From 6ee78f45f23fbbb8ae93ecad2b90e5902d4656a2 Mon Sep 17 00:00:00 2001
From: ppom <>
Date: Sun, 5 Nov 2023 12:00:00 +0100
Subject: [PATCH] fix confs iptables
---
 app/example.yml | 8 +++-----
 config/example.jsonnet | 10 ++--------
 2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/app/example.yml b/app/example.yml
index 5671dec..c256df3 100644
--- a/app/example.yml
+++ b/app/example.yml
@@ -3,8 +3,8 @@
 # using YAML anchors `&name` and pointers `*name`
 # definitions are not readed by reaction
 definitions:
- - &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '1', '-s', '', '-j', 'DROP' ]
- - &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '1', '-s', '', '-j', 'DROP' ]
+ - &iptablesban [ 'ip46tables', '-w', '-A', 'reaction', '-s', '', '-j', 'DROP' ]
+ - &iptablesunban [ 'ip46tables', '-w', '-D', 'reaction', '-s', '', '-j', 'DROP' ]
 # ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
 # it permits to handle both ipv4/iptables and ipv6/ip6tables commands
@@ -21,7 +21,6 @@ patterns:
 # Those commands will be executed in order at start, before everything else
 start:
 - [ 'ip46tables', '-w', '-N', 'reaction' ]
- - [ 'ip46tables', '-w', '-A', 'reaction', '-j', 'RETURN' ]
 - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
 # Those commands will be executed in order at stop, after everything else
@@ -30,7 +29,6 @@ stop:
 - [ 'ip46tables', '-w', '-F', 'reaction' ]
 - [ 'ip46tables', '-w', '-X', 'reaction' ]
-
 # streams are commands
 # they are run and their ouptut is captured
 # *example:* `tail -f /var/log/nginx/access.log`
@@ -71,7 +69,7 @@ streams:
 # if you want reaction to run those pending commands before exiting, you can set this:
 onexit: true # (defaults to false)
- # here it is not useful because we will flush the chain containing the bans anyway
+ # here it is not useful because we will flush and delete the chain containing the bans anyway
 # (with the stop commands)
 # persistence
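Review bot: The rewritten `*iptablesban` appends `-s <ip> -j DROP` into a chain that, on the new side, contains no ACCEPT rule and is reached from position 1 of INPUT via `-I INPUT -p all -j reaction`, i.e. ahead of whatever loopback or established-connection rules the host already has; a pattern false positive that yields 127.0.0.1, ::1 or the operator's own address (presumably the `''` placeholder is filled from a pattern match) then drops that traffic until unban. The jsonnet example used to carry `-s 127.0.0.1 -j ACCEPT` and `-s ::1 -j ACCEPT` and this patch deletes them together with the terminal ACCEPT rather than keeping them; now that the terminal rule is gone an allowlist ahead of the bans shadows nothing, so in `start:` right after `-N` add `- [ 'ip46tables', '-w', '-A', 'reaction', '-s', '127.0.0.1', '-j', 'ACCEPT' ]` and `- [ 'ip46tables', '-w', '-A', 'reaction', '-s', '::1', '-j', 'ACCEPT' ]` (assuming ip46tables hands each family's address only to the matching binary, as the old jsonnet rules already relied on). Separately, `-D` in `*iptablesunban` removes a single matching rule, so an address banned twice — two patterns firing, or persisted bans re-applied after a restart — stays dropped after the first unban; that is worth a comment next to the definition, or a `-C` probe before the `-A` if reaction's command model can express it.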
diff --git a/config/example.jsonnet b/config/example.jsonnet
index 6a7881b..98b66d4 100644
--- a/config/example.jsonnet
+++ b/config/example.jsonnet
@@ -5,7 +5,7 @@
 // JSONNET functions
 local iptables(args) = ['ip46tables', '-w'] + args;
-// ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
+// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo.
 // it permits to handle both ipv4/iptables and ipv6/ip6tables commands
 {
@@ -24,12 +24,6 @@ local iptables(args) = ['ip46tables', '-w'] + args;
 start: [
 // Create an iptables chain for reaction
 iptables(['-N', 'reaction']),
- // Set its default to ACCEPT
- iptables(['-A', 'reaction', '-j', 'ACCEPT']),
- // Always accept 127.0.0.1
- iptables(['-I', 'reaction', '1', '-s', '127.0.0.1', '-j', 'ACCEPT']),
- // Always accept ::1
- iptables(['-I', 'reaction', '1', '-s', '::1', '-j', 'ACCEPT']),
 // Insert this chain as the first item of the INPUT chain (for incoming connections)
 iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),
 ],
@@ -85,7 +79,7 @@ local iptables(args) = ['ip46tables', '-w'] + args;
 // if you want reaction to run those pending commands before exiting, you can set this:
 onexit: true, // (defaults to false)
- // here it is not useful because we will flush the chain containing the bans anyway
+ // here it is not useful because we will flush and delete the chain containing the bans anyway
 // (with the stop commands)
 },
 },