NAT code fixes

bbruns 2010-08-21 17:00:41 +00:00
parent af6518176a
commit b753104617
1 changed files with 12 additions and 10 deletions


@ -304,21 +304,23 @@ if [ $NAT ]; then
display_c YELLOW "Adding NAT rule: " N display_c YELLOW "Adding NAT rule: " N
for i in $NAT_RANGE; do for i in $NAT_RANGE; do
NAT_RULE=( ${i//:/ } ) NAT_RULE=( ${i//:/ } )
case $NAT_RULE[1] in case $NAT_RULE[0] in
SNAT) SNAT)
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} -j SNAT \ $IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} -j SNAT \
-o ${NAT_RULE[4]} --to-source ${NAT_RULE[5]} -o ${NAT_RULE[3]} --to-source ${NAT_RULE[4]}
display_c PURPLE "SNAT:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]}:${NAT_RULE[5]} " N display_c PURPLE "SNAT:${NAT_RULE[1]}:${NAT_RULE[2]}->${NAT_RULE[3]}:${NAT_RULE[4]} " N
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
;; ;;
MASQ) MASQ)
$IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[2]} -s ${NAT_RULE[3]} \ $IPTABLES -A POSTROUTING -t nat -i ${NAT_RULE[1]} -s ${NAT_RULE[2]} \
-j MASQUERADE -o ${NAT_RULE[4]} -j MASQUERADE -o ${NAT_RULE[3]}
display_c PURPLE "MASQ:${NAT_RULE[2]}:${NAT_RULE[3]}->${NAT_RULE[4]} " N display_c PURPLE "MASQ:${NAT_RULE[1]}:${NAT_RULE[2]}->${NAT_RULE[3]} " N
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[3]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[3]} -j ACCEPT
;; ;;
*) display_c RED "Invalid NAT rule in NAT_RANGE" ;; *) display_c RED "Invalid NAT rule in NAT_RANGE" ;;
esac esac
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o ${NAT_RULE[4]} -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed -o ${NAT_RULE[4]} -j ACCEPT
done done
echo -ne "\n" echo -ne "\n"
fi fi
@ -327,7 +329,7 @@ if [ $NAT ]; then
for i in $NATRANGE; do for i in $NATRANGE; do
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
done done
This is necessary to make sure that PMTU works #This is necessary to make sure that PMTU works
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \ $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
-j ACCEPT -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \ $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
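Review bot: `case $NAT_RULE[0] in` on the new side still lacks braces, so bash expands it to the first element followed by a literal `[0]` (e.g. `SNAT[0]`), which can never match the `SNAT)` or `MASQ)` arms and every entry in NAT_RANGE falls through to the "Invalid NAT rule" branch; the line should read `case "${NAT_RULE[0]}" in`. The POSTROUTING rules in both arms also pass `-i ${NAT_RULE[1]}`, and iptables rejects an input-interface match in the POSTROUTING chain ("Can't use -i with POSTROUTING"), so those `$IPTABLES -A POSTROUTING -t nat` calls fail as written — match on `-s`/`-o` only and drop `-i`. Neither call checks its exit status, so a rejected rule is skipped silently while the PURPLE message still reports it as added; appending `|| display_c RED "NAT rule failed: $i"` to each iptables line would surface that. The enclosing `if [ $NAT ]; then` block begins before the hunk.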