Prevent clients from connecting to the natgw address.
authorRonnie Sahlberg <ronniesahlberg@gmail.com>
Wed, 2 Jun 2010 02:47:01 +0000 (12:47 +1000)
committerRonnie Sahlberg <ronniesahlberg@gmail.com>
Wed, 2 Jun 2010 02:47:01 +0000 (12:47 +1000)
    This address is dedicated for outgoing connections.

    BZ62613

config/events.d/11.natgw

index ae56f23100cb7ab2ca44b1c60d0ff33b61e06a9c..7ae9c98ed144500940d6d6370332c0f798d9433e 100644 (file)
@@ -13,6 +13,8 @@ loadconfig
 delete_all() {
        CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
 
+       iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+
        remove_ip $CTDB_NATGW_PUBLIC_IP $CTDB_NATGW_PUBLIC_IFACE
        remove_ip $CTDB_NATGW_PUBLIC_IP_HOST lo
 
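Review bot: The new iptables line expands $CTDB_NATGW_PUBLIC_IP_HOST unquoted, so an empty or whitespace-containing value silently changes the argument list instead of producing a recognisable error, and the 2>/dev/null on the same line then hides whatever iptables complains about; `iptables -D INPUT -p tcp --syn -d "$CTDB_NATGW_PUBLIC_IP_HOST" -j REJECT 2>/dev/null` keeps the -d argument in place. Discarding stderr on the -D in this teardown path is otherwise reasonable, since the rule may legitimately not be present. The same quoting applies to the two iptables lines added in the second hunk. delete_all continues past the end of this hunk.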
@@ -35,6 +37,12 @@ case "$1" in
                exit 1
        }
 
+       # block all incoming connections to the natgw address
+       CTDB_NATGW_PUBLIC_IP_HOST=`echo $CTDB_NATGW_PUBLIC_IP | sed -e "s/\/.*/\/32/"`
+       iptables -D INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+       iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT 2>/dev/null
+
+
        # do not respond to ARPs that are for ip addresses with scope 'host'
        echo 3 > /proc/sys/net/ipv4/conf/all/arp_ignore
        # do not send out arp requests from loopback addresses
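Review bot: The `iptables -I` that installs the REJECT rule discards its stderr and its exit status is never checked, so if the rule cannot be added (iptables absent, module load failure, rejected address) the script carries on with the natgw address still accepting connections and nothing in the log records it. Only the preceding -D needs the 2>/dev/null, because the rule may not exist yet; the -I should keep its stderr and be checked, for example `iptables -I INPUT -p tcp --syn -d $CTDB_NATGW_PUBLIC_IP_HOST -j REJECT || echo "ctdb natgw: failed to install REJECT rule for $CTDB_NATGW_PUBLIC_IP_HOST"`. Separately, `-p tcp --syn` only refuses new TCP connections, so UDP traffic to the address is still accepted; whether that matters depends on what the address fronts, but the comment above the rule should state the scope, e.g. `# reject new TCP connections to the natgw address; UDP is not filtered here`. The enclosing case arm begins before this hunk.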