Update tinc-up.tmpl

tinc/tinc-up.tmpl

@@ -13,10 +13,11 @@ ifconfig ${internal_interface} ${internal_address6}/${internal_mask6:-128}
 iptables -t nat -I PREROUTING -d {{ . }} -i eth0 -j DNAT --to-destination ${tinc_peer_address}
 {{ end }}{{ end }}
 
+iptables -A FORWARD -i eth0 -o \$INTERFACE -j ACCEPT
+
 # Plugins may communicate over eth0, the 'internal' docker network.
 # Because of this, we should allow masquerading NAT through eth0
-iptables -A FORWARD -i eth0 -o \$INTERFACE -j ACCEPT
-iptables -t nat -A PREROUTING -i eth0 -j MARK --set-mark 1
+iptables -t nat -A PREROUTING -i eth0 ! -s ${network_address}/${global_prefix:-16} -j MARK --set-mark 1
 iptables -t nat -A POSTROUTING -m mark --mark 1 -o \$INTERFACE -j MASQUERADE
 
 # Prevent spoofing attacks