From 722808a0e40d71c774d25018bbf6ef5d70aebd6a Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Wed, 9 Sep 2020 17:47:20 -0700
Subject: [PATCH] firewall: make sure blocklist is first in the forward chain
---
 setup/start/cloudron-firewall.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 288d5d2fd..89221342c 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -12,12 +12,12 @@
 ipset create cloudron_blocklist hash:net || true
 iptables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
 if ! iptables -t filter -C FORWARD -m set --match-set cloudron_blocklist src -j DROP; then
-    iptables -t filter -I FORWARD -m set --match-set cloudron_blocklist src -j DROP
+    iptables -t filter -A FORWARD -m set --match-set cloudron_blocklist src -j DROP
 fi
 
 # allow related and establisted connections
-iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port
+iptables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -t filter -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT # 202 is the alternate ssh port
 
 # whitelist any user ports
 user_firewall_json="/home/yellowtent/boxdata/firewall-config.json"
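Review bot: The new `-A FORWARD` line appends the blocklist DROP to the end of the FORWARD chain, so it is only "first" (as the commit title promises) if FORWARD is empty when this script runs, which the hunk does not show; any ACCEPT rule already in FORWARD would be evaluated before the blocklist. The `-C` guard on the line above also leaves an already-present rule wherever it currently sits rather than moving it to the top. If the position is load-bearing, `iptables -t filter -I FORWARD 1 -m set --match-set cloudron_blocklist src -j DROP` pins it explicitly; otherwise the assumption should be recorded, e.g. `# FORWARD is expected to be empty here so -A places the blocklist first; it must precede any ACCEPT`. Within CLOUDRON the switch from `-I` to `-A` for the RELATED,ESTABLISHED rule now places the blocklist DROP ahead of it, so established flows from blocklisted sources are dropped as well — worth a one-line comment since it is a deliberate ordering change that a later edit could silently undo.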