From 4b154771fdb66128344ec9a563c4516bd6bb2269 Mon Sep 17 00:00:00 2001
From: bfg100k <bfg100k@gmail.com>
Date: Fri, 29 Jul 2022 18:07:34 +1000
Subject: [PATCH 1/2] Fixed firewall rules for inbound/outbound scenarios

---
 scripts/entrypoint-router.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/entrypoint-router.sh b/scripts/entrypoint-router.sh
index 8672be8..6688145 100755
--- a/scripts/entrypoint-router.sh
+++ b/scripts/entrypoint-router.sh
@@ -66,6 +66,7 @@ update_iptables() {
 			echo "$2 ${IPTABLES_CMD} rules for inbound traffic (ZeroTier to local interfaces ${PHY_IFACES})"
 			for PHY_IFACE in ${PHY_IFACES} ; do
 				${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${PHY_IFACE} -j MASQUERADE
+				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j DROP
 				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
 				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j ACCEPT
 			done
@@ -74,6 +75,7 @@ update_iptables() {
 			echo "$2 ${IPTABLES_CMD} rules for outbound traffic (local interfaces ${PHY_IFACES} to ZeroTier)"
 			${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${ZT_IFACE} -j MASQUERADE
 			for PHY_IFACE in ${PHY_IFACES} ; do
+				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j DROP
 				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
 				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j ACCEPT
 			done

From a130232f3e6ec455b86e4dd26cbbf0a10fef47f9 Mon Sep 17 00:00:00 2001
From: bfg100k <bfg100k@gmail.com>
Date: Sat, 30 Jul 2022 14:05:09 +1000
Subject: [PATCH 2/2] fixed inbound / outbound drop rule order

---
 scripts/entrypoint-router.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/entrypoint-router.sh b/scripts/entrypoint-router.sh
index 6688145..d314326 100755
--- a/scripts/entrypoint-router.sh
+++ b/scripts/entrypoint-router.sh
@@ -66,18 +66,18 @@ update_iptables() {
 			echo "$2 ${IPTABLES_CMD} rules for inbound traffic (ZeroTier to local interfaces ${PHY_IFACES})"
 			for PHY_IFACE in ${PHY_IFACES} ; do
 				${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${PHY_IFACE} -j MASQUERADE
-				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j DROP
 				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
 				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j ACCEPT
+				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j DROP
 			done
 			;;
 		"outbound" )
 			echo "$2 ${IPTABLES_CMD} rules for outbound traffic (local interfaces ${PHY_IFACES} to ZeroTier)"
 			${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${ZT_IFACE} -j MASQUERADE
 			for PHY_IFACE in ${PHY_IFACES} ; do
-				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j DROP
 				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
 				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j ACCEPT
+				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j DROP
 			done
 			;;
 		"both" )