From 9a9ff7c3cd2903abf35a059426183a4466c5ad76 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Thu, 15 Jul 2010 04:03:28 +0000
Subject: [PATCH] Fix another messup in NAT code
---
 rc.firewall | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rc.firewall b/rc.firewall
index 0450e56..0e3044f 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -89,9 +89,11 @@ if [ $CONNTRACK ]; then
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IPTABLES -A FORWARD -m state --state NEW -j ACCEPT
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
 $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A FORWARD -m state --state INVALID -j DROP
 fi
 if [ "$BLOCKTCPPORTS" ] || [ "$BLOCKUDPPORTS" ]; then
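Review bot: The three new `--state INVALID -j DROP` rules are appended with `-A`, so an ACCEPT that the script added to INPUT, OUTPUT or FORWARD before this block would still match an INVALID packet first. The `if [ $CONNTRACK ]; then` block opens above the hunk and the earlier rules are not visible here, so this needs checking against the rest of rc.firewall. If stateless accepts do precede the block, the drops belong at the head of each chain, for example `$IPTABLES -I FORWARD 1 -m state --state INVALID -j DROP`. The subject ties the change to NAT, presumably because packets that conntrack marks INVALID are not translated by the nat table and could be forwarded with internal source addresses; a comment such as `# INVALID packets are not NATed; drop them in every chain` above the rules would record that reason.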