From ae9a725e8c68b14115c4607c285e9bac1e0589d7 Mon Sep 17 00:00:00 2001
From: Brielle Bruns
Date: Wed, 1 Jan 2020 12:53:42 -0700
Subject: [PATCH] Refactor NETMAP a bit so it allows more flexibility with src and dst. Requires that the custom field starts with the --to address.
---
 CHANGELOG | 2 +-
 etc/ipv4/nat.conf | 10 ++++++----
 lib/iptables.inc | 8 +++++++-
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 07ffd7f..ced2447 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,5 @@
 2.1p1 - 01/01/2020
- - Fix NETMAP so it works properly (was doing -d instead of -s for source address)
+ - Refactor NETMAP NAT target so its more flexible. See new example nat.conf file for details
 2.1 Final - 07/12/2019 - Fix flush tables rule for raw
diff --git a/etc/ipv4/nat.conf b/etc/ipv4/nat.conf
index f8d58e9..b725f1d 100644
--- a/etc/ipv4/nat.conf
+++ b/etc/ipv4/nat.conf
@@ -5,15 +5,17 @@
 #
 #
 # Type: Required ( SNAT | MASQ | NETMAP | ACCEPT)
-# Source Interface: Optional ( interface name, aka eth0 )
+# Source Interface: Optional, ignored by NETMAP ( interface name, aka eth0 )
 # Source Address: Optional ( IP address with optional netmask )
 # Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
-# Destination Address: Required for all but MASQ ( IP address with optional netmask )
-# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
+# Destination Address: Required for all but MASQ and NETMAP ( IP address with optional netmask )
+# Custom: Optional for all except NETMAP, set custom section after the source/dest and before ACCEPT/DROP
+# Custom: Required for NETMAP, address to map TO, then all other custom options (see example)
 # You can use '-' for optional fields
 #============================================================
 #
 #SNAT eth1 10.0.0.0/24 eth0 172.16.1.1
 #MASQ - - eth0 -
-#NETMAP eth1 192.168.0.0/24 vpn0 172.16.10.0/24
+#NETMAP - 192.168.0.0/24 vpn0 - 172.16.0.0/24
+#^ ex: map src of 192.168.0.0/24 to 172.16.0.0/24 when it leaves via vpn0
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 91ca9f1..bba1bd7 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -484,7 +484,13 @@ function enable_nat {
 ${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
 && continue
- ([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-s ${srcaddress}" && dstaddress="--to ${dstaddress}"
+ [[ ${type} == "NETMAP" ]] && action="-j NETMAP"
+ ([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) dstaddress="-d ${dstaddress}"
+ ([[ ${srcaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) srcaddress="-s ${srcaddress}"
+ ([[ ${custom} == "" ]] && [[ ${type} == "NETMAP" ]]) && \
+ ${display} RED "nat.conf: Error - NETMAP rule can not have empty custom address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" \
+ && continue
+ ([[ ${custom} != "" ]] && [[ ${type} == "NETMAP" ]]) && custom="--to ${custom}"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${srcinterface} ${srcaddress} ${srcport} ${dstinterface} ${dstaddress} ${dstport} ${protocol} ${custom}"
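Review bot: The two new lines `([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) dstaddress="-d ${dstaddress}"` and the matching `srcaddress` line are missing the `&&` between the subshell test and the assignment, and bash rejects a bare word after a `( ... )` compound command as a syntax error, so the enable_nat definition fails to parse when lib/iptables.inc is sourced and every NAT type, not only NETMAP, is affected. They should read `([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && dstaddress="-d ${dstaddress}"` and `([[ ${srcaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && srcaddress="-s ${srcaddress}"`, the same form already used on the `custom="--to ${custom}"` line. Separately, the new guard only rejects an empty custom field, so a `-` placeholder, which the nat.conf header allows for optional fields, would presumably be passed on as `--to -`; whether `-` is normalised to empty earlier in enable_nat is not visible here, and if it is not, the guard should also cover `[[ ${custom} == "-" ]]`. enable_nat both starts and ends outside this hunk.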