2007-03-15 22:55:22 +01:00
|
|
|
#
|
2007-03-28 18:19:35 +02:00
|
|
|
# Shorewall-perl 3.9 -- /usr/share/shorewall-perl/Shorewall/Nat.pm
|
2007-03-15 22:55:22 +01:00
|
|
|
#
|
|
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
|
|
#
|
|
|
|
# (c) 2007 - Tom Eastep (teastep@shorewall.net)
|
|
|
|
#
|
|
|
|
# Complete documentation is available at http://shorewall.net
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
|
|
# as published by the Free Software Foundation.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
|
|
|
#
|
|
|
|
#
|
2007-03-15 02:04:43 +01:00
|
|
|
package Shorewall::Nat;
|
|
|
|
require Exporter;
|
|
|
|
use Shorewall::Common;
|
|
|
|
use Shorewall::Config;
|
|
|
|
use Shorewall::Zones;
|
|
|
|
use Shorewall::Chains;
|
2007-03-22 01:14:56 +01:00
|
|
|
use Shorewall::IPAddrs;
|
2007-03-15 02:04:43 +01:00
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
|
|
|
our @ISA = qw(Exporter);
|
2007-03-25 23:04:24 +02:00
|
|
|
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
|
2007-03-15 02:04:43 +01:00
|
|
|
our @EXPORT_OK = ();
|
|
|
|
our @VERSION = 1.00;
|
|
|
|
|
2007-03-22 00:14:33 +01:00
|
|
|
my @addresses_to_add;
|
|
|
|
my %addresses_to_add;
|
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
#
|
|
|
|
# Handle IPSEC Options in a masq record
|
|
|
|
#
|
|
|
|
sub do_ipsec_options($)
|
|
|
|
{
|
|
|
|
my %validoptions = ( strict => NOTHING,
|
|
|
|
next => NOTHING,
|
|
|
|
reqid => NUMERIC,
|
|
|
|
spi => NUMERIC,
|
|
|
|
proto => IPSECPROTO,
|
|
|
|
mode => IPSECMODE,
|
|
|
|
"tunnel-src" => NETWORK,
|
|
|
|
"tunnel-dst" => NETWORK,
|
|
|
|
);
|
|
|
|
my $list=$_[0];
|
|
|
|
my $options = '-m policy';
|
|
|
|
my $fmt;
|
|
|
|
|
|
|
|
for my $e ( split ',' , $list ) {
|
|
|
|
my $val = undef;
|
|
|
|
my $invert = '';
|
|
|
|
|
|
|
|
if ( $e =~ /([\w-]+)!=(.+)/ ) {
|
|
|
|
$val = $2;
|
|
|
|
$e = $1;
|
|
|
|
$invert = '! ';
|
|
|
|
} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
|
|
|
|
$val = $2;
|
|
|
|
$e = $1;
|
|
|
|
}
|
|
|
|
|
|
|
|
$fmt = $validoptions{$e};
|
|
|
|
|
|
|
|
fatal_error "Invalid Option ($e)" unless $fmt;
|
|
|
|
|
|
|
|
if ( $fmt eq NOTHING ) {
|
|
|
|
fatal_error "Option $e does not take a value" if defined $val;
|
|
|
|
} else {
|
|
|
|
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
|
|
|
|
}
|
|
|
|
|
|
|
|
$options .= $invert;
|
|
|
|
$options .= "--$e";
|
|
|
|
$options .= " $val" if defined $val;
|
|
|
|
}
|
|
|
|
|
|
|
|
$options . ' ';
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Process a single rule from the the masq file
|
|
|
|
#
|
|
|
|
sub setup_one_masq($$$$$$)
|
|
|
|
{
|
|
|
|
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = @_;
|
|
|
|
|
|
|
|
my $rule = '';
|
|
|
|
my $pre_nat;
|
|
|
|
my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
|
|
|
|
my $destnets = '';
|
|
|
|
my $target = '-j MASQUERADE ';
|
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
|
2007-03-15 02:04:43 +01:00
|
|
|
#
|
|
|
|
# Handle IPSEC options, if any
|
|
|
|
#
|
2007-03-26 01:18:20 +02:00
|
|
|
if ( $ipsec ne '-' ) {
|
2007-03-15 02:04:43 +01:00
|
|
|
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $env{ORIGINAL_POLICY_MATCH};
|
|
|
|
|
|
|
|
if ( $ipsec =~ /^yes$/i ) {
|
|
|
|
$rule .= '-m policy --pol ipsec --dir out ';
|
|
|
|
} elsif ( $ipsec =~ /^no$/i ) {
|
|
|
|
$rule .= '-m policy --pol none --dir out ';
|
|
|
|
} else {
|
|
|
|
$rule .= do_ipsec_options $ipsec;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Leading '+'
|
|
|
|
#
|
|
|
|
if ( $fullinterface =~ /^\+/ ) {
|
|
|
|
$pre_nat = 1;
|
|
|
|
$fullinterface =~ s/\+//;
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse the remaining part of the INTERFACE column
|
|
|
|
#
|
|
|
|
if ( $fullinterface =~ /^([^:]+)::([^:]*)$/ ) {
|
2007-03-22 00:14:33 +01:00
|
|
|
$add_snat_aliases = 0;
|
2007-03-15 02:04:43 +01:00
|
|
|
$destnets = $2;
|
|
|
|
$fullinterface = $1;
|
|
|
|
} elsif ( $fullinterface =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
|
|
|
|
$destnets = $2;
|
|
|
|
$fullinterface = $1;
|
|
|
|
} elsif ( $fullinterface =~ /^([^:]+):$/ ) {
|
2007-03-22 00:14:33 +01:00
|
|
|
$add_snat_aliases = 0;
|
2007-03-15 02:04:43 +01:00
|
|
|
$fullinterface = $1;
|
|
|
|
} elsif ( $fullinterface =~ /^([^:]+):([^:]*)$/ ) {
|
|
|
|
my ( $one, $two ) = ( $1, $2 );
|
|
|
|
if ( $2 =~ /\./ ) {
|
|
|
|
$fullinterface = $one;
|
|
|
|
$destnets = $two;
|
2007-03-27 01:17:46 +02:00
|
|
|
}
|
2007-03-15 02:04:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Isolate and verify the interface part
|
|
|
|
#
|
|
|
|
( my $interface = $fullinterface ) =~ s/:.*//;
|
|
|
|
|
|
|
|
fatal_error "Unknown interface $interface, rule \"$line\"" unless $interfaces{$interface}{root};
|
|
|
|
|
2007-03-19 00:06:46 +01:00
|
|
|
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
|
2007-03-15 02:04:43 +01:00
|
|
|
#
|
|
|
|
# If there is no source or destination then allow all addresses
|
|
|
|
#
|
2007-03-26 01:18:20 +02:00
|
|
|
$networks = ALLIPv4 if $networks eq '-';
|
|
|
|
$destnets = ALLIPv4 if $destnets eq '-';
|
2007-03-15 02:04:43 +01:00
|
|
|
#
|
|
|
|
# Handle Protocol and Ports
|
|
|
|
#
|
|
|
|
$rule .= do_proto $proto, $ports, '';
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-19 00:06:46 +01:00
|
|
|
my $detectaddress = 0;
|
2007-03-15 02:04:43 +01:00
|
|
|
#
|
|
|
|
# Parse the ADDRESSES column
|
|
|
|
#
|
2007-03-26 01:18:20 +02:00
|
|
|
if ( $addresses ne '-' ) {
|
2007-03-15 02:04:43 +01:00
|
|
|
if ( $addresses =~ /^SAME:nodst:/ ) {
|
2007-03-18 18:57:37 +01:00
|
|
|
$target = '-j SAME --nodst';
|
2007-03-15 02:04:43 +01:00
|
|
|
$addresses =~ s/.*://;
|
|
|
|
for my $addr ( split /,/, $addresses ) {
|
|
|
|
$target .= "--to $addr ";
|
|
|
|
}
|
2007-03-19 00:06:46 +01:00
|
|
|
} elsif ( $addresses =~ /^SAME:nodst:/ ) {
|
2007-03-18 18:57:37 +01:00
|
|
|
$target = '-j SAME ';
|
2007-03-15 02:04:43 +01:00
|
|
|
$addresses =~ s/.*://;
|
|
|
|
for my $addr ( split /,/, $addresses ) {
|
|
|
|
$target .= "--to $addr ";
|
|
|
|
}
|
2007-03-19 00:06:46 +01:00
|
|
|
} elsif ( $addresses eq 'detect' ) {
|
2007-03-23 20:19:43 +01:00
|
|
|
add_command( $chainref , 'addrlist=' );
|
2007-03-27 20:41:55 +02:00
|
|
|
add_command( $chainref , join( '', 'for address in ' , get_interface_addresses( $interface ), '; do' ) );
|
2007-03-23 20:19:43 +01:00
|
|
|
add_command( $chainref , ' addrlist="$addrlist --to-source $address"' );
|
2007-03-19 00:06:46 +01:00
|
|
|
add_command( $chainref , 'done' );
|
2007-03-23 20:19:43 +01:00
|
|
|
|
|
|
|
$target = '-j SNAT $addrlist';
|
2007-03-15 02:04:43 +01:00
|
|
|
} else {
|
|
|
|
my $addrlist = '';
|
|
|
|
for my $addr ( split /,/, $addresses ) {
|
|
|
|
if ( $addr =~ /^.*\..*\..*\./ ) {
|
|
|
|
$target = '-j SNAT ';
|
|
|
|
$addrlist .= "--to-source $addr ";
|
|
|
|
} else {
|
|
|
|
$addr =~ s/^://;
|
|
|
|
$addrlist .= "--to-ports $addr ";
|
2007-03-23 22:24:28 +01:00
|
|
|
}
|
2007-03-15 02:04:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
$target .= $addrlist;
|
|
|
|
}
|
2007-03-22 00:14:33 +01:00
|
|
|
} else {
|
|
|
|
$add_snat_aliases = 0;
|
2007-03-19 00:06:46 +01:00
|
|
|
}
|
2007-03-15 02:04:43 +01:00
|
|
|
#
|
|
|
|
# And Generate the Rule(s)
|
|
|
|
#
|
2007-03-19 00:06:46 +01:00
|
|
|
expand_rule $chainref , POSTROUTE_RESTRICT , $rule, $networks, $destnets, '', $target, '', '' , '';
|
2007-03-15 02:04:43 +01:00
|
|
|
|
2007-03-22 02:51:11 +01:00
|
|
|
if ( $add_snat_aliases ) {
|
|
|
|
my ( $interface, $alias ) = split /:/, $fullinterface;
|
|
|
|
for my $address ( split /,/, $addresses ) {
|
|
|
|
my ( $addrs, $port ) = split /:/, $address;
|
|
|
|
next unless $addrs;
|
|
|
|
for my $addr ( ip_range_explicit $addrs ) {
|
|
|
|
unless ( $addresses_to_add{$addr} ) {
|
|
|
|
emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
|
|
|
|
$addresses_to_add{$addr} = 1;
|
2007-03-23 22:24:28 +01:00
|
|
|
if ( defined $alias ) {
|
|
|
|
push @addresses_to_add, $addr, "$interface:$alias";
|
|
|
|
$alias++;
|
|
|
|
} else {
|
|
|
|
push @addresses_to_add, $addr, $interface;
|
|
|
|
}
|
2007-03-22 02:51:11 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2007-03-15 02:04:43 +01:00
|
|
|
|
2007-03-22 00:14:33 +01:00
|
|
|
progress_message " Masq record \"$line\" $done";
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Process the masq file
|
|
|
|
#
|
|
|
|
sub setup_masq()
|
|
|
|
{
|
2007-03-29 19:02:13 +02:00
|
|
|
open_file 'masq';
|
2007-03-15 02:04:43 +01:00
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
while ( read_a_line ) {
|
2007-03-15 02:04:43 +01:00
|
|
|
|
2007-03-25 18:38:00 +02:00
|
|
|
my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec) = split_line 6, 'masq file';
|
2007-03-15 02:04:43 +01:00
|
|
|
|
|
|
|
if ( $fullinterface eq 'COMMENT' ) {
|
|
|
|
if ( $capabilities{COMMENTS} ) {
|
|
|
|
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
|
|
|
$comment =~ s/\s*$//;
|
|
|
|
} else {
|
|
|
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
setup_one_masq $fullinterface, $networks, $addresses, $proto, $ports, $ipsec;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$comment = '';
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Validate the ALL INTERFACES or LOCAL column in the NAT file
|
|
|
|
#
|
|
|
|
sub validate_nat_column( $$ ) {
|
|
|
|
my $ref = $_[1];
|
|
|
|
my $val = $$ref;
|
|
|
|
|
|
|
|
if ( defined $val ) {
|
|
|
|
unless ( ( $val = "\L$val" ) eq 'yes' ) {
|
|
|
|
if ( ( $val eq 'no' ) || ( $val eq '-' ) ) {
|
|
|
|
$$ref = '';
|
|
|
|
} else {
|
|
|
|
fatal_error "Invalid value ($val) for $_[0] in NAT entry \"$line\"";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
$$ref = '';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Process a record from the NAT file
|
|
|
|
#
|
|
|
|
sub do_one_nat( $$$$$ )
|
|
|
|
{
|
2007-03-27 20:41:55 +02:00
|
|
|
my ( $external, $fullinterface, $internal, $allints, $localnat ) = @_;
|
|
|
|
|
|
|
|
my ( $interface, $alias ) = split /:/, $fullinterface;
|
2007-03-15 02:04:43 +01:00
|
|
|
|
|
|
|
sub add_nat_rule( $$ ) {
|
|
|
|
add_rule ensure_chain( 'nat', $_[0] ) , $_[1];
|
|
|
|
}
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
my $add_ip_aliases = $config{ADD_IP_ALIASES};
|
|
|
|
|
|
|
|
my $policyin = '';
|
|
|
|
my $policyout = '';
|
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
|
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
if ( $capabilities{POLICY_MATCH} ) {
|
|
|
|
$policyin = ' -m policy --pol none --dir in';
|
|
|
|
$policyout = '-m policy --pol none --dir out';
|
|
|
|
}
|
|
|
|
|
2007-03-23 22:24:28 +01:00
|
|
|
fatal_error "Invalid nat file entry \"$line\"" unless defined $interface && defined $internal;
|
2007-03-15 02:04:43 +01:00
|
|
|
|
|
|
|
if ( $add_ip_aliases ) {
|
|
|
|
if ( $interface =~ s/:$// ) {
|
|
|
|
$add_ip_aliases = '';
|
|
|
|
} else {
|
2007-03-22 02:51:11 +01:00
|
|
|
my ( $iface , undef ) = split /:/, $interface;
|
|
|
|
emit "del_ip_addr $external $iface" unless $config{RETAIN_ALIASES};
|
2007-03-15 02:04:43 +01:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
$interface =~ s/:$//;
|
|
|
|
}
|
|
|
|
|
|
|
|
validate_nat_column 'ALL INTERFACES', \$allints;
|
|
|
|
validate_nat_column 'LOCAL' , \$localnat;
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
if ( $allints ) {
|
|
|
|
add_nat_rule 'nat_in' , "-d $external $policyin -j DNAT --to-destination $internal";
|
|
|
|
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
|
|
|
|
} else {
|
|
|
|
add_nat_rule input_chain( $interface ) , "-d $external $policyin -j DNAT --to-destination $internal";
|
|
|
|
add_nat_rule output_chain( $interface ) , "-s $internal $policyout -j SNAT --to-source $external";
|
|
|
|
}
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
add_nat_rule 'OUTPUT' , "-d $external$policyout -j DNAT --to-destination $internal " if $localnat;
|
|
|
|
|
2007-03-22 02:51:11 +01:00
|
|
|
if ( $add_ip_aliases ) {
|
|
|
|
unless ( $addresses_to_add{$external} ) {
|
|
|
|
$addresses_to_add{$external} = 1;
|
2007-03-27 20:41:55 +02:00
|
|
|
push @addresses_to_add, ( $external , $fullinterface );
|
2007-03-22 02:51:11 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
progress_message " NAT entry \"$line\" $done";
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# Process NAT file
|
|
|
|
#
|
|
|
|
sub setup_nat() {
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
open_file 'nat';
|
2007-03-15 02:04:43 +01:00
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
while ( read_a_line ) {
|
2007-03-15 02:04:43 +01:00
|
|
|
|
2007-03-25 18:38:00 +02:00
|
|
|
my ( $external, $interface, $internal, $allints, $localnat ) = split_line 5, 'nat file';
|
2007-03-15 02:04:43 +01:00
|
|
|
|
|
|
|
if ( $external eq 'COMMENT' ) {
|
|
|
|
if ( $capabilities{COMMENTS} ) {
|
|
|
|
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
|
|
|
$comment =~ s/\s*$//;
|
|
|
|
} else {
|
|
|
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
do_one_nat $external, $interface, $internal, $allints, $localnat;
|
|
|
|
}
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-15 02:04:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
$comment = '';
|
|
|
|
}
|
2007-03-22 00:26:23 +01:00
|
|
|
|
2007-03-25 23:04:24 +02:00
|
|
|
#
|
|
|
|
# Setup Network Mapping
|
|
|
|
#
|
|
|
|
sub setup_netmap() {
|
2007-03-27 01:17:46 +02:00
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
open_file 'netmap';
|
2007-03-25 23:04:24 +02:00
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
while ( read_a_line ) {
|
2007-03-25 23:04:24 +02:00
|
|
|
|
|
|
|
my ( $type, $net1, $interface, $net2 ) = split_line 4, 'netmap file';
|
|
|
|
|
2007-03-29 19:02:13 +02:00
|
|
|
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
|
|
|
|
|
2007-03-25 23:04:24 +02:00
|
|
|
if ( $type eq 'DNAT' ) {
|
|
|
|
add_rule ensure_chain( 'nat' , input_chain $interface ) , "-d $net1 -j NETMAP --to $net2";
|
|
|
|
} elsif ( $type eq 'SNAT' ) {
|
|
|
|
add_rule ensure_chain( 'nat' , output_chain $interface ) , "-s $net1 -j NETMAP --to $net2";
|
|
|
|
} else {
|
|
|
|
fatal_error "Invalid type $type in netmap entry \"$line\"";
|
|
|
|
}
|
|
|
|
|
|
|
|
progress_message " Network $net1 on $interface mapped to $net2 ($type)";
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2007-03-22 03:13:30 +01:00
|
|
|
sub add_addresses () {
|
|
|
|
if ( @addresses_to_add ) {
|
|
|
|
my $arg = '';
|
|
|
|
|
|
|
|
while ( @addresses_to_add ) {
|
|
|
|
my $addr = shift @addresses_to_add;
|
|
|
|
my $interface = shift @addresses_to_add;
|
|
|
|
$arg = "$arg $addr $interface";
|
|
|
|
}
|
|
|
|
|
|
|
|
emit "add_ip_aliases $arg";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-03-22 00:26:23 +01:00
|
|
|
1;
|