# Block OpenVPN transfer networks
iptables -N OVPNBLOCK
iptables -A INPUT -i tun+ -j OVPNBLOCK
- iptables -A OUTPUT -o tun+ -j OVPNBLOCK
iptables -A FORWARD -i tun+ -j OVPNBLOCK
iptables -A FORWARD -o tun+ -j OVPNBLOCK
iptables -A ${i} -j CONNTRACK
done
+ # Allow DHCP
+ iptables -N DHCPINPUT
+ iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+ iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+ iptables -N DHCPOUTPUT
+ iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+ iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+ # Allow DHCP on GREEN
+ iptables -N DHCPGREENINPUT
+ iptables -N DHCPGREENOUTPUT
+ if [ -n "${GREEN_DEV}" ]; then
+ iptables -A INPUT -i "${GREEN_DEV}" -j DHCPGREENINPUT
+ iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+ fi
+
+ # allow DHCP on BLUE to be turned on/off
+ iptables -N DHCPBLUEINPUT
+ iptables -N DHCPBLUEOUTPUT
+ if [ -n "${BLUE_DEV}" ]; then
+ iptables -A INPUT -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+ iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+ fi
+
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
iptables -N IPSECINPUT
iptables -N IPSECFORWARD
# localhost and ethernet.
iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-
- # allow DHCP on BLUE to be turned on/off
- iptables -N DHCPBLUEINPUT
- iptables -A INPUT -j DHCPBLUEINPUT
-
+
# WIRELESS chains
iptables -N WIRELESSINPUT
iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
# DNAT rules
iptables -t nat -N NAT_DESTINATION
iptables -t nat -A PREROUTING -j NAT_DESTINATION
+ iptables -t nat -A OUTPUT -j NAT_DESTINATION
iptables -t mangle -N NAT_DESTINATION
iptables -t mangle -A PREROUTING -j NAT_DESTINATION
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ if [ "$IFACE" != "$GREEN_DEV" ]; then
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ fi
fi
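Review bot: The two `-p tcp` accept rules added to DHCPINPUT and DHCPOUTPUT (`iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT` and its OUTPUT mirror) open TCP 67/68 for no protocol reason, since DHCP (RFC 2131) is carried over UDP only, and a `--sport` match is not a restriction on the sender, who picks its own source port; drop those two lines and keep only the UDP rules. DHCPINPUT and DHCPOUTPUT are created in this hunk but no visible rule jumps to them, so presumably the per-zone chains (DHCPGREEN*/DHCPBLUE*) are populated elsewhere to reach them; if so, a comment such as `# DHCPINPUT/DHCPOUTPUT are reached from the per-zone DHCP chains when DHCP is enabled on that zone` above the chain creation would make the indirection clear. Qualifying the BLUE jump with `-i "${BLUE_DEV}"` (the removed rule was an unqualified `-A INPUT -j DHCPBLUEINPUT`) is the right tightening and is worth keeping consistent for any further zones. The `done` and closing `fi` context lines indicate the enclosing loop and `if` begin outside the hunk.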