github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-21 05:44:08 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix hole in iptables: connect to any ports from defined in rules ports.

Browse source
This commit is contained in:
Scorcher 2016-02-28 15:58:53 +05:00
commit 969ca7e15b
1 changed files with 13 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

32
bin/v-update-firewall
View file

@ -64,6 +64,19 @@ tmp=$(mktemp)
echo "$iptables -P INPUT ACCEPT" >> $tmp
echo "$iptables -F INPUT" >> $tmp
# Enabling stateful support
if [ "$conntrack" != 'no' ]; then
str="$iptables -A INPUT -m state"
str="$str --state ESTABLISHED,RELATED -j ACCEPT"
echo "$str" >> $tmp
fi
# Handling local traffic
for ip in $(ls $VESTA/data/ips); do
echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
done
echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
# Pasring iptables rules
IFS=$'\n'
for line in $(sort -r -n -k 2 -t \' $rules); do
@ -100,25 +113,6 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
fi
done
# Handling local traffic
for ip in $(ls $VESTA/data/ips); do
echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
done
echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
IFS=$'\n'
for p_rule in $(cat $ports); do
eval $p_rule
rule="$iptables -A INPUT -p $PROTOCOL"
echo "$rule --sport $PORT -j ACCEPT" >> $tmp
done
# Enabling stateful support
if [ "$conntrack" != 'no' ]; then
str="$iptables -A INPUT -p tcp -m state"
str="$str --state ESTABLISHED,RELATED -j ACCEPT"
echo "$str" >> $tmp
fi
# Switching chain policy to DROP
echo "$iptables -P INPUT DROP" >> $tmp