overcomplexity in the iptables rules for ipv4?
Dave Taht
dave.taht at gmail.com
Fri Mar 23 05:36:33 UTC 2012
Was there some reason why the iptables rules needed to be
byzantine and restrict things to the local LAN only?
--- setup4.good
+++ setup4
@@ -19,12 +19,12 @@
iptables -t nat -I PREROUTING -d $MAPPED -i tun0 -j SDCTLD
iptables -t filter -F SDCTLD
iptables -t filter -N SDCTLD
-iptables -t filter -I FORWARD -i $LANIF ! -o $LANIF -j SDCTLD
+iptables -t filter -I FORWARD -o tun0 -j SDCTLD
-iptables -t nat -A POSTROUTING ! -o $LANIF -p tcp -j SNAT \
+iptables -t nat -A POSTROUTING -o tun0 -p tcp -j SNAT \
--to-source $MAPPED:$PRMIN-$PRMAX
-iptables -t nat -A POSTROUTING ! -o $LANIF -p udp -j SNAT \
+iptables -t nat -A POSTROUTING -o tun0 -p udp -j SNAT \
--to-source $MAPPED:$PRMIN-$PRMAX
-iptables -t nat -A POSTROUTING ! -o $LANIF -p icmp -j SNAT \
+iptables -t nat -A POSTROUTING -o tun0 -p icmp -j SNAT \
--to-source $MAPPED:$PRMIN-$PRMAX
+iptables -t filter -I FORWARD -o tun0 -j SDCTLD
-iptables -t filter -I FORWARD -i $LANIF ! -o $LANIF -j SDCTLD
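Review bot: the chain setup around the changed FORWARD line is not re-runnable, and the new `-o tun0` rules still cover only three protocols. `iptables -t filter -F SDCTLD` comes before `iptables -t filter -N SDCTLD`, so the flush fails on the first run and the create fails on every later one; swap them (`-N SDCTLD 2>/dev/null` then `-F SDCTLD`). FORWARD is never flushed, so every run inserts another `-I FORWARD -o tun0 -j SDCTLD`; delete the old copy with `-D FORWARD -o tun0 -j SDCTLD` before inserting. On the change itself: the old `! -o $LANIF` SNAT rules rewrote the source to $MAPPED on every non-LAN egress, tunnel or not, while `-o tun0` matches only tunnel egress regardless of ingress, so the new form is the narrower one for SNAT; the cost is that the filter jump now also sends non-LAN forwarded traffic through SDCTLD, which the old `-i $LANIF` excluded. The three SNAT rules match tcp, udp and icmp only, so any other protocol forwarded out tun0 leaves with its private source address untouched; either reject the remainder in FORWARD or state that the tunnel carries only those three. The hunk interleaves `-` and `+` lines and repeats the FORWARD pair at its end in reverse order, which `diff -u` does not produce; please regenerate it so it applies cleanly.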
#!/bin/sh
# IPv4 part of the setup script, to be called with
# lan-interface-name mapped-address port-range-min port-range-max
# (full setup4 after the change shown above)
LANIF=$1
MAPPED=$2
PRMIN=$3
PRMAX=$4
echo "my LAN interface is:" $LANIF
echo "the global mapped address is:" $MAPPED
echo "the port range is:" $PRMIN ".." $PRMAX
#set -x
# nat table: start from empty, then (re)create the SDCTLD chain;
# -N fails harmlessly when the chain is left over from an earlier run
iptables -t nat -F
iptables -t nat -N SDCTLD 2>/dev/null
# inbound packets for the mapped address arriving over the tunnel go to SDCTLD
iptables -t nat -I PREROUTING -d $MAPPED -i tun0 -j SDCTLD
# filter table: create the chain before flushing it, and drop a stale
# FORWARD jump before re-inserting it so repeated runs do not stack copies
iptables -t filter -N SDCTLD 2>/dev/null
iptables -t filter -F SDCTLD
iptables -t filter -D FORWARD -o tun0 -j SDCTLD 2>/dev/null
iptables -t filter -I FORWARD -o tun0 -j SDCTLD
# outbound over the tunnel: source NAT to the mapped address, confined to
# the assigned port (or ICMP id) range; only tcp, udp and icmp are covered
iptables -t nat -A POSTROUTING -o tun0 -p tcp -j SNAT \
--to-source $MAPPED:$PRMIN-$PRMAX
iptables -t nat -A POSTROUTING -o tun0 -p udp -j SNAT \
--to-source $MAPPED:$PRMIN-$PRMAX
iptables -t nat -A POSTROUTING -o tun0 -p icmp -j SNAT \
--to-source $MAPPED:$PRMIN-$PRMAX
--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
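An added example, written for this page and not taken from the sdcpe setup4 script or from Dave's mail: the same rule set arranged so that running it twice leaves exactly one copy of each rule, with the tunnel interface passed as a fifth argument instead of the hard-coded tun0, and a small TUNPROTO chain that refuses anything other than tcp, udp and icmp out of the tunnel, since the three SNAT rules in the script cover nothing else. The TUNIF argument, the APPLY switch and the TUNPROTO chain are assumptions of this example; the SDCTLD chain names and the SNAT rules follow the script above.

```shell
#!/bin/sh
# Added example, not the sdcpe setup4 script: the IPv4 rule set emitted so
# that re-running it does not stack duplicate rules. The TUNIF argument, the
# APPLY switch and the TUNPROTO chain are assumptions of this example.
#
# Usage: setup4-idempotent.sh LANIF MAPPED PRMIN PRMAX [TUNIF]
#   Prints the iptables commands by default; APPLY=1 runs them (needs root).

# ipt: run one iptables command, or print it when not applying.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# ipt_try: as ipt, but failure (chain already there, rule not there) is fine.
ipt_try() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@" 2>/dev/null || true
    else
        echo "iptables $* || true"
    fi
}

# ensure_chain TABLE CHAIN: create the chain if missing, then empty it.
ensure_chain() {
    ipt_try -t "$1" -N "$2"
    ipt -t "$1" -F "$2"
}

# ensure_rule TABLE CHAIN (-I|-A) MATCH...: delete any existing copy of the
# rule, then insert or append it, so a re-run leaves exactly one copy.
ensure_rule() {
    table=$1; chain=$2; op=$3; shift 3
    ipt_try -t "$table" -D "$chain" "$@"
    ipt -t "$table" "$op" "$chain" "$@"
}

# gen_rules LANIF MAPPED PRMIN PRMAX TUNIF: the complete rule set.
# $1 (LANIF) is accepted for the original calling convention but unused:
# the -o form from the patch needs no LAN interface match.
gen_rules() {
    mapped=$2; prmin=$3; prmax=$4; tunif=$5

    ensure_chain nat SDCTLD
    ensure_chain filter SDCTLD
    ensure_chain filter TUNPROTO

    # Inbound to the mapped address over the tunnel: SDCTLD does the DNAT.
    ensure_rule nat PREROUTING -I -d "$mapped" -i "$tunif" -j SDCTLD

    # Only tcp, udp and icmp can be mapped into a port (or icmp id) range.
    # TUNPROTO lets those through and refuses anything else, which would
    # otherwise leave the tunnel with its private source address intact.
    for proto in tcp udp icmp; do
        ipt -t filter -A TUNPROTO -p "$proto" -j RETURN
    done
    ipt -t filter -A TUNPROTO -j REJECT
    ensure_rule filter FORWARD -I -o "$tunif" -j TUNPROTO

    # Everything forwarded out the tunnel, whatever it came in on, passes
    # the SDCTLD filter chain (inserted last, so it is evaluated first).
    ensure_rule filter FORWARD -I -o "$tunif" -j SDCTLD

    # Source NAT over the tunnel, confined to the assigned port range.
    for proto in tcp udp icmp; do
        ensure_rule nat POSTROUTING -A -o "$tunif" -p "$proto" -j SNAT \
            --to-source "$mapped:$prmin-$prmax"
    done
}

# Command-line entry point; nothing runs when sourced without arguments.
if [ $# -ge 4 ]; then
    echo "LAN $1, mapped address $2, ports $3..$4, tunnel ${5:-tun0}" >&2
    gen_rules "$1" "$2" "$3" "$4" "${5:-tun0}"
fi
```

Without APPLY=1 the script only prints what it would run, which is how the rule set can be reviewed on a machine without root or without iptables before it touches a CPE.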
More information about the sdcpe-devel mailing list