firewall: Make sure that only packets that go through the tunnel are passing OVPNBLOCK.

author Michael Tremer <michael.tremer@ipfire.org>

Sat, 1 Mar 2014 15:44:05 +0000 (16:44 +0100)

committer Michael Tremer <michael.tremer@ipfire.org>

Sat, 1 Mar 2014 15:44:05 +0000 (16:44 +0100)
author Michael Tremer <michael.tremer@ipfire.org>
Sat, 1 Mar 2014 15:44:05 +0000 (16:44 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Sat, 1 Mar 2014 15:44:05 +0000 (16:44 +0100)
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall

index de2a04b7d15589ad741c2e36de2ae849db9c48d6..dd678893738ff22b4ecba6ab886910ef01aeb598 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -106,9 +106,10 @@ iptables_init() {
  
         # Block OpenVPN transfer networks
         iptables -N OVPNBLOCK
-       for i in INPUT FORWARD; do
-               iptables -A ${i} -j OVPNBLOCK
-       done
+       iptables -A INPUT   -i tun+ -j OVPNBLOCK
+       iptables -A OUTPUT  -o tun+ -j OVPNBLOCK
+       iptables -A FORWARD -i tun+ -j OVPNBLOCK
+       iptables -A FORWARD -o tun+ -j OVPNBLOCK
  
         # OpenVPN transfer network translation
         iptables -t nat -N OVPNNAT
author	Michael Tremer <michael.tremer@ipfire.org>
	Sat, 1 Mar 2014 15:44:05 +0000 (16:44 +0100)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Sat, 1 Mar 2014 15:44:05 +0000 (16:44 +0100)