From 22601bd38b87b9679e500e60732aa699e1e47ba1 Mon Sep 17 00:00:00 2001
From: Alejandro Andreu
Date: Tue, 7 Mar 2017 18:18:21 +0100
Subject: [PATCH] Ensure static uplink can work in RHEL and iptables

Change-Id: I84210531ef4d7282dd21e69b80a1fef3010d9095
---
 templates/gateway/create_fake_uplink_l2.sh.erb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/templates/gateway/create_fake_uplink_l2.sh.erb b/templates/gateway/create_fake_uplink_l2.sh.erb
index 678d8b5..0440b93 100644
--- a/templates/gateway/create_fake_uplink_l2.sh.erb
+++ b/templates/gateway/create_fake_uplink_l2.sh.erb
@@ -90,3 +90,13 @@ if [ "${MASQUERADE_ON}" == 'on' ] && [ -z "$(iptables -v -n -L -t nat | grep "MA
 iptables -I FORWARD -s ${FIP} -j ACCEPT
 echo "Succesfully enabled masquerading"
 fi
+
+# Ensure there are no malicious iptables rules
+if [ -f /etc/redhat-release ];
+then
+ iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited || true
+ if [[ $(cat /etc/sysconfig/iptables | grep -v -- '-A FORWARD -j REJECT --reject-with icmp-host-prohibited') ]];
+ then
+ cat /etc/sysconfig/iptables | grep -v -- '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' > /etc/sysconfig/iptables
+ fi
+fi
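Review bot: The in-place rewrite `cat /etc/sysconfig/iptables | grep -v -- '…' > /etc/sysconfig/iptables` in the new inner `if` opens and truncates the output file before `cat` has read it, so the persisted firewall rules can end up empty instead of filtered; the guarding test `[[ $(cat … | grep -v -- '…') ]]` is also true whenever the file has any other line, not when the REJECT entry is present, so that rewrite runs on every invocation. The comment `# Ensure there are no malicious iptables rules` mislabels what is being removed, which is the RHEL default `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` entry; I would say so, e.g. `# Remove the RHEL default FORWARD REJECT rule (running and persisted rulesets) so forwarded traffic is not rejected`, and note that dropping that catch-all leaves the FORWARD chain open beyond the per-FIP ACCEPT rules inserted above (that `if` block opens before this hunk and closes on the context `fi`). Smaller points: `iptables -D` removes a single instance of the rule and `|| true` also hides a missing or failing iptables binary, and the hunk mixes `[[` with the `[` style used by the existing code. The rewrite below tests for the rule with `grep -q -F`, filters into a `mktemp` file in the same directory and renames it over the original, so the config is never truncated before being read and the replacement is atomic.
```shell
# Remove the RHEL default FORWARD REJECT rule (running and persisted rulesets)
# so forwarded traffic is not rejected.
if [ -f /etc/redhat-release ]; then
  iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited || true
  rules=/etc/sysconfig/iptables
  reject_rule='-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
  if [ -f "$rules" ] && grep -q -F -- "$reject_rule" "$rules"; then
    # Filter into a temp file next to the original, then rename: the original is
    # read in full before it is replaced. mktemp creates the file mode 0600.
    tmp=$(mktemp "${rules}.XXXXXX") || exit 1
    grep -v -F -- "$reject_rule" "$rules" > "$tmp"
    mv -f -- "$tmp" "$rules"
  fi
fi
```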