Move NAT gateway firewall rules to recovered|updatenatgw events.
authorMartin Schwenke <martin@meltin.net>
Tue, 6 Jul 2010 07:54:43 +0000 (17:54 +1000)
committerRusty Russell <rusty@rustcorp.com.au>
Wed, 18 Aug 2010 02:10:07 +0000 (11:40 +0930)
The existing code wasn't working as designed in the start event.  It
should work here.

BZ: 62613
Signed-off-by: Martin Schwenke <martin@meltin.net>
config/events.d/11.natgw [changed mode: 0644->0755]

old mode 100644 (file)
new mode 100755 (executable)
index a01984c..46de7fa
@@ -69,6 +69,12 @@ case "$1" in
                # This is the first node, set it up as the NAT GW
                echo 1 >/proc/sys/net/ipv4/ip_forward
                iptables -A POSTROUTING -t nat -s $CTDB_NATGW_PRIVATE_NETWORK -d ! $CTDB_NATGW_PRIVATE_NETWORK -j MASQUERADE
+
+               # block all incoming connections to the natgw address
+               CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
+               iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+               iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+
                ip addr add $CTDB_NATGW_PUBLIC_IP dev $CTDB_NATGW_PUBLIC_IFACE
                ip route add 0.0.0.0/0 via $CTDB_NATGW_DEFAULT_GATEWAY >/dev/null 2>/dev/null
        else
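Review bot: The `2>/dev/null` on the `iptables -I INPUT ... -j REJECT` line silently discards the very failure this commit is chasing (rules not being applied as designed); only the preceding `-D` is expected to fail, so the insert should report its error, e.g. `iptables -I INPUT -p tcp --syn -d "$CTDB_NATGW_PUBLIC_IP_HOST" -j REJECT || echo "failed to add natgw INPUT rule" >&2`. The comment `block all incoming connections to the natgw address` also overstates the rule: it matches only TCP SYN, so UDP, ICMP and non-SYN TCP to the address are still accepted, and the comment should say `# reject new incoming TCP connections to the natgw address` unless further rules are intended. The `sed` substitution leaves a prefix-less `$CTDB_NATGW_PUBLIC_IP` untouched, which iptables treats as /32 anyway, but the unquoted expansions would be safer as `"$CTDB_NATGW_PUBLIC_IP"` and `"$CTDB_NATGW_PUBLIC_IP_HOST"`. Whether the rule is removed again when this node stops being the NAT gateway is not visible in this hunk; the case arm continues outside it.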