diff --git a/files/etc/firewall.dtdlink b/files/etc/firewall.dtdlink
deleted file mode 100644
index a3ee9a9a..00000000
--- a/files/etc/firewall.dtdlink
+++ /dev/null
@@ -1,8 +0,0 @@
-# This script is run when the node is in NAT mode to
-# setup NAT only from eth0 interface on dtdlink interface
-# allowing all other traffic to transport as is.
-
-
-iptables -t nat -A zone_lan_prerouting -j MARK --set-xmark 0xe/0xffffffff
-iptables -t nat -A zone_dtdlink_nat -m mark --mark 0xe -j MASQUERADE
-
diff --git a/files/etc/firewall.natmode b/files/etc/firewall.natmode
new file mode 100644
index 00000000..a5ee6022
--- /dev/null
+++ b/files/etc/firewall.natmode
@@ -0,0 +1,18 @@
+# This script is run when the node is in NAT mode to
+# setup addtional firewall rules needed for nat.
+# allowing all other traffic to transport as is.
+
+dtdlinkip=`uci -q get network.dtdlink.ipaddr`
+wifiip=`uci -q get network.wifi.ipaddr`
+
+ip rule del pref 20010 fwmark 0x15 lookup 29 > /dev/null 2>&1
+ip rule add pref 20010 fwmark 0x15 lookup 29
+
+#tag traffic for use later in iprule's
+iptables -t mangle -I PREROUTING -d $wifiip/32 -j MARK --set-xmark 0x15/0xffffffff
+iptables -t mangle -I PREROUTING -d $dtdlinkip/32 -j MARK --set-xmark 0x15/0xffffffff
+
+# Mark and masq local traffic going out the dtdlink interface.
+iptables -t nat -A zone_lan_prerouting -j MARK --set-xmark 0xe/0xffffffff
+iptables -t nat -A zone_dtdlink_nat -m mark --mark 0xe -j MASQUERADE
+
diff --git a/files/usr/local/bin/node-setup b/files/usr/local/bin/node-setup
index 73ba60c4..867657a9 100755
--- a/files/usr/local/bin/node-setup
+++ b/files/usr/local/bin/node-setup
@@ -279,7 +279,7 @@ if($cfg{dmz_mode}) {
 } else {
 print FILE "\n";
 print FILE "config 'include'\n";
- print FILE " option 'path' '/etc/firewall.dtdlink'\n";
+ print FILE " option 'path' '/etc/firewall.natmode'\n";
 print FILE " option 'reload' '1'\n";
 }
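Review bot: The two mangle PREROUTING rules in the new /etc/firewall.natmode pass the `uci -q get` results unquoted and unchecked, so if either `network.dtdlink.ipaddr` or `network.wifi.ipaddr` is unset the command becomes `-d /32`, iptables rejects it, and the script (which has no `set -e` and checks no return codes) carries on with the 0x15 mark never applied to that address while the `ip rule ... lookup 29` policy route is still installed. Since this file is a firewall include that runs on every reload, that partial-apply is silent; guarding each rule keeps the outcome explicit: `[ -n "$wifiip" ] && iptables -t mangle -I PREROUTING -d "$wifiip/32" -j MARK --set-xmark 0x15/0xffffffff` and `[ -n "$dtdlinkip" ] && iptables -t mangle -I PREROUTING -d "$dtdlinkip/32" -j MARK --set-xmark 0x15/0xffffffff`, with a `>&2` message when a lookup is empty. The `ip rule del` before `ip rule add` shows the author expects the script to be re-run, but the `-I PREROUTING` inserts have no matching `-D` or `-C` check, so whether they accumulate across reloads depends on whether the firewall flushes the mangle table first — worth a comment stating that assumption. Minor: "addtional" in the header comment, and `$(...)` rather than backticks for the two assignments.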