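{
    # Emit one iptables ACCEPT rule per entry of @locals, appended to the
    # chain named by $NEW_local_chk.  The "\$" keeps that name literal in the
    # output, so it is resolved by whatever consumes the generated text.
    # @locals and $nets are defined outside this fragment.
    #
    # NOTE(review): $local is written into the command line verbatim and
    # unquoted.  The only check here is that the address part is a key in the
    # networks db; the part after "/" is never checked.  Confirm that @locals
    # is built from validated address/mask values, because anything else
    # would become part of the generated firewall command.
    $OUT = "";

    for my $local (@locals)
    {
        # Entries look like "network/mask"; only the network part is needed
        # for the db lookup.
        my ($net) = split m{/}, $local;

        # Refuse to generate a partial rule set for a network that the
        # networks db does not know.
        my $netrec = $nets->get($net);
        die "Can't find network $net in networks db!\n" unless $netrec;

        my $rule = "/sbin/iptables -A \$NEW_local_chk -s $local";

        # A remote VPN subnet is accepted only when the traffic arrives on
        # ipsec0, so the same source range seen on another interface is not
        # treated as local.
        my $is_remote_vpn = ($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes';
        $rule .= " --in-interface ipsec0" if $is_remote_vpn;

        $OUT .= $rule . " -j ACCEPT\n";
    }
}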
