From af6518176a6e15923089e9f794099a4867a77010 Mon Sep 17 00:00:00 2001
From: bbruns
Date: Sat, 21 Aug 2010 16:54:46 +0000
Subject: [PATCH] New NAT code

---
 ChangeLog | 3 +++
 include/functions | 14 +++++++++++++-
 options.default | 15 +++++++++++----
 rc.firewall | 32 ++++++++++++++++++++++++++++++--
 4 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 482c244..3f04c6d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@
  - stop-firewall for... stopping the firewall!
  - Code cleanups
  - Use of functions for some processes
+ - Fix DHCP rule
+ - Obsoleted NATRANGE, NATEXTIP, NATEXTIF
+ - Added NAT_RANGE which can take SNAT/MASQ rules
 
 0.9.3 - Brielle Bruns
  - Misc tweaks and reorg
diff --git a/include/functions b/include/functions
index 79dd515..34d9976 100644
--- a/include/functions
+++ b/include/functions
@@ -19,7 +19,7 @@
 # along with this program. If not, see .
 
 
-# display_c($COLOR,$TEXT,BOOL)
+# display_c $COLOR $TEXT BOOL(YN)
 # $COLOR being bash colors
 # $TEXT being what to output (make sure to put " " around text)
 # BOOL being (Y or N) to do newline at end or not
@@ -34,6 +34,18 @@ function display_c {
 echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
 }
 
+
+# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
+# Non-color version of display_c
+function display_m {
+ unset TEXT NEWLINE
+ TEXT="$2"
+ if [ "$3" == "N" ]; then
+ NEWLINE="-n"
+ fi
+ echo -e $NEWLINE "$TEXT"
+}
+
 # pick_color $COLOR
 # returns appropriate color codes for use in display_c and such
 function pick_color {
diff --git a/options.default b/options.default
index 470112b..e78abd6 100755
--- a/options.default
+++ b/options.default
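Review bot: display_m writes to the shell-wide variables TEXT and NEWLINE (it unsets and reassigns them) and prints the message through `echo -e`, which interprets backslash escapes in whatever text a caller passes; that mirrors display_c, so it is consistent with the file, but a function-local variable and printf avoid both side effects. I would write the body as `local text=$2; if [ "$3" = "N" ]; then printf '%s' "$text"; else printf '%s\n' "$text"; fi`. The first argument is documented as `$COLOR(IGNORED)` but never read; a comment such as `# $1 accepted and ignored so display_m is a drop-in for display_c` would make the intent explicit for the next maintainer.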
@@ -49,12 +49,19 @@ DONTTRACK="127.0.0.1" # IP range(s) to forward ROUTING=$BASEDIR/ipv4-routing +#============== +# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0 # IP ranges(s) to NAT using SNAT. -NATRANGE="192.168.1.0/24" - +#NATRANGE="192.168.1.0/24" # External IP and interface for SNAT -NATEXTIP="172.16.1.1" -NATEXTIF="eth0" +#NATEXTIP="172.16.1.1" +#NATEXTIF="eth0" +#============== + +# IP NAT Rules +# SNAT:::: +# MASQ::: +#NAT_RANGE= # IP Ranges to block all traffic incoming/outgoing diff --git a/rc.firewall b/rc.firewall index 0805229..944405a 100755 --- a/rc.firewall +++ b/rc.firewall @@ -287,7 +287,10 @@ echo -ne "\n" fi if [ $LANDHCPSERVER ]; then - $IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT + #$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT + $IPTABLES -I INPUT -i $INTIF -p udp --dport 67:68 --sport \ + 67:68 -j ACCEPT + fi 
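Review bot: The format lines `# SNAT::::` and `# MASQ:::` carry no field names, so a reader of options.default cannot tell what goes between the colons; it looks as if angle-bracketed placeholders were stripped in rendering, but as shown the documentation is unusable. Judging from the colon counts and the way rc.firewall indexes the split entry, the intended layout is type, internal interface, source range, external interface and (for SNAT) external address, so I would spell it out without brackets: `# SNAT:intif:srcrange:extif:extip` and `# MASQ:intif:srcrange:extif`, plus one worked example such as `#NAT_RANGE="SNAT:eth1:192.168.1.0/24:eth0:172.16.1.1"` since the variable is space-separated and can hold several entries.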
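Review bot: The new DHCP rule matches `--dport 67:68 --sport 67:68`, i.e. four port combinations, while client-to-server DHCP arriving on $INTIF only needs source port 68 and destination port 67 (67-to-67 is relay traffic, which this host presumably is not handling); `$IPTABLES -I INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT` keeps the fix while exposing less. Because the rule is inserted with `-I` rather than appended like the old `-s 0.0.0.0` rule, it lands in front of every INPUT rule added earlier in the script; I assume that is deliberate so DHCPDISCOVER from 0.0.0.0 is not caught by a generic drop, and a comment such as `# -I: must precede the generic INPUT drop/log rules, DISCOVER comes from 0.0.0.0` would record that. The surrounding `if [ $LANDHCPSERVER ]` block starts and ends inside the hunk, but the enclosing script continues outside it.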
@@ -297,14 +300,39 @@ if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
 fi
 
 if [ $NAT ]; then
+ if [ $NAT_RANGE ]; then
+ display_c YELLOW "Adding NAT rule: " N
+ for i in $NAT_RANGE; do
+ NAT_RULE=( ${i//:/ } )
+ case $NAT_RULE[1] in
+ SNAT)
+ $IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} -j SNAT \
+ -o ${NAT_RULE[4]} --to-source ${NAT_RULE[5]}
+ display_c PURPLE "SNAT:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]}:${NAT_RULE[5]} " N
+ ;;
+ MASQ)
+ $IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} \
+ -j MASQUERADE -o ${NAT_RULE[4]}
+ display_c PURPLE "MASQ:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]} " N
+ ;;
+ *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
+ esac
+ $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[4]} -j ACCEPT
+ $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[4]} -j ACCEPT
+ done
+ echo -ne "\n"
+ fi
+ #=================
+ # This section is going away in 1.0
 for i in $NATRANGE; do
 $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
 done
- # This is necessary to make sure that PMTU works
+ This is necessary to make sure that PMTU works
 $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
 -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
 -o $NATEXTIF -j ACCEPT
+ #=================
 fi
 
 $IPTABLES --policy INPUT ACCEPT