local.m4: Refactor common SSH permission between safe/untrusted hosts.
authorMark Wooding <mdw@distorted.org.uk>
Fri, 8 Jun 2012 00:27:39 +0000 (01:27 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Fri, 8 Jun 2012 00:27:39 +0000 (01:27 +0100)
Actually the same rules work for IPv4 and IPv6, so we should only write
them once.

local.m4

index 9dfc464..d57b53d 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -200,17 +200,10 @@ case $forward in
            -m state --state ESTABLISHED
 
     ## Allow SSH from safe/noloop to untrusted networks.
-    run iptables -A fwd-spec-nofrag -j ACCEPT \
+    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --destination-port $port_ssh \
            -m mark --mark $to_untrusted/$MASK_TO
-    run iptables -A fwd-spec-nofrag -j ACCEPT \
-           -p tcp --source-port $port_ssh \
-           -m mark --mark $from_untrusted/$MASK_FROM \
-           -m state --state ESTABLISHED
-    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
-           -p tcp --destination-port $port_ssh \
-           -m mark --mark $to_untrusted/$MASK_TO
-    run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+    run ip46tables -A fwd-spec-nofrag -j ACCEPT \
            -p tcp --source-port $port_ssh \
            -m mark --mark $from_untrusted/$MASK_FROM \
            -m state --state ESTABLISHED
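Review bot: The outbound rule at the top of this hunk accepts any TCP packet to `$port_ssh` whose mark matches `$to_untrusted/$MASK_TO`, yet the comment describes SSH from safe/noloop, and nothing visible here constrains the source class or the connection state. If the source restriction comes from how `fwd-spec-nofrag` is reached inside the `case $forward` arm (which starts and ends outside the hunk), the comment should say so, for example `## Source class is selected by the enclosing case arm; these rules match only the destination mark.` Otherwise consider adding `-m state --state NEW,ESTABLISHED` to the outbound rule, so that packets conntrack classifies as INVALID are not accepted on the SSH port, in line with the ESTABLISHED match on the reply rule. Since one `ip46tables` call now installs the rule for both families, it is also worth confirming that the helper (not shown here) reports failure when either the IPv4 or the IPv6 command fails, so the two rule sets cannot silently diverge.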