🚸 dont rely on return
This commit is contained in:
parent
7b4d46601f
commit
3bee1ac760
34
xynat
34
xynat
@ -141,16 +141,13 @@ xynat_ruleset_update_in(){
|
|||||||
|
|
||||||
# maybe allow host access
|
# maybe allow host access
|
||||||
if [[ "${arg_allow_host_mode:-}" == "in_out" ]]; then
|
if [[ "${arg_allow_host_mode:-}" == "in_out" ]]; then
|
||||||
iptables -A "${chain_id}_IN" -j RETURN
|
iptables -A "${chain_id}_IN" -j ACCEPT
|
||||||
elif [[ "${arg_allow_host_mode:-}" == "in" ]]; then
|
elif [[ "${arg_allow_host_mode:-}" == "in" ]]; then
|
||||||
iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
|
iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# reject all packets
|
# reject all packets
|
||||||
iptables -A "${chain_id}_IN" -j REJECT --reject-with icmp-host-unreachable
|
iptables -A "${chain_id}_IN" -j REJECT --reject-with icmp-host-unreachable
|
||||||
|
|
||||||
# default: return
|
|
||||||
iptables -A "${chain_id}_IN" -j RETURN
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -165,21 +162,18 @@ xynat_ruleset_update_out(){
|
|||||||
|
|
||||||
## ADD RULES ##
|
## ADD RULES ##
|
||||||
# allow related icmp messages
|
# allow related icmp messages
|
||||||
iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j RETURN
|
iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||||
|
|
||||||
# enforce correct vm address
|
# enforce correct vm address
|
||||||
iptables -A "${chain_id}_OUT" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
iptables -A "${chain_id}_OUT" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
|
||||||
# maybe allow host access
|
# maybe allow host access
|
||||||
if [[ "${arg_allow_host_mode:-}" == "in_out" || "${arg_allow_host_mode:-}" == "in" ]]; then
|
if [[ "${arg_allow_host_mode:-}" == "in_out" || "${arg_allow_host_mode:-}" == "in" ]]; then
|
||||||
iptables -A "${chain_id}_OUT" -j RETURN
|
iptables -A "${chain_id}_OUT" -j ACCEPT
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# reject all other packets
|
# reject all other packets
|
||||||
iptables -A "${chain_id}_OUT" -j REJECT --reject-with icmp-host-unreachable
|
iptables -A "${chain_id}_OUT" -j REJECT --reject-with icmp-host-unreachable
|
||||||
|
|
||||||
# default: return
|
|
||||||
iptables -A "${chain_id}_OUT" -j RETURN
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -196,14 +190,14 @@ xynat_ruleset_update_fwi(){
|
|||||||
# enforce correct vm address
|
# enforce correct vm address
|
||||||
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
|
||||||
# ignore allowed local addresses
|
# accept allowed local addresses
|
||||||
for a in ${arg_allow[*]:-}; do
|
for a in ${arg_allow[*]:-}; do
|
||||||
iptables -A "${chain_id}_FWI" -d "$a" -j RETURN
|
iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
# ignore allowed incomming local addresses
|
# accept allowed incomming local addresses
|
||||||
for a in ${arg_allow_in[*]:-}; do
|
for a in ${arg_allow_in[*]:-}; do
|
||||||
iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
|
iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
# reject filtered packets
|
# reject filtered packets
|
||||||
@ -211,8 +205,8 @@ xynat_ruleset_update_fwi(){
|
|||||||
iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
|
iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||||
done
|
done
|
||||||
|
|
||||||
# default: return
|
# default: allow
|
||||||
iptables -A "${chain_id}_FWI" -j RETURN
|
iptables -A "${chain_id}_FWI" -j ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -229,9 +223,9 @@ xynat_ruleset_update_fwo(){
|
|||||||
# enforce correct vm address
|
# enforce correct vm address
|
||||||
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
|
||||||
# ignore allowed local addresses
|
# accept allowed local addresses
|
||||||
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
||||||
iptables -A "${chain_id}_FWO" -s "$a" -j RETURN
|
iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
# reject filtered packets
|
# reject filtered packets
|
||||||
@ -239,8 +233,8 @@ xynat_ruleset_update_fwo(){
|
|||||||
iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
|
iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||||
done
|
done
|
||||||
|
|
||||||
# default: return
|
# default: accept
|
||||||
iptables -A "${chain_id}_FWO" -j RETURN
|
iptables -A "${chain_id}_FWO" -j ACCEPT
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
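Review bot: The final `iptables -A "${chain_id}_FWI" -j ACCEPT` and `iptables -A "${chain_id}_FWO" -j ACCEPT` that replace the old "default: return" rules are terminating verdicts for the whole built-in chain, not just for this user chain, so a packet that reaches the end of a ruleset no longer falls through to rules placed after the jump in FORWARD (or to its policy); the same applies to the RETURN→ACCEPT swaps in `${chain_id}_IN` and `${chain_id}_OUT`. If the parent chain carries a trailing LOG/DROP rule or evaluates other rulesets after this one, those are now bypassed for every packet whose VM address matches, which is a wider change than the title suggests and is not visible from these hunks since the jumps into the chains are outside them. Worth stating in each function so the next reader does not assume fall-through, e.g. `# verdicts here are terminal (ACCEPT); rules after the jump in the parent chain are not consulted` at the top of xynat_ruleset_update_fwi/fwo, whose opening lines are outside the hunks. The two new default comments also disagree (`# default: allow` in _FWI, `# default: accept` in _FWO); pick one wording for both.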
|