Allow traffic to forward off the weave bridge

weaveworks · Feb 1, 2017 · 8afe8e6 · 8afe8e6
1 parent a5ddfe8
commit 8afe8e6
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/weave b/weave
@@ -620,6 +620,10 @@ try_create_bridge() {
             # across our bridge. E.g. ufw
             add_iptables_rule filter FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
         fi
+        # Forward from weave to the rest of the world
+        add_iptables_rule filter FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT
+        # and allow replies back
+        add_iptables_rule filter FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
         # create a chain for masquerading
         run_iptables -t nat -N WEAVE >/dev/null 2>&1 || true
@@ -803,6 +807,8 @@ destroy_bridge() {
     run_iptables -t filter -D INPUT -i $DOCKER_BRIDGE -p udp --dst $DOCKER_BRIDGE_IP --dport $PORT          -j DROP >/dev/null 2>&1 || true
     run_iptables -t filter -D INPUT -i $DOCKER_BRIDGE -p udp --dst $DOCKER_BRIDGE_IP --dport $(($PORT + 1)) -j DROP >/dev/null 2>&1 || true
 
+    run_iptables -t filter -D FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT 2>/dev/null || true
+    run_iptables -t filter -D FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
     run_iptables -t filter -D FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT 2>/dev/null || true
     run_iptables -F WEAVE-NPC >/dev/null 2>&1 || true
     run_iptables -t filter -D FORWARD -o $BRIDGE -j WEAVE-NPC 2>/dev/null || true