NAT code fixes
parent
af6518176a
commit
b753104617
22
rc.firewall
22
rc.firewall
|
@ -304,21 +304,23 @@ if [ $NAT ]; then
|
||||||
display_c YELLOW "Adding NAT rule: " N
|
display_c YELLOW "Adding NAT rule: " N
|
||||||
for i in $NAT_RANGE; do
|
for i in $NAT_RANGE; do
|
||||||
NAT_RULE=( ${i//:/ } )
|
NAT_RULE=( ${i//:/ } )
|
||||||
case $NAT_RULE[1] in
|
case $NAT_RULE[0] in
|
||||||
SNAT)
|
SNAT)
|
||||||
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} -j SNAT \
|
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j SNAT \
|
||||||
-o ${NAT_RULE[4]} --to-source ${NAT_RULE[5]}
|
-o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
|
||||||
display_c PURPLE "SNAT:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]}:${NAT_RULE[5]} " N
|
display_c PURPLE "SNAT:${NAT_RULE[1]}:${NAT_RULE[2]}->${NAT_RULE[3]}:${NAT_RULE[4]} " N
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
|
||||||
;;
|
;;
|
||||||
MASQ)
|
MASQ)
|
||||||
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} \
|
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
|
||||||
-j MASQUERADE -o ${NAT_RULE[4]}
|
-j MASQUERADE -o ${NAT_RULE[3]}
|
||||||
display_c PURPLE "MASQ:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]} " N
|
display_c PURPLE "MASQ:${NAT_RULE[1]}:${NAT_RULE[2]}->${NAT_RULE[3]} " N
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
|
||||||
|
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
|
||||||
;;
|
;;
|
||||||
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
|
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
|
||||||
esac
|
esac
|
||||||
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[4]} -j ACCEPT
|
|
||||||
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[4]} -j ACCEPT
|
|
||||||
done
|
done
|
||||||
echo -ne "\n"
|
echo -ne "\n"
|
||||||
fi
|
fi
|
||||||
|
@ -327,7 +329,7 @@ if [ $NAT ]; then
|
||||||
for i in $NATRANGE; do
|
for i in $NATRANGE; do
|
||||||
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
|
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
|
||||||
done
|
done
|
||||||
This is necessary to make sure that PMTU works
|
#This is necessary to make sure that PMTU works
|
||||||
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
|
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
|
||||||
-j ACCEPT
|
-j ACCEPT
|
||||||
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
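Review bot: `case $NAT_RULE[0] in` in the first hunk still does not index the array — bash expands `$NAT_RULE` to the first element and leaves `[0]` literal, so the selector becomes e.g. `SNAT[0]`, neither arm matches, and every entry falls through to the "Invalid NAT rule in NAT_RANGE" arm; the line should read `case "${NAT_RULE[0]}" in`. The SNAT and MASQ rules also pass `-i ${NAT_RULE[1]}` to the POSTROUTING chain, which iptables rejects ("Can't use -i with POSTROUTING") because there is no input interface at that hook, so even with the case fixed neither nat rule is installed; dropping `-i ${NAT_RULE[1]}` and keeping `-s`/`-o` gives the intended rule. Nothing checks that a NAT_RANGE entry carries the four (MASQ) or five (SNAT) colon-separated fields, so a short or mistyped entry expands to empty iptables arguments; a guard such as `(( ${#NAT_RULE[@]} >= 4 )) || { display_c RED "Invalid NAT rule in NAT_RANGE"; continue; }` before the case would surface that instead. The two ICMP ACCEPT lines are now duplicated verbatim in both arms, so assigning `out_if=${NAT_RULE[3]}` in each arm and emitting them once after `esac` would keep them in sync; the enclosing `if [ $NAT ]` block begins before the hunk.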
|
||||||
|
|