freifunk/ansible-ffibk
9
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Role network-iptables-gateway: omit dropping invalid packets

Browse source
This commit is contained in:
Tobias Hachmer 2017-12-14 06:33:39 +01:00
parent c8b1f999fe
commit 2faa4e11dd
2 changed files with 0 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
roles/network-iptables-gateway/templates/rules.v4.j2
View file

@ -6,7 +6,6 @@
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT -A INPUT -d {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_forward in meshes %} {% for mesh_forward in meshes %}
{% for mesh_recursive in meshes recursive %} {% for mesh_recursive in meshes recursive %}
@ -15,10 +14,8 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT -A OUTPUT -s {{ ansible_default_ipv4.address | ipaddr('public') }}/32 -p gre -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT COMMIT
*mangle *mangle

3
roles/network-iptables-gateway/templates/rules.v6.j2
View file

@ -5,7 +5,6 @@
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% for mesh_forward in meshes %} {% for mesh_forward in meshes %}
{% for mesh_recursive in meshes recursive %} {% for mesh_recursive in meshes recursive %}
@ -14,9 +13,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT COMMIT
*mangle *mangle