[Packetfence-devel] [Patch] Using custom iptables chains v3

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi all,

The attached patch modifies packetfence v1.6.2 so that it creates and 
writes to custom chains called PF_INPUT, PF_FORWARD, PF_PREROUTING and 
PF_POSTROUTING.

The default chains are left untouched.

This stops packetfence from touching all packets going through the box 
by default, and makes packetfence significantly safer to install on an 
existing box.

To wire in the custom chains on the interfaces of your choice, the 
following rules need to be added to the default chains:

iptables -A INPUT -t filter -j PF_INPUT
iptables -A FORWARD -t filter -j PF_FORWARD
iptables -A PREROUTING -t mangle -j PF_PREROUTING
iptables -A PREROUTING -t nat -j PF_PREROUTING
iptables -A POSTROUTING -t nat -j PF_POSTROUTING

Caveat: Make sure that you shut packetfence down, then delete the file
var/iptables.bak, and flush all your chains using iptables -F before
starting up packetfence again.

Regards,
Graham
--