etc/ipv4.conf

@@ -24,6 +24,15 @@ EnableTrustedv4Hosts="yes"
 # Values: no | yes (default)
 Enablev4MSSClamp="yes"
 
+# Enable connection tracking features of netfilter/iptables
+# conntracking allows the firewall to be smart about what
+# packets it allows and refuses.  On highly loaded systems or
+# ones with low memory, this may be desirable.  Everyone else
+# should probably leave this on.
+# Depended on by: Enablev4NAT
+# Values: no | yes (default)
+Enablev4ConnectionTracking="yes"
+
 # Use /etc/resolv.conf as source for DNS servers that we communicate
 # with as a client.  If you turn this off (recommended if on static IP),
 # then you will need to manually define the DNS servers you use.
@@ -62,5 +71,6 @@ Enablev4Forwarding="yes"
 # Enable IPv4 NAT/NETMAP rules
 # This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
 # Config file: ipv4/nat.conf
+# Requires: Enablev4ConnectionTracking="yes"
 # Values: no | yes (default)
 Enablev4NAT="yes"

etc/ipv6.conf

@@ -24,6 +24,15 @@ EnableTrustedv6Hosts="yes"
 # Values: no | yes (default)
 Enablev6MSSClamp="yes"
 
+# Enable connection tracking features of netfilter/iptables
+# conntracking allows the firewall to be smart about what
+# packets it allows and refuses.  On highly loaded systems or
+# ones with low memory, this may be desirable.  Everyone else
+# should probably leave this on.
+# Depended on by: Enablev6NAT
+# Values: no | yes (default)
+Enablev6ConnectionTracking="yes"
+
 # Use /etc/resolv.conf as source for DNS servers that we communicate
 # with as a client.  If you turn this off (recommended if on static IP),
 # then you will need to manually define the DNS servers you use.
@@ -62,5 +71,6 @@ Enablev6Forwarding="yes"
 # Enable IPv6 NAT/NETMAP rules
 # This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
 # Config file: ipv4/nat.conf
+# Requires: Enablev6ConnectionTracking="yes"
 # Values: no | yes (default)
 Enablev6NAT="yes"

lib/iptables.inc

@@ -372,6 +372,9 @@ function enable_nat {
 				IPVER="4" ;;
 	esac
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+	([[ ${IPVER} == "4" ]] && [[ ${Enablev4ConnectionTracking} != "yes" ]]) && ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no" && return 1
+	([[ ${IPVER} == "6" ]] && [[ ${Enablev6ConnectionTracking} != "yes" ]]) && ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no" && return 1
+
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
 		while read -r type srcinterface srcaddress dstinterface dstaddress; do
@@ -411,4 +414,5 @@ function enable_nat {
 			done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
+		
 }