From 8e59a6022bf7cb225c3509be2964833cce0e630c Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 20 May 2014 11:27:24 +0200
Subject: [PATCH 1/2] firewall: Rename GUIINPUT chain to ICMPINPUT.

The name of the chain does not really explain what it does.
---
 src/initscripts/init.d/firewall | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 837178110..853f195cf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -120,10 +120,10 @@ iptables_init() {
 iptables -N IPTVFORWARD
 iptables -A FORWARD -j IPTVFORWARD
 
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
 # Accept everything on loopback
 iptables -N LOOPBACK

From c0e0848f999ed8944ae551047fdea32bfee88d03 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 20 May 2014 11:41:23 +0200
Subject: [PATCH 2/2] firewall: Allow blocking access to GREEN from GREEN.

---
 config/firewall/firewall-policy | 3 +++
 src/initscripts/init.d/firewall | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2fe5..4ba1ace8c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
 
 # INPUT
 
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
 true,MODE1) ;;

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 853f195cf..7a18502bf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
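Review bot: The new POLICYIN rule accepts every protocol from "${GREEN_DEV}" with no connection-state match, whereas the INPUT rule it replaces in src/initscripts/init.d/firewall (next hunk of this patch) matched `-m conntrack --ctstate NEW` and excluded ICMP, so the set of accepted traffic from GREEN widens and the commit message does not mention it. If that widening is intended, the comment should say so, e.g. `# Allow access from GREEN (all protocols; ICMP echo is already accepted by ICMPINPUT in init.d/firewall)`; otherwise `iptables -A POLICYIN -i "${GREEN_DEV}" -m conntrack --ctstate NEW -j ACCEPT` keeps the previous scope. Nothing in this hunk shows how the accept becomes optional, so presumably the policy script is regenerated without this line when blocking is selected; stating that in the comment would make the "allow blocking" intent of the subject line visible at the rule itself.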
@@ -179,7 +179,10 @@ iptables_init() {
 iptables -t nat -A POSTROUTING -j IPSECNAT
 
 # localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
 
 # WIRELESS chains
 iptables -N WIRELESSINPUT
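Review bot: With the general GREEN accept removed from INPUT, the only hard-wired local access from GREEN is tcp/444 via GUIINPUT (plus ICMP echo via ICMPINPUT from the first patch), so every other service on the firewall now depends on the POLICYIN rule added in config/firewall/firewall-policy being installed and on POLICYIN being evaluated before any default drop; the hook of POLICYIN into INPUT is not visible here, so I cannot confirm that ordering from the hunk. A comment recording that dependency next to the new chain would keep the next maintainer from re-adding a broad accept, e.g. `# Other services reachable from GREEN are governed by POLICYIN (config/firewall/firewall-policy), not here.` The GUI port 444 is hard-coded in the rule; if the GUI port is configurable elsewhere in the tree, this should read that setting instead. iptables_init() continues outside the hunk.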