From b4bdbe17a34210a2be7f5078e4038b2b2cb660ac Mon Sep 17 00:00:00 2001
From: bbruns
Date: Tue, 2 Aug 2011 03:28:48 +0000
Subject: [PATCH] Adjusting NAT rules

---
 bin/firewall-sosdg | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index aad31c0..79370e2 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -339,10 +339,11 @@ fi
 if [ "$CONNTRACK" ]; then
 #$IPTABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
 $IPTABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+ # Now in the NAT rules
+ #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
 #$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
- $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
- $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+ $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW,RELATED,ESTABLISHED -j ACCEPT
+ #$IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
 $IPTABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
 $IPTABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
 $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
@@ -686,6 +687,7 @@ if [ $NAT ]; then
 SNAT)
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
+ $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -s ${NAT_RULE[2]} -j ACCEPT
 display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
 if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
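Review bot: Removing the unconditional FORWARD RELATED,ESTABLISHED accept (the `-` line right after the INPUT accept) leaves the FORWARD chain with no conntrack accept at all when `$NAT` is unset, and the replacements added in the SNAT, MASQ and NETMAP arms (the `@@ -686`, `@@ -710` and `@@ -728` hunks) match only `-s ${NAT_RULE[2]}`, which is the internal-to-external half of a flow. Reply packets traverse FORWARD with the external peer as their source, so they no longer hit a conntrack accept unless some FORWARD rule outside this diff covers them — worth checking against the rest of the script before relying on the NAT-side rules alone. If the intent is to scope forwarding to the NAT'd networks, the stateful baseline can stay here and the per-network rules handle the NEW state instead: keep `$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT` in this block and change the three added lines to `$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -s ${NAT_RULE[2]} -j ACCEPT`. The `if [ "$CONNTRACK" ]` block opens in this hunk and its closing `fi` lies outside it.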
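Review bot: The FORWARD accept added in the `SNAT)` arm keys only on `-s ${NAT_RULE[2]}`, while the ICMP rules a few lines below in the same arm bind that source network to its interface with `-i ${NAT_RULE[1]} -s ${NAT_RULE[2]}`; without the interface match, a packet arriving on any other interface with a source address inside the NAT'd range is accepted as long as conntrack classes it RELATED or ESTABLISHED. Adding the interface match keeps the new rule consistent with the rest of the arm and preserves the script's existing source/interface pairing: `$IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j ACCEPT`. The same applies to the identical lines added in the `MASQ)` and `NETMAP)` arms (the `@@ -710` and `@@ -728` hunks). The `case` arm continues past the end of this hunk.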
@@ -694,12 +696,6 @@ if [ $NAT ]; then
 -s ${NAT_RULE[2]} -j ACCEPT
 INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
 fi
- # This code seems pointless, anyone else have an opinion?
- #if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}:${NAT_RULE[4]}" ]]; then
- # $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
- # $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
- # OUTIF_EXISTS="${OUTIF_EXISTS} ${NAT_RULE[3]}:${NAT_RULE[4]}"
- #fi
 if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then
 $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
 -o ${NAT_RULE[3]} -j ACCEPT
@@ -710,6 +706,7 @@ if [ $NAT ]; then
 ;;
 MASQ)
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]}
+ $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -s ${NAT_RULE[2]} -j ACCEPT
 display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}"
 if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
@@ -728,6 +725,7 @@ if [ $NAT ]; then
 ;;
 NETMAP)
 $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
+ $IPTABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -s ${NAT_RULE[2]} -j ACCEPT
 display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
 if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
 $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \