From 51ab1de143a9bfcbc15c4d8bf7a6689e44a607b7 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 8 Jul 2013 15:41:15 +0200
Subject: [PATCH] iptables: Create OVPNNAT chain after CUSTOM* chains.

---
 src/initscripts/init.d/firewall | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 1cbca2db85..cc6bebb1db 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -90,11 +90,9 @@ iptables_init() {
 	/sbin/iptables -N OUTGOINGFW
 	/sbin/iptables -A OUTPUT -j OUTGOINGFW
 	/sbin/iptables -t nat -N CUSTOMPREROUTING
-	/sbin/iptables -t nat -N OVPNNAT
 	/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 	/sbin/iptables -t nat -N CUSTOMPOSTROUTING
 	/sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
-	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
 
 	# Guardian (IPS) chains
 	/sbin/iptables -N GUARDIAN
@@ -107,6 +105,10 @@ iptables_init() {
 		/sbin/iptables -A ${i} -j OVPNBLOCK
 	done
 
+	# OpenVPN transfer network translation
+	/sbin/iptables -t nat -N OVPNNAT
+	/sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+
 	# IPTV chains for IGMPPROXY
 	/sbin/iptables -N IPTVINPUT
 	/sbin/iptables -A INPUT -j IPTVINPUT
-- 
2.39.5