ipcop bypass blue access

Therefore, you need to add all of these rules to the rc.local script. The rc.local script is executed AFTER the wireless network is brought up and AFTER the dmz holes have already been created. The rules you need are as follows:

                # Define Ethernet Settings
                . /var/ipcop/ethernet/settings

                #Flush Out All Customized Wireless Chains
                /sbin/iptables -F WIRELESSINPUT
                /sbin/iptables -F WIRELESSFORWARD

                #Allow Blue Network Access
                /sbin/iptables -A WIRELESSINPUT -i $BLUE_DEV -d 0/0 -j ACCEPT

                # Anything from blue that is not forwarded out the green interface (e.g. to red)
                # is accepted. "-o ! dev" is the old iptables negation syntax; newer iptables
                # releases expect "! -o dev" instead.
                /sbin/iptables -A WIRELESSFORWARD -i $BLUE_DEV -o ! $GREEN_DEV -d 0/0 \
                -j ACCEPT
                # Blue traffic bound for green only gets through explicit DMZ holes;
                # everything else is logged and dropped, so keep these two rules in this order.
                /sbin/iptables -A WIRELESSFORWARD -i $BLUE_DEV -d 0/0 -j DMZHOLES
                /sbin/iptables -A WIRELESSFORWARD -i $BLUE_DEV -d 0/0 -j LOG_DROP


The rules above will do what you are asking (allow access to red from blue). If you want to do your blue network's domain name resolution using your internal servers and/or you have a web server, e-mail server, etc. you will want to add some rules like these as well to allow traffic onto the green and/or orange network(s):

                # Allow Specific Blue Traffic On To Green Network
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 --dport 20 -j ACCEPT #FTP-DATA
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 --dport 21 -j ACCEPT #FTP
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 --dport 25 -j ACCEPT #SMTP
                /sbin/iptables -A DMZHOLES -p udp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 --dport 53 -j ACCEPT #DNS
                /sbin/iptables -A DMZHOLES -p udp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.3 --dport 53 -j ACCEPT #DNS
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 --dport 80 -j ACCEPT #WEB
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 --dport 443 -j ACCEPT #SSL
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.3 --dport 1723 -j ACCEPT #VPN
                /sbin/iptables -A DMZHOLES -p tcp -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.3 --dport 3389 -j ACCEPT #RDC
                /sbin/iptables -A DMZHOLES -p gre -i $BLUE_DEV -o $GREEN_DEV -d \
                192.168.0.2 -j ACCEPT #VPN

You will also want to add '/sbin/iptables -F DMZHOLES' to the top of rc.local where it flushes out all of the wireless rules. Keep in mind if you have to create DMZ Holes like this for the wireless network you will also need to move all of your existing DMZ Holes from your web interface to here. This is because there is no custom chain for DMZ Holes, so when you flush out DMZHOLES it will erase any rules that you set in the web interface. However, I think it's a nice trade-off. :)