Merge branch 'bugfix/restrict-dnsmasq' into develop

upstream pull request: oblique#312
legithubert · Dec 21, 2020 · cac7e61 · cac7e61
2 parents 0d3bde6 + 8bf71dd
commit cac7e61
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/create_ap b/create_ap
@@ -785,14 +785,14 @@ _cleanup() {
 
     if [[ "$SHARE_METHOD" != "bridge" ]]; then
         if [[ $NO_DNS -eq 0 ]]; then
-            iptables -w -D INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT
-            iptables -w -D INPUT -p udp -m udp --dport $DNS_PORT -j ACCEPT
+            iptables -w -D INPUT -i ${WIFI_IFACE} -p tcp -m tcp --dport $DNS_PORT -j ACCEPT
+            iptables -w -D INPUT -i ${WIFI_IFACE} -p udp -m udp --dport $DNS_PORT -j ACCEPT
             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
                 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT
             iptables -w -t nat -D PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
                 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
         fi
-        iptables -w -D INPUT -p udp -m udp --dport 67 -j ACCEPT
+        iptables -w -D INPUT -i ${WIFI_IFACE} -p udp -m udp --dport 67 -j ACCEPT
     fi
 
     if [[ $NO_VIRT -eq 0 ]]; then
@@ -1869,8 +1869,8 @@ fi
 if [[ "$SHARE_METHOD" != "bridge" ]]; then
     if [[ $NO_DNS -eq 0 ]]; then
         DNS_PORT=5353
-        iptables -w -I INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die
-        iptables -w -I INPUT -p udp -m udp --dport $DNS_PORT -j ACCEPT || die
+        iptables -w -I INPUT -i ${WIFI_IFACE} -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die
+        iptables -w -I INPUT -i ${WIFI_IFACE} -p udp -m udp --dport $DNS_PORT -j ACCEPT || die
         iptables -w -t nat -I PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
             -p tcp -m tcp --dport 53 -j REDIRECT --to-ports $DNS_PORT || die
         iptables -w -t nat -I PREROUTING -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} \
@@ -1880,7 +1880,7 @@ if [[ "$SHARE_METHOD" != "bridge" ]]; then
     fi
 
     if [[ $NO_DNSMASQ -eq 0 ]]; then
-      iptables -w -I INPUT -p udp -m udp --dport 67 -j ACCEPT || die
+      iptables -w -I INPUT -i ${WIFI_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
 
       if which complain > /dev/null 2>&1; then
           # openSUSE's apparmor does not allow dnsmasq to read files.