The same rules apply to IPv4 and IPv6, so write them once (via the ip46tables
wrapper) instead of duplicating each rule for iptables and ip6tables.
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
-m state --state ESTABLISHED
## Allow SSH from safe/noloop to untrusted networks.
- run iptables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
-p tcp --destination-port $port_ssh \
-m mark --mark $to_untrusted/$MASK_TO
- run iptables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --source-port $port_ssh \
- -m mark --mark $from_untrusted/$MASK_FROM \
- -m state --state ESTABLISHED
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
- -p tcp --destination-port $port_ssh \
- -m mark --mark $to_untrusted/$MASK_TO
- run ip6tables -A fwd-spec-nofrag -j ACCEPT \
+ run ip46tables -A fwd-spec-nofrag -j ACCEPT \
-p tcp --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
-p tcp --source-port $port_ssh \
-m mark --mark $from_untrusted/$MASK_FROM \
-m state --state ESTABLISHED
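Review bot: Collapsing the two families into the single `run ip46tables …` calls makes the policy depend on how the wrapper handles a failure in one family: if the IPv4 rule is inserted but the IPv6 one fails (or vice versa), the forward policy for SSH becomes asymmetric between families, and neither `run` nor `ip46tables` is visible here to confirm that such a failure aborts the script. A one-line comment above the first rule would make that contract explicit for the next maintainer, e.g. `## NB: ip46tables applies each rule to both families; a failure in either must abort (verify in the wrapper), or v4/v6 policy drifts apart.` Separately, the reverse-direction rule still uses the legacy `-m state --state ESTABLISHED`; the current form is `-m conntrack --ctstate ESTABLISHED`, which behaves the same on kernels where xt_state is an alias and is the match the tooling documents going forward. The script these rules belong to starts and ends outside the hunk, so where `run`, `$port_ssh` and the mark/mask variables are defined cannot be checked from here.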