firewall.d: Check for unset IF_WAN

Submitted by Adrian Schmutzler on Oct. 9, 2019, 4:27 p.m.


Commit Message

Adrian Schmutzler Oct. 9, 2019, 4:27 p.m.
In some cases (mostly for one-port devices) IF_WAN was used
although it was not set, resulting in non-obvious iptables error
messages such as

- Bad argument `conntrack'

- Bad argument `REJECT'

Thus, check whether IF_WAN is set to something before using it.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
---
 src/packages/fff/fff-firewall/Makefile                      | 2 +-
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ++++--
 src/packages/fff/fff-gateway/Makefile                       | 2 +-
 .../fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan  | 6 ++++--
 4 files changed, 10 insertions(+), 6 deletions(-)


diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 7bb82b17..56543331 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
index 50fa087b..aa04ce93 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -1,6 +1,8 @@ 
 # If an router has a direct internet connection simple attack act as DOS attack
-iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $IF_WAN -j REJECT
+if [ -n "$IF_WAN" ]; then
+	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+	iptables -A INPUT -i $IF_WAN -j REJECT
+fi
 
 # Limit ssh to 6 new connections per 60 seconds
 /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
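Review bot: The new `if [ -n "$IF_WAN" ]` guard turns a loud failure into a silent one: before, an unset IF_WAN broke the iptables call (the "Bad argument" errors from the commit message), now the INPUT filtering for the WAN side is simply not installed and nothing records that it was skipped. On a one-port device that is the intended outcome, but on a device where IF_WAN is unset by misconfiguration the router is left without the WAN REJECT rule and no trace of why. An `else` branch that logs the skip would keep the fix while preserving visibility, e.g. `else` / `logger -t firewall "IF_WAN not set, skipping WAN INPUT filter"` before the `fi`. The same applies to the guard added in 10-no-forward-wan, where the omitted FORWARD rule is the gateway's protection against forwarding onto WAN.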
diff --git a/src/packages/fff/fff-gateway/Makefile b/src/packages/fff/fff-gateway/Makefile
index 7a10544c..71075858 100644
--- a/src/packages/fff/fff-gateway/Makefile
+++ b/src/packages/fff/fff-gateway/Makefile
@@ -1,7 +1,7 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-gateway
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
 
diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
index f989d6be..2d4ee926 100644
--- a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
+++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
@@ -1,3 +1,5 @@ 
 # Ensure nothing is forwarded onto WAN interface
-iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
-ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+if [ -n "$IF_WAN" ]; then
+	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
+	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+fi
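Review bot: The interface variable stays unquoted inside the new guard, `-o $IF_WAN`, so the `-n` check only rules out the empty case; a value containing whitespace would still be word-split into extra iptables arguments and reproduce the kind of "Bad argument" failure this patch is meant to remove. Since the rules are being touched anyway, quoting the expansion as `-o "$IF_WAN"` on both the iptables and ip6tables lines is the idiomatic shell form and matches the quoting already used in the test. The same applies to the `-i $IF_WAN` lines in the 20-filter-ssh hunk.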