More NAT table Rework

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-07-05 15:56:02 +00:00
parent 338673c29a
commit a8c6143943


@ -347,6 +347,14 @@ input_chain() # $1 = interface
echo `chain_base $interface`_in
}
################################################################################
# Output Chain for an interface #
################################################################################
output_chain() # $1 = interface
{
echo `chain_base $interface`_out
}
################################################################################
# First chains for an interface #
################################################################################
@ -1197,10 +1205,9 @@ setup_nat() {
if [ -z "$allints" -o "$allints" = "Yes" \
-o "$allints" = "yes" ]
then
run_iptables -t nat -A PREROUTING -d $external \
-j DNAT --to-destination $internal
run_iptables -t nat -A POSTROUTING -s $internal \
-j SNAT --to-source $external
addnatrule nat_in -d $external -j DNAT --to-destination $internal
addnatrule nat_out -s $internal -j SNAT --to-source $external
if [ "$localnat" = "Yes" -o "$localnat" = "yes" ]; then
run_iptables -t nat -A OUTPUT -d $external \
-j DNAT --to-destination $internal
@ -1208,7 +1215,7 @@ setup_nat() {
else
addnatrule `input_chain $interface` \
-d $external -j DNAT --to-destination $internal
run_iptables -t nat -A POSTROUTING -o $interface \
addnatrule `output_chain $interface` \
-s $internal -j SNAT --to-source $external
fi
@ -1457,6 +1464,9 @@ add_nat_rule() {
$sports -d $serv $dports -j SNAT --to-source $snat
else
for source_host in $source_hosts; do
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
run_iptables -t nat -A POSTROUTING \
-s ${source_host#*:} $proto $sports $multiport \
-d $serv $dports -j SNAT --to-source $snat
@ -2264,7 +2274,8 @@ setup_masq()
subnet="${subnet%!*}"
fi
chain=POSTROUTING
chain=`output_chain $interface`
iface=
case $subnet in
[0-9]*|![0-9]*)
@ -2279,6 +2290,7 @@ setup_masq()
chain=OUTPUT
subnet=
source=$FW
iface="-o $interface"
;;
*)
ipaddr="`run_ip addr show $subnet | grep 'inet '`"
@ -2308,39 +2320,35 @@ setup_masq()
fi
destination=$destnet
iface=$interface
if [ -n "$nomasq" ]; then
newchain=masq${masq_seq}
run_iptables -t nat -N $newchain
run_iptables -t nat -A $chain -d $destnet -o $interface \
$subnet -j $newchain
addnatrule $chain -d $destnet $iface $subnet -j $newchain
masq_seq=$(($masq_seq + 1))
chain=$newchain
subnet=
interface=
iface=
destnet=
for addr in `separate_list $nomasq`; do
run_iptables -t nat -A $chain -s $addr -j RETURN
addnatrule $chain -s $addr -j RETURN
done
else
interface="-o $interface"
destnet="-d $destnet"
fi
if [ -n "$address" ]; then
run_iptables -t nat -A $chain $subnet $destnet \
$interface -j SNAT --to-source $address
addnatrule $chain $subnet $destnet $iface \
-j SNAT --to-source $address
using=" using $address"
else
run_iptables -t nat -A $chain $subnet $destnet \
$interface -j MASQUERADE
addnatrule $chain $subnet $destnet $iface -j MASQUERADE
using=
fi
[ -n "$nomasq" ] && source="$source except $nomasq"
echo " To $destination from $source through ${iface}${using}"
echo " To $destination from $source through ${interface}${using}"
}
strip_file masq $1
@ -2834,22 +2842,70 @@ apply_policy_rules() {
done
}
################################################################################
# Jump to a NAT chain from one of the builtin chains #
#------------------------------------------------------------------------------#
# If NAT_BEFORE_RULES then insert the jump near the front of the source #
# chain; otherwise, append the rule #
################################################################################
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
local sourcechain=$1 destchain=$2
shift
shift
if havenatchain $destchain; then
if [ -n "$NAT_BEFORE_RULES" ]; then
eval run_iptables -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
else
run_iptables -t nat -A $sourcechain $@ -j $destchain
fi
fi
}
################################################################################
# Jump to a NAT chain from one of the builtin chains #
#------------------------------------------------------------------------------#
# If not NAT_BEFORE_RULES then insert the jump near the front of the source #
# chain; otherwise, append the rule #
################################################################################
insertnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
{
local sourcechain=$1 destchain=$2
shift
shift
if havenatchain $destchain; then
if [ -z "$NAT_BEFORE_RULES" ]; then
eval run_iptables -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
else
run_iptables -t nat -A $sourcechain $@ -j $destchain
fi
fi
}
################################################################################
# Activate the rules #
################################################################################
activate_rules() {
local nat=1
PREROUTING_rule=1
POSTROUTING_rule=1
multi_interfaces=`find_interfaces_by_option multi`
addnatjump PREROUTING nat_in
addnatjump POSTROUTING nat_out
for interface in $all_interfaces; do
chain=`input_chain $interface`
havenatchain $chain && \
run_iptables -t nat -A PREROUTING -i $interface -j $chain
addnatjump PREROUTING `input_chain $interface` -i $interface
addnatjump POSTROUTING `output_chain $interface` -o $interface
done
multi_interfaces=`find_interfaces_by_option multi`
for zone in $zones; do
eval source_hosts=\$${zone}_hosts
@ -2860,16 +2916,7 @@ activate_rules() {
run_iptables -A OUTPUT -o \
$interface -d $subnet -j `rules_chain $FW $zone`
if havenatchain $zone; then
if [ -n "$NAT_BEFORE_RULES" ]; then
run_iptables -t nat -A PREROUTING \
-i $interface -s $subnet -j $zone
else
run_iptables -t nat -I PREROUTING $nat \
-i $interface -s $subnet -j $zone
nat=$((nat+1))
fi
fi
insertnatjump PREROUTING $zone -i $interface -s $subnet
run_iptables -A `input_chain $interface` -s $subnet \
-j `rules_chain $zone $FW`