=================================================================== RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v retrieving revision 2.76 retrieving revision 2.77 diff -u -p -r2.76 -r2.77 --- scripts/shell/firewall/fw-universal.sh 2011/01/16 12:18:14 2.76 +++ scripts/shell/firewall/fw-universal.sh 2011/01/24 20:26:04 2.77 @@ -1,5 +1,14 @@ #!/bin/bash +### BEGIN INIT INFO +# Provides: firewall +# Required-Start: networking +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: firewalling rules +### END INIT INFO + # # This will be universal firewalling script for Linux kernel (iptables) in near future # Can be started by init or by hand. @@ -9,7 +18,7 @@ # Licensed under terms of GNU General Public License. # All rights reserved. # -# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.75 2010-10-22 12:20:42 nepto Exp $ +# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.76 2011-01-16 12:18:14 nepto Exp $ # # Changelog: # 2003-10-24 - created @@ -465,7 +474,7 @@ masquerade() if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then $IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP - for port in 69 135 445 1434 6667; do + for port in 67 68 69 135 445 1434 6667; do $IPTABLES -A FORWARD -p TCP --dport $port -j DROP $IPTABLES -A FORWARD -p UDP --dport $port -j DROP done 
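Review bot: `Required-Start: networking` in the new LSB header brings the firewall up only after the interfaces are configured, so at boot there is a window in which the host is reachable with whatever chain policy the kernel has before this script runs; nothing in the hunk sets a policy earlier. If loading the rules does not need the interfaces to exist yet, `Required-Start: $local_fs` together with `X-Start-Before: networking` closes that gap, but whether that is feasible depends on how the IP_*/IFname_* variables are resolved elsewhere in the file, which this hunk does not show. `Required-Stop:` and `Default-Stop:` are left empty, so the rules are never flushed on shutdown; if that is intended, say so next to the header, e.g. `# Required-Stop is intentionally empty: keep the rules until the kernel goes down`.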
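Review bot: Ports 67 and 68 are DHCP (bootps/bootpc), not Microsoft services, yet the third hunk adds them to the loop that only runs when NAT_FORWARD_MICROSOFT is "no", so a site that sets that variable to yes also silently stops dropping DHCP across the NAT boundary. Either give the DHCP ports their own unconditional loop or document the coupling at the `for port in` line, e.g. `# 67/68 = DHCP (bootps/bootpc): never forwarded; note the whole block is skipped when NAT_FORWARD_MICROSOFT=yes`. This does not conflict with the port-67 accept added in the allow_input hunks, since those touch the INPUT chain rather than FORWARD. The enclosing `if` and masquerade() itself continue outside the hunk.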
@@ -490,6 +499,50 @@ masquerade() print_info " done." fi + # NAT_FORWARD_TCP_HOSTS {{{ + if [ ! -z "$NAT_FORWARD_TCP_HOSTS" ]; then + print_info -en "\tAccepting FORWARD TCP hosts:" + for host in $NAT_FORWARD_TCP_HOSTS; do + print_info -en " $host" + $IPTABLES -A FORWARD -p TCP -d $host -m state --state NEW -j ACCEPT + done + print_info " done." + fi + # }}} + + # NAT_FORWARD_UDP_HOSTS {{{ + if [ ! -z "$NAT_FORWARD_UDP_HOSTS" ]; then + print_info -en "\tAccepting FORWARD UDP hosts:" + for host in $NAT_FORWARD_UDP_HOSTS; do + print_info -en " $host" + $IPTABLES -A FORWARD -p UDP -d $host -m state --state NEW -j ACCEPT + done + print_info " done." + fi + # }}} + + # NAT_FORWARD_TCP_CLIENTS {{{ + if [ ! -z "$NAT_FORWARD_TCP_CLIENTS" ]; then + print_info -en "\tAccepting FORWARD TCP clients:" + for client in $NAT_FORWARD_TCP_CLIENTS; do + print_info -en " $client" + $IPTABLES -A FORWARD -p TCP -s $client -m state --state NEW -j ACCEPT + done + print_info " done." + fi + # }}} + + # NAT_FORWARD_UDP_CLIENTS {{{ + if [ ! -z "$NAT_FORWARD_UDP_CLIENTS" ]; then + print_info -en "\tAccepting FORWARD UDP clients:" + for client in $NAT_FORWARD_UDP_CLIENTS; do + print_info -en " $client" + $IPTABLES -A FORWARD -p UDP -s $client -m state --state NEW -j ACCEPT + done + print_info " done." + fi + # }}} + print_info -en "\tAccepting ICMP packets:" for type in $ACCEPT_ICMP_PACKETS; do print_info -en " $type" 
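Review bot: The four new NAT_FORWARD_* blocks are the same nine lines repeated with only the protocol and the -s/-d match swapped, and each appends an ACCEPT with no --dport and no -i/-o, so a listed host or client gets every port of that protocol opened in both forwarding directions; if that breadth is intended, a comment at the first block saying so would save the next administrator a surprise. Because they are appended after the NAT_FORWARD_MICROSOFT DROP rules earlier in masquerade(), those drops still take precedence, which is worth stating next to the rules as well. A small helper removes the duplication, quotes the address argument in the iptables call, and replaces `[ ! -z "$X" ]` with `[ -n "$X" ]`; the helper would be defined before masquerade(), whose start and end lie outside this hunk.
```shell
# Append one FORWARD ACCEPT per space-separated entry in $3.
# $1 = protocol (TCP/UDP), $2 = iptables match (-d for hosts, -s for clients),
# $3 = address list, $4 = label for the progress line.
# No --dport and no -i/-o: every port of the protocol is opened in both directions.
nat_forward_accept() {
	local proto="$1" match="$2" list="$3" label="$4" entry
	[ -n "$list" ] || return 0
	print_info -en "\tAccepting FORWARD $proto $label:"
	for entry in $list; do
		print_info -en " $entry"
		$IPTABLES -A FORWARD -p "$proto" "$match" "$entry" -m state --state NEW -j ACCEPT
	done
	print_info " done."
}
# … unchanged: NAT_FORWARD_MICROSOFT drop rules above; these accepts are appended after them …
nat_forward_accept TCP -d "$NAT_FORWARD_TCP_HOSTS"   hosts
nat_forward_accept UDP -d "$NAT_FORWARD_UDP_HOSTS"   hosts
nat_forward_accept TCP -s "$NAT_FORWARD_TCP_CLIENTS" clients
nat_forward_accept UDP -s "$NAT_FORWARD_UDP_CLIENTS" clients
```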
@@ -756,13 +809,17 @@ allow_input()
 riface="IFname_$iface";
 print_info -en " $port($iface)"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 IPS="IP_$iface";
- for ip in ${!IPS}; do
- if [ -z "$src_ip" ]; then
- $IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT
- else
- $IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT
- fi
- done
+ if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified
+ $IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT
+ else
+ for ip in ${!IPS}; do
+ if [ -z "$src_ip" ]; then
+ $IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT
+ else
+ $IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT
+ fi
+ done
+ fi
 done
 done
 print_info " done."
@@ -916,17 +973,21 @@ allow_input()
 print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 #$IPTABLES -A INPUT -i $iface -d ${!INET_IP} -p UDP --dport $port -j ACCEPT
 #$IPTABLES -A INPUT -i $iface --source 192.168.1.0/16 -p UDP --dport $port -j ACCEPT
- for ip in ${!IPS}; do
- if [ -z $src_ip ]; then
- $IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT
- else
- if [ "$port" = "ALL" ]; then
- $IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT
+ if [ "$port" -eq 67 ]; then # DHCP requests doesn't have destination IP specified
+ $IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT
+ else
+ for ip in ${!IPS}; do
+ if [ -z $src_ip ]; then
+ $IPTABLES -A INPUT -i ${!riface} -d $ip -p UDP --dport $port -j ACCEPT
 else
- $IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT
+ if [ "$port" = "ALL" ]; then
+ $IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP -j ACCEPT
+ else
+ $IPTABLES -A INPUT -i ${!riface} -s $src_ip -d $ip -p UDP --dport $port -j ACCEPT
+ fi
 fi
- fi
- done
+ done
+ fi
 done
 print_info " done."
 fi
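Review bot: The new port-67 branch discards the `$src_ip` restriction entirely: the diagnostic on the `print_info` line above still prints `[$src_ip]`, but the rule that is appended accepts UDP/67 from any source on the interface, so a configured source filter is silently ignored; the same branch in the second allow_input hunk (@@ -916) has the same gap. Broadcast DHCP cannot be matched on -d, but -s can still be honoured when it is set, or the script should reject the combination rather than drop it without notice. The test should also be a string compare, since `-eq` errors out on a non-numeric port value. The loops this branch sits in begin outside the hunk.
```shell
if [ "$port" = "67" ]; then # broadcast DHCP has no usable destination IP, but -s still applies when set
	if [ -z "$src_ip" ]; then
		$IPTABLES -A INPUT -i ${!riface} -p UDP --dport $port -j ACCEPT
	else
		$IPTABLES -A INPUT -i ${!riface} -s $src_ip -p UDP --dport $port -j ACCEPT
	fi
else
	# … unchanged: per-IP loop over ${!IPS} …
fi
```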
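Review bot: `[ "$port" -eq 67 ]` in the second allow_input hunk is an integer test, but this loop explicitly supports `port=ALL` a few lines further down; for that value `[` prints "integer expression expected" on stderr and returns status 2, so the else branch is reached only by accident of the error status rather than by design. Use the same string comparison the ALL check already uses: `if [ "$port" = "67" ]; then`. The enclosing loop and allow_input() continue outside the hunk.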