rename post_decalrations.conf -> post_declarations.conf; fix error in handling IPv4 'forward_private_ip_arr'. Fix error setting '/proc/sys/net/ipv4/conf/all/log_martians'.

2026-01-19 16:43:40 +01:00
parent 3d27513b81
commit a5b66b755b
2 changed files with 628 additions and 6 deletions


@@ -13,7 +13,7 @@ conf_logging=${ipt_conf_dir}/logging_ipv4.conf
conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf
conf_default_settings=${ipt_conf_dir}/default_settings.conf
conf_main=${ipt_conf_dir}/main_ipv4.conf
conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf
conf_post_declarations=${ipt_conf_dir}/post_declarations.conf
conf_ban_ipv4_list="${ipt_conf_dir}/ban_ipv4.list"
@@ -225,7 +225,7 @@ if ! is_container ; then
## - Logging of spoofed (source routed" and "redirect") packets
## -
if $kernel_log_martians ; then
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi
## - Keine ICMP Umleitungspakete akzeptieren.
@@ -478,12 +478,13 @@ fi
echononl "\tAllow forwarding (private) IPs / IP-Ranges.."
if [[ ${#forward_private_ip_arr[@]} -gt 0 ]] ; then
for _ip in ${forward_private_ip_arr[@]}; do
# NOTE: These IPs/IP-ranges are intentionally not firewalled (pass-through).
if $log_forwarding_priv_ip || $log_all ; then
$ipt -t mangle -A PREROUTING -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: "
$ipt -t mangle -A PREROUTING -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Accept priv ip $_ip: "
$ipt -A FORWARD -d $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
$ipt -A FORWARD -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Not firewalled (forward) $_ip: "
fi
$ipt -t mangle -A PREROUTING -d $_ip -j ACCEPT
$ipt -t mangle -A PREROUTING -s $_ip -j ACCEPT
$ipt -A FORWARD -d $_ip -j ACCEPT
$ipt -A FORWARD -s $_ip -j ACCEPT
done
echo_done
else
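Review bot: The new `$ipt -A FORWARD -s $_ip -j ACCEPT` rule accepts any forwarded packet whose source address falls in `forward_private_ip_arr`, whichever interface it arrives on. The pass-through is therefore only as safe as the anti-spoofing in place (rp_filter or an earlier interface-bound drop), and none of that is visible in this hunk. If these ranges sit behind known interfaces, binding the rules would narrow this, e.g. `$ipt -A FORWARD -i <internal_if> -s "$_ip" -j ACCEPT`, where `<internal_if>` is a placeholder. Because the rules are appended with `-A`, it is worth documenting next to the NOTE comment that they must come after any ban/drop rules meant to apply to these ranges. Separately, the loop and rule arguments are unquoted; `for _ip in "${forward_private_ip_arr[@]}"` and `"$_ip"` would avoid word-splitting and globbing on a malformed config entry. The enclosing `if`/`else` continues outside the hunk.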