From 2aa18dd2931c085f884506c899a12532268ff806 Mon Sep 17 00:00:00 2001
From: Daniel Dehennin
Date: Tue, 12 Apr 2016 11:01:13 +0200
Subject: [PATCH] Forteresse: toujours accepter les paquets retours
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Les paquets ESTABLISHED,RELATED ne sont acceptés que si le SSH est activé pour l’interface. Ces paquets devraient toujours être autorisés.

* tmpl/forteresse.sh (forteresse_start): Factorisation de la règle d’autorisation des paquets ESTABLISHED,RELATED.

Ref: #15832
---
 tmpl/forteresse.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tmpl/forteresse.sh b/tmpl/forteresse.sh
index 9c00b95..1c3a77c 100644
--- a/forteresse.sh
+++ b/forteresse.sh
@@ -71,7 +71,6 @@ forteresse_start() {
 log_begin_msg "Activation du mode forteresse sur %%interface_name"
 %if %%activer_firewall == u'non'
 /sbin/iptables -A INPUT -i %%interface_name -p tcp --syn -s 0/0 --dport ssh -m state --state NEW -j ACCEPT
- /sbin/iptables -A INPUT -i %%interface_name -m state --state ESTABLISHED,RELATED -j ACCEPT
 %else
 %if %%getVar(u'ssh_{0}'.format(%%phy_interface), u'non') == u'oui'
 %set %%mask_attribute_name = u'netmask_ssh_{0}'.format(%%phy_interface)
@@ -79,10 +78,10 @@ forteresse_start() {
 µµµµµµµµµµ Get netmask attribute
 %set %%res_mask = %%getattr(%%res_ssh,%%mask_attribute_name)
 /sbin/iptables -A INPUT -i %%interface_name -p tcp --syn -s %%res_ssh/%%res_mask --dport ssh -m state --state NEW -j ACCEPT
- /sbin/iptables -A INPUT -i %%interface_name -m state --state ESTABLISHED,RELATED -j ACCEPT
 %end for
 %end if
 %end if
+ /sbin/iptables -A INPUT -i %%interface_name -m state --state ESTABLISHED,RELATED -j ACCEPT
 fi
 %end for
-- 
2.8.0.rc3
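Review bot: The relocated ESTABLISHED,RELATED rule at the end of the second hunk is appended after the per-interface `--state NEW` SSH rules, so every reply packet is still checked against the SSH rules before it is accepted; because all of these rules ACCEPT the order is harmless, but placing it before the `%if %%activer_firewall` block of the first hunk would match the bulk of the traffic on the first rule and make the intent visible at the top of the block. Nothing in the template now records why this rule sits outside the SSH conditions, which is exactly the mistake the commit corrects, so a short comment above it such as `# Return traffic is accepted whatever the SSH setting: the host must receive replies to the connections it opens itself` would stop a later edit from moving it back under the condition. RELATED also admits connections expected by any loaded conntrack helper (FTP data and the like), which is broader than plain reply packets; worth confirming this matches what fortress mode is meant to allow. forteresse_start() begins before the first hunk and continues past the last one, and the second hunk header counts 10 old lines while only 9 are visible here, so a context line may have been lost when the patch was flattened.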