firewall.d: Check for unset IF_WAN
In some cases (mostly for one-port devices) IF_WAN was used although it was not set, resulting in non-obvious iptables error messages like - Bad argument `conntrack' - Bad argument `REJECT' Thus, check whether IF_WAN is set to something before using it. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>
parent
40cad0a9b9
commit
6f132f858e
|
@ -1,7 +1,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=fff-firewall
|
||||
PKG_RELEASE:=3
|
||||
PKG_RELEASE:=4
|
||||
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
|
||||
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# If an router has a direct internet connection simple attack act as DOS attack
|
||||
iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A INPUT -i $IF_WAN -j REJECT
|
||||
if [ -n "$IF_WAN" ]; then
|
||||
iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A INPUT -i $IF_WAN -j REJECT
|
||||
fi
|
||||
|
||||
# Limit ssh to 6 new connections per 60 seconds
|
||||
/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
|
||||
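Review bot: The new `-n` guard rules out the empty case, but `$IF_WAN` is still expanded unquoted on the two iptables lines inside the `if`, so a value containing whitespace or glob characters would still be word-split into extra arguments and produce the same class of "Bad argument" failure the commit is fixing; quote it as `iptables -A INPUT -i "$IF_WAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` and `iptables -A INPUT -i "$IF_WAN" -j REJECT`. The same unquoted expansions appear in the FORWARD rules of the fff-gateway firewall.d hunk below (`iptables -A FORWARD -o $IF_WAN ...` / `ip6tables -A FORWARD -o $IF_WAN ...`) and should get the same quoting. Where IF_WAN is set and how its value is validated is outside this hunk, so whether such values can occur in practice is not visible here; the script continues past the hunk.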
|
|
|
@ -1,7 +1,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=fff-gateway
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
|
||||
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# Ensure nothing is forwarded onto WAN interface
|
||||
iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
|
||||
ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
|
||||
if [ -n "$IF_WAN" ]; then
|
||||
iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
|
||||
ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
|
||||
fi
|
||||
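Review bot: With the new guard, an unset IF_WAN silently skips the FORWARD REJECT rules rather than failing loudly, which is the intended behaviour for one-port devices but also means a misconfigured multi-port gateway would lose its "nothing forwarded onto WAN" control without any trace in the log. Consider making the skip visible, e.g. an `else` branch with `logger -t fff-gateway "IF_WAN not set, skipping WAN FORWARD reject rules"` before `fi`, so the condition can be spotted in logread. Whether IF_WAN can legitimately be unset on a device that does have a WAN port depends on configuration outside this hunk, so I am hedging on how likely that case is; the script continues past the hunk.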
|
|