diff --git a/ChangeLog b/ChangeLog
index c626620..8ab71d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 0.9.10 - Brielle Bruns - Move clamp mss up earlier in the rules to possibly fix an issue I noticed during testing
+ - Move icmp allow code
+ - Prevent duplicate icmp allow rules in NAT code
 0.9.9a - Brielle Bruns - Minor bug fixes for my coding errors introduced in
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 9d823f4..b1448a2 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -567,6 +567,10 @@ if [ $NAT ]; then
 $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT
 ;;
+ NETMAP)
+ $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]}
+ display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}"
+ ;;
 *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
 esac
 done
diff --git a/options.default b/options.default
index 1f635fb..88b6d03 100755
--- a/options.default
+++ b/options.default
@@ -77,6 +77,13 @@ DONTTRACK="127.0.0.1"
 # Mark ipv4 packets for advanced purposes
 #IPv4_MARK=$BASEDIR/ipv4-marks
 
+# IP NAT Rules
+# SNAT::::
+# MASQ:::
+# NETMAP::::
+#NAT_RANGE=""
+
+
 # Hacks to either block specific kinds of attacks or fix problems
 #
 # NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
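Review bot: The new NETMAP arm installs a single nat PREROUTING rule matched on `-s ${NAT_RULE[2]}`, but as I read the NETMAP target it rewrites the destination address in PREROUTING and the source address only in POSTROUTING, so this rule redirects traffic coming from NAT_RULE[2] rather than mapping that network 1:1 onto NAT_RULE[4]. If a static 1:1 mapping is the intent, the usual shape is a `-d` match in PREROUTING for the inbound direction plus a companion `-s` rule in POSTROUTING for the outbound one, e.g. `$IPTABLES -t nat -A PREROUTING -d "${NAT_RULE[4]}" -j NETMAP --to "${NAT_RULE[2]}"` and `$IPTABLES -t nat -A POSTROUTING -s "${NAT_RULE[2]}" -j NETMAP --to "${NAT_RULE[4]}"`, with a comment stating which side is the real and which the mapped network. The arm also accepts an empty or missing fourth field silently and passes a malformed `--to` to iptables, whereas the `*)` fallback reports other bad NAT_RANGE entries; a guard like `[ -n "${NAT_RULE[2]}" ] && [ -n "${NAT_RULE[4]}" ] || { display_c RED "Invalid NETMAP rule in NAT_RANGE"; continue; }` would keep error handling consistent with the surrounding arms. Unlike the SNAT/MASQ arms, no interface from NAT_RULE[1]/[3] constrains the match, which may be deliberate for NETMAP but deserves a comment since an unconstrained nat rule applies to every ingress interface. The enclosing `case` and `for` loop over NAT_RANGE begin outside this hunk.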