Merge pull request hestiacp#658 from Scorcher/fix-firewall-hole-2

serghey-rodin · web-flow · commit d55c32eae5b8 · 2016-06-27T01:23:38.000+03:00
Fix hole in iptables: connect to any ports from defined in rules ports.
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -64,6 +64,19 @@ tmp=$(mktemp)
 echo "$iptables -P INPUT ACCEPT" >> $tmp
 echo "$iptables -F INPUT" >> $tmp
 
+# Enabling stateful support
+if [ "$conntrack" != 'no' ]; then
+    str="$iptables -A INPUT -m state"
+    str="$str --state ESTABLISHED,RELATED -j ACCEPT"
+    echo "$str" >> $tmp
+fi
+
+# Handling local traffic
+for ip in $(ls $VESTA/data/ips); do
+    echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
+done
+echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
+
 # Pasring iptables rules
 IFS=$'\n'
 for line in $(sort -r -n -k 2 -t \' $rules); do
@@ -100,25 +113,6 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
     fi
 done
 
-# Handling local traffic
-for ip in $(ls $VESTA/data/ips); do
-    echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
-done
-echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
-IFS=$'\n'
-for p_rule in $(cat $ports); do
-    eval $p_rule
-    rule="$iptables -A INPUT -p $PROTOCOL"
-    echo "$rule --sport $PORT -j ACCEPT" >> $tmp
-done
-
-# Enabling stateful support
-if [ "$conntrack" != 'no' ]; then
-    str="$iptables -A INPUT -p tcp -m state"
-    str="$str --state ESTABLISHED,RELATED -j ACCEPT"
-    echo "$str" >> $tmp
-fi
-
 # Switching chain policy to DROP
 echo "$iptables -P INPUT DROP" >> $tmp
 
