New NAT code

ChangeLog

@@ -3,6 +3,9 @@
 	- stop-firewall for...  stopping the firewall!
 	- Code cleanups
 	- Use of functions for some processes
+	- Fix DHCP rule
+	- Obsoleted NATRANGE, NATEXTIP, NATEXTIF
+	- Added NAT_RANGE which can take SNAT/MASQ rules
 
 0.9.3 - Brielle Bruns <bruns@2mbit.com>
 	- Misc tweaks and reorg

include/functions

@@ -19,7 +19,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 
-# display_c($COLOR,$TEXT,BOOL)
+# display_c $COLOR $TEXT BOOL(YN)
 # $COLOR being bash colors
 # $TEXT being what to output (make sure to put " " around text)
 # BOOL being (Y or N) to do newline at end or not
@@ -34,6 +34,18 @@ function display_c {
 	echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
 }
 
+
+# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
+# Non-color version of display_c
+function display_m {
+	unset TEXT NEWLINE
+	TEXT="$2"
+	if [ "$3" == "N" ]; then
+		NEWLINE="-n"
+	fi
+	echo -e $NEWLINE "$TEXT"
+}
+
 # pick_color $COLOR
 # returns appropriate color codes for use in display_c and such
 function pick_color {

options.default

@@ -49,12 +49,19 @@ DONTTRACK="127.0.0.1"
 # IP range(s) to forward
 ROUTING=$BASEDIR/ipv4-routing
 
+#==============
+# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
 # IP ranges(s) to NAT using SNAT.
-NATRANGE="192.168.1.0/24"
+#NATRANGE="192.168.1.0/24"
-
 # External IP and interface for SNAT
-NATEXTIP="172.16.1.1"
+#NATEXTIP="172.16.1.1"
-NATEXTIF="eth0"
+#NATEXTIF="eth0"
+#==============
+
+# IP NAT Rules
+# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
+# MASQ:<INT IF>:<INT IP>:<EXT IF>
+#NAT_RANGE=
 
 
 # IP Ranges to block all traffic incoming/outgoing

rc.firewall

@@ -287,7 +287,10 @@ echo -ne "\n"
 fi
 
 if [ $LANDHCPSERVER ]; then
-	$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
+	#$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
+	$IPTABLES  -I INPUT -i $INTIF -p udp --dport 67:68 --sport \
+     67:68 -j ACCEPT
+
 fi
 
 
@@ -297,14 +300,39 @@ if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
 fi
 
 if [ $NAT ]; then
+	if [ $NAT_RANGE ]; then
+		display_c YELLOW "Adding NAT rule: " N
+		for i in $NAT_RANGE; do
+			NAT_RULE=( ${i//:/ } )
+			case $NAT_RULE[1] in
+			SNAT)
+				$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} -j SNAT \
+					-o ${NAT_RULE[4]} --to-source ${NAT_RULE[5]} 
+					display_c PURPLE "SNAT:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]}:${NAT_RULE[5]} " N
+					;;
+			MASQ)
+				$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} \
+					-j MASQUERADE -o ${NAT_RULE[4]}
+					display_c PURPLE "MASQ:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]} " N
+					;;
+				*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
+			esac
+			$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[4]} -j ACCEPT
+			$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[4]} -j ACCEPT
+		done
+		echo -ne "\n"
+	fi			
+	#=================
+    # This section is going away in 1.0
 	for i in $NATRANGE; do
 		$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
 	done
-	# This is necessary to make sure that PMTU works
+	 This is necessary to make sure that PMTU works
 	$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
 			-j ACCEPT
 	$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
 			-o $NATEXTIF -j ACCEPT
+	#=================
 fi
 
 $IPTABLES --policy INPUT ACCEPT