From 2a9ab29e7d7b97d12bba5a17d1c9c5e480e079be Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Mon, 5 Aug 2024 13:57:30 +0000
Subject: [PATCH] fix(firewall): `VPN_PORT_FORWARDING_LISTENING_PORT` behavior fixed again - allow redirection destination port in INPUT table
---
 internal/firewall/iptables.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/internal/firewall/iptables.go b/internal/firewall/iptables.go
index c57ae5e5..b380f5ee 100644
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
@@ -212,8 +212,12 @@ func (c *Config) redirectPort(ctx context.Context, intf string,
 err = c.runIptablesInstructions(ctx, []string{
 fmt.Sprintf("-t nat %s PREROUTING %s -p tcp --dport %d -j REDIRECT --to-ports %d",
 appendOrDelete(remove), interfaceFlag, sourcePort, destinationPort),
+ fmt.Sprintf("%s INPUT %s -p tcp -m tcp --dport %d -j ACCEPT",
+ appendOrDelete(remove), interfaceFlag, destinationPort),
 fmt.Sprintf("-t nat %s PREROUTING %s -p udp --dport %d -j REDIRECT --to-ports %d",
 appendOrDelete(remove), interfaceFlag, sourcePort, destinationPort),
+ fmt.Sprintf("%s INPUT %s -p udp -m udp --dport %d -j ACCEPT",
+ appendOrDelete(remove), interfaceFlag, destinationPort),
 })
 if err != nil {
 return fmt.Errorf("redirecting IPv4 source port %d to destination port %d on interface %s: %w",
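Review bot: The new INPUT ACCEPT rules for tcp and udp (here and again in the IPv6 hunk below) admit any packet whose destination is destinationPort on the interface, not only packets that were rewritten by the PREROUTING REDIRECT two lines above, so anything else listening on that port on the same interface becomes reachable too; if that is the intended contract, I'd state it next to the list with `// REDIRECT rewrites the destination port before INPUT is evaluated, so INPUT must accept destinationPort (the listening port), not sourcePort.` The `-m tcp`/`-m udp` match is redundant with `-p tcp`/`-p udp` and differs from the nat rules above that omit it; it is harmless only because the identical string is reused for the `-D` path, so any later edit must keep both forms in step. The four instructions are now duplicated byte for byte between the IPv4 and IPv6 lists, which a small helper building the slice for a given iptables runner would remove. redirectPort's signature and the construction of interfaceFlag are outside the hunk, so whether an empty interfaceFlag is possible (which would make the ACCEPT apply to every interface) cannot be checked here.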
@@ -223,8 +227,12 @@ func (c *Config) redirectPort(ctx context.Context, intf string,
 err = c.runIP6tablesInstructions(ctx, []string{
 fmt.Sprintf("-t nat %s PREROUTING %s -p tcp --dport %d -j REDIRECT --to-ports %d",
 appendOrDelete(remove), interfaceFlag, sourcePort, destinationPort),
+ fmt.Sprintf("%s INPUT %s -p tcp -m tcp --dport %d -j ACCEPT",
+ appendOrDelete(remove), interfaceFlag, destinationPort),
 fmt.Sprintf("-t nat %s PREROUTING %s -p udp --dport %d -j REDIRECT --to-ports %d",
 appendOrDelete(remove), interfaceFlag, sourcePort, destinationPort),
+ fmt.Sprintf("%s INPUT %s -p udp -m udp --dport %d -j ACCEPT",
+ appendOrDelete(remove), interfaceFlag, destinationPort),
 })
 if err != nil {
 return fmt.Errorf("redirecting IPv6 source port %d to destination port %d on interface %s: %w",