From 1e5553305203cee8b5b83dab82da16ac7b9f8713 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 8 Jul 2013 15:36:45 +0200
Subject: [PATCH] iptables: Cleanup creating the OVPNBLOCK chain.

This should happen after the CUSTOM* chains.
---
 src/initscripts/init.d/firewall | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 59dbfecf1e..33afbef7f7 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -85,13 +85,10 @@ iptables_init() {
  /sbin/iptables -A INPUT -j CUSTOMINPUT
  /sbin/iptables -N GUARDIAN
  /sbin/iptables -A INPUT -j GUARDIAN
- /sbin/iptables -N OVPNBLOCK
- /sbin/iptables -A FORWARD -j OVPNBLOCK
  /sbin/iptables -A FORWARD -j GUARDIAN
  /sbin/iptables -N CUSTOMFORWARD
  /sbin/iptables -A FORWARD -j CUSTOMFORWARD
  /sbin/iptables -N CUSTOMOUTPUT
- /sbin/iptables -A OUTPUT -j OVPNBLOCK
  /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
  /sbin/iptables -N OUTGOINGFW
  /sbin/iptables -A OUTPUT -j OUTGOINGFW
@@ -102,15 +99,18 @@ iptables_init() {
  /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
  /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT

+ # Block OpenVPN transfer networks
+ /sbin/iptables -N OVPNBLOCK
+ for i in INPUT FORWARD OUTPUT; do
+ /sbin/iptables -A ${i} -j OVPNBLOCK
+ done
+
  # IPTV chains for IGMPPROXY
  /sbin/iptables -N IPTVINPUT
  /sbin/iptables -A INPUT -j IPTVINPUT
  /sbin/iptables -N IPTVFORWARD
  /sbin/iptables -A FORWARD -j IPTVFORWARD

- # Filtering ovpn networks INPUT
- /sbin/iptables -A INPUT -j OVPNBLOCK
-
  # filtering from GUI
  /sbin/iptables -N GUIINPUT
  /sbin/iptables -A INPUT -j GUIINPUT
-- 
2.39.5
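Review bot: In the second hunk (`@@ -102,15 +99,18 @@`) the new loop appends the OVPNBLOCK jump to OUTPUT after `-A OUTPUT -j OUTGOINGFW`, not only after CUSTOMOUTPUT, so a terminating ACCEPT in OUTGOINGFW would let locally generated traffic skip the OpenVPN transfer-network block that used to be evaluated first. The contents of OUTGOINGFW are not visible here, so this may be harmless, but the commit message only motivates ordering after the CUSTOM* chains. If the wider reordering is intended, record it in the new comment, for example `# Block OpenVPN transfer networks (after CUSTOM*; in OUTPUT this is evaluated after OUTGOINGFW)`; otherwise keep the OUTPUT jump ahead of `-A OUTPUT -j OUTGOINGFW`. For INPUT the jump moves ahead of IPTVINPUT, so it is evaluated earlier than before. iptables_init() starts and ends outside both hunks, so rules added between or after them could not be checked.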