From 3499cfd6c866219096358d1f73af9fe242406261 Mon Sep 17 00:00:00 2001
From: ppom <>
Date: Thu, 27 Apr 2023 12:38:57 +0200
Subject: [PATCH] fix iptables commands: allowlist local IPs

---
 config/reaction.service | 5 ++++-
 config/reaction.yml | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/config/reaction.service b/config/reaction.service
index 429a651..2e08088 100644
--- a/config/reaction.service
+++ b/config/reaction.service
@@ -9,6 +9,9 @@ ExecStart=/path/to/reaction -c /etc/reaction.yml
 ExecStartPre=/path/to/iptables -w -N reaction
 # Set its default to ACCEPT
 ExecStartPre=/path/to/iptables -w -A reaction -j ACCEPT
+# Always accept 127.0.0.1 && ::1
+ExecStartPre=/path/to/iptables -w -I reaction 1 -s 127.0.0.1 -j ACCEPT
+ExecStartPre=/path/to/iptables -w -I reaction 1 -s ::1 -j ACCEPT
 # Insert this chain as the first item of the INPUT chain (for incoming connections)
 ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction
 
@@ -16,7 +19,7 @@ ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction
 ExecStopPost=/path/to/iptables -w -D INPUT -p all -j reaction
 # Empty the chain
 ExecStopPost=/path/to/iptables -w -F reaction
-# Delete te chain
+# Delete the chain
 ExecStopPost=/path/to/iptables -w -X reaction
 
 # Ask systemd to create /var/lib/reaction (/var/lib/ is implicit)
diff --git a/config/reaction.yml b/config/reaction.yml
index d953817..ca07044 100644
--- a/config/reaction.yml
+++ b/config/reaction.yml
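Review bot: The `-s ::1` rule on the second added ExecStartPre line is handed to the IPv4 `iptables` binary, which does not accept an IPv6 source address and exits non-zero; because the line carries no `-` prefix, a failing ExecStartPre aborts the unit, so with this change the service will not start at all. The ::1 rule belongs to `ip6tables`, which then also needs its own `-N reaction` chain, INPUT jump and ExecStopPost cleanup — none of which is in this hunk. For the IPv4 side, matching the loopback interface, `ExecStartPre=/path/to/iptables -w -I reaction 1 -i lo -j ACCEPT`, covers all of 127.0.0.0/8 instead of the single address and does not rely on the packet's source field. The added comment `# Always accept 127.0.0.1 && ::1` reads like shell syntax; `# Always accept loopback traffic (127.0.0.1 and ::1)` says the same thing more plainly.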
@@ -3,8 +3,8 @@
 # definitions are just a place to put chunks of conf you want to reuse in another place
 # they're not readed by reaction
 definitions:
-  - &iptablesban [ "iptables" "-w" "-I" "reaction" "1" "-s" "" "-j" "block" ]
-  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "" "-j" "block" ]
+  - &iptablesban [ "iptables" "-w" "-A" "reaction" "1" "-s" "" "-j" "DROP" ]
+  - &iptablesunban [ "iptables" "-w" "-D" "reaction" "1" "-s" "" "-j" "DROP" ]
 
 # patterns are substitued in regexes.
 # when a filter performs an action, it replaces the found pattern
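Review bot: `"-A" "reaction" "1"` in the new &iptablesban definition is not a valid iptables invocation — `-A` takes only a chain name, so the stray `"1"` is rejected as a bad argument and every ban command fails. Even with the number removed, `-A` appends after the chain's terminal `-j ACCEPT` rule that reaction.service installs, so a DROP placed there never matches; the old `-I reaction 1` had the right position but landed above the new loopback allow rules, which is presumably why it was changed. The unban keeps `"-D" "reaction" "1" "-s" … "-j" "DROP"`, which iptables treats as delete-by-rule-number and, as far as I can tell, rejects once match options follow, so unbans would fail as well. Keeping bans as `"-I" "reaction"` / `"-D" "reaction"` without the number, and placing the loopback allow ahead of the `-j reaction` jump in INPUT (in reaction.service, outside this hunk), gives the intended precedence without depending on rule positions. The source argument between `"-s"` and `"-j"` shows as an empty string here — if that is a stripped `<ip>` placeholder it is fine, but as written it would pass an empty source to iptables.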