From patchwork Tue Sep 10 20:09:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [v2] fff-gateway: Add firewall rules to ensure nothing is forwarded onto WAN From: Fabian Blaese X-Patchwork-Id: 1188 Message-Id: <20190910200901.31225-1-fabian@blaese.de> To: franken-dev@freifunk.net Date: Tue, 10 Sep 2019 22:09:01 +0200 Signed-off-by: Fabian Bläse Reviewed-by: Christian Dresel Reviewed-by: Robert Langhammer --- Changes in v2: - Fix redundant --reject-with parameter --- .../fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan new file mode 100644 index 0000000..f989d6b --- /dev/null +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan @@ -0,0 +1,3 @@ +# Ensure nothing is forwarded onto WAN interface +iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable +ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
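Review bot: `$IF_WAN` is expanded unquoted and unchecked in both `-o $IF_WAN` rules, so if the variable is empty when this file runs, `-o` consumes the following `-j` as its argument and neither reject rule is installed as intended, which leaves forwarding onto WAN unblocked without any visible failure. Suggest quoting it as `-o "$IF_WAN"` and skipping or logging when it is empty, for example with a `[ -n "$IF_WAN" ]` guard ahead of the two commands. Separately, both rules use `-A FORWARD`, so they only apply to packets that no earlier rule in the chain has already accepted; the comment line could state that this file relies on running before any ACCEPT rules for the WAN interface are appended, or the rules could be inserted with `-I` if the reject is meant to take precedence regardless of order.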