Fix Kerlink firewall rule security issue.

brocaar · brocaar · commit 0c1e80c9fa9f · 2024-03-11T11:52:12.000Z
This limits accepting incoming TCP packets from the --sport for
ESTABLISHED connections only.
diff --git a/packaging/vendor/kerlink/keros-gws/files/chirpstack-gateway-bridge.init b/packaging/vendor/kerlink/keros-gws/files/chirpstack-gateway-bridge.init
@@ -10,7 +10,7 @@ function iptables_accept {
     [ -n "${1}" ] || exit 1
     local RULE="OUTPUT -t filter -p tcp --dport ${1} -j ACCEPT"
     iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE}
-    local RULE="INPUT -t filter -p tcp --sport ${1} -j ACCEPT"
+    local RULE="INPUT -t filter -p tcp --sport ${1} -m conntrack --ctstate ESTABLISHED -j ACCEPT"
     iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ function iptables_accept {`
`10`	`10`	`[ -n "${1}" ] \|\| exit 1`
`11`	`11`	`local RULE="OUTPUT -t filter -p tcp --dport ${1} -j ACCEPT"`
`12`	`12`	`iptables -C ${RULE} 2> /dev/null \|\| iptables -I ${RULE}`
`13`		`- local RULE="INPUT -t filter -p tcp --sport ${1} -j ACCEPT"`
	`13`	`+ local RULE="INPUT -t filter -p tcp --sport ${1} -m conntrack --ctstate ESTABLISHED -j ACCEPT"`
`14`	`14`	`iptables -C ${RULE} 2> /dev/null \|\| iptables -I ${RULE}`
`15`	`15`	`}`
`16`	`16`