holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Back out DNAT ONLY change; fix new IPSEC

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1536 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-08-14 16:05:28 +00:00
parent f12381f393
commit 7d85e8d36c
3 changed files with 8 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Shorewall2/firewall
View File

@ -1900,7 +1900,7 @@ delete_proxy_arp() {
# Setup Static Network Address Translation (NAT)
#
setup_nat() {
local external= interface= internal= allints= localnat= dnatonly=
local external= interface= internal= allints= localnat=
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
{
@ -1936,14 +1936,13 @@ setup_nat() {
validate_one allints "ALL INTERFACES" $allints
validate_one localnat "LOCAL" $localnat
validate_one dnatonly "DNAT ONLY" $dnatonly
if [ -n "$allints" ]; then
addnatrule nat_in -d $external -j DNAT --to-destination $internal
[ -n "$dnatonly" ] || addnatrule nat_out -s $internal -j SNAT --to-source $external
addnatrule nat_out -s $internal -j SNAT --to-source $external
else
addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
[ -n "$dnatonly" ] || addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
fi
[ -n "$localnat" ] && \
@ -1961,8 +1960,8 @@ setup_nat() {
save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat dnatonly; do
expandv external interface internal allints localnat dnatonly
while read external interface internal allints localnat; do
expandv external interface internal allints localnat
do_one_nat
@ -5714,7 +5713,7 @@ activate_rules()
addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2
run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
[ -n "$complex" ] && \
run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain

6
Shorewall2/nat
View File

@ -38,10 +38,8 @@
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# DNAT ONLY If Yes or yes, no SNAT will occur.
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL DNAT
# INTERFACES ONLY
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

4
Shorewall2/releasenotes.txt
View File

@ -256,7 +256,3 @@ New Features:
/etc/shorewall/hosts:
vpn eth0:0.0.0.0/0 ipsec
8) A new DNAT ONLY column has been added to the /etc/shorewall/nat
file. If that column contains "Yes" or "yes", then no SNAT rules
will be generated by the entry.