firewall: fix green only mode.

disable masquerade and green IP/NET check if internet is connected via green.
2026-04-17 06:23:00 +02:00 · 2014-04-05 11:04:25 +02:00
parent fee04791f4
commit c926c6375d
2 changed files with 12 additions and 2 deletions
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -110,8 +110,15 @@ case "${POLICY}" in
 		;;

 	*)
+
 		# Access from GREEN is granted to everywhere
-		iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+		if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+			# internet via green
+			# don't check source IP/NET if IFACE is GREEN
+			iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+		else
+			iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+		fi

 		# Grant access for IPsec VPN connections
 		iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -311,7 +311,10 @@ iptables_red() {

 		# Outgoing masquerading (don't masqerade IPSEC (mark 50))
 		iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
-		iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+		if [ "$IFACE" != "$GREEN_DEV" ]; then
+			iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+		fi

 	fi