	add WAN-side rules even if Appliance (if WAN exists!)
This commit is contained in:
		
							parent
							
								
									c74053ef52
								
							
						
					
					
						commit
						52fdf8983b
					
				
					 1 changed files with 78 additions and 81 deletions
				
			
		| 
						 | 
				
			
			@ -77,13 +77,13 @@ elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt
 | 
			
		|||
    exit 1
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
 | 
			
		||||
#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
 | 
			
		||||
# Load iptables kernel modules
 | 
			
		||||
/sbin/modprobe ip_tables
 | 
			
		||||
/sbin/modprobe iptable_filter
 | 
			
		||||
/sbin/modprobe ip_conntrack
 | 
			
		||||
/sbin/modprobe iptable_nat
 | 
			
		||||
fi
 | 
			
		||||
#fi
 | 
			
		||||
 | 
			
		||||
# Delete all existing firewall rules
 | 
			
		||||
$IPTABLES -F
 | 
			
		||||
| 
						 | 
				
			
			@ -110,27 +110,16 @@ $IPTABLES -A INPUT -p udp --dport 5432 -j DROP
 | 
			
		|||
$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
 | 
			
		||||
$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
 | 
			
		||||
 | 
			
		||||
save_rules_and_exit() {
 | 
			
		||||
{% if is_debuntu %}
 | 
			
		||||
    netfilter-persistent save
 | 
			
		||||
{% else %}
 | 
			
		||||
    iptables-save > $IPTABLES_DATA
 | 
			
		||||
{% endif %}
 | 
			
		||||
 | 
			
		||||
    exit 0
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
if [ "$wan" == "none" ] || [ "$network_mode" == "Appliance" ]; then
 | 
			
		||||
    save_rules_and_exit
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# Allow established connections, and those not coming from the outside
 | 
			
		||||
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 | 
			
		||||
$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
 | 
			
		||||
 | 
			
		||||
# Allow mDNS from WAN-side too (WHY OUT OF CURIOSITY?)
 | 
			
		||||
# Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
 | 
			
		||||
$IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
 | 
			
		||||
 | 
			
		||||
#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
 | 
			
		||||
if [ "$wan" != "none" ]; then
 | 
			
		||||
 | 
			
		||||
    # 1 = ssh only
 | 
			
		||||
    if [ "$ports_externally_visible" -ge 1 ]; then
 | 
			
		||||
        $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
 | 
			
		||||
| 
						 | 
				
			
			@ -172,7 +161,7 @@ if [ "$ports_externally_visible" -ge 4 ]; then
 | 
			
		|||
        $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
 | 
			
		||||
    fi
 | 
			
		||||
 | 
			
		||||
# Typically False, to keep students off the Internet
 | 
			
		||||
    # Typically False, to keep client machines (e.g. students) off the Internet
 | 
			
		||||
    if [ "$iiab_gateway_enabled" == "True" ]; then
 | 
			
		||||
        $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
 | 
			
		||||
    fi
 | 
			
		||||
| 
						 | 
				
			
			@ -196,16 +185,24 @@ if [ "$ports_externally_visible" -lt 5 ]; then
 | 
			
		|||
        $IPTABLES -A INPUT -i $wan -j DROP
 | 
			
		||||
    fi
 | 
			
		||||
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# TCP & UDP block of DNS port 53 if truly nec
 | 
			
		||||
if [ "$block_DNS" == "True" ]; then
 | 
			
		||||
    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 | 
			
		||||
    $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# If Squid enabled, indicated by /etc/iiab/iiab.env
 | 
			
		||||
# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
 | 
			
		||||
if [ "$HTTPCACHE_ON" == "True" ]; then
 | 
			
		||||
    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 | 
			
		||||
fi
 | 
			
		||||
 | 
			
		||||
# Save the whole rule set
 | 
			
		||||
save_rules_and_exit
 | 
			
		||||
{% if is_debuntu %}
 | 
			
		||||
netfilter-persistent save
 | 
			
		||||
{% else %}
 | 
			
		||||
iptables-save > $IPTABLES_DATA
 | 
			
		||||
{% endif %}
 | 
			
		||||
 | 
			
		||||
exit 0
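Review bot: Nothing on the new side checks that `$lan` names an interface before the `-i $lan` rules run: with the early `save_rules_and_exit` for `$wan == none` / Appliance removed (second hunk), the `--state NEW -i $lan -j ACCEPT` rule and the `-t nat -A PREROUTING -i $lan` DNAT rules in the last hunk are reached on every path, and if `$lan` is empty or `none` on a WAN-less or Appliance host (how `$lan` is set lies before the first hunk, so I cannot confirm it here) the unquoted expansion turns `-i $lan` into `-i -j`, that iptables call fails, and the script still saves and exits 0. The same gap applies to `-i $wan` under the relaxed `if [ "$wan" != "none" ]` test when `$wan` is unset rather than `none`. Guarding the LAN-side blocks the way the WAN side is guarded, e.g. `if [ -n "$lan" ] && [ "$lan" != "none" ]; then`, and quoting `"$lan"`/`"$wan"` in the rules keeps a missing interface from silently leaving those rules out. Separately, the inline save that replaces the function call exits 0 even when `iptables-save > $IPTABLES_DATA` fails, so an unpersisted rule set is reported as success; `iptables-save > "$IPTABLES_DATA" || exit 1` keeps that failure visible.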
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||