More intelligence in iptables rulesets. Account for Policy ACCEPT, with

default rule DROP or REJECT as last rule. Regex the conditions to make sure we are getting the right conditions. Reframe the logic to simplify the chains and rules Reframe the logic to simplify the chains and rules Signed-off-by: Dan Schaper <dan.schaper@pi-hole.net>
7 years ago · ccbf391913
parent 1f9b0f7cef
commit ccbf391913
2 changed files with 15 additions and 6 deletions
--- a/.idea/codeStyleSettings.xml
+++ b/.idea/codeStyleSettings.xml
@ -15,8 +15,11 @@
            <option name="USE_RELATIVE_INDENTS" value="false" />
          </value>
        </option>
+        <MarkdownNavigatorCodeStyleSettings>
+          <option name="RIGHT_MARGIN" value="72" />
+        </MarkdownNavigatorCodeStyleSettings>
      </value>
    </option>
    <option name="USE_PER_PROJECT_SETTINGS" value="true" />
  </component>
-</project>
+</project>
--- a/install/basic-install.sh
+++ b/install/basic-install.sh
@ -870,11 +870,17 @@ configureFirewall() {
    echo "::: Configuring FirewallD for httpd and dnsmasq.."
    firewall-cmd --permanent --add-port=80/tcp --add-port=53/tcp --add-port=53/udp
    firewall-cmd --reload
-  elif modinfo ip_tables &> /dev/null && iptables -S INPUT | head -n1 | grep -v "ACCEPT" &> /dev/null ; then
-    echo "::: Configuring iptables for httpd and dnsmasq.."
-    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-    iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
+  # Check for proper kernel modules to prevent failure
+  elif modinfo ip_tables &> /dev/null; then
+    # If chain Policy is not ACCEPT or last Rule is not ACCEPT
+    # then check and insert our Rules above the DROP/REJECT Rule.
+    if iptables -S INPUT | head -n1 | grep -qv 'ACCEPT$' || iptables -S INPUT | tail -n1 | grep -qv '^-A.*ACCEPT$'; then
+      # Check chain first, otherwise a new rule will duplicate old ones
+      echo "::: Configuring iptables for httpd and dnsmasq.."
+      iptables -C INPUT -p tcp -m tcp --dport 80 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
+      iptables -C INPUT -p tcp -m tcp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
+      iptables -C INPUT -p udp -m udp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
+    fi
  else
    echo "::: No active firewall detected.. skipping firewall configuration."
  fi