From d65bbe813541cce6a13c524110b671e1cd5c44a6 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 30 Dec 2018 21:11:36 +0100
Subject: imporved firewall for ele-router and ele-ap-*

---
inventory/group_vars/accesspoints/main.yml | 2 +-
inventory/host_vars/ele-router.yml | 14 +++++++++-----
2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/inventory/group_vars/accesspoints/main.yml b/inventory/group_vars/accesspoints/main.yml
index 632e7e95..44931865 100644
--- a/inventory/group_vars/accesspoints/main.yml
+++ b/inventory/group_vars/accesspoints/main.yml
@@ -117,7 +117,7 @@ openwrt_mixin:
 start() {
 iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 }
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index 8fa386a9..50ea7658 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -168,8 +168,8 @@ openwrt_mixin:
 MGMT_NETMASK=$(uci get network.mgmt.netmask)
 start() {
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
 ### todo: limit the destination address?
 iptables -A INPUT -i "$WAN_IF" -p icmp -j ACCEPT
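Review bot: With `iptables -P INPUT DROP` and only the `lo` and mgmt-subnet accepts in front of it, the access point has no rule for return traffic of connections it initiates itself, so replies from any host outside `$MGMT_IPADDR/$MGMT_NETMASK` (an upstream NTP server, a package mirror reached through the mgmt gateway) are dropped; if the AP is expected to talk beyond its own subnet, add `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` before the policy lines. The narrowing to `-d "$MGMT_IPADDR"` is an IPv4-only change; nothing in this hunk touches `ip6tables`, so the IPv6 INPUT policy presumably stays at its default unless it is handled elsewhere in the mixin, which is worth confirming. A short comment on the new rule would also help the next reader, e.g. `# management access only: mgmt subnet -> this host's mgmt address (broadcasts to the subnet are no longer accepted)`.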
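Review bot: The new `iptables -A INPUT -i lo -d 127.0.0.0/8 -s 127.0.0.0/8 -j ACCEPT` drops locally originated traffic to the router's own non-loopback addresses: on Linux such packets are delivered over `lo` with the interface address as source and destination (a local `dig @$ipaddr`, or a process connecting to a service bound on `$MGMT_IPADDR`), and the only other INPUT accepts are keyed on `-i "$MGMT_IF"` / `-i "$WAN_IF"`, so they fall through to the DROP policy. `-i lo` cannot match packets that entered on a physical interface, so the previous `iptables -A INPUT -i lo -j ACCEPT` did not need the address restriction; if the intent is to reject spoofed loopback sources, keep the plain `lo` accept and add `iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP` instead. The WAN ICMP accept next to it is still unrestricted, as the existing todo notes; a `-m limit --limit 10/s` on that rule would be a cheap interim hardening. `start()` continues past the end of this hunk.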
@@ -181,13 +181,17 @@ openwrt_mixin:
 ipaddr=$(uci get "network.$zone.ipaddr")
 netmask=$(uci get "network.$zone.netmask")
- iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
-
- ### todo: only do this if dhcp is defined in network_zone
+ ### todo: only add this if dhcp is in network_zones[zone]
 iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
+
+ ### todo: only do this if dhcp is in network_zones[zone] or $ipaddr is in network_zones[zone].dns
 iptables -A INPUT -i "$interface" -p udp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
 iptables -A INPUT -i "$interface" -p tcp --dport 53 -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A INPUT -i "$interface" -p icmp -d "$ipaddr" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A INPUT -i "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+ iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
 iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
-- cgit v1.2.3
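Review bot: The added `iptables -A INPUT -i "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT` only covers the per-zone interfaces; neither this hunk nor the earlier one accepts established traffic arriving on `$WAN_IF` into INPUT, so replies to the router's own upstream connections (the resolver that serves the port-53 rules forwarding queries upstream, NTP) hit the DROP policy unless a rule in the lines not shown here (between the two hunks, or after this one) covers them. A single interface-independent `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`, placed once before the per-zone loop and optionally preceded by `iptables -A INPUT -m state --state INVALID -j DROP`, would cover WAN and all zones and avoid repeating the rule per interface. The new FORWARD accept is correctly scoped to `-s "$ipaddr/$netmask"` and inter-zone forwarding still falls to the DROP policy, which is worth stating in a comment, e.g. `# zone -> WAN only; zone-to-zone traffic stays blocked by the FORWARD policy`. The loop that defines `$zone` and `$interface` begins outside this hunk.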