From e4051e105c2dc677e7a4650e0c8a9d4053b3b836 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 9 Mar 2011 15:11:01 +0000
Subject: [PATCH] * Use a separate chain for logging and rejecting.

svn path=/nixos/trunk/; revision=26232
---
 modules/services/networking/firewall.nix | 29 +++++++++++++++++-------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 0c703caac20..2f0fe4f81c2 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -90,6 +90,23 @@ in
       }
       ip46tables -F
+      ip46tables -X # flush unused chains
+      ip46tables -P INPUT DROP
+
+      # The "FW_REFUSE" chain performs logging and
+      # rejecting/dropping of packets.
+      ip46tables -N FW_REFUSE
+
+      ${optionalString cfg.logRefusedConnections ''
+        ip46tables -A FW_REFUSE -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
+      ''}
+      ${optionalString cfg.logRefusedPackets ''
+        ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
+      ''}
+
+      ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+
       # Accept all traffic on the loopback interface.
       ip46tables -A INPUT -i lo -j ACCEPT
@@ -113,20 +130,16 @@ in
       # stuff like neighbor/router solicitation won't work.
       ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
-      # Drop everything else.
-      ${optionalString cfg.logRefusedConnections ''
-        ip46tables -A INPUT -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: "
-      ''}
-      ${optionalString cfg.logRefusedPackets ''
-        ip46tables -A INPUT -j LOG --log-level info --log-prefix "rejected packet: "
-      ''}
-      ip46tables -A INPUT -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+      # Reject/drop everything else.
+      ip46tables -A INPUT -j FW_REFUSE
     '';

    postStop =
      ''
        iptables -F
+        iptables -P INPUT ACCEPT
        ip6tables -F
+        ip6tables -P INPUT ACCEPT
      '';
  };
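Review bot: The two `-j LOG` rules appended to FW_REFUSE carry no rate limit, so every refused packet becomes a kernel log line and a burst of refused traffic can flood the log; the commit only moves these rules from INPUT into the new chain without bounding them. Prefixing each with the limit match, e.g. `ip46tables -A FW_REFUSE -p tcp --syn -m limit --limit 10/minute --limit-burst 20 -j LOG --log-level info --log-prefix "rejected connection: "`, caps the logging while the final reject/drop rule stays unconditional. Separately, `-P INPUT DROP` is issued only after `-F` and `-X`, so on a first start where the policy is still the kernel default ACCEPT there is a brief window with no rules and an accepting policy; moving the policy line ahead of the flush closes it. The preStart script this hunk belongs to continues outside the hunk.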
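Review bot: postStop flushes the rules and resets the INPUT policy to ACCEPT but never deletes the FW_REFUSE chain that preStart creates, so a stopped firewall leaves an unreferenced user chain behind until the next start's `-X` removes it; adding `iptables -X` and `ip6tables -X` after the respective `-F` keeps the two scripts symmetric. The policy reset also means a stopped unit leaves the host with no input filtering at all, which the script should say explicitly: `# After stop: no rules and policy ACCEPT, i.e. all inbound traffic is admitted.`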