From 455830e5eb6462b0f0d76723c211c1a57aa81fd4 Mon Sep 17 00:00:00 2001
From: Manevolent <Manevolent@users.noreply.github.com>
Date: Mon, 29 Jan 2024 19:13:11 -0700
Subject: [PATCH] Update tinc-up.tmpl

---
 tinc/tinc-up.tmpl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tinc/tinc-up.tmpl b/tinc/tinc-up.tmpl
index 4f9cc26..78a9def 100644
--- a/tinc/tinc-up.tmpl
+++ b/tinc/tinc-up.tmpl
@@ -13,10 +13,11 @@ ifconfig ${internal_interface} ${internal_address6}/${internal_mask6:-128}
 iptables -t nat -I PREROUTING -d {{ . }} -i eth0 -j DNAT --to-destination ${tinc_peer_address}
 {{ end }}{{ end }}
 
+iptables -A FORWARD -i eth0 -o \$INTERFACE -j ACCEPT
+
 # Plugins may communicate over eth0, the 'internal' docker network.
 # Because of this, we should allow masquerading NAT through eth0
-iptables -A FORWARD -i eth0 -o \$INTERFACE -j ACCEPT
-iptables -t nat -A PREROUTING -i eth0 -j MARK --set-mark 1
+iptables -t nat -A PREROUTING -i eth0 ! -s ${network_address}/${global_prefix:-16} -j MARK --set-mark 1
 iptables -t nat -A POSTROUTING -m mark --mark 1 -o \$INTERFACE -j MASQUERADE
 
 # Prevent spoofing attacks