Fix Kerlink firewall rule security issue.

This limits accepting incoming TCP packets from the --sport for ESTABLISHED connections only.
chirpstack · Mar 11, 2024 · 0c1e80c · 0c1e80c
1 parent 217e100
commit 0c1e80c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/packaging/vendor/kerlink/keros-gws/files/chirpstack-gateway-bridge.init b/packaging/vendor/kerlink/keros-gws/files/chirpstack-gateway-bridge.init
@@ -10,7 +10,7 @@ function iptables_accept {
     [ -n "${1}" ] || exit 1
     local RULE="OUTPUT -t filter -p tcp --dport ${1} -j ACCEPT"
     iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE}
-    local RULE="INPUT -t filter -p tcp --sport ${1} -j ACCEPT"
+    local RULE="INPUT -t filter -p tcp --sport ${1} -m conntrack --ctstate ESTABLISHED -j ACCEPT"
     iptables -C ${RULE} 2> /dev/null || iptables -I ${RULE}
 }