Masquerade from all primary subnets when an interface name is in the second column of a masq file entry
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@415 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
43cc73ef47
commit
94c5455c9e
@ -2898,6 +2898,47 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
|||||||
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
|
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Get primary addresses of an interface
|
||||||
|
#
|
||||||
|
get_primary_addresses() # $1 = interface name
|
||||||
|
{
|
||||||
|
local address
|
||||||
|
|
||||||
|
ip addr show dev $1 2> /dev/null | \
|
||||||
|
grep inet | \
|
||||||
|
grep -v secondary | \
|
||||||
|
sed s/" "// | \
|
||||||
|
cut -d' ' -f2 | \
|
||||||
|
while read address; do
|
||||||
|
[ -z "`echo "$address" | grep '/'`" ] && address="${address}/32"
|
||||||
|
echo $address
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Show network address corresponding to the passed PREFIX/VLSM using
|
||||||
|
# the ipcalc utility. This probably only works on RedHat systems :-(
|
||||||
|
#
|
||||||
|
show_network() {
|
||||||
|
local ipcalc=`which ipcalc 2> /dev/null`
|
||||||
|
local network
|
||||||
|
#
|
||||||
|
# If the distribution doesn't have ipcalc we'll just have to be ugly
|
||||||
|
#
|
||||||
|
[ -z "$ipcalc" ] && echo $1 && return
|
||||||
|
|
||||||
|
case $1 in
|
||||||
|
*/32)
|
||||||
|
echo $1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
network=`$ipcalc -n $1`
|
||||||
|
echo ${network#*=}/${1#*/}
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set up Source NAT (including masquerading)
|
# Set up Source NAT (including masquerading)
|
||||||
#
|
#
|
||||||
@ -2927,10 +2968,10 @@ setup_masq()
|
|||||||
chain=`masq_chain $interface`
|
chain=`masq_chain $interface`
|
||||||
iface=
|
iface=
|
||||||
|
|
||||||
|
source="$subnet"
|
||||||
|
|
||||||
case $subnet in
|
case $subnet in
|
||||||
*.*.*)
|
*.*.*)
|
||||||
source="$subnet"
|
|
||||||
subnet="-s $subnet"
|
|
||||||
;;
|
;;
|
||||||
-)
|
-)
|
||||||
#
|
#
|
||||||
@ -2943,16 +2984,9 @@ setup_masq()
|
|||||||
iface="-o $interface"
|
iface="-o $interface"
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`"
|
subnets=`get_primary_addresses $subnet`
|
||||||
source="$subnet"
|
[ -z "$subnets" ] && startup_error "Unable to determine the address(es) for interface $subnet"
|
||||||
if [ -z "$ipaddr" ]; then
|
subnet="$subnets"
|
||||||
fatal_error \
|
|
||||||
"Interface $subnet must be up before Shorewall starts"
|
|
||||||
fi
|
|
||||||
|
|
||||||
subnet="`echo $ipaddr | sed s/" "// | cut -d' ' -f2`"
|
|
||||||
[ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
|
|
||||||
subnet="-s $subnet"
|
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -2966,7 +3000,15 @@ setup_masq()
|
|||||||
if [ -n "$nomasq" ]; then
|
if [ -n "$nomasq" ]; then
|
||||||
newchain=masq${masq_seq}
|
newchain=masq${masq_seq}
|
||||||
createnatchain $newchain
|
createnatchain $newchain
|
||||||
addnatrule $chain -d $destnet $iface $subnet -j $newchain
|
|
||||||
|
if [ -n "$subnet" ]; then
|
||||||
|
for s in $subnet; do
|
||||||
|
addnatrule $chain -d $destnet $iface -s $s -j $newchain
|
||||||
|
done
|
||||||
|
else
|
||||||
|
addnatrule $chain -d $destnet $iface -j $newchain
|
||||||
|
fi
|
||||||
|
|
||||||
masq_seq=$(($masq_seq + 1))
|
masq_seq=$(($masq_seq + 1))
|
||||||
chain=$newchain
|
chain=$newchain
|
||||||
subnet=
|
subnet=
|
||||||
@ -2976,21 +3018,34 @@ setup_masq()
|
|||||||
for addr in `separate_list $nomasq`; do
|
for addr in `separate_list $nomasq`; do
|
||||||
addnatrule $chain -s $addr -j RETURN
|
addnatrule $chain -s $addr -j RETURN
|
||||||
done
|
done
|
||||||
|
|
||||||
|
source="$source except $nomasq"
|
||||||
else
|
else
|
||||||
destnet="-d $destnet"
|
destnet="-d $destnet"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "$address" ]; then
|
if [ -n "$address" ]; then
|
||||||
addnatrule $chain $subnet $destnet $iface \
|
if [ -n "$subnet" ]; then
|
||||||
-j SNAT --to-source $address
|
for s in $subnet; do
|
||||||
using=" using $address"
|
addnatrule $chain -s $s $destnet $iface \
|
||||||
|
-j SNAT --to-source $address
|
||||||
|
echo " To $destination from `show_network $s` through ${interface} using $address"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
addnatrule $chain $destnet $iface \
|
||||||
|
-j SNAT --to-source $address
|
||||||
|
echo " To $destination from $source through ${interface} using $address"
|
||||||
|
fi
|
||||||
|
elif [ -n "$subnet" ]; then
|
||||||
|
for s in $subnet; do
|
||||||
|
addnatrule $chain -s $s $destnet $iface -j MASQUERADE
|
||||||
|
echo " To $destination from `show_network $s` through ${interface}"
|
||||||
|
done
|
||||||
else
|
else
|
||||||
addnatrule $chain $subnet $destnet $iface -j MASQUERADE
|
addnatrule $chain $destnet $iface -j MASQUERADE
|
||||||
using=
|
echo " To $destination from $source through ${interface}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$nomasq" ] && source="$source except $nomasq"
|
|
||||||
echo " To $destination from $source through ${interface}${using}"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
strip_file masq $1
|
strip_file masq $1
|
||||||
|
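Review bot: get_primary_addresses filters with `grep inet`, which also selects `inet6` lines, whereas the code it replaces in the `*)` branch of setup_masq filtered on `'inet '`; on a host whose interface also carries an IPv6 address the loop will emit that address and the later `addnatrule ... -s $s` rule is rejected by iptables. Keeping the trailing space restores the old behaviour: `grep 'inet ' | \`. The `/32` default could also avoid the subshell, `case $address in */*) ;; *) address="${address}/32";; esac`, matching the case style already used in show_network. A smaller point in the last hunk: when SUBNET is an interface and an exclusion list is given, the per-address `echo` lines built from `show_network $s` drop the ` except $nomasq` text that the plain-subnet path still prints via `$source`, so the startup log no longer shows the exclusions in that case.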
@ -16,11 +16,7 @@
|
|||||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||||
# a subnet or as an interface. If you give the name of an
|
# a subnet or as an interface. If you give the name of an
|
||||||
# interface, you must have iproute installed and the interface
|
# interface, you must have iproute installed and the interface
|
||||||
# must be up before you start the firewall. If you have
|
# must be up before you start the firewall.
|
||||||
# multiple IP addresses on the specified interface, Shorewall
|
|
||||||
# WILL ONLY MASQUERADE TRAFFIC FROM THE FIRST SUBNET. You will
|
|
||||||
# need to add additional entries to this file that specify
|
|
||||||
# the other subnets in this column.
|
|
||||||
#
|
#
|
||||||
# In order to exclude a subset of the specified SUBNET, you
|
# In order to exclude a subset of the specified SUBNET, you
|
||||||
# may append "!" and a comma-separated list of IP addresses
|
# may append "!" and a comma-separated list of IP addresses
|
||||||
|
@ -20,7 +20,9 @@
|
|||||||
# follow the interface name with ":" and a digit to
|
# follow the interface name with ":" and a digit to
|
||||||
# indicate that you want Shorewall to add the alias
|
# indicate that you want Shorewall to add the alias
|
||||||
# with this name (e.g., "eth0:0"). That allows you to
|
# with this name (e.g., "eth0:0"). That allows you to
|
||||||
# see the alias with ifconfig.
|
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||||
|
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||||
|
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||||
# INTERNAL Internal Address (must not be a DNS Name).
|
# INTERNAL Internal Address (must not be a DNS Name).
|
||||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||||
# from all hosts. If No or no then NAT will be effective
|
# from all hosts. If No or no then NAT will be effective
|
||||||
|