iptables: Replace state module by conntrack module.

[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl

diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index f3e1217c1eafd38db64d9e4a0b6b3bb37e6200d1..6a91ddf5725c094da1da3dbb89f75eb476166ba5 100755 (executable)
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -55,7 +55,6 @@ require "${General::swroot}/forward/bin/firewall-lib.pl";
 my $configfwdfw                = "${General::swroot}/forward/config";
 my $configinput            = "${General::swroot}/forward/input";
 my $configoutgoing  = "${General::swroot}/forward/outgoing";
-my $confignat          = "${General::swroot}/forward/nat";
 my $p2pfile                    = "${General::swroot}/forward/p2protocols";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
 my $netsettings                = "${General::swroot}/ethernet/settings";
@@ -74,7 +73,6 @@ my $snat='';
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
 &General::readhasharray($configoutgoing, \%configoutgoingfw);
-&General::readhasharray($confignat, \%confignatfw);
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);
 
@@ -116,25 +114,8 @@ if($param eq 'flush'){
                        &p2pblock;
                        system ("/usr/sbin/firewall-policy"); 
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
-                       $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
-                       $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
-                       if ($defaultNetworks{'BLUE_DEV'}){
-                               $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
-                               $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
-                               #set default rules for BLUE
-                               system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
-                       }
-                       if ($defaultNetworks{'ORANGE_DEV'}){
-                               $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
-                               $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
-                               #set default rules for DMZ
-                               system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
-                               if ($defaultNetworks{'BLUE_DEV'}){
-                                       system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
-                               }
-                       }
                        &p2pblock;
-                       system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+                       system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
                        system ("/usr/sbin/firewall-policy");
                        system ("/etc/sysconfig/firewall.local reload");
                }
@@ -159,9 +140,6 @@ sub preparerules
        if (! -z  "${General::swroot}/forward/outgoing"){
                &buildrules(\%configoutgoingfw);
        }
-       if (! -z  "${General::swroot}/forward/nat"){
-               &buildrules(\%confignatfw);
-       }
 }
 sub buildrules
 {