mirror of
https://github.com/pi-hole/pi-hole
synced 2024-11-17 21:59:55 +00:00
More intelligence in iptables rulesets. Account for Policy ACCEPT, with
default rule DROP or REJECT as last rule. Regex the conditions to make sure we are getting the right conditions. Reframe the logic to simplify the chains and rules Reframe the logic to simplify the chains and rules Signed-off-by: Dan Schaper <dan.schaper@pi-hole.net>
This commit is contained in:
parent
1f9b0f7cef
commit
ccbf391913
@ -15,8 +15,11 @@
|
||||
<option name="USE_RELATIVE_INDENTS" value="false" />
|
||||
</value>
|
||||
</option>
|
||||
<MarkdownNavigatorCodeStyleSettings>
|
||||
<option name="RIGHT_MARGIN" value="72" />
|
||||
</MarkdownNavigatorCodeStyleSettings>
|
||||
</value>
|
||||
</option>
|
||||
<option name="USE_PER_PROJECT_SETTINGS" value="true" />
|
||||
</component>
|
||||
</project>
|
||||
</project>
|
@ -870,11 +870,17 @@ configureFirewall() {
|
||||
echo "::: Configuring FirewallD for httpd and dnsmasq.."
|
||||
firewall-cmd --permanent --add-port=80/tcp --add-port=53/tcp --add-port=53/udp
|
||||
firewall-cmd --reload
|
||||
elif modinfo ip_tables &> /dev/null && iptables -S INPUT | head -n1 | grep -v "ACCEPT" &> /dev/null ; then
|
||||
echo "::: Configuring iptables for httpd and dnsmasq.."
|
||||
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
|
||||
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
|
||||
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
|
||||
# Check for proper kernel modules to prevent failure
|
||||
elif modinfo ip_tables &> /dev/null; then
|
||||
# If chain Policy is not ACCEPT or last Rule is not ACCEPT
|
||||
# then check and insert our Rules above the DROP/REJECT Rule.
|
||||
if iptables -S INPUT | head -n1 | grep -qv 'ACCEPT$' || iptables -S INPUT | tail -n1 | grep -qv '^-A.*ACCEPT$'; then
|
||||
# Check chain first, otherwise a new rule will duplicate old ones
|
||||
echo "::: Configuring iptables for httpd and dnsmasq.."
|
||||
iptables -C INPUT -p tcp -m tcp --dport 80 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
|
||||
iptables -C INPUT -p tcp -m tcp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
|
||||
iptables -C INPUT -p udp -m udp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
|
||||
fi
|
||||
else
|
||||
echo "::: No active firewall detected.. skipping firewall configuration."
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user