| author | Simon Rettberg | 2014-02-17 12:40:57 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2014-02-17 12:40:57 +0100 |
| commit | df4225e21a589af046f0ca6933c246d30b8654c6 (patch) | |
| tree | b96a6639b95210620c5a0442b33ce0456f58d55d /remote/modules | |
| parent | [rfs-stage31] Don't fail when debug shell is requested (diff) | |
[iptables-helper] Put everything in a dedicated chain so we don't interfere with other tools writing rules directly
Diffstat (limited to 'remote/modules')
| -rwxr-xr-x | remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
index 350f502c..3ca0a014 100755
--- a/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
+++ b/remote/modules/iptables-helper/data/opt/openslx/iptables/iptables-reloader-worker
@@ -34,18 +34,27 @@ reload_rules () {
 # Filter
 for chain in INPUT FORWARD OUTPUT; do
 iptables -t filter -P "$chain" ACCEPT
+ iptables -t filter -N "ipt-helper-$chain" 2>/dev/null
+ iptables -t filter -F "ipt-helper-$chain"
+ iptables -t filter -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -t filter -I "$chain" 1 -j "ipt-helper-$chain"
 done
- iptables -t filter -F
 # NAT
 for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
 iptables -t nat -P "$chain" ACCEPT
+ iptables -t nat -N "ipt-helper-$chain" 2>/dev/null
+ iptables -t nat -F "ipt-helper-$chain"
+ iptables -t nat -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -t nat -I "$chain" 1 -j "ipt-helper-$chain"
 done
- iptables -t nat -F
 # Mangle
 for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
 iptables -t mangle -P "$chain" ACCEPT
+ iptables -t mangle -N "ipt-helper-$chain" 2>/dev/null
+ iptables -t mangle -F "ipt-helper-$chain"
+ iptables -t mangle -D "$chain" -j "ipt-helper-$chain" 2>/dev/null # make sure it's number one
+ iptables -t mangle -I "$chain" 1 -j "ipt-helper-$chain"
 done
- iptables -t mangle -F
 # Apply
 local LOGFILE=$(mktemp)
@@ -58,6 +67,8 @@ reload_rules () {
 mv "$file" "$DISABLED"
 continue
 fi
+ # patch chain names
+ sed -i -r 's/ (-A|--append|-I|--insert|-D|--delete) +(PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) / \1 ipt-helper-\2 /g' "$file"
 if ! "$file" > "$LOGFILE" 2>&1; then
 slxlog "firewall-script-apply" "The firewall script '$file' had nonzero exit code. Moving to disabled/" "$LOGFILE"
 mkdir -p "$DISABLED"
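Review bot: Forcing `iptables -t filter -P "$chain" ACCEPT` on every built-in chain before the helper chain is rebuilt still overrides a DROP policy that another tool set, which is the interference the commit title says it wants to avoid; the nat and mangle loops in this hunk have the same line. The new `-F "ipt-helper-$chain"` followed by the script loop also leaves a window on every reload in which the helper chains are empty and the policies are ACCEPT, so the host is unfiltered until all scripts have run; building the rules into a fresh chain and swapping the jump afterwards, or feeding one ruleset to iptables-restore, would close it. The suppressed errors on `-N` and `-D` deserve a comment, e.g. `# -N/-D fail harmlessly when the chain already exists or the jump is absent; real failures are expected to show on the following -F/-I`. reload_rules starts before this hunk.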
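Review bot: The `sed -i -r` rewrite redirects only `-A/-I/-D` and their long forms, so `-F`, `-P`, `-X`, `-R` and `-N` in a script still act on the built-in chains: a script that begins with the common `iptables -F` removes the jump inserted earlier in this function together with every rule another tool placed there, and a `-P INPUT DROP` line changes the policy the loops above just set. The pattern also needs a space after the chain name, so `-A INPUT` at the end of a line, a quoted chain name or the `--append=INPUT` form are left untouched and silently hit the built-in chain. The substitution further edits the operator's script in place before it is known to be valid; applying it to a copy (`sed -r '…' "$file" > "$tmp"`) and running the copy keeps the original intact. Whatever is chosen, the limitation should be stated above the sed, e.g. `# only -A/-I/-D are redirected; -F/-P/-X/-R in a script still hit the built-in chains`.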
@@ -65,6 +76,19 @@ reload_rules () {
 fi
 done
+ # Add default rule
+ for chain in INPUT FORWARD OUTPUT; do
+ iptables -t filter -A "ipt-helper-$chain" -j RETURN
+ done
+ # NAT
+ for chain in INPUT OUTPUT PREROUTING POSTROUTING; do
+ iptables -t nat -A "ipt-helper-$chain" -j RETURN
+ done
+ # Mangle
+ for chain in INPUT FORWARD OUTPUT PREROUTING POSTROUTING; do
+ iptables -t mangle -A "ipt-helper-$chain" -j RETURN
+ done
+
 mv -f -- "${ALL_RULES}.new" "${ALL_RULES}"
 echo "iptables rules successfully updated."
 exit 0
|
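Review bot: The appended `-j RETURN` is what a user-defined chain does implicitly when a packet reaches its end, so the rule is redundant by itself; if it is intended as a visible end marker, the comment should say so, e.g. `# explicit RETURN marks the end of the helper chain; unmatched traffic falls through to the rest of the built-in chain and its ACCEPT policy`. Because the built-in policies are reset to ACCEPT at the top of reload_rules, anything a script does not explicitly DROP inside the helper chain is accepted unless the script sets a policy itself, which is worth stating next to "Add default rule". The three loops repeat the per-table chain lists from the first hunk; one `for table in filter nat mangle` loop reading the chain list from a single place would keep the two copies from drifting apart. reload_rules starts before this hunk.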
