diff options
| author | Christian Pointner <equinox@spreadspace.org> | 2018-12-30 21:11:36 +0100 |
|---|---|---|
| committer | Christian Pointner <equinox@spreadspace.org> | 2018-12-30 21:11:36 +0100 |
| commit | d65bbe813541cce6a13c524110b671e1cd5c44a6 (patch) | |
| tree | b08a9b24097960f6ccc3669b751ce2dec7ed0a21 | |
| parent | dolmetsch-ctl basic install works now (diff) | |
imporved firewall for ele-router and ele-ap-*
| -rw-r--r-- | inventory/group_vars/accesspoints/main.yml | 2 | ||||
| -rw-r--r-- | inventory/host_vars/ele-router.yml | 14 |
2 files changed, 10 insertions, 6 deletions
diff --git a/inventory/group_vars/accesspoints/main.yml b/inventory/group_vars/accesspoints/main.yml index 632e7e95..44931865 100644 --- a/inventory/group_vars/accesspoints/main.yml +++ b/inventory/group_vars/accesspoints/main.yml @@ -117,7 +117,7 @@ openwrt_mixin: start() { iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP } diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml index 8fa386a9..50ea7658 100644 --- a/inventory/host_vars/ele-router.yml +++ b/inventory/host_vars/ele-router.yml @@ -168,8 +168,8 @@ openwrt_mixin: MGMT_NETMASK=$(uci get network.mgmt.netmask) start() { - iptables -A INPUT -i lo -j ACCEPT - iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT + iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT + iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT ### todo: limit the destination address? iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT @@ -181,13 +181,17 @@ openwrt_mixin: ipaddr=$(uci get "network.$zone.ipaddr") netmask=$(uci get "network.$zone.netmask") - iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT - - ### todo: only do this if dhcp is defined in network_zone + ### todo: only add this if dhcp is in network_zones[zone] iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT + + ### todo: only do this if dhcp is in network_zones[zone] or $ipaddr is in network_zones[zone].dns iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT + iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT + iptables -A INPUT -i "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT + + iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE |