From aec794cddd3591214527823c38ce9a0f15646422 Mon Sep 17 00:00:00 2001
From: "bruns@2mbit.com"
Date: Mon, 17 Aug 2009 01:44:42 +0000
Subject: [PATCH] More fixes to NAT/Connection tracking

---
 rc.firewall | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/rc.firewall b/rc.firewall
index 70d1e67..e57f0d6 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -128,6 +128,16 @@ if [ $LANDHCPSERVER ]; then
 $IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
 fi
 
+
+if [ $CONNTRACK ]; then
+ $IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
+ $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
+fi
+
 if [ $NAT ]; then
 for i in $NATRANGE; do
 $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
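Review bot: The INVALID-state drop in the new CONNTRACK block is appended only to INPUT, while FORWARD also gains a RELATED,ESTABLISHED accept and is the chain that carries the SNAT traffic configured in the NAT block directly below; a matching `$IPTABLES -A FORWARD -m state --state INVALID -j DROP` would keep the two chains consistent. Whether INVALID packets on FORWARD are already discarded depends on that chain's default policy, which is set outside this hunk and cannot be confirmed here. Separately, `if [ $CONNTRACK ]; then` copies the file's existing unquoted style, but it breaks if the variable ever holds whitespace and treats any non-empty value, including `0` or `no`, as enabled; `if [ -n "$CONNTRACK" ]; then` makes the intent explicit and survives odd values. The same unquoted test pattern appears on the surrounding `if [ $LANDHCPSERVER ]` and `if [ $NAT ]` lines, so this is a pre-existing convention rather than a regression introduced by the commit.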