fix iptables commands: allowlist local IPs

config/reaction.service

@@ -9,6 +9,9 @@ ExecStart=/path/to/reaction -c /etc/reaction.yml
 ExecStartPre=/path/to/iptables -w -N reaction
 # Set its default to ACCEPT
 ExecStartPre=/path/to/iptables -w -A reaction -j ACCEPT
+# Always accept 127.0.0.1 && ::1
+ExecStartPre=/path/to/iptables -w -I reaction 1 -s 127.0.0.1 -j ACCEPT
+ExecStartPre=/path/to/iptables -w -I reaction 1 -s ::1 -j ACCEPT
 # Insert this chain as the first item of the INPUT chain (for incoming connections)
 ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction
 
@@ -16,7 +19,7 @@ ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction
 ExecStopPost=/path/to/iptables -w -D INPUT -p all -j reaction
 # Empty the chain
 ExecStopPost=/path/to/iptables -w -F reaction
-# Delete te chain
+# Delete the chain
 ExecStopPost=/path/to/iptables -w -X reaction
 
 # Ask systemd to create /var/lib/reaction (/var/lib/ is implicit)

config/reaction.yml

@@ -3,8 +3,8 @@
 # definitions are just a place to put chunks of conf you want to reuse in another place
 # they're not readed by reaction
 definitions:
-  - &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "<ip>" "-j" "block" ]
-  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "block" ]
+  - &iptablesban [ "iptables" "-w" "-A" "reaction" "1" "-s" "<ip>" "-j" "DROP" ]
+  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "<ip>" "-j" "DROP" ]
 
 # patterns are substitued in regexes.
 # when a filter performs an action, it replaces the found pattern