Index: classes.d/external =================================================================== --- classes.d/external (revision 33) +++ classes.d/external (working copy) @@ -9,27 +9,32 @@ # People we allow to talk to us policy in martians -policy in ACCEPT --protocol 41 # allow IPv6 on IPv4 +if [ "$FW_PROTOCOL" -eq "4" ]; then + policy in ACCEPT --protocol 41 # allow IPv6 on IPv4 +fi policy in ACCEPT --protocol tcp --destination-port ssh policy in tcp-strict policy in udp-strict policy in icmp-trust policy in multicast-trust -# Masquerade any traffic leaving onto the IP of this interface -policy postrouting-out MASQUERADE -# If you want to restrict external access further you can add an extra -# option such as '--source 10.1.1.0/24' (no quotes) to the above command -# Advanced Configuration Examples +if [ "$FW_PROTOCOL" -eq "4" ]; then + # Masquerade any traffic leaving onto the IP of this interface + policy postrouting-out MASQUERADE + # If you want to restrict external access further you can add an extra + # option such as '--source 10.1.1.0/24' (no quotes) to the above command -# Portforward external port 1234 to 1.2.3.4:5678 -#policy prerouting-in DNAT --protocol tcp --dport 1234 --to 1.2.3.4:5678 + # Advanced Configuration Examples -# Having issues with stupid people breaking path MTU? -# policy out TCPMSS --protocol tcp --set-mss 576 --tcp-flags SYN,RST SYN \ -# --destination 1.2.3.4 + # Portforward external port 1234 to 1.2.3.4:5678 + #policy prerouting-in DNAT --protocol tcp --dport 1234 --to 1.2.3.4:5678 + # Having issues with stupid people breaking path MTU? + # policy out TCPMSS --protocol tcp --set-mss 576 --tcp-flags SYN,RST SYN \ + # --destination 1.2.3.4 +fi + # Allow any traffic generated on this machine out to the Internet policy out ACCEPT @@ -41,11 +46,16 @@ policy forward-in ACCEPT policy forward-out ACCEPT -if_feature rp_filter 1 # Enable Reverse Router Filtering +# Common if attributes if_feature accept_redirects 0 # Accept Redirects if_feature accept_source_route 0 # Accept Source Routes -if_feature bootp_relay 0 # Dont forward bootp requests -if_feature forwarding 1 # forward packets arriving on this interface -if_feature log_martians 0 # log martians? -if_feature send_redirects 1 # Send redirects? - +if_feature forwarding 1 # forwarding +# v4 if attributes +if_feature rp_filter 1 4 # Enable Reverse Router Filtering +if_feature bootp_relay 0 4 # Dont forward bootp requests +if_feature log_martians 0 4 # log martians? +if_feature send_redirects 1 4 # Send redirects? +# v6 if attributes +if_feature accept_ra 0 6 # Accept router advertisements? +if_feature autoconf 0 6 # Autoconfigure addresses? +if_feature use_tempaddr 0 6 # Generate temporary (privacy) addresses? Index: classes.d/vpn =================================================================== --- classes.d/vpn (revision 33) +++ classes.d/vpn (working copy) @@ -8,16 +8,23 @@ policy out ACCEPT -policy forward-in ACCEPT --destination 10.1.0.0/16 +if [ "$FW_PROTOCOL" -eq "4" ]; then + policy forward-in ACCEPT --destination 10.1.0.0/16 +fi polite_deny forward-in policy forward-out ACCEPT -if_feature rp_filter 0 # Disable Reverse Router Filtering +# Common if attributes if_feature accept_redirects 0 # Accept Redirects if_feature accept_source_route 0 # Accept Source Routes -if_feature bootp_relay 0 # Dont forward bootp requests if_feature forwarding 1 # forwarding -if_feature log_martians 0 # log martians? -if_feature send_redirects 1 # Send redirects? - +# v4 if attributes +if_feature rp_filter 0 4 # Enable Reverse Router Filtering +if_feature bootp_relay 0 4 # Dont forward bootp requests +if_feature log_martians 0 4 # log martians? +if_feature send_redirects 1 4 # Send redirects? +# v6 if attributes +if_feature accept_ra 0 6 # Accept router advertisements? +if_feature autoconf 0 6 # Autoconfigure addresses? +if_feature use_tempaddr 0 6 # Generate temporary (privacy) addresses? Index: classes.d/loopback =================================================================== --- classes.d/loopback (revision 33) +++ classes.d/loopback (working copy) @@ -11,11 +11,16 @@ polite_reject forward-in polite_reject forward-out -if_feature rp_filter 1 # Enable Reverse Router Filtering +# Common if attributes if_feature accept_redirects 0 # Accept Redirects if_feature accept_source_route 0 # Accept Source Routes -if_feature bootp_relay 0 # Dont forward bootp requests if_feature forwarding 0 # forwarding -if_feature log_martians 0 # log martians? -if_feature send_redirects 0 # Send redirects? - +# v4 if attributes +if_feature rp_filter 1 4 # Enable Reverse Router Filtering +if_feature bootp_relay 0 4 # Dont forward bootp requests +if_feature log_martians 0 4 # log martians? +if_feature send_redirects 0 4 # Send redirects? +# v6 if attributes +if_feature accept_ra 0 6 # Accept router advertisements? +if_feature autoconf 0 6 # Autoconfigure addresses? +if_feature use_tempaddr 0 6 # Generate temporary (privacy) addresses? Index: classes.d/internal =================================================================== --- classes.d/internal (revision 33) +++ classes.d/internal (working copy) @@ -12,11 +12,17 @@ policy forward-in ACCEPT policy forward-out ACCEPT -if_feature rp_filter 1 # Enable Reverse Router Filtering + +# Common if attributes if_feature accept_redirects 1 # Accept Redirects if_feature accept_source_route 1 # Accept Source Routes -if_feature bootp_relay 0 # Dont forward bootp requests -if_feature forwarding 1 # forward packets arriving at this interface -if_feature log_martians 0 # log martians? -if_feature send_redirects 1 # Send redirects? - +if_feature forwarding 1 # forwarding +# v4 if attributes +if_feature rp_filter 1 4 # Enable Reverse Router Filtering +if_feature bootp_relay 0 4 # Dont forward bootp requests +if_feature log_martians 0 4 # log martians? +if_feature send_redirects 1 4 # Send redirects? +# v6 if attributes +if_feature accept_ra 0 6 # Accept router advertisements? +if_feature autoconf 0 6 # Autoconfigure addresses? +if_feature use_tempaddr 0 6 # Generate temporary (privacy) addresses? Index: ruleset.d/paranoia.rule =================================================================== --- ruleset.d/paranoia.rule (revision 33) +++ ruleset.d/paranoia.rule (working copy) @@ -11,7 +11,11 @@ . support/ruleset.functions # Allow connections to localhost -$IPTABLES --append $RULE --destination 127.0.0.0/8 --jump ACCEPT +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE --destination 127.0.0.0/8 --jump ACCEPT +else + $IPTABLES --append $RULE --destination ::1/128 --jump ACCEPT +fi # Allow related $IPTABLES --append $RULE -m state --state ESTABLISHED,RELATED --jump ACCEPT Index: ruleset.d/multicast-strict.rule =================================================================== --- ruleset.d/multicast-strict.rule (revision 33) +++ ruleset.d/multicast-strict.rule (working copy) @@ -8,13 +8,19 @@ . support/ruleset.functions # Ignore non Multicast -$IPTABLES --append $RULE --destination 224.0.0.0/4 --jump RETURN +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE \! --destination 224.0.0.0/4 --jump RETURN +else + $IPTABLES --append $RULE \! --destination ff::/8 --jump RETURN +fi # TCP over Multicast doesn't work polite_drop $RULE --protocol tcp -# Allow multicast routing protocol. -$IPTABLES --append $RULE --destination 224.0.0.1 --protocol 2 --jump ACCEPT +if [ "$FW_PROTOCOL" -eq "4" ]; then + # Allow multicast routing protocol. + $IPTABLES --append $RULE --destination 224.0.0.1 --protocol 2 --jump ACCEPT +fi # Drop everything else. polite_drop $RULE Index: ruleset.d/tcp-strict.rule =================================================================== --- ruleset.d/tcp-strict.rule (revision 33) +++ ruleset.d/tcp-strict.rule (working copy) @@ -6,7 +6,7 @@ . support/ruleset.functions # Ignore non TCP -$IPTABLES --append $RULE --protocol \! tcp --jump RETURN +$IPTABLES --append $RULE \! --protocol tcp --jump RETURN # Accept any packets that were created by us $IPTABLES --append $RULE -m state --state ESTABLISHED,RELATED --jump ACCEPT Index: ruleset.d/icmp-strict.rule =================================================================== --- ruleset.d/icmp-strict.rule (revision 33) +++ ruleset.d/icmp-strict.rule (working copy) @@ -6,7 +6,11 @@ . support/ruleset.functions # Ignore non ICMP -$IPTABLES --append $RULE --protocol \! icmp --jump RETURN +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE \! --protocol icmp --jump RETURN +else + $IPTABLES --append $RULE \! --protocol ipv6-icmp --jump RETURN +fi # Accept any packets that were created by us $IPTABLES --append $RULE -m state --state ESTABLISHED,RELATED --jump ACCEPT Index: ruleset.d/martians.rule =================================================================== --- ruleset.d/martians.rule (revision 33) +++ ruleset.d/martians.rule (working copy) @@ -5,6 +5,8 @@ . support/ruleset.functions -for i in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do - polite_drop $RULE --source $i -done +if [ "$FW_PROTOCOL" -eq "4" ]; then + for i in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do + polite_drop $RULE --source $i + done +fi Index: ruleset.d/udp-strict.rule =================================================================== --- ruleset.d/udp-strict.rule (revision 33) +++ ruleset.d/udp-strict.rule (working copy) @@ -6,7 +6,7 @@ . support/ruleset.functions # Ignore non UDP -$IPTABLES --append $RULE --protocol \! udp --jump RETURN +$IPTABLES --append $RULE \! --protocol udp --jump RETURN # Accept any packet to the dynamically assigned port range $IPTABLES --append $RULE \ Index: ruleset.d/multicast-trust.rule =================================================================== --- ruleset.d/multicast-trust.rule (revision 33) +++ ruleset.d/multicast-trust.rule (working copy) @@ -8,17 +8,33 @@ . support/ruleset.functions # Ignore non Multicast -$IPTABLES --append $RULE --destination \! 224.0.0.0/4 --jump RETURN +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE \! --destination 224.0.0.0/4 --jump RETURN +else + $IPTABLES --append $RULE \! --destination ff::/8 --jump RETURN +fi # TCP over Multicast doesn't work polite_drop $RULE --protocol tcp # Allow multicast routing protocol. -$IPTABLES --append $RULE --destination 224.0.0.1 --protocol 2 --jump ACCEPT +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE --destination 224.0.0.1 --protocol 2 \ + --jump ACCEPT +fi # Allow OSPF routing updates -$IPTABLES --append $RULE --destination 224.0.0.5 --protocol 89 --jump ACCEPT -$IPTABLES --append $RULE --destination 224.0.0.6 --protocol 89 --jump ACCEPT +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE --destination 224.0.0.5 --protocol 89 \ + --jump ACCEPT + $IPTABLES --append $RULE --destination 224.0.0.6 --protocol 89 \ + --jump ACCEPT +else + $IPTABLES --append $RULE --destination ff02::5 --protocol 89 \ + --jump ACCEPT + $IPTABLES --append $RULE --destination ff02::6 --protocol 89 \ + --jump ACCEPT +fi # Drop everything else. polite_drop $RULE Index: ruleset.d/tcp-trust.rule =================================================================== --- ruleset.d/tcp-trust.rule (revision 33) +++ ruleset.d/tcp-trust.rule (working copy) @@ -18,7 +18,7 @@ . support/ruleset.functions -$IPTABLES --append $RULE --protocol \! tcp --jump RETURN +$IPTABLES --append $RULE \! --protocol tcp --jump RETURN # Reject the rest. polite_reject $RULE --protocol udp \ Index: ruleset.d/icmp-trust.rule =================================================================== --- ruleset.d/icmp-trust.rule (revision 33) +++ ruleset.d/icmp-trust.rule (working copy) @@ -6,7 +6,11 @@ . support/ruleset.functions # Ignore non ICMP -$IPTABLES --append $RULE --protocol \! icmp --jump RETURN +if [ "$FW_PROTOCOL" -eq "4" ]; then + $IPTABLES --append $RULE \! --protocol icmp --jump RETURN +else + $IPTABLES --append $RULE \! --protocol ipv6-icmp --jump RETURN +fi $IPTABLES --append $RULE --jump ACCEPT Index: ruleset.d/udp-trust.rule =================================================================== --- ruleset.d/udp-trust.rule (revision 33) +++ ruleset.d/udp-trust.rule (working copy) @@ -20,7 +20,7 @@ . support/ruleset.functions -$IPTABLES --append $RULE --protocol \! udp --jump RETURN +$IPTABLES --append $RULE \! --protocol udp --jump RETURN # Disallow polite_reject $RULE --protocol udp \ Index: src/firewall.in =================================================================== --- src/firewall.in (revision 33) +++ src/firewall.in (working copy) @@ -1,7 +1,7 @@ #!/bin/bash -BASEDIR=@BASEDIR@ -CONFDIR=@CONFDIR@ +BASEDIR=/home/matt/src/linuxserver-firewall +CONFDIR=/home/matt/src/linuxserver-firewall # Don't change these directly, they are filled in by make release # when a new release is built. @@ -62,92 +62,22 @@ fi # Check iptables is available and loaded - -if [ ! -f /proc/net/ip_tables_names ]; then - modprobe -q ip_tables -fi - -if [ ! -f /proc/net/ip_tables_names ]; then +AVAILABLE_IPTABLES="" +check_iptables 4 +check_iptables 6 +if [ -z "${AVAILABLE_IPTABLES}" ]; then echo No iptables in kernel? exit fi +status "Loading ${AVAILABLE_IPTABLES}" -# Now we can start building the firewall ! +if echo "${AVAILABLE_IPTABLES}" | grep -q "ip_tables"; then + load_protocol_rules 4 +fi +if echo "${AVAILABLE_IPTABLES}" | grep -q "ip6_tables"; then + load_protocol_rules 6 +fi -flush_rules -init_rules - -# Set up some reasonable default policies. These rules should never be -# met, as a logging rule above them should be used. -iptables_with_table --policy INPUT DROP -iptables_with_table --policy OUTPUT DROP -iptables_with_table --policy FORWARD DROP - -new_chain fw-in -new_chain fw-out -new_chain fw-forward -new_chain fw-prerouting-in -new_chain fw-postrouting-out -new_chain fw-forward-out - -new_chain mangle-in -new_chain mangle-out -new_chain mangle-fw-in -new_chain mangle-fw-out -new_chain mangle-pre-in -new_chain mangle-post-out - -iptables_with_table --append INPUT --jump fw-in -iptables_with_table --append OUTPUT --jump fw-out -iptables_with_table --append FORWARD --jump fw-forward -iptables_with_table --append PREROUTING --jump fw-prerouting-in -iptables_with_table --append POSTROUTING --jump fw-postrouting-out - -iptables_with_table --jump mangle-in --append INPUT -iptables_with_table --jump mangle-out --append OUTPUT -iptables_with_table --jump mangle-fw-in --append FORWARD -iptables_with_table --jump mangle-fw-out --append mangle-fw-in -iptables_with_table --jump mangle-pre-in --append PREROUTING -iptables_with_table --jump mangle-post-out --append POSTROUTING - -# This is used to add things to individual hosts. Some hosts may be allowed -# to connect to certain ports, or, alternatively, may not be allowed to. -status Configuring host overrides -for hosts in $CONFDIR/hosts.d/*.host; do - if [ $hosts == "$CONFDIR/hosts.d/*.host" ]; then - continue - fi - substatus $hosts - . $hosts -done - -# Read in the util functions that interface scripts will use -. support/firewall.functions - -# This is the meat of the script. -# For each interface (defined in the $CONFDIR/interfaces.d directory) -# Create some chains, "if-in", "if-out", "if-forward-in", "if-forward-out" -# "if-postrouting-out" -# Then source the file in that directory. -# most of your rules will be defined in these files -status Configuring interfaces -for intf in $CONFDIR/interfaces.d/*.if; do - if=$(basename $intf| sed s/\.if$//) - - export ONBOOT=1 - load_interface_rules $if -done - -# Now, at the end of each rule write something to log that the packet reached -# the end. These packets shouldn't really get here, you really should handle -# all packets in the directories. -for i in INPUT OUTPUT FORWARD; do - $IPTABLES --append $i \ - -m limit --limit 5/s \ - --jump LOG \ - --log-prefix "FW/End of ${i} -- see FAQ:" -done - status Loading connection tracking helper modules for i in /lib/modules/`uname -r`/kernel/net/{,ipv4/}netfilter/{nf,ip}_conntrack_*.$EXT; do if [ -f $i ] ; then Index: ChangeLog =================================================================== --- ChangeLog (revision 33) +++ ChangeLog (working copy) @@ -1,3 +1,7 @@ +2010-03-19: Matt Brown + +* Added basic IPv6 support. + 2006-12-11: Perry Lorier * Add mangle-{pre,post,fw}-* support. Index: support/common.functions =================================================================== --- support/common.functions (revision 33) +++ support/common.functions (working copy) @@ -1,4 +1,5 @@ -export IPTABLES=${IPTABLES:-/sbin/iptables} +export IP4TABLES=${IPTABLES:-/sbin/iptables} +export IP6TABLES=${IP6TABLES:-/sbin/ip6tables} function polite_target() { local RULE Index: support/firewall.functions =================================================================== --- support/firewall.functions (revision 33) +++ support/firewall.functions (working copy) @@ -1,14 +1,26 @@ # This function sets or clears a feature for an interface # # usage: -# if_feature featurename value +# if_feature featurename value [protocol] # eg: # if_feature ip_forwarding 1 +# if_feature rp_filter 1 4 +# if_feature accept_dad 1 6 +# if protocol is specified the feature is only set if the current protocol +# matches the third argument. function if_feature() { + local protocol + protocol=${3} + if [ -z "${protocol}" ]; then + protocol=$FW_PROTOCOL + fi + if [ $protocol -ne $FW_PROTOCOL ]; then + return + fi if [ -z "${if}" ]; then - echo $2 >/proc/sys/net/ipv4/conf/all/$1 + echo $2 >/proc/sys/net/ipv${protocol}/conf/all/$1 else - echo $2 >/proc/sys/net/ipv4/conf/${if}/$1 + echo $2 >/proc/sys/net/ipv${protocol}/conf/${if}/$1 fi } @@ -182,12 +194,127 @@ # Flush *ALL* rules in all chains in all tables. function flush_rules() { - cat /proc/net/ip_tables_names | while read table; do + local name + if [ "$FW_PROTOCOL" == "6" ]; then + name="ip6_tables" + else + name="ip_tables" + fi + cat /proc/net/${name}_names | while read table; do $IPTABLES -t $table --flush $IPTABLES -t $table --delete-chain done } +function check_iptables() { + local version name + version=$1 + + if [ "$version" == "6" ]; then + name="ip6_tables" + else + name="ip_tables" + fi + + if [ ! -f /proc/net/${name}_names ]; then + modprobe -q ${name} + fi + + if [ -f /proc/net/${name}_names ]; then + AVAILABLE_IPTABLES="${name} ${AVAILABLE_IPTABLES}" + fi +} + +# Initialise and load all rules for a specified protocol +function load_protocol_rules() { + FW_PROTOCOL=$1 + export FW_PROTOCOL + if [ "$FW_PROTOCOL" == "6" ]; then + export IPTABLES=${IP6TABLES} + else + export IPTABLES=${IP4TABLES} + fi + status "Loading rules for IPv${FW_PROTOCOL}" + + flush_rules + init_rules + + # Set up some reasonable default policies. These rules should never be + # met, as a logging rule above them should be used. + iptables_with_table --policy INPUT DROP + iptables_with_table --policy OUTPUT DROP + iptables_with_table --policy FORWARD DROP + + # Basic input/output/forwarding chains. + new_chain fw-in + new_chain fw-out + new_chain fw-forward + new_chain fw-forward-out + iptables_with_table --append INPUT --jump fw-in + iptables_with_table --append OUTPUT --jump fw-out + iptables_with_table --append FORWARD --jump fw-forward + + # NAT chains (v4 only) + if [ "$FW_PROTOCOL" == "4" ]; then + new_chain fw-prerouting-in + new_chain fw-postrouting-out + iptables_with_table --append PREROUTING --jump fw-prerouting-in + iptables_with_table --append POSTROUTING --jump fw-postrouting-out + fi + + # MANGLE chains (v4 only) + if [ "$FW_PROTOCOL" == "4" ]; then + new_chain mangle-in + new_chain mangle-out + new_chain mangle-fw-in + new_chain mangle-fw-out + new_chain mangle-pre-in + new_chain mangle-post-out + + iptables_with_table --jump mangle-in --append INPUT + iptables_with_table --jump mangle-out --append OUTPUT + iptables_with_table --jump mangle-fw-in --append FORWARD + iptables_with_table --jump mangle-fw-out --append mangle-fw-in + iptables_with_table --jump mangle-pre-in --append PREROUTING + iptables_with_table --jump mangle-post-out --append POSTROUTING + fi + + # This is used to add things to individual hosts. Some hosts may be allowed + # to connect to certain ports, or, alternatively, may not be allowed to. + status Configuring host overrides + for hosts in $CONFDIR/hosts.d/*.host; do + if [ $hosts == "$CONFDIR/hosts.d/*.host" ]; then + continue + fi + substatus $hosts + . $hosts + done + + # This is the meat of the script. + # For each interface (defined in the $CONFDIR/interfaces.d directory) + # Create some chains, "if-in", "if-out", "if-forward-in", "if-forward-out" + # "if-postrouting-out" + # Then source the file in that directory. + # most of your rules will be defined in these files + status Configuring interfaces + for intf in $CONFDIR/interfaces.d/*.if; do + if=$(basename $intf| sed s/\.if$//) + + export ONBOOT=1 + load_interface_rules $if + done + + # Now, at the end of each rule write something to log that the packet reached + # the end. These packets shouldn't really get here, you really should handle + # all packets in the directories. + for i in INPUT OUTPUT FORWARD; do + $IPTABLES --append $i \ + -m limit --limit 5/s \ + --jump LOG \ + --log-prefix "FW/End of ${i} -- see FAQ:" + done +} + function load_interface_rules() { if=$1 shift @@ -204,18 +331,10 @@ iptables_with_table --append fw-in --in-interface ${if} \ --jump ${if}-in - new_chain ${if}-mangle-in - iptables_with_table --append mangle-in --in-interface ${if} \ - --jump ${if}-mangle-in - new_chain ${if}-out iptables_with_table --append fw-out --out-interface ${if} \ --jump ${if}-out - new_chain ${if}-mangle-out - iptables_with_table --append mangle-out --out-interface ${if} \ - --jump ${if}-mangle-out - new_chain ${if}-forward-in iptables_with_table --append fw-forward --in-interface ${if} \ --jump ${if}-forward-in @@ -224,34 +343,45 @@ iptables_with_table --append fw-forward-out --out-interface ${if} \ --jump ${if}-forward-out - # We "insert" here because it doesn't matter which order the - # rules are in mangle-fw-out (they only match on in-interface). - # We need to "insert" and not "append" because the last rule in - # this table is a catchall that sends it to mangle-fw-out - new_chain ${if}-mangle-fw-in - iptables_with_table --insert mangle-fw-in --in-interface ${if} \ - --jump ${if}-mangle-fw-in + # Nat and mangle chains (v4 only) + if [ "$FW_PROTOCOL" == "4" ]; then + new_chain ${if}-mangle-in + iptables_with_table --append mangle-in --in-interface ${if} \ + --jump ${if}-mangle-in - new_chain ${if}-mangle-fw-out - iptables_with_table --insert mangle-fw-out --out-interface ${if} \ - --jump ${if}-mangle-fw-out + new_chain ${if}-mangle-out + iptables_with_table --append mangle-out --out-interface ${if} \ + --jump ${if}-mangle-out - new_chain ${if}-mangle-pre-in - iptables_with_table --insert mangle-pre-in --in-interface ${if} \ - --jump ${if}-mangle-pre-in + # We "insert" here because it doesn't matter which order the + # rules are in mangle-fw-out (they only match on in-interface). + # We need to "insert" and not "append" because the last rule in + # this table is a catchall that sends it to mangle-fw-out + new_chain ${if}-mangle-fw-in + iptables_with_table --insert mangle-fw-in --in-interface ${if} \ + --jump ${if}-mangle-fw-in - new_chain ${if}-mangle-post-out - iptables_with_table --insert mangle-post-out --out-interface ${if} \ - --jump ${if}-mangle-post-out + new_chain ${if}-mangle-fw-out + iptables_with_table --insert mangle-fw-out --out-interface ${if} \ + --jump ${if}-mangle-fw-out - new_chain ${if}-postrouting-out - iptables_with_table --append fw-postrouting-out --out-interface ${if} \ - --jump ${if}-postrouting-out + new_chain ${if}-mangle-pre-in + iptables_with_table --insert mangle-pre-in --in-interface ${if} \ + --jump ${if}-mangle-pre-in - new_chain ${if}-prerouting-in - iptables_with_table --append fw-prerouting-in --in-interface ${if} \ - --jump ${if}-prerouting-in + new_chain ${if}-mangle-post-out + iptables_with_table --insert mangle-post-out --out-interface ${if} \ + --jump ${if}-mangle-post-out + new_chain ${if}-postrouting-out + iptables_with_table --append fw-postrouting-out --out-interface ${if} \ + --jump ${if}-postrouting-out + + new_chain ${if}-prerouting-in + iptables_with_table --append fw-prerouting-in --in-interface ${if} \ + --jump ${if}-prerouting-in + fi + # Start a new environment . $CONFDIR/interfaces.d/${rulename}.if $*