diff --git a/ChangeLog b/ChangeLog
index 8ab71d6..549d640 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,8 @@ fix an issue I noticed during testing
 - Move icmp allow code
 - Prevent duplicate icmp allow rules in NAT code
+ - NETMAP support in NAT code
+ - Removed pointless(?) and unneeded dupe codeā
 0.9.9a - Brielle Bruns
 - Minor bug fixes for my coding errors introduced in
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index b1448a2..305f468 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -530,7 +530,7 @@ fi
 if [ $NAT ]; then
 if [ "$NAT_RANGE" ]; then
 display_c YELLOW "Adding NAT rule:"
- unset INIF_EXISTS OUTIF_EXISTS
+ unset INIF_EXISTS FWDIF_EXISTS
 for i in $NAT_RANGE; do
 NAT_RULE=( ${i//:/ } )
 case ${NAT_RULE[0]} in
@@ -538,38 +538,62 @@ if [ $NAT ]; then
 $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j SNAT \
 -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
 display_c DEFAULT "\t${GREEN}SNAT:${PURPLE}${NAT_RULE[1]}:${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}:${NAT_RULE[4]}"
- if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}" ]]; then
- $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT
- $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT
- INIF_EXISTS="${INIF_EXISTS} $i"
+ if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then
+ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \
+ -s ${NAT_RULE[2]} -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \
+ -s ${NAT_RULE[2]} -j ACCEPT
+ INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}"
 fi
- if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]; then
- $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
- $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
- OUTIF_EXISTS="${OUTIF_EXISTS} $i"
+ # This code seems pointless, anyone else have an opinion?
+ #if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}:${NAT_RULE[4]}" ]]; then
+ # $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
+ # $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
+ # OUTIF_EXISTS="${OUTIF_EXISTS} ${NAT_RULE[3]}:${NAT_RULE[4]}"
+ #fi
+ if [[ ! 
"$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then + $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ + -o ${NAT_RULE[3]} -j ACCEPT + $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ + -o ${NAT_RULE[3]} -j ACCEPT + FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" fi - $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT - $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT ;; MASQ) $IPTABLES -A POSTROUTING -t nat -s ${NAT_RULE[2]} -j MASQUERADE -o ${NAT_RULE[3]} display_c DEFAULT "\t${GREEN}MASQ:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[3]}" - if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}" ]]; then - $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -j ACCEPT - $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -j ACCEPT - INIF_EXISTS="${INIF_EXISTS} $i" + if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then + $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ + -s ${NAT_RULE[2]} -j ACCEPT + $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \ + -s ${NAT_RULE[2]} -j ACCEPT + INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}" fi - if [[ ! "$OUTIF_EXISTS" =~ "${NAT_RULE[3]}" ]]; then - $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT - $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT - OUTIF_EXISTS="${OUTIF_EXISTS} $i" + if [[ ! 
"$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then + $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ + -o ${NAT_RULE[3]} -j ACCEPT + $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ + -o ${NAT_RULE[3]} -j ACCEPT + FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" fi - $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT - $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -o ${NAT_RULE[3]} -j ACCEPT ;; NETMAP) $IPTABLES -A PREROUTING -t nat -s ${NAT_RULE[2]} -j NETMAP --to ${NAT_RULE[4]} - display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}" + display_c DEFAULT "\t${GREEN}NETMAP:${PURPLE}${NAT_RULE[2]}${AQUA}->${BLUE}${NAT_RULE[4]}" + if [[ ! "$INIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}" ]]; then + $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} \ + -s ${NAT_RULE[2]} -j ACCEPT + $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} \ + -s ${NAT_RULE[2]} -j ACCEPT + INIF_EXISTS="${INIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}" + fi + if [[ ! "$FWDIF_EXISTS" =~ "${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" ]]; then + $IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ + -o ${NAT_RULE[3]} -j ACCEPT + $IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \ + -o ${NAT_RULE[3]} -j ACCEPT + FWDIF_EXISTS="${FWDIF_EXISTS} ${NAT_RULE[1]}:${NAT_RULE[2]}:${NAT_RULE[3]}" + fi ;; *) display_c RED "Invalid NAT rule in NAT_RANGE" ;; esac diff --git a/options.default b/options.default index 88b6d03..e779d53 100755 --- a/options.default +++ b/options.default @@ -80,7 +80,7 @@ DONTTRACK="127.0.0.1" # IP NAT Rules # SNAT:::: # MASQ::: -# NETMAP:::: +# NETMAP:::: #NAT_RANGE=""