Prevent clients from connecting to the natgw address.

author Ronnie Sahlberg <ronniesahlberg@gmail.com>

Tue, 1 Jun 2010 02:43:32 +0000 (12:43 +1000)

committer Ronnie Sahlberg <ronniesahlberg@gmail.com>

Tue, 1 Jun 2010 02:43:32 +0000 (12:43 +1000)
author Ronnie Sahlberg <ronniesahlberg@gmail.com>
Tue, 1 Jun 2010 02:43:32 +0000 (12:43 +1000)
committer Ronnie Sahlberg <ronniesahlberg@gmail.com>
Tue, 1 Jun 2010 02:43:32 +0000 (12:43 +1000)
diff --git a/config/events.d/11.natgw b/config/events.d/11.natgw

index e6e54f48dc2b1b3c988ff5ce28ca414297a44543..a01984c3ca14b6ec18a2e396c8c07b0fa28a2344 100644 (file)
--- a/config/events.d/11.natgw
+++ b/config/events.d/11.natgw
@@ -23,6 +23,8 @@ delete_all() {
         # were the NAT-GW
         iptables -D POSTROUTING -t nat -s $CTDB_NATGW_PRIVATE_NETWORK -d ! $CTDB_NATGW_PRIVATE_NETWORK -j MASQUERADE >/dev/null 2>/dev/null
  
+       # remove any iptables rule we may have on this address
+       iptables -D INPUT -p tcp --syn -d _ip/32 -j REJECT 2>/dev/null
  }
  
  case "$1" in 
@@ -50,6 +52,12 @@ case "$1" in
         NATGWIP=`ctdb natgwlist | head -1 | sed -e "s/^[^ ]* *//"`
  
         CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
+
+       # block all incoming connections to the natgw address
+       iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null 
+       iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null 
+
+
         if [ "$NATGWMASTER" = "-1" ]; then
                 echo "There is not NATGW master node"
                 exit 1
author	Ronnie Sahlberg <ronniesahlberg@gmail.com>
	Tue, 1 Jun 2010 02:43:32 +0000 (12:43 +1000)
committer	Ronnie Sahlberg <ronniesahlberg@gmail.com>
	Tue, 1 Jun 2010 02:43:32 +0000 (12:43 +1000)