Add DNAT ONLY column to /etc/shorewall/nat
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1531 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
968bff363c
commit
3aff092003
@ -32,3 +32,5 @@ Changes since 2.0.3
|
||||
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||
|
||||
15) Implement STARTUP_ENABLED.
|
||||
|
||||
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||
|
@ -1231,7 +1231,7 @@ setup_forwarding() {
|
||||
# Disable IPV6
|
||||
#
|
||||
disable_ipv6() {
|
||||
local foo=$(ip -f inet6 addr ls 2> /dev/null)
|
||||
local foo="$(ip -f inet6 addr ls 2> /dev/null)"
|
||||
|
||||
if [ -n "$foo" ]; then
|
||||
if qt which ip6tables; then
|
||||
@ -1900,7 +1900,22 @@ delete_proxy_arp() {
|
||||
# Setup Static Network Address Translation (NAT)
|
||||
#
|
||||
setup_nat() {
|
||||
local external= interface= internal= allints= localnat=
|
||||
local external= interface= internal= allints= localnat= dnatonly=
|
||||
|
||||
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
||||
{
|
||||
case $3 in
|
||||
Yes|yes)
|
||||
;;
|
||||
No|no)
|
||||
eval ${1}=
|
||||
;;
|
||||
*)
|
||||
[ -n "$3" ] && \
|
||||
fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
do_one_nat() {
|
||||
local add_ip_aliases=$ADD_IP_ALIASES, iface=${interface%:*}
|
||||
@ -1919,21 +1934,20 @@ setup_nat() {
|
||||
interface=${interface%:}
|
||||
fi
|
||||
|
||||
if [ "x$allints" = "xYes" -o "x$allints" = "xyes" ]; then
|
||||
validate_one allints "ALL INTERFACES" $allints
|
||||
validate_one localnat "LOCAL" $localnat
|
||||
validate_one dnatonly "DNAT ONLY" $dnatonly
|
||||
|
||||
if [ -n "$allints" ]; then
|
||||
addnatrule nat_in -d $external -j DNAT --to-destination $internal
|
||||
addnatrule nat_out -s $internal -j SNAT --to-source $external
|
||||
elif [ -z "$allints" -o "x$allints" = "x-" -o "x$allints" = "xNo" -o "x$allints" = "xno" ]; then
|
||||
addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
|
||||
addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
|
||||
[ -n "$dnatonly" ] || addnatrule nat_out -s $internal -j SNAT --to-source $external
|
||||
else
|
||||
fatal_error "Invalid value ($allints) for ALL INTERFACES in entry \"$external $interface $internal $allints $localnat\""
|
||||
addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
|
||||
[ -n "$dnatonly" ] || addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
|
||||
fi
|
||||
|
||||
if [ "x$localnat" = "xYes" -o "x$localnat" = "xyes" ]; then
|
||||
[ -n "$localnat" ] && \
|
||||
run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal
|
||||
elif [ "x$localnat" != "x-" -a -n "$localnat" -a "x$localnat" != "xNo" -a "x$localnat" != "xno" ]; then
|
||||
fatal_error "Invalid value ($allints) for LOCAL in entry \"$external $interface $internal $allints $localnat\""
|
||||
fi
|
||||
|
||||
if [ -n "$add_ip_aliases" ]; then
|
||||
list_search $external $aliases_to_add || \
|
||||
@ -1947,8 +1961,8 @@ setup_nat() {
|
||||
|
||||
save_progress_message "Restoring one-to-one NAT..."
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
while read external interface internal allints localnat dnatonly; do
|
||||
expandv external interface internal allints localnat dnatonly
|
||||
|
||||
do_one_nat
|
||||
|
||||
|
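Review bot: validate_one, added in the `@ -1900,7 +1900,22 @@` hunk, rejects the `-` placeholder: `-` is non-empty and matches neither `Yes|yes` nor `No|no`, so it falls through to the `*)` arm and calls fatal_error, while the tests it replaces in do_one_nat (`"x$allints" = "x-"` and `"x$localnat" != "x-"`, now on the removed side of the third hunk) accepted it, so an existing nat file with `-` in the ALL INTERFACES or LOCAL column would fail at start-up. Changing the arm to `No|no|-)` preserves the old behaviour and lets the new DNAT ONLY column take `-` as well. In the same function the fatal_error message echoes the entry as `$external $interface $internal $allints $localnat`, omitting the new `$dnatonly` value, so the diagnostic no longer shows the full line that was read. The body of do_one_nat continues past the end of the third hunk.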
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Address Translation Table
|
||||
# Shorewall 2.1 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
@ -16,6 +16,7 @@
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
#
|
||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
@ -29,13 +30,18 @@
|
||||
# particular entry, follow the interface name with
|
||||
# ":" and no digit (e.g., "eth0:").
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
#
|
||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||
# If No or no (or left empty) then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
#
|
||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
#
|
||||
# DNAT ONLY If Yes or yes, no SNAT will occur.
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL DNAT
|
||||
# INTERFACES ONLY
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -223,3 +223,7 @@ New Features:
|
||||
/etc/shorewall/hosts:
|
||||
|
||||
vpn eth0:0.0.0.0/0 ipsec
|
||||
|
||||
8) A new DNAT ONLY column has been added to the /etc/shorewall/nat
|
||||
file. If that column contains "Yes" or "yes", then no SNAT rules
|
||||
will be generated by the entry.
|
||||
|