From 2fd86faf812a1771f54310db4049809970984ca0 Mon Sep 17 00:00:00 2001
From: Julien Vaubourg
Date: Tue, 14 Jun 2016 23:31:52 +0200
Subject: [PATCH] Open firewall in vpnclient_out for each address defined for the vpn server domain
---
 conf/hook_post-iptable-rules | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/conf/hook_post-iptable-rules b/conf/hook_post-iptable-rules
index 33e3a6e..64a90d8 100644
--- a/conf/hook_post-iptable-rules
+++ b/conf/hook_post-iptable-rules
@@ -1,7 +1,7 @@
 #!/bin/bash
-host6=$(dig AAAA +short | tail -n1)
-host4=$(dig A +short | tail -n1)
+host6=$(dig AAAA +short | grep -v '\.$')
+host4=$(dig A +short | grep -v '\.$')
 
 # IPv6
@@ -17,7 +17,9 @@ sudo ip6tables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j
 sudo ip6tables -w -A vpnclient_in -j DROP
 
 if [ ! -z "${host6}" ]; then
- sudo ip6tables -w -A vpnclient_out -d ${host6} -p --dport -j ACCEPT
+ for i in ${host6}; do
+ sudo ip6tables -w -A vpnclient_out -d "${i}" -p --dport -j ACCEPT
+ done
 fi
 
 for i in ; do
@@ -50,7 +52,9 @@ sudo iptables -w -A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j A
 sudo iptables -w -A vpnclient_in -j DROP
 
 if [ ! -z "${host4}" ]; then
- sudo iptables -w -A vpnclient_out -d ${host4} -p --dport -j ACCEPT
+ for i in ${host4}; do
+ sudo iptables -w -A vpnclient_out -d "${i}" -p --dport -j ACCEPT
+ done
 fi
 
 for i in ; do
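Review bot: The new `grep -v '\.$'` on the two `host6=`/`host4=` lines only drops CNAME targets; anything else `dig +short` writes to stdout — notably its own `;; connection timed out; no servers could be reached` diagnostic, which some versions print there — still ends up in `host6`/`host4` and is later word-split into `-d` arguments of ACCEPT rules. Since these values decide which destinations the firewall opens, a positive match is safer than a negative filter: `host6=$(dig AAAA +short | grep -E '^[0-9a-fA-F:]+$')` and `host4=$(dig A +short | grep -E '^[0-9]+(\.[0-9]+){3}$')`. The domain argument to `dig` is not visible in this rendering, presumably a template placeholder lost on the way; if it really were empty, `dig` would query the root zone. A short comment on the new lines would help the next reader, e.g. `# one address per line; dig +short also lists CNAME targets (trailing dot), which the filter drops`.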
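Review bot: The `if [ ! -z "${host6}" ]` guard around the new `for i in ${host6}` loop is now redundant — an empty `host6` simply yields zero iterations — and the loop never checks whether ip6tables accepted the rule, so a non-address token in the dig output fails silently and the VPN server is left unreachable through vpnclient_out with nothing logged. Consider dropping the `if` and validating each entry before use, `[[ "${i}" == *:* ]] || continue` ahead of the ip6tables call, plus `|| echo "vpnclient: cannot add rule for ${i}" >&2` on the call itself. The unquoted `${host6}` is also subject to globbing, not just word-splitting; `while IFS= read -r addr; do ... done <<<"${host6}"` avoids that. The same applies to the IPv4 loop in the third hunk (with a dotted-quad check); the `-p --dport` arguments in both loops look like template placeholders lost in rendering, and if they were genuinely empty in the file the rule would be rejected.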