firewall.d: Check for unset IF_WAN
In some cases (mostly on one-port devices) IF_WAN was used although it was not set, resulting in non-obvious iptables error messages such as "Bad argument `conntrack'" and "Bad argument `REJECT'". Thus, check whether IF_WAN is set to a non-empty value before using it. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>
This commit is contained in:
parent
40cad0a9b9
commit
6f132f858e
@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
include $(TOPDIR)/rules.mk
PKG_NAME:=fff-firewall
PKG_NAME:=fff-firewall
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
@ -1,6 +1,8 @@
# If an router has a direct internet connection simple attack act as DOS attack
# If an router has a direct internet connection simple attack act as DOS attack
iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
if [ -n "$IF_WAN" ]; then
iptables -A INPUT -i $IF_WAN -j REJECT
iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IF_WAN -j REJECT
fi
# Limit ssh to 6 new connections per 60 seconds
# Limit ssh to 6 new connections per 60 seconds
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
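Review bot: The new guard tests `"$IF_WAN"` quoted, but the two iptables rules it now encloses still pass `$IF_WAN` unquoted, so the hunk mixes both forms; for consistency, and so a value with stray whitespace cannot split into extra iptables arguments, write them as `iptables -A INPUT -i "$IF_WAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `iptables -A INPUT -i "$IF_WAN" -j REJECT`. When IF_WAN is empty the WAN-facing ACCEPT/REJECT pair is now skipped with no trace at all; the description says that is expected on one-port devices, but on a device that does have an uplink a missing IF_WAN would drop these rules silently where the old code at least emitted an error, so an `else logger -t fff-firewall "IF_WAN unset, skipping WAN INPUT rules"` branch before the `fi` would keep the misconfiguration visible. Only IPv4 rules are guarded here; whether an ip6tables counterpart for the WAN interface exists elsewhere in this file cannot be seen from the hunk.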
@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
include $(TOPDIR)/rules.mk
PKG_NAME:=fff-gateway
PKG_NAME:=fff-gateway
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
@ -1,3 +1,5 @@
# Ensure nothing is forwarded onto WAN interface
# Ensure nothing is forwarded onto WAN interface
iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
if [ -n "$IF_WAN" ]; then
ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
fi
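Review bot: The header comment `# Ensure nothing is forwarded onto WAN interface` is no longer unconditional once the two FORWARD REJECT rules sit inside `if [ -n "$IF_WAN" ]`, so it should say when the guarantee holds, e.g. `# Ensure nothing is forwarded onto WAN interface (skipped when IF_WAN is unset, e.g. on one-port devices)`. Inside the guard the interface is still passed unquoted in both `-o $IF_WAN` rules while the test quotes it; `-o "$IF_WAN"` keeps the two forms consistent and avoids word splitting on an odd value. Because this is the gateway package, an unset IF_WAN may be a real misconfiguration rather than a one-port device, so consider logging in an `else` branch instead of skipping silently; whether anything upstream already validates IF_WAN for gateways is not visible here.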