Conntrack fixes

2013-11-13 06:34:55 +00:00 · 2013-11-13 06:34:55 +00:00 · b35913bdb4
parent 995415770f
commit b35913bdb4
1 changed files with 8 additions and 8 deletions
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@ -701,8 +701,8 @@ if [ $NAT ]; then
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 					-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]} 
 				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@ -721,9 +721,9 @@ if [ $NAT ]; then
 					;;
 			MASQ)
 				$IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@ -742,9 +742,9 @@ if [ $NAT ]; then
 					;;
 			NETMAP)
 				$IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j ACCEPT
-				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -j DROP
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -o ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j ACCEPT
+				$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -o ${NAT_RULE[1]} -d ${NAT_RULE[2]} -i ${NAT_RULE[3]} -j DROP
 				display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
 				if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 					$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \