#772 IPCop 1.9.9 script rc.firewall

Status: closed
Owner: Olaf Westrik
Labels: None
Priority: 5
Updated: 2014-08-17
Created: 2010-04-02
Creator: Al~dr
Private: No

Script rc.firewall
Subroutine iptables_red

    iptables_red() {
    <...skip...>
        # PPPoE / PPTP Device
        if [ "$IFACE" != "" ]; then
            # PPPoE / PPTP
            if [ "$DEVICE" != "" ]; then
                /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
            fi
            if [ 0$RED_COUNT -gt 0 ]; then
                if [ "$RED_1_TYPE" == "PPTP" -o "$RED_1_TYPE" == "PPPOE" ]; then
                    /sbin/iptables -A REDINPUT -i $RED_1_DEV -j ACCEPT
                fi
            fi
        fi
    <...skip...>
    }

Why does the code above insert two identical rules into the filter table?
The result of the script is

    /sbin/iptables -A REDINPUT -i wan-1 -j ACCEPT
    /sbin/iptables -A REDINPUT -i wan-1 -j ACCEPT

because $DEVICE is "wan-1" and $RED_1_DEV is "wan-1", while $IFACE is "ppp0".

Settings are made for PPTP with DHCP option via ethernet card.
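
To make the duplication concrete, here is an added shell model of the excerpt above; it is not IPCop's own code. It takes the five variables as arguments, echoes the iptables commands instead of running them, and adds a variant that emits an identical command only once. The values IFACE=ppp0, DEVICE=wan-1 and RED_1_DEV=wan-1 come from the ticket; RED_COUNT=1 and RED_1_TYPE=PPTP are assumed from the PPTP setup described.

```shell
#!/bin/sh
# Added example, not IPCop's own code: a model of the iptables_red excerpt.
# The real script reads IFACE, DEVICE, RED_COUNT, RED_1_TYPE and RED_1_DEV from
# its environment; here they are passed as arguments, and the iptables commands
# are echoed instead of executed so this can be run on any machine.

# Arguments: IFACE DEVICE RED_COUNT RED_1_TYPE RED_1_DEV
# Emits exactly the commands the excerpt would run, one per line.
redinput_rules_original() (
    IFACE=$1; DEVICE=$2; RED_COUNT=$3; RED_1_TYPE=$4; RED_1_DEV=$5
    if [ "$IFACE" != "" ]; then
        # First rule: the carrier device (wan-1 in the ticket).
        if [ "$DEVICE" != "" ]; then
            echo "/sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT"
        fi
        # Second rule: the first RED connection's device, which for PPTP and
        # PPPoE is the same carrier device, hence the duplicate.
        if [ 0$RED_COUNT -gt 0 ]; then
            if [ "$RED_1_TYPE" = "PPTP" ] || [ "$RED_1_TYPE" = "PPPOE" ]; then
                echo "/sbin/iptables -A REDINPUT -i $RED_1_DEV -j ACCEPT"
            fi
        fi
    fi
)

# Same decisions, but an identical command is emitted only once, so each
# interface ends up with a single REDINPUT rule.
redinput_rules_dedup() {
    redinput_rules_original "$@" | awk '!seen[$0]++'
}

# Number of commands a generator emits (prints 0 when it emits nothing).
# Usage: count_rules <generator> <its arguments...>
count_rules() {
    "$@" | awk 'END { print NR }'
}

# Ticket values: IFACE=ppp0, DEVICE=wan-1, RED_1_DEV=wan-1.
# RED_COUNT=1 and RED_1_TYPE=PPTP are assumed from the PPTP setup described.
echo "original:";      redinput_rules_original ppp0 wan-1 1 PPTP wan-1
echo "deduplicated:";  redinput_rules_dedup    ppp0 wan-1 1 PPTP wan-1
```

Deduplicating the command text only removes the redundant second rule; it does not answer the separate question raised later in the thread of whether any REDINPUT rule is needed at all for this connection type.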

Discussion

  • Olaf Westrik
    2010-04-02

    • assigned_to: nobody --> owes
     
  • Olaf Westrik
    2010-04-06

    Do you see any packets matching the REDINPUT rule?

        iptables -nvL REDINPUT

    On PPPoE there do not seem to be any matches, so the question is whether that rule is needed at all.

     
  • Al~dr
    2010-04-06

    $RED_1_DEV is always "wan-1". $DEVICE and $IFACE had different values, "wan-1" and "ppp0" respectively, so I decided to replace

        # PPPoE / PPTP
        if [ "$DEVICE" != "" ]; then
            /sbin/iptables -A REDINPUT -i $DEVICE -j ACCEPT
        fi

    by

        /sbin/iptables -A REDINPUT -i $IFACE -j ACCEPT

    so it yields

        # iptables -nvL REDINPUT
        Chain REDINPUT (1 references)
         pkts bytes target prot opt in    out source    destination
          200 21793 ACCEPT all  --  ppp0  *   0.0.0.0/0 0.0.0.0/0
         4197  402K ACCEPT all  --  wan-1 *   0.0.0.0/0 0.0.0.0/0

     
  • Olaf Westrik
    2010-04-06

    Not sure about PPTP, but in the case of PPPoE that modification effectively opens IPCop to the world. Not exactly what you want to do.

    Also, for PPPoE the REDINPUT chain does not look needed. In your case I would first try without any rules in REDINPUT and then determine which one (if any) is required to make things work.
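
The two checks suggested in this thread, looking at the packet counters and spotting a rule that accepts everything arriving on the PPP interface, can be applied to a chain listing mechanically. The following is an added example, not IPCop code: a POSIX shell function that parses `iptables -nvL REDINPUT` output and labels each ACCEPT rule. The name of the PPP interface is passed as an argument (ppp0 here, from the ticket); the sample listing is the one posted above in this thread, and the zero-counter row used in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not part of IPCop: audit an `iptables -nvL REDINPUT` listing.
# Prints one line per ACCEPT rule, "<in-iface> <pkts> <verdict>", where verdict is
#   OPEN-TO-WORLD  accepts all protocols from any source on the PPP interface ($1),
#                  i.e. the externally reachable interface of a PPPoE/PPTP link
#   UNUSED         the rule has matched zero packets (candidate for removal)
#   ok             anything else
# Usage: iptables -nvL REDINPUT | redinput_audit ppp0
redinput_audit() {
    awk -v ppp="$1" '
        NR <= 2 { next }                       # skip "Chain ..." and the column header
        $3 == "ACCEPT" {
            # columns: pkts bytes target prot opt in out source destination
            pkts = $1; iface = $6; proto = $4; src = $8
            verdict = "ok"
            if (iface == ppp && proto == "all" && src == "0.0.0.0/0")
                verdict = "OPEN-TO-WORLD"
            else if (pkts == 0)
                verdict = "UNUSED"
            print iface, pkts, verdict
        }'
}

# Listing quoted from the ticket above, used here as sample input.
REDINPUT_SAMPLE='Chain REDINPUT (1 references)
pkts bytes target prot opt in out source destination
200 21793 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
4197 402K ACCEPT all -- wan-1 * 0.0.0.0/0 0.0.0.0/0'

# Runs the audit over the quoted listing; $1 is the PPP interface name.
redinput_sample_audit() {
    printf '%s\n' "$REDINPUT_SAMPLE" | redinput_audit "$1"
}

redinput_sample_audit ppp0
```

On the listing from the thread this reports `ppp0 200 OPEN-TO-WORLD` and `wan-1 4197 ok`: the rule added on $IFACE is the one that accepts unsolicited traffic from the internet, while the carrier-device rule only sees the PPTP transport. A rule reported as `UNUSED` after normal operation is the one to try removing first, which is the experiment suggested above.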

     
  • Al~dr
    2010-04-07

    I'll try variants.
    Thanks.

     
  • Al~dr
    2010-04-07

    • status: open --> closed