
Commit 0c1e80c

Fix Kerlink firewall rule security issue.
This limits accepting incoming TCP packets from the --sport for ESTABLISHED connections only.
1 parent 217e100 commit 0c1e80c

File tree

1 file changed

+1
-1
lines changed


packaging/vendor/kerlink/keros-gws/files/chirpstack-gateway-bridge.init

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ function iptables_accept {
1010
[ -n "${1}" ] || exit 1
1111
local RULE="OUTPUT -t filter -p tcp --dport ${1} -j ACCEPT"
1212
iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE}
13-
local RULE="INPUT -t filter -p tcp --sport ${1} -j ACCEPT"
13+
local RULE="INPUT -t filter -p tcp --sport ${1} -m conntrack --ctstate ESTABLISHED -j ACCEPT"
1414
iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE}
1515
}
1616
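Review bot: the corrected INPUT rule at line 13 closes the hole, but the function still does not check whether `iptables -I ${RULE}` succeeded, and the new `-m conntrack --ctstate ESTABLISHED` match depends on the conntrack match extension being available on the gateway kernel; if it is missing, the insert fails and the function continues silently with only the OUTPUT rule in place, so return traffic for port ${1} is dropped with no indication why. Consider failing or logging on that path, in the style the script already uses at line 10, e.g. `iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE} || exit 1`. For the record of why the change matters: the old rule at line 13 accepted any inbound TCP packet whose source port equalled ${1}, which let a remote host reach every locally listening TCP port simply by sending from that source port; with `--ctstate ESTABLISHED` only packets belonging to a connection the gateway bridge itself opened match, which is what the commit message describes.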
