Don't NAT tunnel traffic

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-09-06 19:58:10 +00:00
parent bc0a246113
commit b86d3f03d9
3 changed files with 18 additions and 6 deletions


@ -62,3 +62,5 @@ Changes since 2.0.3
29) Correct parsing of PROTO column in setup_tc1(). 29) Correct parsing of PROTO column in setup_tc1().
30) Verify Physdev match if BRIDGING=Yes 30) Verify Physdev match if BRIDGING=Yes
31) Don't NAT tunnel traffic.


@ -1967,7 +1967,7 @@ delete_proxy_arp() {
# Setup Static Network Address Translation (NAT) # Setup Static Network Address Translation (NAT)
# #
setup_nat() { setup_nat() {
local external= interface= internal= allints= localnat= local external= interface= internal= allints= localnat= policyin= policyout=
validate_one() #1 = Variable Name, $2 = Column name, $3 = value validate_one() #1 = Variable Name, $2 = Column name, $3 = value
{ {
@ -2005,15 +2005,15 @@ setup_nat() {
validate_one localnat "LOCAL" $localnat validate_one localnat "LOCAL" $localnat
if [ -n "$allints" ]; then if [ -n "$allints" ]; then
addnatrule nat_in -d $external -j DNAT --to-destination $internal addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
addnatrule nat_out -s $internal -j SNAT --to-source $external addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
else else
addnatrule $(input_chain $iface) -d $external -j DNAT --to-destination $internal addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
addnatrule $(output_chain $iface) -s $internal -j SNAT --to-source $external addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
fi fi
[ -n "$localnat" ] && \ [ -n "$localnat" ] && \
run_iptables2 -t nat -A OUTPUT -d $external -j DNAT --to-destination $internal run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
if [ -n "$add_ip_aliases" ]; then if [ -n "$add_ip_aliases" ]; then
list_search $external $aliases_to_add || \ list_search $external $aliases_to_add || \
@ -2025,6 +2025,11 @@ setup_nat() {
# #
> ${STATEDIR}/nat > ${STATEDIR}/nat
if [ -n "$POLICY_MATCH" ]; then
policyin="-m policy --pol none --dir in"
policyout="-m policy --pol none --dir out"
fi
save_progress_message "Restoring one-to-one NAT..." save_progress_message "Restoring one-to-one NAT..."
while read external interface internal allints localnat; do while read external interface internal allints localnat; do
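Review bot: The IPsec exemption added in the last hunk is applied only when `$POLICY_MATCH` is non-empty, and nothing in the hunk reports the other case, so on a system without the policy match extension the one-to-one NAT rules silently keep matching tunnel traffic — the very situation the commit is meant to fix — and it is unclear from here whether POLICY_MATCH is a detected capability or a user setting. A short comment above the `if [ -n "$POLICY_MATCH" ]` block would make the intent and the dependency explicit, e.g. `# Restrict one-to-one NAT to packets not subject to IPsec processing (needs the iptables policy match; silently skipped without it)`, and a progress or warning message in an `else` branch would make the degraded mode visible at startup. The unquoted `$policyin`/`$policyout` in the addnatrule and run_iptables2 lines deliberately rely on word-splitting to pass the multi-word match and expand to nothing when unset; that is consistent with the rest of the file but worth a one-line comment on the `local` declaration so nobody "fixes" the quoting. setup_nat's body continues past the end of the hunk.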


@ -42,6 +42,11 @@ Problems corrected since 2.1.7
2) Fix parsing of PROTO column in /etc/shorewall/tcrules. 2) Fix parsing of PROTO column in /etc/shorewall/tcrules.
3) Packets that will be encrypted or that have been decrypted by IPSEC
are now exempted from the rules established by one-to-one NAT. This
allows tunnel mode IPSEC to work for local networks where some of
the systems use one-to-one NAT.
----------------------------------------------------------------------- -----------------------------------------------------------------------
Issues when migrating from Shorewall 2.0 to Shorewall 2.1: Issues when migrating from Shorewall 2.0 to Shorewall 2.1: