Fix masquerading for LAN

e-router

@@ -39,8 +39,6 @@ droplog() {
 }
 
 forward() {
-    ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
     while read -r ip public private ; do
         [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] || continue
         [[ "$public" =~ ^[0-9]{1,}|[0-9]{1,}:[0-9]{1,}$ ]] || continue
@@ -76,6 +74,8 @@ forward() {
 lan() {
     ${iptables} -A INPUT -i ${eth0} -j ACCEPT
     ${iptables} -t nat -A POSTROUTING -o ${wan} -s ${locnet} -j MASQUERADE
+    ${iptables} -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+    ${iptables} -A FORWARD -i ${eth0} -o ${wan} -j ACCEPT
 }
 
 whitenets() {