Merge remote-tracking branch 'origin/operators/tools-rewamp' into operators/tools-rewamp
@@ -912,10 +912,54 @@ check_nym_exit_chain() {
|
||||
return $errors
|
||||
}
|
||||
|
||||
check_iptables_default_policies() {
|
||||
info "checking base iptables default policies (INPUT/FORWARD)"
|
||||
|
||||
local issues=0
|
||||
local input_policy forward_policy output_policy
|
||||
|
||||
input_policy=$(iptables -S INPUT 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
|
||||
forward_policy=$(iptables -S FORWARD 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
|
||||
output_policy=$(iptables -S OUTPUT 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
|
||||
|
||||
if [[ -z "${input_policy:-}" ]]; then
|
||||
error "unable to read INPUT default policy (iptables -S INPUT failed?)"
|
||||
issues=1
|
||||
elif [[ "${input_policy^^}" != "DROP" ]]; then
|
||||
error "INPUT default policy is ${input_policy^^}; expected DROP so traffic is only allowed by explicit rules."
|
||||
issues=1
|
||||
else
|
||||
ok "INPUT default policy is DROP"
|
||||
fi
|
||||
|
||||
if [[ -z "${forward_policy:-}" ]]; then
|
||||
error "unable to read FORWARD default policy (iptables -S FORWARD failed?)"
|
||||
issues=1
|
||||
elif [[ "${forward_policy^^}" != "DROP" ]]; then
|
||||
error "FORWARD default policy is ${forward_policy^^}; expected DROP to ensure traffic only flows via NYM-EXIT rules."
|
||||
issues=1
|
||||
else
|
||||
ok "FORWARD default policy is DROP"
|
||||
fi
|
||||
|
||||
if [[ -z "${output_policy:-}" ]]; then
|
||||
error "unable to read OUTPUT default policy (iptables -S OUTPUT failed?)"
|
||||
issues=1
|
||||
elif [[ "${output_policy^^}" != "ACCEPT" ]]; then
|
||||
error "OUTPUT default policy is ${output_policy^^}; expected ACCEPT"
|
||||
issues=1
|
||||
else
|
||||
ok "OUTPUT default policy is ACCEPT"
|
||||
fi
|
||||
|
||||
return $issues
|
||||
}
|
||||
|
||||
check_firewall_setup() {
|
||||
info "checking ipv4 firewall ordering…"
|
||||
local errors=0
|
||||
|
||||
check_iptables_default_policies || errors=1
|
||||
check_forward_chain || errors=1
|
||||
check_nym_exit_chain || errors=1
|
||||
|
||||
|
||||
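Review bot: The info line at the top of check_iptables_default_policies names only INPUT/FORWARD, but the function goes on to check OUTPUT as well, so the log misdescribes what was verified; change it to `info "checking base iptables default policies (INPUT/FORWARD/OUTPUT)"`. The three policy checks are the same eleven lines repeated with a different chain name and expected value, which is where the label drifted out of sync; a small helper taking chain, expected policy and the reason text keeps the messages identical and leaves one place to adjust if the expected policy changes. Note that the `2>/dev/null` on each `iptables -S` call means a missing binary, a non-root run and an nft-backed table without the chain all collapse into the same "unable to read" error, so the message's "(iptables -S INPUT failed?)" hedge is the only hint an operator gets. check_firewall_setup starts in this hunk but its body continues past the end of it.
```shell
# Report on CHAIN's default policy; returns 0 when it equals EXPECTED, 1 otherwise.
_check_default_policy() {
    local chain=$1 expected=$2 reason=$3
    local policy
    policy=$(iptables -S "$chain" 2>/dev/null | awk 'NR==1 && $1=="-P" {print $3}')
    if [[ -z "${policy:-}" ]]; then
        error "unable to read ${chain} default policy (iptables -S ${chain} failed?)"
        return 1
    elif [[ "${policy^^}" != "$expected" ]]; then
        error "${chain} default policy is ${policy^^}; expected ${expected}${reason:+ $reason}"
        return 1
    fi
    ok "${chain} default policy is ${expected}"
    return 0
}

check_iptables_default_policies() {
    info "checking base iptables default policies (INPUT/FORWARD/OUTPUT)"
    local issues=0
    _check_default_policy INPUT DROP "so traffic is only allowed by explicit rules." || issues=1
    _check_default_policy FORWARD DROP "to ensure traffic only flows via NYM-EXIT rules." || issues=1
    _check_default_policy OUTPUT ACCEPT "" || issues=1
    return $issues
}
# … unchanged: check_firewall_setup …
```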