Merge pull request #1693 from holta/firewall-usability

iptables firewall: Apply @jvonau's "$lan" != "none" to forwarding not just masquerading
2025-03-09 15:40:17 +00:00 · 2019-05-23 23:51:54 -04:00 · 2019-05-23 23:51:54 -04:00 · 44c8204f66
commit 44c8204f66
parent 3d976bebec a68ae48b4e
1 changed files with 17 additions and 16 deletions
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@ -166,30 +166,31 @@ if [ "$wan" != "none" ]; then
        $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
    fi

-    # Typically False, to keep client machines (e.g. students) off the Internet
-    if [ "$iiab_gateway_enabled" == "True" ] && [ "$lan" != "none" ]; then
-        $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
-    fi
+    if [ "$lan" != "none" ]; then
+        # Typically False, to keep client machines (e.g. students) off the Internet
+        if [ "$iiab_gateway_enabled" == "True" ]; then
+            $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
+        fi

-    # 3 or 4 IP forwarding rules
-    $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-    # Block https traffic except if directed at server
-    if [ "$gw_block_https" == "True" ]; then
-        $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
+        # 3 or 4 IP forwarding rules
+        $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
+        # Block https traffic except if directed at server
+        if [ "$gw_block_https" == "True" ]; then
+            $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
+        fi
+        # Allow outgoing connections from the LAN side
+        $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
+        # Don't forward from the outside to the inside
+        $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
+        # Enable routing (kernel IP forwarding)
+        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
-    # Allow outgoing connections from the LAN side
-    $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
-    # Don't forward from the outside to the inside
-    $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
-    # Enable routing (kernel IP forwarding)
-    echo 1 > /proc/sys/net/ipv4/ip_forward

    # 5 = "all but databases"
    if [ "$ports_externally_visible" -lt 5 ]; then
        # Drop everything else arriving via WAN
        $IPTABLES -A INPUT -i $wan -j DROP
    fi
-
 fi

 # TCP & UDP block of DNS port 53 if truly nec