From: Arne Fitzenreiter
Date: Sat, 5 Apr 2014 09:04:25 +0000 (+0200)
Subject: firewall: fix green only mode.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=c926c6375d11cca11b24dee3b538da8ae6aaa1f2

firewall: fix green only mode.

disable masquerade and green IP/NET check if internet is connected via green.
---
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 2176d6b9e..16e98a5d4 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -110,8 +110,15 @@ case "${POLICY}" in
 ;;
 *)
+ # Access from GREEN is granted to everywhere
- iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+ # internet via green
+ # don't check source IP/NET if IFACE is GREEN
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+ else
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ fi
 # Grant access for IPsec VPN connections
 iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index a67af7056..246be37b9 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -311,7 +311,10 @@ iptables_red() {
 # Outgoing masquerading (don't masqerade IPSEC (mark 50))
 iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ if [ "$IFACE" != "$GREEN_DEV" ]; then
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ fi
 fi
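Review bot: The new `if` branch in firewall-policy appends `iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT` with no source match, so once GREEN is the uplink the POLICYFWD chain forwards traffic from any source that arrives on that interface, including from the Internet; the condition only tests `"${IFACE}" = "${GREEN_DEV}"`, not whether any other zone or forwarding target exists. If the invariant is that green-only mode has no other zone to forward into, it should be stated where the rule is added, e.g. `# No -s check here: GREEN is the uplink, and in green-only mode there is no other zone this chain can forward into`; if that invariant cannot be guaranteed by this script, the branch should keep a source restriction or be gated on the absence of other zones. The enclosing `case "${POLICY}" in` block starts before the hunk.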