strongswan: rootfile update.

[people/teissler/ipfire-2.x.git] / src / initscripts / init.d / firewall

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index a67af7056486ad4e93db4786100d0a83ea80d100..f0d9c492adc9bff9844fc41bc6968d82532a92c4 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -107,7 +107,6 @@ iptables_init() {
        # Block OpenVPN transfer networks
        iptables -N OVPNBLOCK
        iptables -A INPUT   -i tun+ -j OVPNBLOCK
-       iptables -A OUTPUT  -o tun+ -j OVPNBLOCK
        iptables -A FORWARD -i tun+ -j OVPNBLOCK
        iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
@@ -196,6 +195,7 @@ iptables_init() {
        # DNAT rules
        iptables -t nat -N NAT_DESTINATION
        iptables -t nat -A PREROUTING -j NAT_DESTINATION
+       iptables -t nat -A OUTPUT -j NAT_DESTINATION
 
        iptables -t mangle -N NAT_DESTINATION
        iptables -t mangle -A PREROUTING -j NAT_DESTINATION
@@ -311,7 +311,10 @@ iptables_red() {
 
                # Outgoing masquerading (don't masqerade IPSEC (mark 50))
                iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
-               iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+               if [ "$IFACE" != "$GREEN_DEV" ]; then
+                       iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+               fi
 
        fi