external/iiab
1
0
Fork 0
mirror of https://github.com/iiab/iiab.git synced 2025-02-13 19:52:06 +00:00
Code Issues Releases Wiki Activity

Apply @jvonau's "$lan" != "none" to fwd'ing (not just masq'ing)

Browse source
This commit is contained in:
A Holt 2019-05-23 23:42:55 -04:00 committed by GitHub
parent 7012946f1b
commit a68ae48b4e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
roles/network/templates/gateway/iiab-gen-iptables
View file

@ -163,30 +163,31 @@ if [ "$wan" != "none" ]; then
$IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
fi fi
# Typically False, to keep client machines (e.g. students) off the Internet if [ "$lan" != "none" ]; then
if [ "$iiab_gateway_enabled" == "True" ] && [ "$lan" != "none" ]; then # Typically False, to keep client machines (e.g. students) off the Internet
$IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE if [ "$iiab_gateway_enabled" == "True" ]; then
fi $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
fi
# 3 or 4 IP forwarding rules # 3 or 4 IP forwarding rules
$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block https traffic except if directed at server # Block https traffic except if directed at server
if [ "$gw_block_https" == "True" ]; then if [ "$gw_block_https" == "True" ]; then
$IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
fi
# Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
# Enable routing (kernel IP forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
fi fi
# Allow outgoing connections from the LAN side
$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
# Don't forward from the outside to the inside
$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
# Enable routing (kernel IP forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
# 5 = "all but databases" # 5 = "all but databases"
if [ "$ports_externally_visible" -lt 5 ]; then if [ "$ports_externally_visible" -lt 5 ]; then
# Drop everything else arriving via WAN # Drop everything else arriving via WAN
$IPTABLES -A INPUT -i $wan -j DROP $IPTABLES -A INPUT -i $wan -j DROP
fi fi
fi fi
# TCP & UDP block of DNS port 53 if truly nec # TCP & UDP block of DNS port 53 if truly nec