From 63942dfab1d4f2a6deed94eeada077ef2462b8c1 Mon Sep 17 00:00:00 2001
From: motoki317
Date: Sat, 27 May 2023 08:23:09 +0900
Subject: [PATCH] Fix iptables filtering rules when externalTrafficPolicy is Local (#54)

* destination port needs to be DEST_PORT because after PREROUTING rule
* redundant exclusion rule

Signed-off-by: motoki317
---
 entry | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/entry b/entry
index a2b2701..49f6136 100755
--- a/entry
+++ b/entry
@@ -41,9 +41,9 @@ set_legacy() {
 start_proxy() {
 for src_range in ${SRC_RANGES}; do
 if echo ${src_range} | grep -Eq ":"; then
- ip6tables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${SRC_PORT} -j ACCEPT
+ ip6tables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
 else
- iptables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${SRC_PORT} -j ACCEPT
+ iptables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
 fi
 done
 
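Review bot: The corrected FORWARD ACCEPT rules match only on `-s ${src_range}`, the protocol and `--dport ${DEST_PORT}` and carry no destination match, so once a source range is allow-listed any forwarded packet from it to DEST_PORT on any host is accepted, not just traffic the nat rule redirected to the proxy target. On a node that also forwards unrelated traffic this widens the allow-list beyond the proxy; `${dest_ip}` is not in scope in this loop, but the rules can be limited to connections the nat table actually rewrote, assuming the conntrack match is available on the target kernel: `iptables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -m conntrack --ctstate DNAT -j ACCEPT` (and the same `-m conntrack --ctstate DNAT` on the ip6tables line). start_proxy opens in this hunk and continues past its end.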
@@ -51,12 +51,12 @@ start_proxy() {
 if echo ${dest_ip} | grep -Eq ":"; then
 [ $(cat /proc/sys/net/ipv6/conf/all/forwarding) == 1 ] || exit 1
 ip6tables -t filter -A FORWARD -d ${dest_ip}/128 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
- ip6tables -t nat -I PREROUTING ! -s ${dest_ip}/128 -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to [${dest_ip}]:${DEST_PORT}
+ ip6tables -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to [${dest_ip}]:${DEST_PORT}
 ip6tables -t nat -I POSTROUTING -d ${dest_ip}/128 -p ${DEST_PROTO} -j MASQUERADE
 else
 [ $(cat /proc/sys/net/ipv4/ip_forward) == 1 ] || exit 1
 iptables -t filter -A FORWARD -d ${dest_ip}/32 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
- iptables -t nat -I PREROUTING ! -s ${dest_ip}/32 -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to ${dest_ip}:${DEST_PORT}
+ iptables -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to ${dest_ip}:${DEST_PORT}
 iptables -t nat -I POSTROUTING -d ${dest_ip}/32 -p ${DEST_PROTO} -j MASQUERADE
 fi
 done
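Review bot: With the `! -s ${dest_ip}` match gone, the DNAT rules added in this hunk narrow on nothing but the protocol and `--dport ${SRC_PORT}`: no destination address and no ingress interface. Every packet crossing PREROUTING with that destination port is rewritten to `${dest_ip}:${DEST_PORT}`, including transit traffic that was never addressed to this node, and the FORWARD DROP/ACCEPT pair only distinguishes by source, so such traffic still passes when it comes from an allow-listed range. If the proxy is meant to serve only addresses this node owns, `iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to ${dest_ip}:${DEST_PORT}` (with the same `-m addrtype --dst-type LOCAL` on the ip6tables line) keeps the commit's simplification while restoring a bound; whether a locally owned address is the intended entry point cannot be told from this hunk. The `done` closing this hunk belongs to a loop whose `for` header is outside the hunk, and start_proxy continues past it.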