### 30 Initialization. [bookends]
### 30 Clear existing rules. [bookends]
### 32 Set safe IP options. [bookends]
-### 34 Error chains. [bookends]
+### 34 Error chains. [bookends]
### 36 Give loopback traffic a free pass. [bookends]
-### 40 Address classification. [classify]
+### 40 Address classification. [classify]
### 42 Definition of address class policies. [local]
### 44 Definition of interfaces and addresses. [local]
### 46 Handling of default interface. [classify]
-### 50 ICMP filtering. [icmp]
-### 52 Local configuration. [local]
-### 58 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
-### 60 Local configuration. [local]
+### 50 ICMP filtering. [icmp]
+### 52 Local configuration. [local]
+### 58 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
+### 60 Local configuration. [local]
### 90 Finishing touches. [bookends]
### 94 Set final policies. [bookends]
### 99 File footer: do-not-edit warning. [base]
for svc; do
case $svc in
*:*)
- n=2
+ n=2
left=${svc%:*} right=${svc#*:}
case $left in *[!0-9]*) eval left=\$port_$left ;; esac
case $right in *[!0-9]*) eval right=\$port_$right ;; esac
svc=$left:$right
;;
*)
- n=1
+ n=1
case $svc in *[!0-9]*) eval svc=\$port_$svc ;; esac
;;
esac
case $svc in
*: | :* | "" | *[!0-9:]*)
- echo >&2 "Bad service name"
+ echo >&2 "Bad service name"
exit 1
;;
esac
run iptables -A $chain -p $proto -m multiport -j ACCEPT \
--destination-ports ${list#,}
;;
- *)
+ *)
run iptables -A $chain -p $proto -j ACCEPT \
--destination-port ${list#,}
;;
from=$(( $from + $bit ))
done
to=$(( ($netclassindex << $BIT_TO) + \
- (0xf << $BIT_FROM) + \
+ (0xf << $BIT_FROM) + \
(1 << ($netclassindex + $BIT_MASK)) ))
trace "from $name --> set $(printf %x $from)"
trace " to $name --> and $(printf %x $from)"
## Allow SSH from safe/noloop to untrusted networks.
run iptables -A FORWARD -j ACCEPT \
- -p tcp ! -f --destination-port $port_ssh \
+ -p tcp ! -f --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
run iptables -A FORWARD -j ACCEPT \
-p tcp ! -f --source-port $port_ssh \