simplifying and adding flexibility to the NOTRACK rules

2018-11-04 19:19:09 +00:00 · 2018-11-04 19:19:09 +00:00 · 7aabd41def
parent 249e13bac6
commit 7aabd41def
1 changed files with 11 additions and 4 deletions
--- a/files/firewall
+++ b/files/firewall
@ -51,8 +51,10 @@ case $1 in
        iptables -t nat -F
        iptables -t raw -F

-        iptables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK
-        iptables -t raw -A OUTPUT     ! -o mgmt  -j NOTRACK
+        iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
+        iptables -t raw -A OUTPUT     -o mgmt  -j ACCEPT
+        iptables -t raw -A PREROUTING          -j NOTRACK
+        iptables -t raw -A OUTPUT              -j NOTRACK



@ -88,10 +90,15 @@ case $1 in
        ip6tables -t nat -F
        ip6tables -t raw -F

-        ip6tables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK
-        ip6tables -t raw -A OUTPUT     ! -o mgmt  -j NOTRACK
+        ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
+        ip6tables -t raw -A OUTPUT     -o mgmt  -j ACCEPT
+        ip6tables -t raw -A PREROUTING          -j NOTRACK
+        ip6tables -t raw -A OUTPUT              -j NOTRACK


+       #some boxes get special addon rules
+        [ -e /etc/init.d/firewall-addon ] && source /etc/init.d/firewall-addon
+
        ;;

   stop)