From df0333611850c18b939666e87fc23d251b310ff7 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 20 Mar 2017 04:41:27 +0100
Subject: [PATCH] Fix printer rules (if allow_printing_between_local_nets=true)
---
 ip6t-firewall-gateway | 18 ++++++++++++++++++
 ipt-firewall-gateway | 18 ++++++++++++++++++
 2 files changed, 36 insertions(+)
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index e4bd82b..d6bccbc 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -2335,6 +2335,12 @@ if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $al
 fi
 $ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT
 done
+
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
@@ -2356,6 +2362,12 @@ if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $al
 fi
 $ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
 done
+
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
@@ -2377,6 +2389,12 @@ if $kernel_forward_between_interfaces && ! $permit_between_local_networks && $al
 fi
 $ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
 done
+
+ if $local_alias_interfaces ; then
+ $ip6t -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
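Review bot: The two rules added under `if $local_alias_interfaces` in this first hunk match only on `-o $_local_dev_1`, one port and the ACK bit, with no `-i` and no conntrack state, so any forwarded TCP segment with ACK set is accepted whatever interface it arrived on, unless an earlier FORWARD rule outside this hunk already drops it. The `--sport $standard_cups_port` rule is the wider of the two, because the sender chooses its source port and the rule places no limit on the destination port behind `$_local_dev_1`. If the stateless match exists because aliased networks share one device (inferred from the variable name, not shown here), bind it to that device, e.g. `$ip6t -A FORWARD -i $_local_dev_1 -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT`, or to the local prefixes. The same applies to the `$standard_print_port` and `$standard_print_raw_port` hunks in this file and to all three hunks in ipt-firewall-gateway; the enclosing loops begin outside the hunks.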
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 37404fe..5a4de3d 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -2756,6 +2756,12 @@ if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_pri
 fi
 $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_cups_port -m conntrack --ctstate NEW -j ACCEPT
 done
+
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_cups_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
@@ -2777,6 +2783,12 @@ if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_pri
 fi
 $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_port -m conntrack --ctstate NEW -j ACCEPT
 done
+
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
@@ -2798,6 +2810,12 @@ if $kernel_activate_forwarding && ! $permit_between_local_networks && $allow_pri
 fi
 $ipt -A FORWARD -i $_local_dev_1 -o $_local_dev_2 -p tcp --dport $standard_print_raw_port -m conntrack --ctstate NEW -j ACCEPT
 done
+
+ if $local_alias_interfaces ; then
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --dport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -o $_local_dev_1 -p tcp --sport $standard_print_raw_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
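Review bot: The added rules spell the match option `--tcp-flag`, while iptables documents it as `--tcp-flags`; the short form presumably works only through long-option prefix matching, so writing `--tcp-flags ACK ACK` here and in the other five hunks removes that dependency. The block also has no comment saying why these rules skip conntrack when the rule just above them uses `-m conntrack --ctstate NEW`. A line above the `if`, such as `# alias interfaces: both networks share one device, so print traffic is accepted statelessly on the ACK bit`, would record the intent; the reason is inferred from the variable name and commit title, so the author should confirm the wording.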