Docker and NAT to LAN on the same machine using iptables

I have been using iptables on my lab server (Ubuntu 18.04) to perform NAT on the rest of the devices in my network for a while:

-t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.1.2:22
-t nat -A POSTROUTING -o eno1 -j MASQUERADE

-A FORWARD -s 10.0.0.0/24 -i eno2 -o eno1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2 -p tcp -m tcp --dport 22 -j ACCEPT

In the past, it has worked very well. However, it broke when I installed Docker. This is almost certainly because Docker rewrote all of my iptables rules. By default, some of my rules survive:

% sudo iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 257 packets, 36440 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6  1384 DNAT       tcp  --  eno1   any     anywhere             anywhere             tcp dpt:telnet to:10.0.1.2:22
  133  8676 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 122 packets, 8474 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 21 packets, 2395 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere
    0     0 MASQUERADE  all  --  any    !br-643d6580203c  172.18.0.0/16        anywhere
   39  2900 MASQUERADE  all  --  any    eno1    anywhere             anywhere
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere
    0     0 RETURN     all  --  br-643d6580203c any     anywhere             anywhere
    0     0 DNAT       tcp  --  !br-643d6580203c any     anywhere             anywhere             tcp dpt:https to:172.18.0.2:8443

% sudo iptables -v -L
Chain INPUT (policy ACCEPT 600 packets, 44910 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 135 packets, 27966 bytes)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 DOCKER-USER  all  --  any    any     anywhere             anywhere
  176 32752 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    br-643d6580203c  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  eno2   eno1    10.0.0.0/24          anywhere             ctstate NEW
   23  2682 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6  1384 ACCEPT     tcp  --  any    any     anywhere             dione                tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 505 packets, 66607 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-643d6580203c br-643d6580203c  anywhere             172.18.0.2           tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Static routes, for example, still work. I can still access my workstation at 10.0.1.2 on port 22, but that same machine cannot get out. Looking at the traffic leaving the server, it seems a ping is not even making it out, much less back.

I tried simply adding my rules back on top of the running Docker instance, but that did not work. The Docker documentation suggests putting things in the DOCKER-USER chain, although that does not exist in the nat table. The Docker documentation also suggests that I can disable Docker's table manipulation, although then I do not know how to manually route the network to the containers.

Honestly, I do not know enough about Docker's rules. Has anyone done this work?
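The DOCKER-USER placement that the Docker documentation recommends, as an added example that is not part of the original post: it renders an iptables-restore ruleset that keeps the poster's nat-table rules and moves the FORWARD rules into DOCKER-USER, the chain Docker jumps to first and does not flush. The interface names, subnet and host are the poster's; applying it with `iptables-restore --noflush` (so Docker's own chains stay intact) is my assumption about the deployment.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Renders an iptables-restore ruleset (two tables, each ended by COMMIT).
# In the filter table the rules go into DOCKER-USER: Docker inserts a jump
# to that chain at the top of FORWARD and leaves its contents alone, so the
# rules are evaluated before Docker's own ACCEPT/DROP logic and survive a
# dockerd restart. DOCKER-USER has no nat-table counterpart, so the DNAT and
# MASQUERADE rules stay in PREROUTING/POSTROUTING.
#
# With "iptables-restore --noflush", a ":CHAIN" line for an existing
# user-defined chain flushes only that chain, so DOCKER-USER is replaced
# while DOCKER, DOCKER-ISOLATION-STAGE-* and the built-in chains keep
# whatever Docker put there.

# render_ruleset WAN_IF LAN_IF LAN_NET HOST
#   WAN_IF  - upstream interface (eno1 in the post)
#   LAN_IF  - inside interface (eno2 in the post)
#   LAN_NET - subnet allowed to open new connections outbound
#   HOST    - LAN machine reached through the DNAT rule (WAN port 23 -> HOST:22)
render_ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"; host="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp -m tcp --dport 23 -j DNAT --to-destination $host:22
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -s $lan_net -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -d $host -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF
}

# Stand-alone use: sh nat-rules.sh eno1 eno2 10.0.0.0/24 10.0.1.2 | iptables-restore --noflush
if [ "$#" -eq 4 ]; then
    render_ruleset "$@"
fi
```

Run it after dockerd has started (for example from a systemd unit ordered after docker.service); the nat section is appended on every run, so apply it once per boot or check with `iptables -t nat -C` first.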

IPv6 NAT information leakage – Server Fault

I am going to describe some problems that I see, and I will ask some questions along the way while describing things. I seriously hope you let me start by describing my main problem with IPv4. We all know that some bits are missing.

I was always annoyed by the amount of privacy information v4 addresses contain, just because it is usually easy to know which ISP is using the address for what purposes. I also found it annoying that everyone knew the destination of any packet. Correlating the information already gives away a lot. Most people choose to visit similar sites if they buy a new phone.

Tbh I do not understand why anyone would even consider that adding the MAC could be a remote option for any given network. The usual routers do not work in a handful of MB these days.

First question: Can anyone give a reason to choose to expose something that is hardware specific?

Someone has noticed that IoT is becoming more important these days. The security problems in IoT devices seem to be quite frequent. I do not remember having seen a single decent one that was designed securely.

Second question: forgive my sarcastic tone, but should we not think about how to hide them instead of transmitting with each packet where to find them?

I just read a search result complaining that NAT does not allow simply changing the port and expecting to reach the same machine. Where I come from, that is a good security feature.

Third question: Why would I want that behaviour? Why can the sender not simply send the appropriate packet?

I want to keep asking about the "solution" that is now spreading. I'm talking about "stable privacy addresses". I have several problems with that approach; my main concern is already in the name: "stable". I can see that a hash is cheaper than just remembering previous requests. But it's just not helping. We are still exposing all kinds of things. If you get a copy of the traffic, one can easily correlate the traffic (time, size, receiver) and retrieve a device profile. Not only is it easy to tell mobile phones apart from IoT devices or services, but also to tell them apart from each other. I see that it could help hide the topology of the network, but you still get profiles of individual devices. I only see two ways to avoid the leak. One is changing the address on each request, and the second is using the same address for every request.
Personally, the first one seems more attractive, since it can work without deep packet inspection.

Fourth question: Do you see any other method?

I want to finish with my biggest and most urgent question. We know that this method of "privacy" can hide the topology, but not the devices, which make a lot of requests.

Fifth question: Why is nobody working on a solution that has a (protocol-specific) table and assigns random addresses taken from a certain pool?

Thanks in advance for your contribution!

lightning network – How could LN mitigate the NAT traversal problem?

First, if your Lightning node is behind a NAT, you can still connect to other Lightning nodes and also open channels with them. Once you have channels, you do not need a public IP address; your node ID is sufficient. Your channel partner and NAT will take care of the rest.

The problem is that your node behind a NAT does not have a public IP address. To fix this, you must configure port forwarding on your NAT.

Two bridged interfaces with multiple IPs, NAT required, iptables

I am trying to set up a strange configuration on a Debian-based box.

This is a kind of industrial PC with two network interfaces, eth0 and eth1. I'm using it as a 'scanner device' for use in customer networks. Some of them use DHCP, others do not. Some can give me a fixed IP, others cannot even tell me the DHCP address my device would receive.

So I created the following configuration in /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
auto eth1
iface eth1 inet manual

# Bridge interface
auto br0
iface br0 inet dhcp
    bridge_ports eth0 eth1
    bridge_hw aa:bb:cc:dd:ee:ff

# Preset interface IP for client requirements, if DHCP is not working
auto br0:1
iface br0:1 inet static
    address 172.16.21.150
    netmask 255.255.255.0
    network 172.16.21.0
    broadcast 172.16.21.255
    # Gateway
    post-up route add default gw 172.16.21.254
    pre-down route del default gw 172.16.21.254


# Set the default IP address of the fallback interface
auto br0:100
iface br0:100 inet static
    address 169.254.111.111
    netmask 255.255.255.0
    network 169.254.111.0
    broadcast 169.254.111.255

As you can see, there are three interfaces. br0 is used for DHCP, br0:1 for a static IP given by the client. In general, br0 and br0:1 will not be used at the same time.
And br0:100 is also static, but with a link-local address. I use it to access the box without an attached monitor, simply through IP and ssh.
Everything works perfectly, except when I connect my laptop through a direct connection to br0:100 (remember, this is a virtual interface, not a dedicated physical one!).

Working through ssh on the box, I can access the customer's network and also connect to the Internet (subject to possible FW rules on the client's end …)

But I cannot access the Internet from my laptop, only the customer's network.
So my idea was that the local client's configuration only allows Internet access from its own network range. But my laptop has another range. The glorious idea was to configure NAT, and I tried these simple NAT rules:

# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable masquerading on br0 and br0:1
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0:1 -j MASQUERADE

# Set up forwarding rules
# Forward established connections from external (br0 & br0:1) to internal (br0:100)
iptables -A FORWARD -i br0 -o br0:100 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0:1 -o br0:100 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward connections from internal (br0:100) to external (br0 & br0:1)
iptables -A FORWARD -i br0:100 -o br0 -j ACCEPT
iptables -A FORWARD -i br0:100 -o br0:1 -j ACCEPT

This breaks all my configuration. The box itself can no longer connect to the network.

I have no idea what is wrong and how I can fix it. Any idea is appreciated.

regards
Olaf

nat – Ultra-slow upload speed when NATing with iptables

I am setting up a network and I need to allow access only for certain MAC addresses.

Let eth0 and eth1 be the physical interfaces. eth1 is connected to the external network and eth0 and its vlans are in the internal network.

For that purpose, I'm using Linux iptables and I have the following code for the default configuration.

# Enable IP forwarding and loopback

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT

# Configure NAT and the default chain settings

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -N FILTER
iptables -P FORWARD DROP

# Default rules

iptables -A FORWARD -p tcp -m conntrack --ctstate NEW -i eth0+ -o eth1 -j FILTER
iptables -A FORWARD -p tcp -m conntrack \
    --ctstate RELATED,ESTABLISHED,DNAT,SNAT,INVALID -i eth0+ -o eth1 -j ACCEPT
iptables -A FORWARD ! -p tcp -i eth0+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0+ -m state \
    --state RELATED,ESTABLISHED -j ACCEPT

In doing so, I am filtering all incoming TCP traffic in the NEW state and allowing all traffic from any other protocol, or TCP in other states. I'm handling those filtered TCP requests with the following rule:

# Allow TCP traffic with ctstate NEW for certain MACs

iptables -A FILTER -p tcp -m conntrack --ctstate NEW -i eth0+ -o eth1 \
    -m mac --mac-source  -j ACCEPT

In a test environment, with this configuration, allowed MACs can access the Internet with a normal download speed, but the upload speed is almost zero. Am I forgetting something?

list – Write a function that consumes a Nat and returns a (listof Nat) containing the numbers between 1 and n that are divisible by exactly one of 2, 3 and 5

Write a function (fff n) that consumes a Nat and returns a (listof Nat) that contains all numbers between 1 and n that are divisible by exactly one of 2, 3, and 5.

With n = 10, the numbers divisible by at least one of these values are {2,3,4,5,6,8,9,10}.

But 6 and 10 are divisible by two of these numbers. So (fff 10) => (list 2 3 4 5 8 9)

What I have so far is

;; q2

;; (divisible? n d) returns true if there is no remainder when n is divided by d
;; divisible?: Nat Nat -> Bool
;; Examples

(check-expect (divisible? 8 4) #true)

(define (divisible? n d) (= 0 (remainder n d)))

;; (multiple-235? n) returns true if n is divisible by 2, 3 or 5
(define (multiple-235? n)
  (cond
    ((divisible? n 2) #true)
    ((divisible? n 3) #true)
    ((divisible? n 5) #true)
    (else #false)))

I'm not sure how to set up the range from 1 to n to be examined, and I'm not sure how to filter the list to only contain values that are divisible by 2, 3 or 5. How can I make it keep only the values divisible by exactly one of them?

nat – DD-WRT Port Forwarding Issues

I have configured a Linksys WRT-3200ACM router with DD-WRT (v3.0-r39956 std (06/06/19)) behind a FritzBox 7430 router. The FritzBox acts as a modem to connect to a standard DSL line. The Linksys router is configured as an exposed host (DMZ, I suppose?) and is allowed to do its own port forwarding.

What I would like to do is forward external requests on port 80 to my web server (behind the Linksys router), which listens on port 80. What I have working is connecting to the Linksys router from the WAN (entering my WAN IP, I am redirected to the router status page; I guess this is the default behaviour).

AFAIK, the only step left is to configure a port forward (on the Linksys router) like this:
[screenshot: port forwarding configuration]

However, this does not seem to work. I am always redirected to the Linksys status page; it is as if the forwarding had no effect. This applies when accessing my public IP from the WAN and from within the LAN. I suspect it has something to do with the fact that the Linksys router is behind the FritzBox (but why does the default access work perfectly?). I have configured DDNS on the Linksys, which also works as expected:

[screenshot: DDNS configuration]
When trying to access my web server from the WAN, both the public IP and the URL redirect to the router's status page. I tried forwarding to other hosts on the network, to test whether the problem was actually something related to the web server. But IMO, even if the web server blocked the connection (firewall, etc.), I would simply get an error message instead of being redirected to the router's status page.

Here is the basic IP configuration:

[WAN IP]    FritzBox [10.0.1.10] --------------- [10.0.1.21] Linksys [10.0.0.10] 
                                                                   | [10.0.0.1] Web server

Unfortunately, I cannot remove the FritzBox (even temporarily) from the network, since my provider no longer provides a username/password for PPPoE connections.

Any help would be greatly appreciated!

Amazon web services: alternative to AWS Lambda + NAT gateway

Quick introduction to my scenario: I have a VPC that contains an API gateway that redirects its calls to my Lambda functions and then accesses an RDS instance and external API calls (Internet access).

How it is structured

Due to the fact that the functions need to access the RDS, I put both RDS and Lambdas in the same VPC, properly securing the RDS without public access. Now, because the Lambdas are in a VPC, they need a NAT gateway to access the Internet (almost all those functions need to call third-party APIs), and this is where I face a huge problem.

The problem

I have a small project serving a few users (from 10 to 200 users), and with the serverless configuration I have created, I expect the costs to be from $3.00 to $10.00 each month. That is the cost without a single NAT gateway. Now, if we add the price of a gateway, which is $0.045 per hour (and I'm not even considering the $0.045 per GB of data transferred), that's >$30 per month. It would be foolish of me not to create another one to be Multi-AZ and mitigate possible availability zone failures, so that is >$60.00 for 2 NAT gateways.

This is not only impractical for me, but would it not also invalidate the point of the entire serverless structure that normally follows an on-demand approach?

How to solve this?

One of my alternatives is to remove the Lambda from the VPC (that is, no VPC) and access the RDS through some mechanism without making it public, and this is where I am also failing: how could one safely access the RDS in the scenario where the Lambda functions are outside the RDS VPC?

In the worst case, I know it's bad to expose my RDS to the public, but how big is the vulnerability that is exposing it?

Keep in mind that I am not blaming AWS prices; this only focuses on finding alternatives to the NAT Gateway. I appreciate any suggestions to solve this case. Also, I'm sorry if I made a totally wrong assumption; I'm new to the AWS ecosystem.

firewalld configuration to make EC2 Amazon Linux 2 a NAT

Short question:

I am trying to configure my own NAT instance in AWS, starting with a standard Amazon Linux 2 instance, and it seems that the new "correct" way to configure things is with firewalld instead of iptables, so I'm looking for the equivalent of the answer to this question, but with firewalld.

Longer description:

I am 99% sure that I have my VPCs, subnets and routing tables configured correctly. On the EC2 instance, I have enabled IPv4 forwarding, disabled ICMP redirects, and disabled the source/destination check.

I think the only step I am missing is that the old community NAT instance AMIs run a script at startup that does this:

(iptables -t nat -C POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE 2> /dev/null ||
    iptables -t nat -A POSTROUTING -o eth0 -s ${VPC_CIDR_RANGE} -j MASQUERADE) ||
    die

Based on this manual, I am trying to replicate the same functionality with firewalld, and I did so.

firewall-cmd --zone=internal --add-source=10.0.4.0/22
firewall-cmd --zone=external --add-interface=eth0
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.4.0/22

I have also tried to allow ping for testing purposes, with

firewall-cmd --permanent --direct --add-rule filter ipv4 INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

I can successfully connect to the NAT instance, I can ping the outside world from it, and I can ping it from the private subnet, but I cannot ping the outside world from the private subnet. I suspect there is something wrong with my understanding of how firewalld works when there is only one PHY (eth0), but … I am stuck. So,

a) my basic assumption is that I should use firewalld instead of iptables, right?
b) If so, how do I get NAT to work with it on a single interface?

Thank you!

linux – Firewall Blocks NAT traffic suddenly after adding a NIC

I have a server that used to have one NIC, but I added a second one to provide a dedicated link to the TV tuner.

I went from having eth0 (the integrated NIC) to enp7s0 (the new NIC) and enp9s1 (the new name for the integrated NIC).

All services were updated to use the new interface names.

My iptables script was updated to use the new interface names in adapter-specific rules (everything uses enp9s1, except the DHCP server and a UDP port in enp7s0)

The configuration of my router did not change, and since the MAC address has not changed, it must still give the NIC the same IP address (and it does).

But I'm baffled as to why everything works locally and suddenly nothing works over NAT. I can see that the router is forwarding packets, but the server still rejects them. Even after temporarily disabling the firewall completely, it still does not work. All I did was add a NIC.

So, how do I get the server to accept NATed packets again?

Attached is my firewall script:

#!/bin/bash

# ===========================================
# Command aliases
# (to type faster)
# ===========================================
ip4='/sbin/iptables'
ip6='/sbin/ip6tables'

# logical interface names
nicmobo='enp9s1'
nicext1='enp7s0'

# ===========================================
# Flush rules, delete
# chains, zero counters
# ===========================================
$ip4 -F; $ip4 -X; $ip4 -Z
$ip6 -F; $ip6 -X; $ip6 -Z

# ===========================================
# Default rules
# ===========================================

# ----------------------
# IPv4
# ----------------------

# Drop all incoming connections by default
$ip4 -P INPUT DROP
$ip4 -P FORWARD DROP
$ip4 -P OUTPUT ACCEPT

# Allow all connections from the loopback interface
$ip4 -A INPUT -i lo -j ACCEPT
# Allow all incoming related/established connections
$ip4 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ----------------------
# IPv6
# ----------------------
# Drop all incoming by default, allow output
$ip6 -P INPUT DROP
$ip6 -P FORWARD DROP
$ip6 -P OUTPUT ACCEPT

# Allow loopback interface
$ip6 -A INPUT -i lo -j ACCEPT

# Reject connection attempts not initiated from the host
# $ip6 -A INPUT -p tcp --syn -j DROP

# Allow return traffic for connections initiated from the host
$ip6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept ICMPv6 packets
$ip6 -A INPUT -p ipv6-icmp -j ACCEPT


# ===========================================
# SSH connections on mobo
# ===========================================

# Allow incoming SSH connections on the ssh listening port (currently
# port 22 at the time of writing this)
$ip4 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$ip6 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Also allow SSH on 2322 from the local LAN
$ip4 -A INPUT -s 172.26.62.0/23 -p tcp -m state --state NEW -m tcp --dport 2322 -j ACCEPT


# ===========================================
# VPN ports on mobo
# ===========================================

# Allow L2TP/IPSEC UDP ports 500, 4500
$ip4 -A INPUT -i $nicmobo -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
$ip4 -A INPUT -i $nicmobo -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
# Allow incoming TCP 992 for VPN connections
$ip4 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 992 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 992 -j ACCEPT
# Allow incoming TCP 1194 for OpenVPN TCP connections
$ip4 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# Allow incoming UDP 1194 for OpenVPN connections
$ip4 -A INPUT -i $nicmobo -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
# Allow incoming TCP 5555 for TCP VPN connections
$ip4 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 5555 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 5555 -j ACCEPT


# ===========================================
# Emby HTTPS non-standard port (8920) on mobo
# ===========================================
$ip4 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 8920 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 8920 -j ACCEPT


# =================================================
# HDHomeRun discovery ports, allowed only from the private LAN (second NIC)
# =================================================
$ip4 -A INPUT -i $nicext1 -s 172.27.0.0/28 -p udp -m state --state NEW -m udp --sport 65001 -j ACCEPT


# =================================================
# Ports 80, 443 on mobo
# =================================================
$ip4 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
$ip4 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
$ip6 -A INPUT -i $nicmobo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

# =================================================
# SAMBA on the local network on mobo
# =================================================
$ip4 -A INPUT -i $nicmobo -s 172.26.62.0/23 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
$ip4 -A INPUT -i $nicmobo -s 172.26.62.0/23 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
$ip4 -A INPUT -i $nicmobo -s 172.26.62.0/23 -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
$ip4 -A INPUT -i $nicmobo -s 172.26.62.0/23 -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT

# =================================================
# Allow DHCP on the private LAN (second NIC)
# =================================================
$ip4 -A INPUT -i $nicext1 -s 172.27.0.0/28 -p udp -m state --state NEW -m udp --dport 67 --sport 68 -j ACCEPT


exit 0