From bde9efd92b79126075da79b07d83355c4e9e9928 Mon Sep 17 00:00:00 2001 From: "bbruns@gmail.com" Date: Sat, 5 Apr 2014 23:15:19 +0000 Subject: [PATCH] --- ChangeLog | 3 ++- lib/iptables.inc | 26 ++++++++++++++++++-------- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 37801a4..be1a229 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,7 +10,8 @@ - ACL/Filtering functionality (IPv4/IPv6) - 4/5/2014 - NAT/NETMAP functionality (IPv4/IPv6) - 4/5/2014 - IPv6 NAT/NETMAP is untested, have no internal use for it, let me know if works/doesnt - + - Forwarding functionality (IPv4/IPv6) - 4/5/2014 + - Deps on Enablev(4|6)ConnectionTracking for NAT functionality =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-= 1.1 - Brielle Bruns diff --git a/lib/iptables.inc b/lib/iptables.inc index 231c86b..26df99c 100644 --- a/lib/iptables.inc +++ b/lib/iptables.inc 
@@ -194,21 +194,31 @@ function allow_resolvconf_servers {
 IPVER="4"
 ;;
 esac
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
- [[ ${IP_VERSION} = "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
- [[ ${IP_VERSION} = "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
+ [[ ${IP_VERSION} == "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
+ [[ ${IP_VERSION} == "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Using ${ResolvConfFile} as resolv.conf"
 while read -r type server; do
 [[ ${type} != "nameserver" ]] && continue
 [[ ${type} = "" ]] && continue
- # If we see a : in the server variable, we are most likely dealing with an ipv6 address
 ([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
 ([[ ! ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue
+
+ use_conntrack="no"
+ (([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
+ (([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"
+
+ # If we see a : in the server variable, we are most likely dealing with an ipv6 address
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Added ${server} to DNS client trusted list"
- ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
- ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
- ${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
- ${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
- done < "${ResolvConfFile}"
+ if [[ ${use_conntrack} == "yes"]]; then
+ ${VER_IPTABLES} -A ${OutPreRules} -p udp -d ${server} --dport 53 ${M_STATE} ${C_STATE} NEW,ESTABLISHED -j ACCEPT
+ ${VER_IPTABLES} -A ${InPreRules} -p udp -s ${server} --sport 53 ${M_STATE} ${C_STATE} ESTABLISHED,RELATED -j ACCEPT
+ else
+ ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
+ ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
+ #${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
+ #${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
+ fi
+ done < "${ResolvConfFile}"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 }
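Review bot: The two new `use_conntrack` selection lines and the `if` that consumes them should not parse: `(([[ … ]] && [[ … ]]) && use_conntrack="yes"` opens two parentheses and closes only one, and `[[ ${use_conntrack} == "yes"]]` has no space before `]]`, so bash will reject the function when the file is sourced (and even if the stray outer `(` were closed, an assignment made inside a subshell would never reach the `if`). Match the single-paren form of the `continue` guards above and restore the space: `([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && use_conntrack="yes"`, `([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && use_conntrack="yes"`, `if [[ ${use_conntrack} == "yes" ]]; then`. Separately, the removed `-p tcp` accept pair is replaced by nothing in the conntrack branch and by commented-out lines in the else branch, so DNS answers that exceed the UDP size and fall back to TCP are no longer accepted by these rules for any resolver in the trusted list; an equivalent `-p tcp … --dport 53` pair in both branches would keep the previous behaviour. The `# If we see a :` comment has also been moved away from the two `:` checks it describes and now sits above the debug line, so it should go back with those checks. allow_resolvconf_servers begins before this hunk.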