overcomplexity in the iptables rules for ipv4?

Francis Dupont fdupont at isc.org
Fri Mar 23 08:37:31 UTC 2012


> Was there some reason why the iptables rules needed to be
> byzantine and restrict things to the local lan only?

=> for the B4/SNAT rule I tried with '-o tun0' on ida and it seemed
to work better. For the FORWARD -i ! -o I copied it from the
miniupnpd setup so it is supposed to do the right thing. BTW
I think it is in fact the security model: protect between the
different LANs. Of course it doesn't make sense if we first zap
the whole firewall thing (:-)...

> -iptables -t filter -I FORWARD -i $LANIF ! -o $LANIF -j SDCTLD
> +iptables -t filter -I FORWARD -o tun0 -j SDCTLD
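Review bot: dropping `-i $LANIF` changes what the FORWARD rule selects, not just which interface it names: the old `-i $LANIF ! -o $LANIF` match sent every forwarded packet leaving the LAN for any other interface (the tunnel, but also a second LAN) to SDCTLD, while the new `-o tun0` match sends only tunnel-bound traffic there, whatever interface it arrived on, and LAN-to-LAN forwards no longer pass through SDCTLD at all. If the inter-LAN isolation that the reply describes as the security model is still wanted, keep it as its own rule (e.g. a separate `-i $LANIF ! -o $LANIF` rule) rather than relying on the `-o tun0` match to cover it; if it is being dropped deliberately, say so in the commit message.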

=> don't understand all the security implications

> -iptables -t nat -A POSTROUTING ! -o $LANIF -p tcp -j SNAT \
> +iptables -t nat -A POSTROUTING -o tun0 -p tcp -j SNAT \
>   --to-source $MAPPED:$PRMIN-$PRMAX
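Review bot: scoping the SNAT to `-o tun0` is the right fix, since the old `! -o $LANIF` match rewrote TCP leaving any non-LAN interface, so inter-LAN forwards were being translated into the $MAPPED:$PRMIN-$PRMAX range along with the tunnel traffic the B4 mapping is meant for. The rule is `-p tcp` only, though, and the PS says the UDP rule is the one interfering with NAT-PMP and PCP: that rule should get the same `-o tun0` scoping in this change rather than keeping a `! -o $LANIF` match, otherwise half the mapping is still applied to the wrong interfaces.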

=> tried it and IMHO it is a good change.

Regards

Francis Dupont <fdupont at isc.org>

PS: it was one of the TODO list items but it would be better to check
it from a client: IMHO the rule for UDP interferes badly with NAT-PMP
and PCP (the first uses an implicit source address, the second checks
whether it has been changed en route).
But I didn't want to disturb you so I postponed the tests (even with
the "bad" rule I managed to make it work).
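The security-relevant point in the exchange above is which forwarded flows each rule variant selects. The following is an added model of the two rule sets, not code from sdcpe, miniupnpd or this thread; it assumes eth1 as $LANIF, tun0 as the B4 tunnel, and a second LAN interface wlan0 that the page does not mention, so the difference between "LAN into anything else" and "anything out tun0" becomes visible.

```python
"""Model of the two iptables rule variants from the sdcpe-devel thread.

Added illustration, not code from sdcpe or miniupnpd.  The interface
names (eth1 as $LANIF, tun0 as the tunnel, wlan0 as a second LAN) are
assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """A forwarded packet as seen by FORWARD/POSTROUTING: in/out iface, L4 proto."""
    in_if: str
    out_if: str
    proto: str  # "tcp", "udp", "icmp"


@dataclass(frozen=True)
class Rule:
    """Subset of an iptables match: -i, -o, '! -o', -p, and the jump target."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    out_neg: bool = False  # True models "! -o <out_if>"
    proto: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if self.in_if is not None and f.in_if != self.in_if:
            return False
        if self.out_if is not None:
            hit = f.out_if == self.out_if
            if hit == self.out_neg:  # plain match wants hit, negated match wants miss
                return False
        if self.proto is not None and f.proto != self.proto:
            return False
        return True


LANIF = "eth1"  # assumed value of $LANIF

# Rules as they stood before the quoted change ("-" lines).
OLD: Dict[str, Rule] = {
    "forward": Rule("SDCTLD", in_if=LANIF, out_if=LANIF, out_neg=True),  # -i $LANIF ! -o $LANIF
    "snat": Rule("SNAT", out_if=LANIF, out_neg=True, proto="tcp"),       # ! -o $LANIF -p tcp
}
# Rules as proposed ("+" lines).
NEW: Dict[str, Rule] = {
    "forward": Rule("SDCTLD", out_if="tun0"),          # -o tun0
    "snat": Rule("SNAT", out_if="tun0", proto="tcp"),  # -o tun0 -p tcp
}


def classify(ruleset: Dict[str, Rule], flow: Flow) -> Dict[str, bool]:
    """Which of the two rules in a ruleset a flow would hit."""
    return {name: rule.matches(flow) for name, rule in ruleset.items()}


def compare(flow: Flow) -> Dict[str, Dict[str, bool]]:
    """Old vs. new classification for one flow."""
    return {"old": classify(OLD, flow), "new": classify(NEW, flow)}


# Constructed sample flows covering the cases the thread argues about.
SAMPLE_FLOWS: List[Flow] = [
    Flow("eth1", "tun0", "tcp"),   # LAN host out through the B4 tunnel
    Flow("eth1", "wlan0", "tcp"),  # LAN to second LAN (inter-LAN)
    Flow("wlan0", "tun0", "tcp"),  # second LAN out through the tunnel
    Flow("tun0", "eth1", "tcp"),   # reply traffic coming back in
    Flow("eth1", "tun0", "udp"),   # UDP: hits FORWARD, skipped by the tcp-only SNAT
]


def changed_flows() -> List[Flow]:
    """Flows that the old and new rule sets classify differently."""
    return [f for f in SAMPLE_FLOWS if classify(OLD, f) != classify(NEW, f)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, compare(f))
```

Running the block shows the trade-off the reply hesitates over: LAN-to-wlan0 traffic hits both old rules (isolation via SDCTLD, but also an unintended SNAT into the mapped port range) and neither new one, while wlan0-to-tun0 traffic misses the old FORWARD rule and is caught by the new one. The UDP case hits FORWARD under both variants but is never SNATed by this rule, which is why the UDP rule the PS mentions needs the same scoping.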