iptables -N IPTVFORWARD
iptables -A FORWARD -j IPTVFORWARD
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
iptables -N LOOPBACK
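Review bot: The ICMPINPUT chain is jumped to from INPUT without any interface restriction and the ACCEPT on the echo-request line has no rate limit, so pings are answered from every interface, including the external one, at whatever rate they arrive. The removed GUIINPUT rule behaved the same way, so this is not a regression, but since the commit is deliberately carving the ICMP handling into its own chain it is the natural place to bound it, e.g. `iptables -A ICMPINPUT -p icmp --icmp-type 8 -m limit --limit 10/s -j ACCEPT` (the exact rate is a policy choice). A short comment stating that the chain is intentionally interface-agnostic would also help the next reader, as the other new chains in this change are interface-specific.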
iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
# WIRELESS chains
iptables -N WIRELESSINPUT
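Review bot: Dropping the blanket `--ctstate NEW` accept from GREEN and admitting only tcp/444 in GUIINPUT means every other GREEN-facing service the firewall itself offers now depends on rules that are not in this hunk; I can't see them from here, so please confirm they exist before merging, otherwise this is a functional regression on the internal network rather than just a tightening. The new rule also passes `-i "${GREEN_DEV}"` unconditionally; if GREEN_DEV can be empty in some configurations, iptables is handed `-i ""` and the rule load fails, so a guard such as `if [ -n "${GREEN_DEV}" ]; then` around the GUIINPUT rule would be safer (the removed line had the same exposure, unquoted). Finally, the comment says "web GUI" but nothing ties port 444 to that; `# Always allow accessing the web GUI (tcp/444) from GREEN.` makes the mapping explicit.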
# Outgoing masquerading (don't masqerade IPSEC (mark 50))
iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- if [ "$IFACE" != "$GREEN_DEV" ]; then
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ if [ "$IFACE" = "$GREEN_DEV" ]; then
+ MASQUERADE_GREEN="off"
+ fi
+
+ local NO_MASQ_DEVICES
+
+ if [ "${MASQUERADE_GREEN}" = "off" ]; then
+ NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${GREEN_DEV}"
+ fi
+
+ if [ "${MASQUERADE_BLUE}" = "off" ]; then
+ NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${BLUE_DEV}"
fi
+ if [ "${MASQUERADE_ORANGE}" = "off" ]; then
+ NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${ORANGE_DEV}"
+ fi
+
+ local device
+ for device in ${NO_MASQ_DEVICES}; do
+ iptables -t nat -A REDNAT -i "${device}" -o "${IFACE}" -j RETURN
+ done
+
+ # Masquerade everything else
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
fi
# Reload all rules.
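Review bot: `MASQUERADE_GREEN="off"` on the third new line overwrites what looks like a configuration variable rather than a local copy, so once IFACE equals GREEN_DEV the setting stays "off" for any later code (or later loop iteration, if this runs per interface) that reads it; a local shadow keeps the decision scoped, e.g. `local masq_green="${MASQUERADE_GREEN}"` before the check, `masq_green="off"` inside it, and `if [ "${masq_green}" = "off" ]; then` for the GREEN test. `local NO_MASQ_DEVICES` declares the variable but leaves it unset, and the first append expands `${NO_MASQ_DEVICES}`; if this script ever runs under `set -u` that expansion aborts, so `local NO_MASQ_DEVICES=""` is the safer form. The final MASQUERADE rule still uses unquoted `-o $IFACE` while the RETURN rules in the loop quote `"${IFACE}"`; pick one style, preferably quoted. The `local` declarations show this is inside a function whose start and end lie outside the hunk, and the closing `fi` at the end belongs to an enclosing conditional not visible here.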