brielle/SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Refactor NETMAP a bit so it allows more flexibility with src and dst. Requires that the custom field starts with the --to address.

Browse Source
This commit is contained in:
Brie Bruns 2020-01-01 12:53:42 -07:00
parent ca06b76fc2
commit ae9a725e8c
3 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@ -1,5 +1,5 @@
2.1p1 - 01/01/2020
- Fix NETMAP so it works properly (was doing -d instead of -s for source address)
- Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details
2.1 Final - 07/12/2019
- Fix flush tables rule for raw

10
etc/ipv4/nat.conf
View File

@ -5,15 +5,17 @@
# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
#
# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT)
# Source Interface: Optional ( interface name, aka eth0 )
# Source Interface: Optional, ignored by NETMAP ( interface name, aka eth0 )
# Source Address: Optional ( IP address with optional netmask )
# Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
# Destination Address: Required for all but MASQ ( IP address with optional netmask )
# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
# Destination Address: Required for all but MASQ and NETMAP ( IP address with optional netmask )
# Custom: Optional for all except NETMAP, set custom section after the source/dest and before ACCEPT/DROP
# Custom: Required for NETMAP, address to map TO, then all other custom options (see example)
# You can use '-' for optional fields
#============================================================
#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
#SNAT eth1 10.0.0.0/24 eth0 172.16.1.1
#MASQ - - eth0 -
#NETMAP eth1 192.168.0.0/24 vpn0 172.16.10.0/24
#NETMAP - 192.168.0.0/24 vpn0 - 172.16.0.0/24
#^ ex: map src of 192.168.0.0/24 to 172.16.0.0/24 when it leaves via vpn0

8
lib/iptables.inc
View File

@ -484,7 +484,13 @@ function enable_nat {
${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
&& continue
([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-s ${srcaddress}" && dstaddress="--to ${dstaddress}"
[[ ${type} == "NETMAP" ]] && action="-j NETMAP"
([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) dstaddress="-d ${dstaddress}"
([[ ${srcaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) srcaddress="-s ${srcaddress}"
([[ ${custom} == "" ]] && [[ ${type} == "NETMAP" ]]) && \
${display} RED "nat.conf: Error - NETMAP rule can not have empty custom address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" \
&& continue
([[ ${custom} != "" ]] && [[ ${type} == "NETMAP" ]]) && custom="--to ${custom}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${srcinterface} ${srcaddress} ${srcport} ${dstinterface} ${dstaddress} ${dstport} ${protocol} ${custom}"