New NAT code

master
bbruns 2010-08-21 16:54:46 +00:00
parent 71fad0909d
commit af6518176a
4 changed files with 57 additions and 7 deletions


@ -3,6 +3,9 @@
- stop-firewall for... stopping the firewall! - stop-firewall for... stopping the firewall!
- Code cleanups - Code cleanups
- Use of functions for some processes - Use of functions for some processes
- Fix DHCP rule
- Obsoleted NATRANGE, NATEXTIP, NATEXTIF
- Added NAT_RANGE which can take SNAT/MASQ rules
0.9.3 - Brielle Bruns <bruns@2mbit.com> 0.9.3 - Brielle Bruns <bruns@2mbit.com>
- Misc tweaks and reorg - Misc tweaks and reorg


@ -19,7 +19,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# display_c($COLOR,$TEXT,BOOL) # display_c $COLOR $TEXT BOOL(YN)
# $COLOR being bash colors # $COLOR being bash colors
# $TEXT being what to output (make sure to put " " around text) # $TEXT being what to output (make sure to put " " around text)
# BOOL being (Y or N) to do newline at end or not # BOOL being (Y or N) to do newline at end or not
@ -34,6 +34,18 @@ function display_c {
echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR" echo -e $NEWLINE "$COLOR_CODE$TEXT$DEFAULT_COLOR"
} }
# display_m $COLOR(IGNORED) $TEXT BOOL(YN)
# Non-color version of display_c
function display_m {
unset TEXT NEWLINE
TEXT="$2"
if [ "$3" == "N" ]; then
NEWLINE="-n"
fi
echo -e $NEWLINE "$TEXT"
}
# pick_color $COLOR # pick_color $COLOR
# returns appropriate color codes for use in display_c and such # returns appropriate color codes for use in display_c and such
function pick_color { function pick_color {
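Review bot: `unset TEXT NEWLINE` at the top of the new display_m clobbers any script-level TEXT/NEWLINE each time a message is printed, and the two variables are then left set as globals after the call; since the function only needs them for its own body, `local TEXT NEWLINE` in place of the unset keeps the same output without the side effect. The same pattern appears to be used by display_c, whose body starts outside this hunk, so the change may belong in both. The header comment could also state that display_m ignores $1 only so callers can swap it for display_c without changing arguments, which is what the "(IGNORED)" marker seems to mean.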


@ -49,12 +49,19 @@ DONTTRACK="127.0.0.1"
# IP range(s) to forward # IP range(s) to forward
ROUTING=$BASEDIR/ipv4-routing ROUTING=$BASEDIR/ipv4-routing
#==============
# Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
# IP ranges(s) to NAT using SNAT. # IP ranges(s) to NAT using SNAT.
NATRANGE="192.168.1.0/24" #NATRANGE="192.168.1.0/24"
# External IP and interface for SNAT # External IP and interface for SNAT
NATEXTIP="172.16.1.1" #NATEXTIP="172.16.1.1"
NATEXTIF="eth0" #NATEXTIF="eth0"
#==============
# IP NAT Rules
# SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
# MASQ:<INT IF>:<INT IP>:<EXT IF>
#NAT_RANGE=
# IP Ranges to block all traffic incoming/outgoing # IP Ranges to block all traffic incoming/outgoing
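Review bot: The new NAT_RANGE comment gives the per-rule field layout but not that several rules are separated by whitespace in one string, which is how the consuming loop (`for i in $NAT_RANGE`) splits them, nor that fields themselves must not contain spaces or colons. A worked example next to the commented-out assignment would make the format unambiguous, e.g. `# NAT_RANGE="SNAT:<INT IF>:192.168.1.0/24:eth0:172.16.1.1"` (interface placeholder illustrative, addresses reused from the obsolete settings above). It is also worth stating in the "Obsolete" box that NATRANGE and NAT_RANGE are both honoured until 1.0, so an admin who sets both does not get duplicate POSTROUTING rules by surprise.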


@ -287,7 +287,10 @@ echo -ne "\n"
fi fi
if [ $LANDHCPSERVER ]; then if [ $LANDHCPSERVER ]; then
$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT #$IPTABLES -A INPUT -i $INTIF -s 0.0.0.0 -j ACCEPT
$IPTABLES -I INPUT -i $INTIF -p udp --dport 67:68 --sport \
67:68 -j ACCEPT
fi fi
@ -297,14 +300,39 @@ if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
fi fi
if [ $NAT ]; then if [ $NAT ]; then
if [ $NAT_RANGE ]; then
display_c YELLOW "Adding NAT rule: " N
for i in $NAT_RANGE; do
NAT_RULE=( ${i//:/ } )
case $NAT_RULE[1] in
SNAT)
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} -j SNAT \
-o ${NAT_RULE[4]} --to-source ${NAT_RULE[5]}
display_c PURPLE "SNAT:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]}:${NAT_RULE[5]} " N
;;
MASQ)
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} \
-j MASQUERADE -o ${NAT_RULE[4]}
display_c PURPLE "MASQ:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]} " N
;;
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
esac
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[4]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[4]} -j ACCEPT
done
echo -ne "\n"
fi
#=================
# This section is going away in 1.0
for i in $NATRANGE; do for i in $NATRANGE; do
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
done done
# This is necessary to make sure that PMTU works This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \ $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
-j ACCEPT -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \ $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-o $NATEXTIF -j ACCEPT -o $NATEXTIF -j ACCEPT
#=================
fi fi
$IPTABLES --policy INPUT ACCEPT $IPTABLES --policy INPUT ACCEPT