Changeset 8ecd62957f2caca419e633605e4b81d2936660ae

Timestamp:

04/06/09 09:08:31 (3 years ago)

Author:

Neutron Soutmun <neo.neutron@…>

Children:

ae7e7e4f3e3672207f051839f33df6649f41dca1

Parents:

b5e3f15c3ecb424e105dd5a93288c5f134de6816

git-committer:

Neutron Soutmun <neo.neutron@…> (04/06/09 09:08:31)

Message:

Add additional firewall rules to allow clients

2009-04-06 Neutron Soutmun <neo.neutron@…>

• example/firewall.sh.in: Add the additional rules to allow in some situation the connections could not established before the FORWARD rules allow the clients, thus the connections never mark. Just allow them passthrough the rules if the connections do not mark but the clients are in the set (allow them).

Files:

• ChangeLog (modified) (1 diff)
• example/firewall.sh.in (modified) (1 diff)

ChangeLog

@@ +1 @@
+2009-04-06  Neutron Soutmun <neo.neutron@gmail.com>
+
+        * example/firewall.sh.in: Add the additional rules to allow in some situation 
+          the connections could not established before the FORWARD rules allow the 
+          clients, thus the connections never mark.  Just allow them passthrough the 
+          rules if the connections do not mark but the clients are in the set 
+          (allow them).
+
 2009-04-06  Neutron Soutmun <neo.neutron@gmail.com>
 

example/firewall.sh.in

@@ -246 +246 @@
     $DEV_IN_PARAM $DEV_INTERNAL -s $CLIENTS \
     -j $CHAIN_FORWARD
+
+  # In some situation the connections could not established before
+  # the FORWARD rules allow the clients, thus the connections never mark.
+  # Just allow them passthrough the rules if the connections do not mark but
+  # the clients are in the set (allow them).
+  $IPTABLES $action FORWARD -m set --set $SETNAME dst -j $CHAIN_FORWARD_AUTH
+  $IPTABLES $action FORWARD -m set --set $SETNAME src -j $CHAIN_FORWARD_AUTH
+
   $IPTABLES $action FORWARD -m connmark --mark 2/2 \
     $DEV_OUT_PARAM $DEV_INTERNAL -d $CLIENTS \