forked from extern/shorewall_code
More NAT table Tuning
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
a53f7546bb
commit
ee19fb9ea6
@ -355,6 +355,30 @@ output_chain() # $1 = interface
|
|||||||
echo `chain_base $1`_out
|
echo `chain_base $1`_out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Masquerade Chain for an interface #
|
||||||
|
################################################################################
|
||||||
|
masq_chain() # $1 = interface
|
||||||
|
{
|
||||||
|
echo `chain_base $1`_masq
|
||||||
|
}
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# DNAT Chain from a zone #
|
||||||
|
################################################################################
|
||||||
|
dnat_chain() # $1 = zone
|
||||||
|
{
|
||||||
|
echo ${1}_dnat
|
||||||
|
}
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# SNAT Chain to a zone #
|
||||||
|
################################################################################
|
||||||
|
snat_chain() # $1 = zone
|
||||||
|
{
|
||||||
|
echo ${1}_snat
|
||||||
|
}
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# First chains for an interface #
|
# First chains for an interface #
|
||||||
################################################################################
|
################################################################################
|
||||||
@ -1432,13 +1456,13 @@ add_nat_rule() {
|
|||||||
run_iptables -t nat -A OUTPUT $proto $sports $addr \
|
run_iptables -t nat -A OUTPUT $proto $sports $addr \
|
||||||
$multiport $dports -j $target1
|
$multiport $dports -j $target1
|
||||||
else
|
else
|
||||||
chain=$source
|
chain=`dnat_chain $source`
|
||||||
|
|
||||||
if [ -n "$excludezones" ]; then
|
if [ -n "$excludezones" ]; then
|
||||||
chain=nonat${nonat_seq}
|
chain=nonat${nonat_seq}
|
||||||
nonat_seq=$(($nonat_seq + 1))
|
nonat_seq=$(($nonat_seq + 1))
|
||||||
createnatchain $chain
|
createnatchain $chain
|
||||||
addnatrule $source -j $chain
|
addnatrule `dnat_chain $source` -j $chain
|
||||||
for z in $excludezones; do
|
for z in $excludezones; do
|
||||||
eval hosts=\$${z}_hosts
|
eval hosts=\$${z}_hosts
|
||||||
for host in $hosts; do
|
for host in $hosts; do
|
||||||
@ -1460,14 +1484,14 @@ add_nat_rule() {
|
|||||||
|
|
||||||
if [ -n "$snat" ]; then
|
if [ -n "$snat" ]; then
|
||||||
if [ -n "$cli" ]; then
|
if [ -n "$cli" ]; then
|
||||||
run_iptables -t nat -A POSTROUTING $proto $cli $multiport \
|
addnatrule `snat_chain $dest` $proto $cli $multiport \
|
||||||
$sports -d $serv $dports -j SNAT --to-source $snat
|
$sports -d $serv $dports -j SNAT --to-source $snat
|
||||||
else
|
else
|
||||||
for source_host in $source_hosts; do
|
for source_host in $source_hosts; do
|
||||||
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
|
[ "x${source_host#*:}" = "x0.0.0.0/0" ] && \
|
||||||
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
|
error_message "Warning: SNAT will occur on all connections to this server and port - rule \"$rule\""
|
||||||
|
|
||||||
run_iptables -t nat -A POSTROUTING \
|
addnatrule `snat_chain $dest` \
|
||||||
-s ${source_host#*:} $proto $sports $multiport \
|
-s ${source_host#*:} $proto $sports $multiport \
|
||||||
-d $serv $dports -j SNAT --to-source $snat
|
-d $serv $dports -j SNAT --to-source $snat
|
||||||
done
|
done
|
||||||
@ -2274,7 +2298,7 @@ setup_masq()
|
|||||||
subnet="${subnet%!*}"
|
subnet="${subnet%!*}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
chain=`output_chain $interface`
|
chain=`masq_chain $interface`
|
||||||
iface=
|
iface=
|
||||||
|
|
||||||
case $subnet in
|
case $subnet in
|
||||||
@ -2842,60 +2866,52 @@ apply_policy_rules() {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Jump to a NAT chain from one of the builtin chains #
|
|
||||||
#------------------------------------------------------------------------------#
|
|
||||||
# If NAT_BEFORE_RULES then insert the jump near the front of the source #
|
|
||||||
# chain; otherwise, append the rule #
|
|
||||||
################################################################################
|
|
||||||
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
|
||||||
{
|
|
||||||
local sourcechain=$1 destchain=$2
|
|
||||||
shift
|
|
||||||
shift
|
|
||||||
|
|
||||||
if havenatchain $destchain; then
|
|
||||||
if [ -n "$NAT_BEFORE_RULES" ]; then
|
|
||||||
eval run_iptables -t nat -I $sourcechain \
|
|
||||||
\$${sourcechain}_rule $@ -j $destchain
|
|
||||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
|
||||||
else
|
|
||||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Jump to a NAT chain from one of the builtin chains #
|
|
||||||
#------------------------------------------------------------------------------#
|
|
||||||
# If not NAT_BEFORE_RULES then insert the jump near the front of the source #
|
|
||||||
# chain; otherwise, append the rule #
|
|
||||||
################################################################################
|
|
||||||
insertnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
|
||||||
{
|
|
||||||
local sourcechain=$1 destchain=$2
|
|
||||||
shift
|
|
||||||
shift
|
|
||||||
|
|
||||||
if havenatchain $destchain; then
|
|
||||||
if [ -z "$NAT_BEFORE_RULES" ]; then
|
|
||||||
eval run_iptables -t nat -I $sourcechain \
|
|
||||||
\$${sourcechain}_rule $@ -j $destchain
|
|
||||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
|
||||||
else
|
|
||||||
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Activate the rules #
|
# Activate the rules #
|
||||||
################################################################################
|
################################################################################
|
||||||
activate_rules() {
|
activate_rules()
|
||||||
|
{
|
||||||
PREROUTING_rule=1
|
local PREROUTING_rule=1
|
||||||
POSTROUTING_rule=1
|
local POSTROUTING_rule=1
|
||||||
|
############################################################################
|
||||||
|
# Jump to a NAT chain from one of the builtin nat chains
|
||||||
|
#
|
||||||
|
addnatjump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||||
|
{
|
||||||
|
local sourcechain=$1 destchain=$2
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
|
||||||
|
havenatchain $destchain && \
|
||||||
|
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||||
|
}
|
||||||
|
|
||||||
|
############################################################################
|
||||||
|
# Jump to a RULES chain from one of the builtin nat chains
|
||||||
|
#---------------------------------------------------------------------------
|
||||||
|
# If NAT_BEFORE_RULES then append the rule to the chain; otherwise, insert
|
||||||
|
# the jump near the front of the builtin chain
|
||||||
|
#
|
||||||
|
addrulejump() # $1 = BUILTIN chain, $2 = user chain, $3 - * other arguments
|
||||||
|
{
|
||||||
|
local sourcechain=$1 destchain=$2
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
|
||||||
|
if havenatchain $destchain; then
|
||||||
|
if [ -n "$NAT_BEFORE_RULES" ]; then
|
||||||
|
run_iptables -t nat -A $sourcechain $@ -j $destchain
|
||||||
|
else
|
||||||
|
eval run_iptables -t nat -I $sourcechain \
|
||||||
|
\$${sourcechain}_rule $@ -j $destchain
|
||||||
|
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add jumps from the builtin chains to the nat chains
|
||||||
|
#
|
||||||
addnatjump PREROUTING nat_in
|
addnatjump PREROUTING nat_in
|
||||||
addnatjump POSTROUTING nat_out
|
addnatjump POSTROUTING nat_out
|
||||||
|
|
||||||
@ -2915,8 +2931,11 @@ activate_rules() {
|
|||||||
|
|
||||||
run_iptables -A OUTPUT -o \
|
run_iptables -A OUTPUT -o \
|
||||||
$interface -d $subnet -j `rules_chain $FW $zone`
|
$interface -d $subnet -j `rules_chain $FW $zone`
|
||||||
|
#
|
||||||
insertnatjump PREROUTING $zone -i $interface -s $subnet
|
# Add jumps from the builtin chains for DNAT and SNAT rules
|
||||||
|
#
|
||||||
|
addrulejump PREROUTING `dnat_chain $zone` -i $interface -s $subnet
|
||||||
|
addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet
|
||||||
|
|
||||||
run_iptables -A `input_chain $interface` -s $subnet \
|
run_iptables -A `input_chain $interface` -s $subnet \
|
||||||
-j `rules_chain $zone $FW`
|
-j `rules_chain $zone $FW`
|
||||||
@ -2957,6 +2976,7 @@ activate_rules() {
|
|||||||
for interface in $all_interfaces; do
|
for interface in $all_interfaces; do
|
||||||
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
|
run_iptables -A FORWARD -i $interface -j `forward_chain $interface`
|
||||||
run_iptables -A INPUT -i $interface -j `input_chain $interface`
|
run_iptables -A INPUT -i $interface -j `input_chain $interface`
|
||||||
|
addnatjump POSTROUTING `masq_chain $interface` -o $interface
|
||||||
done
|
done
|
||||||
|
|
||||||
complete_standard_chain INPUT all $FW
|
complete_standard_chain INPUT all $FW
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user