Move iptables preload configs to correct sections

2021-02-07 17:49:46 -06:00 · 2021-02-07 17:49:46 -06:00 · b71fb7003d
parent 3dabd9e629
commit b71fb7003d
1 changed files with 14 additions and 8 deletions
--- a/src/startup/preload.rs
+++ b/src/startup/preload.rs
@ -79,6 +79,13 @@ fn filter(interfaces: &Interfaces) -> String {
        );
    }

+    for iface in &interfaces.tunnel {
+        filter += &format!(
+            "-A INPUT -i {tunface} -j ACCEPT\n",
+            tunface = iface.interface,
+        );
+    }
+
    filter += &format!(
        "-A INPUT -s {universe} -d {universe} -j REJECT\n",
        universe = UNIVERSE
@ -152,6 +159,13 @@ fn filter(interfaces: &Interfaces) -> String {
        );
    }

+    for iface in &interfaces.tunnel {
+        filter += &format!(
+            "-A OUTPUT -o {tunface} -j ACCEPT\n",
+            tunface = iface.interface,
+        );
+    }
+
    // Allow traffic out from external interface to anywhere
    filter += &format!(
        "-A OUTPUT -o {extif} -s {extip}/{extmask} -d {universe} -j ACCEPT\n",
@ -186,10 +200,6 @@ fn filter(interfaces: &Interfaces) -> String {

    // Accept packets over tunnel interfaces
    for iface in &interfaces.tunnel {
-        filter += &format!(
-            "-A INPUT -o {tunface} -j ACCEPT\n",
-            tunface = iface.interface,
-        );
        filter += &format!(
            "-A FORWARD -i {tunface} -j ACCEPT\n",
            tunface = iface.interface,
@ -198,10 +208,6 @@ fn filter(interfaces: &Interfaces) -> String {
            "-A FORWARD -o {tunface} -j ACCEPT\n",
            tunface = iface.interface,
        );
-        filter += &format!(
-            "-A OUTPUT -o {tunface} -j ACCEPT\n",
-            tunface = iface.interface,
-        );
    }

    // Accept TCP packets