=