From 2d303501062fb51472a3e19ba0de32d640d2ca56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Schneider?=
Date: Wed, 3 Aug 2011 12:02:59 +0200
Subject: [PATCH] Improve LAN management
---
 firewall | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/firewall b/firewall
index f575662..517b6fe 100755
--- a/firewall
+++ b/firewall
@@ -182,21 +182,11 @@ start()
 if [ $LAN == 1 ]; then
 log_action_msg "Allow WAN outgoing traffic from lan"
- $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
-
+ $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -d $LAN_NETWORK -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -s $LAN_NETWORK -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 log_action_msg "Allow local network"
- $IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
- $IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
- for ALLOW_INT in $ALLOW_INTS; do
- log_action_msg "Allow WAN outgoing traffic for interface $ALLOW_INT"
- $IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
- $IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- log_action_msg "Allow local network"
- $IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
- $IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
- done
+ $IPTABLES -A OUTPUT -o $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT
+ $IPTABLES -A INPUT -i $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT
 fi
 ## block spoofing
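Review bot: The new INPUT rule accepts anything arriving on $LAN_INT whose destination is in $LAN_NETWORK but leaves the source unconstrained, so a host on the LAN segment can still reach the firewall itself with a forged source address, whereas the FORWARD rules in the same hunk correctly bind the LAN side with `-s $LAN_NETWORK` for LAN-originated traffic. Because these rules are appended (`-A`) ahead of the `## block spoofing` section that follows, a later anti-spoof DROP in INPUT would not catch such packets, so the pair should read `$IPTABLES -A INPUT -i $LAN_INT -s $LAN_NETWORK -p all -j ACCEPT` and `$IPTABLES -A OUTPUT -o $LAN_INT -d $LAN_NETWORK -p all -j ACCEPT` unless the spoofing section is known to run first. Every added rule also depends on $LAN_NETWORK being non-empty: if it is unset, `-d`/`-s` would likely take the following `-m` or `-p` token as their address and the rule would fail to load, leaving the LAN without its accept rules, so a guard such as `: "${LAN_NETWORK:?LAN_NETWORK must be set when LAN=1}"` before the `if` is worth adding. Dropping the ALLOW_INTS loop means a configuration that still sets ALLOW_INTS is now silently ignored; if that is intended, the change description should say so. The enclosing start() function begins and ends outside the hunk.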