diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 018187d3e..3cbcd33b3 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -22,3 +22,8 @@ Changes since 2.0.3 masq firewall + +8) Allow overriding ADD_IP_ALIASES=Yes + + nat + firewall diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 0b5c793e8..d4c0c4172 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -437,14 +437,6 @@ masq_chain() # $1 = interface echo $(chain_base $1)_masq } -# -# SNAT Chain for an interface -# -snat_chain() # $1 = interface -{ - echo $(chain_base $1)_snat -} - # # MAC Verification Chain for an interface # @@ -487,7 +479,7 @@ dnat_chain() # $1 = zone } # -# SNAT Chain to a zone +# SNAT Chain to a zone or from an interface # snat_chain() # $1 = zone { 
@@ -1884,7 +1876,46 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
- local allints
+ local external, interface, internal, allints, localnat
+
+ do_one_nat() {
+ local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}
+
+ if [ -n "$add_ip_aliases" ]; then
+ case $interface in
+ *:)
+ interface=${interface%:}
+ add_ip_aliases=
+ ;;
+ *)
+ run_and_save_command qt ip addr del $external dev $iface
+ ;;
+ esac
+ else
+ interface=${interface%:}
+ fi
+
+ if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
+ addnatrule nat_in -d $external -j DNAT --to-destination $internal
+ addnatrule nat_out -s $internal -j SNAT --to-source $external
+ elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then
+ addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
+ addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
+ else
+ fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
+ fi
+
+ if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
+ run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
+ elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
+ fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""
+ fi
+
+ if [ -n "$add_ip_aliases" ]; then
+ list_search $external $aliases_to_add || \
+ aliases_to_add="$aliases_to_add $external $interface"
+ fi
+ }
 #
 # At this point, we're just interested in the network translation
 #
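Review bot: The two `local` lines at the top of the hunk use comma-separated lists, which the shell does not accept: in bash `local external, interface, internal, allints, localnat` rejects `external,` through `allints,` as invalid identifiers (only `localnat` actually becomes local), and `local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}` stores `$ADD_IP_ALIASES` with a trailing comma, so `[ -n "$add_ip_aliases" ]` is true even when ADD_IP_ALIASES is unset and the `*)` arm runs `ip addr del $external dev $iface` for every entry whose interface is not suffixed with ":". That is the opposite of what the changelog entry promises and can remove an address the administrator configured outside Shorewall; the fix is to drop the commas, `local external interface internal allints localnat` and `local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}`. The LOCAL-column error message carried over from the old code still reports `$allints` rather than the rejected value; `fatal_error "Invalid value ($localnat) for LOCAL in entry ..."` would be accurate. setup_nat's body continues past the end of this hunk.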
@@ -1894,37 +1925,8 @@ setup_nat() { while read external interface internal allints localnat; do expandv external interface internal allints localnat - - iface=${interface%:*} - - if [ -n "$ADD_IP_ALIASES" ]; then - run_and_save_command qt ip addr del $external dev $iface - fi - - if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then - addnatrule nat_in -d $external -j DNAT --to-destination $internal - addnatrule nat_out -s $internal -j SNAT --to-source $external - - elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then - addnatrule $(input_chain $iface) \ - -d $external -j DNAT --to-destination $internal - addnatrule $(output_chain $iface) \ - -s $internal -j SNAT --to-source $external - else - fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\"" - fi - - if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then - run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal - elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then - fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\"" - fi - - - if [ -n "$ADD_IP_ALIASES" ]; then - list_search $external $aliases_to_add || \ - aliases_to_add="$aliases_to_add $external $interface" - fi + + do_one_nat progress_message " Host $internal NAT $external on $interface" done < $TMP_DIR/nat @@ -5358,7 +5360,7 @@ activate_rules() # # Jump to a RULES chain from one of the builtin nat chains. These jumps are - # are inserted before jumps to static NAT chains. + # are inserted before jumps to one-to-one NAT chains. # addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments { 
@@ -5375,12 +5377,11 @@ activate_rules() fi } # - # Add early SNAT jumps + # Add jumps to early SNAT chains # for interface in $all_interfaces; do - addrulejump POSTROUTING $(snat_chain $interface) -o $interface + addnatjump POSTROUTING $(snat_chain $interface) -o $interface done - # # Add jumps for dynamic nat chains # diff --git a/Shorewall2/masq b/Shorewall2/masq index 7ec769c8c..b386af063 100755 --- a/Shorewall2/masq +++ b/Shorewall2/masq @@ -35,6 +35,10 @@ # +eth0:192.0.2.32/27 # +eth0:2 # +# This feature should only be required if you need to +# insert rules in this file that preempt entries in +# /etc/shorewall/nat. +# # SUBNET -- Subnet that you wish to masquerade. You can specify this as # a subnet or as an interface. If you give the name of an # interface, you must have iproute installed and the interface diff --git a/Shorewall2/nat b/Shorewall2/nat index dbd44c4f0..ba7746c91 100755 --- a/Shorewall2/nat +++ b/Shorewall2/nat @@ -24,6 +24,10 @@ # see the alias with ifconfig. THAT IS THE ONLY THING # THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT # ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION. +# +# If you want to override ADD_IP_ALIASES=Yes for a +# particular entry, follow the interface name with +# ":" and no digit (e.g., "eth0:"). # INTERNAL Internal Address (must not be a DNS Name). # ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. # If No or no (or left empty) then NAT will be effective diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 6805df752..c7d877ad4 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -60,4 +60,8 @@ New Features: eth1::192.0.2.32/27 +eth3: +3) Similar to 2), the /etc/shorewall/nat file INTERFACE column now allows + you to override the setting of ADD_IP_ALIASES=Yes by following the + interface name with ":" but no digit. +