On 08/11/2021 13:23, Frank Lichtenheld wrote:

Arne Schwabe <a...@rfc2549.org> wrote on 08.11.2021 12:36:

On 07.11.21 at 18:40, Frank Lichtenheld wrote:
From: Adrian <adrian.cre...@protonmail.com>

The man page says:
[!] -s, --source address[/mask][,...]

Signed-off-by: Frank Lichtenheld <fr...@lichtenheld.com>
---
   sample/sample-config-files/firewall.sh | 2 +-
   1 file changed, 1 insertion(+), 1 deletion(-)

As part of an initiative to clean up the GitHub PR submissions, submitting
this patch to the mailing list for inclusion. Looks obviously correct to
me.

diff --git a/sample/sample-config-files/firewall.sh 
b/sample/sample-config-files/firewall.sh
index 19d75ee9..456700ca 100755
--- a/sample/sample-config-files/firewall.sh
+++ b/sample/sample-config-files/firewall.sh
@@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
   iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
-iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
+iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP
# Allow local loopback
   iptables -A INPUT -s $LOOP -j ACCEPT
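Review bot: the commit message cites only the man page line and should also state that current iptables rejects the old `-s ! address` form outright (the shell session quoted in this thread shows `Bad argument `10.0.0.0/8'` for `-s ! 10.0.0.0/8`), so it is clear this fixes a rule that fails to load rather than a cosmetic difference. Both spellings negate only the source match, so the rule's intent (drop forwarded packets entering on eth1 whose source is not in $PRIVATE) is unchanged; it would be worth checking the rest of firewall.sh for the same deprecated placement of `!` after `-d`, `-i`, `-o` or `-p` while touching this file.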



I have a vague idea that this is actually different. Like, one is that the
condition is not fulfilled and the other is that it is not part of the
subnet; it is different when there is a different protocol, but I might
misremember.

Certainly does not work with my iptables:
# iptables -A OUTPUT -s ! 10.0.0.0/8 -j ACCEPT
Bad argument `10.0.0.0/8'
Try `iptables -h' or 'iptables --help' for more information.
# iptables -A OUTPUT ! -s 10.0.0.0/8 -j ACCEPT
#

Regards,
    Frank

I remember iptables announced it would redo the parsing logic for the command line interfaces ages ago, where the negation needed to happen before the "rule parameter" (-s in this case). It's probably closer to 8-10 years since this change, unless my memory is completely corrupted.


--
kind regards,

David Sommerseth
OpenVPN Inc

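As an added example (not part of this thread or of OpenVPN's own sample scripts), a small POSIX shell checker that scans a firewall script like the sample firewall.sh discussed above for the deprecated `-s ! address` negation form and prints the `! -s address` form that current iptables accepts. The rule lines it scans are constructed for the example, and the function names `fix_negation_line`, `count_deprecated` and `lint_firewall_script` are assumptions, not anything from the project.

```shell
#!/bin/sh
# Added example: find iptables rules that still put "!" after a match option
# (the form rejected by current iptables) and show the "! option value" form.
# Covers -s/-d/-i/-o/-p and their long forms; other lines pass through.

# Rewrite one rule line, moving a "!" that follows a match option to before it.
fix_negation_line() {
    printf '%s\n' "$1" | sed -E \
        's/(-(s|d|i|o|p|-source|-destination|-in-interface|-out-interface|-protocol)) +! +/! \1 /g'
}

# Count lines in a file that use the deprecated form (printed on stdout).
count_deprecated() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(fix_negation_line "$line")" != "$line" ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# Report each offending line with its suggested rewrite; returns 1 if any found.
lint_firewall_script() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        fixed=$(fix_negation_line "$line")
        if [ "$fixed" != "$line" ]; then
            found=1
            printf 'deprecated negation: %s\n  suggested:         %s\n' "$line" "$fixed"
        fi
    done < "$1"
    return "$found"
}

# Constructed sample resembling the firewall.sh lines quoted in the thread;
# "$PRIVATE" and "$LOOP" are left unexpanded, as in the script itself.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
iptables -A INPUT ! -i eth0 -d ! 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s $LOOP -j ACCEPT
EOF

if lint_firewall_script "$SAMPLE"; then
    echo "no deprecated negation found"
else
    echo "fix the rules above before loading this script"
fi
```

Run it against a real script with `lint_firewall_script /path/to/firewall.sh`; the non-zero return makes it usable as a pre-commit or CI check, and the printed rewrite is the same token move the patch applies to the FORWARD rule.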


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
