From c247d4c63da141c973bb1b8e5bd9913d891d74cf Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Thu, 28 Sep 2017 14:56:21 +0100
Subject: [PATCH] Firewall for mesh tunnel
---
 src/freedombone-app-batman | 2 +-
 src/freedombone-mesh-batman | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/freedombone-app-batman b/src/freedombone-app-batman
index 8511ed9a..dc51950d 100755
--- a/src/freedombone-app-batman
+++ b/src/freedombone-app-batman
@@ -169,7 +169,7 @@ function install_mesh_tunnel {
 echo '; IP address the broker will listen and accept tunnels on' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
 echo 'address=127.0.0.1' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
 echo '; Ports where the broker will listen on' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
- echo "port=53,123,8942" >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
+ echo 'port=53,8942' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
 echo '; Interface with that IP address' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
 echo 'interface=lo' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
 echo '; Maximum number of tunnels that will be allowed by the broker' >> $rootdir/opt/tunneldigger/broker/l2tp_broker.cfg
diff --git a/src/freedombone-mesh-batman b/src/freedombone-mesh-batman
index 83981c3a..6bca08fe 100755
--- a/src/freedombone-mesh-batman
+++ b/src/freedombone-mesh-batman
@@ -158,6 +158,11 @@ function stop {
 # SSB/Patchwork
 iptables -D INPUT -p udp --dport 8008 -j ACCEPT
 iptables -D INPUT -p tcp --dport 8008 -j ACCEPT
+ # Tunnel over the internet
+ iptables -D INPUT -p tcp --dport 53 -j ACCEPT
+ iptables -D INPUT -p udp --dport 53 -j ACCEPT
+ iptables -D INPUT -p tcp --dport 8942 -j ACCEPT
+ iptables -D INPUT -p udp --dport 8942 -j ACCEPT
 systemctl restart network-manager
 }
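Review bot: The broker is configured two lines above this change to bind `address=127.0.0.1`, so listing 53 as a broker port will collide with any local resolver already bound to 127.0.0.1:53 if one is present on the node; confirm nothing else owns that port before the broker starts, or choose a port outside the well-known range. Dropping 123 from the list is consistent with not contending with NTP. This port list is also the one the firewall rules in src/freedombone-mesh-batman must mirror, so a comment naming that dependency would help, e.g. `# NOTE: keep this port list in sync with the "Tunnel over the internet" rules in freedombone-mesh-batman`. install_mesh_tunnel begins and ends outside the hunk.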
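Review bot: The new ACCEPT rules open tcp and udp 53 and 8942 on INPUT for every interface and source, while the broker they serve is bound to 127.0.0.1 per the l2tp_broker.cfg written in the first file of this patch; loopback traffic presumably already passes via an existing lo rule (confirm), so on the external interfaces these rules mainly expose whatever else answers on 53, and a resolver on this host would become reachable from the internet. Restrict them to the interface the tunnel endpoint actually arrives on, and to UDP unless a TCP listener is confirmed, e.g. `iptables -A INPUT -i "$TUNNEL_IFACE" -p udp --dport 8942 -j ACCEPT` where `TUNNEL_IFACE` is a placeholder for however this script already names the upstream interface. The same applies to the matching `-A` rules in the start hunk at old line 313, whose function body continues past the end of this excerpt. stop's body here matches the existing 8008 rules' style, so only the scope of the rules, not their placement, is at issue.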
@@ -313,6 +318,11 @@ function start {
 # SSB/Patchwork
 iptables -A INPUT -p udp --dport 8008 -j ACCEPT
 iptables -A INPUT -p tcp --dport 8008 -j ACCEPT
+ # Tunnel over the internet
+ iptables -A INPUT -p tcp --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp --dport 53 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 8942 -j ACCEPT
+ iptables -A INPUT -p udp --dport 8942 -j ACCEPT
 systemctl restart avahi-daemon