From a76180820eb08f3957ab36e25cada8ab0f0ccc5d Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 12 Mar 2009 09:20:02 -0700
Subject: Enable strict host matching

Bug 4061
Host (INPUT) chain will only accept packets where destination address matches address on incoming interface.
---
 scripts/firewall/firewall.init.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'scripts/firewall/firewall.init.in')

diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 5904a3d..4d8608f 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -56,7 +56,11 @@ start () {
  # set up post-firewall hook
  iptables -N VYATTA_POST_FW_HOOK
  iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
- iptables -A INPUT -j VYATTA_POST_FW_HOOK
+
+ # enforce strict host matching (see bug 4061)
+ iptables -P INPUT -j DROP
+ iptables -A INPUT -m strict -j VYATTA_POST_FW_HOOK
+ iptables -A FORWARD -j VYATTA_POST_FW_HOOK
 
  # set up pre-SNAT hook
-- 
cgit v1.2.3
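Review bot: `iptables -P INPUT -j DROP` is not the policy syntax: `-P` takes the chain and the policy as two positional arguments, and `-j` is not accepted there, so this line should read `iptables -P INPUT DROP`. The ordering also matters for availability: the DROP policy is applied before the `-m strict` rule, which is the only path into VYATTA_POST_FW_HOOK for the INPUT chain, so if the strict match extension is missing on a host the append fails and the box stops accepting all input traffic, including any management session used to repair it. A safer sequence appends the rule first and only then tightens the policy, e.g. `iptables -A INPUT -m strict -j VYATTA_POST_FW_HOOK && iptables -P INPUT DROP`, with an explicit error message on failure. The `start ()` function continues outside this hunk, so I cannot see whether a later step already checks iptables return codes.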