improved firewall for ele-router

1 files changed, 7 insertions, 3 deletions

diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 2d5cb1b3..8fa386a9 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -168,9 +168,11 @@ openwrt_mixin:
       MGMT_NETMASK=$(uci get network.mgmt.netmask)
 
       start() {
-        iptables -A INPUT -p icmp -j ACCEPT
         iptables -A INPUT -i lo -j ACCEPT
         iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+
+        ### todo: limit the destination address?
+        iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
         iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT
         iptables -A INPUT -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
 
@@ -179,10 +181,12 @@ openwrt_mixin:
           ipaddr=$(uci get "network.$zone.ipaddr")
           netmask=$(uci get "network.$zone.netmask")
 
+          iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
+
           ### todo: only do this if dhcp is defined in network_zone
           iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
-          iptables -A INPUT -i "$interface" -p udp --dport 53 -j ACCEPT
-          iptables -A INPUT -i "$interface" -p tcp --dport 53 -j ACCEPT
+          iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
+          iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
 
           iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
           iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT