🚸 dont rely on return
parent
7b4d46601f
commit
3bee1ac760
34
xynat
34
xynat
@ -141,16 +141,13 @@ xynat_ruleset_update_in(){
|
||||
|
||||
# maybe allow host access
|
||||
if [[ "${arg_allow_host_mode:-}" == "in_out" ]]; then
|
||||
iptables -A "${chain_id}_IN" -j RETURN
|
||||
iptables -A "${chain_id}_IN" -j ACCEPT
|
||||
elif [[ "${arg_allow_host_mode:-}" == "in" ]]; then
|
||||
iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
|
||||
iptables -A "${chain_id}_IN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
fi
|
||||
|
||||
# reject all packets
|
||||
iptables -A "${chain_id}_IN" -j REJECT --reject-with icmp-host-unreachable
|
||||
|
||||
# default: return
|
||||
iptables -A "${chain_id}_IN" -j RETURN
|
||||
}
|
||||
|
||||
|
||||
@ -165,21 +162,18 @@ xynat_ruleset_update_out(){
|
||||
|
||||
## ADD RULES ##
|
||||
# allow related icmp messages
|
||||
iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j RETURN
|
||||
iptables -A "${chain_id}_OUT" -p icmp -m conntrack --ctstate RELATED -j ACCEPT
|
||||
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_OUT" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# maybe allow host access
|
||||
if [[ "${arg_allow_host_mode:-}" == "in_out" || "${arg_allow_host_mode:-}" == "in" ]]; then
|
||||
iptables -A "${chain_id}_OUT" -j RETURN
|
||||
iptables -A "${chain_id}_OUT" -j ACCEPT
|
||||
fi
|
||||
|
||||
# reject all other packets
|
||||
iptables -A "${chain_id}_OUT" -j REJECT --reject-with icmp-host-unreachable
|
||||
|
||||
# default: return
|
||||
iptables -A "${chain_id}_OUT" -j RETURN
|
||||
}
|
||||
|
||||
|
||||
@ -196,14 +190,14 @@ xynat_ruleset_update_fwi(){
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_FWI" ! -s "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# ignore allowed local addresses
|
||||
# accept allowed local addresses
|
||||
for a in ${arg_allow[*]:-}; do
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -j RETURN
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -j ACCEPT
|
||||
done
|
||||
|
||||
# ignore allowed incomming local addresses
|
||||
# accept allowed incomming local addresses
|
||||
for a in ${arg_allow_in[*]:-}; do
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
||||
done
|
||||
|
||||
# reject filtered packets
|
||||
@ -211,8 +205,8 @@ xynat_ruleset_update_fwi(){
|
||||
iptables -A "${chain_id}_FWI" -d "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||
done
|
||||
|
||||
# default: return
|
||||
iptables -A "${chain_id}_FWI" -j RETURN
|
||||
# default: allow
|
||||
iptables -A "${chain_id}_FWI" -j ACCEPT
|
||||
}
|
||||
|
||||
|
||||
@ -229,9 +223,9 @@ xynat_ruleset_update_fwo(){
|
||||
# enforce correct vm address
|
||||
iptables -A "${chain_id}_FWO" ! -d "$arg_vm_address" -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
# ignore allowed local addresses
|
||||
# accept allowed local addresses
|
||||
for a in ${arg_allow[*]:-} ${arg_allow_in[*]:-}; do
|
||||
iptables -A "${chain_id}_FWO" -s "$a" -j RETURN
|
||||
iptables -A "${chain_id}_FWO" -s "$a" -j ACCEPT
|
||||
done
|
||||
|
||||
# reject filtered packets
|
||||
@ -239,8 +233,8 @@ xynat_ruleset_update_fwo(){
|
||||
iptables -A "${chain_id}_FWO" -s "$a" -j REJECT --reject-with icmp-net-unreachable
|
||||
done
|
||||
|
||||
# default: return
|
||||
iptables -A "${chain_id}_FWO" -j RETURN
|
||||
# default: accept
|
||||
iptables -A "${chain_id}_FWO" -j ACCEPT
|
||||
}
|
||||
|
||||
|
||||
|
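Review bot: The new default `-j ACCEPT` at the end of `${chain_id}_FWI` and `${chain_id}_FWO` (the hunks at -211 and -239) turns these per-VM chains into terminal allow decisions: a packet that survives the "reject filtered packets" loop is accepted on the spot and never reaches the rules that follow the jump in the calling chain, nor that chain's policy, which the previous `-j RETURN` still let run. If that is the intent, the headers of `xynat_ruleset_update_fwi` / `xynat_ruleset_update_fwo` (both start outside the hunks) should state it, e.g. `# terminal chain: anything not rejected above is ACCEPTed here; later rules in the calling chain no longer apply to these packets`. The same holds for the ACCEPT rules in the `in` / `in_out` branches of `_IN` and `_OUT` (hunks at -141 and -165); there the trailing `# default: return` rules that appear to be dropped were already unreachable behind the unconditional REJECT, so that part reads as a no-op cleanup. Unrelated to this change but visible as context, the `for a in ${arg_allow[*]:-}` loops expand unquoted and are therefore subject to pathname globbing on each entry; iterating `"${arg_allow[@]}"` (with `set -f`, or bash ≥ 4.4 where an empty array no longer trips `set -u`) would keep the address list intact.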