diff options
| author | Simon Rettberg | 2018-01-31 14:04:22 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2018-01-31 14:09:51 +0100 |
| commit | d5ed671f63dda268bcac9a78c19e74065f144b58 (patch) | |
| tree | 07ad9df870ec9d0fb36e6afbe52a2443b9bbbbc6 /core/modules/printergui | |
| parent | [vmware12] sync data/ to vmware14 module (diff) | |
| download | mltk-d5ed671f63dda268bcac9a78c19e74065f144b58.tar.gz mltk-d5ed671f63dda268bcac9a78c19e74065f144b58.tar.xz mltk-d5ed671f63dda268bcac9a78c19e74065f144b58.zip | |
[printergui] Refine port redirect rules to only match what's coming from VM and is intended for printergui
Fixes #3295
Diffstat (limited to 'core/modules/printergui')
| -rwxr-xr-x | core/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/core/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw b/core/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw index c0b724a2..0a7d0a9a 100755 --- a/core/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw +++ b/core/modules/printergui/data/opt/openslx/iptables/rules.d/50-lpd-redirect-and-fw @@ -1,8 +1,18 @@ #!/bin/ash -# Close from outside -iptables -A INPUT -i br0 -p tcp --dport 515 -j DROP -iptables -A INPUT -i br0 -p tcp --dport 5515 -j DROP # Redirect from VM to lpd -iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 515 -j REDIRECT --to-port 5515 +for br in br0 nat1 vsw2; do + [ -d "/sys/class/net/${br}/brif" ] || continue + devs=$(ls -1 "/sys/class/net/${br}/brif/") + for dev in $devs; do + case "$dev" in eth?|eth??|tun?|tun??) continue ;; esac + iptables -t nat -A PREROUTING -m physdev --physdev-in "$dev" -d 192.168.101.1 -p tcp --dport 515 -j REDIRECT --to-port 5515 + iptables -t nat -A PREROUTING -m physdev --physdev-in "$dev" -d 100.100.100.100 -p tcp --dport 515 -j REDIRECT --to-port 5515 + iptables -A INPUT -m physdev --physdev-in "$dev" -p tcp --dport 5515 -j ACCEPT + done +done +# Close from outside +iptables -A INPUT -p tcp --dport 515 -j DROP +iptables -A INPUT -p tcp --dport 5515 -j DROP +exit 0 |