diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 928f1ebca..7836f6069 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1900,7 +1900,7 @@ delete_proxy_arp() {
 # Setup Static Network Address Translation (NAT)
 #
 setup_nat() {
-    local external= interface= internal= allints= localnat= dnatonly=
+    local external= interface= internal= allints= localnat=
     validate_one() #1 = Variable Name, $2 = Column name, $3 = value
     {
@@ -1936,14 +1936,13 @@ setup_nat() {
     validate_one allints "ALL INTERFACES" $allints
     validate_one localnat "LOCAL" $localnat
-    validate_one dnatonly "DNAT ONLY" $dnatonly
     if [ -n "$allints" ]; then
         addnatrule nat_in -d $external -j DNAT --to-destination $internal
-        [ -n "$dnatonly" ] || addnatrule nat_out -s $internal -j SNAT --to-source $external
+        addnatrule nat_out -s $internal -j SNAT --to-source $external
     else
         addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal
-        [ -n "$dnatonly" ] || addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
+        addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external
     fi
     [ -n "$localnat" ] && \
@@ -1961,8 +1960,8 @@ setup_nat() {
     save_progress_message "Restoring one-to-one NAT..."
-    while read external interface internal allints localnat dnatonly; do
-        expandv external interface internal allints localnat dnatonly
+    while read external interface internal allints localnat; do
+        expandv external interface internal allints localnat
         do_one_nat
@@ -5714,7 +5713,7 @@ activate_rules()
         addrulejump PREROUTING $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
         addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
-        run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) -j $chain2
+        run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
         [ -n "$complex" ] && \
             run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
diff --git a/Shorewall2/nat b/Shorewall2/nat
index 7eab3ac03..136405d3a 100755
--- a/Shorewall2/nat
+++ b/Shorewall2/nat
@@ -38,10 +38,8 @@
 #
 # LOCAL          If Yes or yes, NAT will be effective from the firewall
 #                system
-#
-# DNAT ONLY      If Yes or yes, no SNAT will occur.
 ##############################################################################
-#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL   DNAT
-#                                               INTERFACES              ONLY
+#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
 #
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 0bd13eae9..82d30f542 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -256,7 +256,3 @@ New Features:
        /etc/shorewall/hosts: vpn eth0:0.0.0.0/0 ipsec
-
-8) A new DNAT ONLY column has been added to the /etc/shorewall/nat
-   file. If that column contains "Yes" or "yes", then no SNAT rules
-   will be generated by the entry.
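Review bot: The IPsec policy match is now assembled three separate times per host entry — `$(match_ipsec_in $zone $host)` on the PREROUTING rule, on the new input-chain rule and on the forward-chain rule — so a future edit to one of them can again leave the input rule admitting non-IPsec packets from addresses that should only enter `$zone` when the policy matches, which is exactly the gap the old input line had. Compute it once per iteration, `ipsec_in=$(match_ipsec_in $zone $host)` (declared `local` at the top of activate_rules, alongside an `ipsec_out` for the POSTROUTING rule), and use `$ipsec_in` on all three rules; that also drops two subshells per iteration. Whether the mirrored output-chain rule for this zone carries `$(match_ipsec_out $zone $host)` is not visible here and is worth confirming, since the same omission there would let replies leave unencrypted. activate_rules() and the loop that sets `$zone`, `$host` and `$networks` begin and end outside the hunk.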