More intelligence in iptables rulesets. Account for Policy ACCEPT, with
default rule DROP or REJECT as last rule. Regex the conditions to make sure we are getting the right conditions. Reframe the logic to simplify the chains and rules Reframe the logic to simplify the chains and rules Signed-off-by: Dan Schaper <dan.schaper@pi-hole.net>
This commit is contained in:
parent
1f9b0f7cef
commit
ccbf391913
2 changed files with 15 additions and 6 deletions
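--- a/FILE-1-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-1-PATH-NOT-SHOWN-ON-PAGE
@@ -15,6 +15,9 @@
 <option name="USE_RELATIVE_INDENTS" value="false" />
 </value>
 </option>
+<MarkdownNavigatorCodeStyleSettings>
+<option name="RIGHT_MARGIN" value="72" />
+</MarkdownNavigatorCodeStyleSettings>
 </value>
 </option>
 <option name="USE_PER_PROJECT_SETTINGS" value="true" />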
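--- a/FILE-2-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-2-PATH-NOT-SHOWN-ON-PAGE
@@ -870,11 +870,17 @@ configureFirewall() {
 echo "::: Configuring FirewallD for httpd and dnsmasq.."
 firewall-cmd --permanent --add-port=80/tcp --add-port=53/tcp --add-port=53/udp
 firewall-cmd --reload
-elif modinfo ip_tables &> /dev/null && iptables -S INPUT | head -n1 | grep -v "ACCEPT" &> /dev/null ; then
+# Check for proper kernel modules to prevent failure
+elif modinfo ip_tables &> /dev/null; then
+# If chain Policy is not ACCEPT or last Rule is not ACCEPT
+# then check and insert our Rules above the DROP/REJECT Rule.
+if iptables -S INPUT | head -n1 | grep -qv 'ACCEPT$' || iptables -S INPUT | tail -n1 | grep -qv '^-A.*ACCEPT$'; then
+# Check chain first, otherwise a new rule will duplicate old ones
 echo "::: Configuring iptables for httpd and dnsmasq.."
-iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+iptables -C INPUT -p tcp -m tcp --dport 80 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
-iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
+iptables -C INPUT -p tcp -m tcp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
-iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
+iptables -C INPUT -p udp -m udp --dport 53 -j ACCEPT &> /dev/null || iptables -I INPUT 1 -p udp -m udp --dport 53 -j ACCEPT
+fi
 else
 echo "::: No active firewall detected.. skipping firewall configuration."
 fi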
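Review bot: The three new `iptables -I INPUT 1 …` lines place the ACCEPT for 80/tcp and 53/tcp+udp ahead of every existing INPUT rule, which is stronger than the comment above them promises ("insert our Rules above the DROP/REJECT Rule") and silently bypasses any narrower rule an administrator already had for those ports, such as a source- or interface-restricted rule for port 53. The preceding `-C` check only confirms that the exact rule exists somewhere in the chain, so a pre-existing copy that sits below a DROP is left in place and still never reached. If the intent really is "just above the terminal DROP/REJECT", the insertion index should be derived from the chain length rather than hard-coded to 1; otherwise the comment should say that the rules are put at the top of the chain so the reader knows the ordering consequence. The new `if` condition also fires for an empty chain whose policy is ACCEPT, because `tail -n1` then yields the `-P INPUT ACCEPT` line, which does not match `^-A.*ACCEPT$`; this only adds redundant rules, but a comment such as `# NOTE: an empty chain with policy ACCEPT also takes this branch` would save the next maintainer the puzzle. configureFirewall() begins before this hunk, so the firewall-cmd detection branch it pairs with is not visible here.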