From ddff7f834582f1f191734152c354e370720d1254 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 10 May 2017 00:22:13 +0200
Subject: [PATCH] Fix rules for 'allow_ext_net_to_local_service'
---
 ip6t-firewall-gateway | 5 +++++
 ipt-firewall-gateway | 4 ++++
 2 files changed, 9 insertions(+)
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index d33dfaf..9c2ed26 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -839,6 +839,11 @@ if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
 for _val in "${allow_ext_net_to_local_service_arr[@]}" ; do
 IFS=',' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
+
+ if containsElement "${_val_arr[1]}" "${gateway_ipv6_address_arr[@]}" ; then
+ $ip6t -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
 $ip6t -A FORWARD -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
 done
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index f009171..566f541 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -1220,6 +1220,10 @@ if [[ ${#allow_ext_net_to_local_service_arr[@]} -gt 0 ]] \
 IFS=':' read -a _val_arr <<< "${_val}"
 for _dev in ${ext_if_arr[@]} ; do
+ if containsElement "${_val_arr[1]}" "${gateway_ipv4_address_arr[@]}" ; then
+ $ipt -A INPUT -i $_dev -p ${_val_arr[3]} -s ${_val_arr[0]} -d ${_val_arr[1]} --dport ${_val_arr[2]} -m conntrack --ctstate NEW -j ACCEPT
+ fi
+
 # - Traffic recieved on natted interfaces will be ommitted!
 # -
 if containsElement "$_dev" "${nat_device_arr[@]}" ; then
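Review bot: The added INPUT rule in ip6t-firewall-gateway passes `$_dev` and every `_val_arr` field unquoted, so an empty or missing field in an `allow_ext_net_to_local_service` entry drops that argument and shifts the rest of the ip6tables command line, producing a confusing option error (or, for a field with whitespace or glob characters, a rule other than the one intended) rather than a clear rejection of the entry; the copy added to ipt-firewall-gateway has the same shape. Quoting the expansions, `$ip6t -A INPUT -i "$_dev" -p "${_val_arr[3]}" -s "${_val_arr[0]}" -d "${_val_arr[1]}" --dport "${_val_arr[2]}" -m conntrack --ctstate NEW -j ACCEPT`, keeps argument positions fixed, and a guard such as `[[ ${#_val_arr[@]} -eq 4 ]] || continue` after the `read` would reject malformed entries before any rule is built (whether a failed ip6tables call already aborts the script depends on shell options not visible here). `containsElement` appears to be a textual comparison, so a destination spelled differently from the entry in `gateway_ipv6_address_arr` (case, zero compression, a prefix-length suffix) would presumably get only the FORWARD rule and leave the local service unreachable; a comment such as `# textual match: write the destination exactly as it appears in gateway_ipv6_address_arr` would make that visible to whoever edits the config. A short why-comment above the new `if`, `# destination is one of the gateway's own addresses: the service is local, so the packet reaches INPUT, not FORWARD`, would also record what this fix is for. The enclosing `for _val`/`for _dev` loops open before the hunk and the outer loop closes after it.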