author | Christian Pointner <equinox@spreadspace.org> | 2018-12-30 01:05:04 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2018-12-30 01:05:04 +0100 |
commit | 085ddb87f0a003b8a500652514f843ba4b6bc7d5 (patch) | |
tree | 9d66d2161f39d389e72e5b43c3df4084f6ec9cec | |
parent | elevate guest wifi password was too short (diff) |
improved firewall for ele-router
-rw-r--r-- | inventory/host_vars/ele-router.yml | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 2d5cb1b3..8fa386a9 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -168,9 +168,11 @@ openwrt_mixin:
 MGMT_NETMASK=$(uci get network.mgmt.netmask)
 start() {
- iptables -A INPUT -p icmp -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+
+ ### todo: limit the destination address?
+ iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
 iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT
 iptables -A INPUT -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -179,10 +181,12 @@ openwrt_mixin:
 ipaddr=$(uci get "network.$zone.ipaddr")
 netmask=$(uci get "network.$zone.netmask")
+ iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
+
 ### todo: only do this if dhcp is defined in network_zone
 iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
- iptables -A INPUT -i "$interface" -p udp --dport 53 -j ACCEPT
- iptables -A INPUT -i "$interface" -p tcp --dport 53 -j ACCEPT
+ iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
 iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
 iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT |
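Review bot: The new `iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT` in the first hunk still accepts every ICMP type from the WAN side with no rate limit; the commit only narrows the old interface-wide rule to one interface, not to a set of types. The WAN `RELATED,ESTABLISHED` rule two lines below already admits ICMP error messages that belong to existing flows (destination-unreachable, time-exceeded), so the explicit rule only has to cover unsolicited echo requests and could be reduced to `iptables -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 10/s --limit-burst 20 -j ACCEPT`, assuming the limit match is available on the router (the rates are illustrative). The `### todo: limit the destination address?` marker could then be closed the same way the zone rules in the second hunk use `-d "$ipaddr"`, provided a WAN address variable exists at this point; none is visible in the hunk. `start()` opens in the hunk but continues past its end.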
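Review bot: In the second hunk the DHCP rule `iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT` is now the only per-zone INPUT rule without the `-d "$ipaddr" -s "$ipaddr/$netmask"` restriction that this commit adds to the neighbouring ICMP and DNS rules, and nothing explains the asymmetry. It has to stay unrestricted because DHCP clients send DISCOVER/REQUEST from 0.0.0.0 to the broadcast address, so a comment such as `# no -s/-d match here: DHCP clients send from 0.0.0.0 to 255.255.255.255` would keep a later "make it consistent" cleanup from silently breaking address assignment. The existing `### todo: only do this if dhcp is defined in network_zone` remains open after this change. The loop that sets `interface`, `ipaddr` and `netmask` begins before the hunk and continues past it.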