#!/bin/sh # # Shorewall 3.2 -- /usr/share/shorewall/clib.nat # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 2005,2006 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # # Setup Static Network Address Translation (NAT) # setup_nat() { local external= interface= internal= allints= localnat= policyin= policyout= validate_one() #1 = Variable Name, $2 = Column name, $3 = value { case $3 in Yes|yes) ;; No|no) eval ${1}= ;; *) [ -n "$3" ] && \ fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\"" ;; esac } do_one_nat() { local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*} if [ -n "$add_ip_aliases" ]; then case $interface in *:) interface=${interface%:} add_ip_aliases= ;; *) [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface ;; esac else interface=${interface%:} fi validate_one allints "ALL INTERFACES" $allints validate_one localnat "LOCAL" $localnat if [ -n "$allints" ]; then addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external else addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external fi [ -n "$localnat" ] && \ run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal if [ -n "$add_ip_aliases" ]; then list_search $external $ALIASES_TO_ADD || \ ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface" fi } # # At this point, we're just interested in the network translation # > $STATEDIR/nat if [ -n "$POLICY_MATCH" ]; then policyin="-m policy --pol none --dir in" policyout="-m policy --pol none --dir out" fi [ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..." while read external interface internal allints localnat; do expandv external interface internal allints localnat do_one_nat progress_message_and_save " Host $internal NAT $external on $interface" done < $TMP_DIR/nat } # # Delete existing Static NAT # delete_nat() { run_iptables -t nat -F run_iptables -t nat -X [ -d $STATEDIR ] && touch $STATEDIR/nat indent >&3 << __EOF__ if [ -f \${VARDIR}/nat ]; then while read external interface; do del_ip_addr \$external \$interface done < \${VARDIR}/nat rm -f \${VARDIR}/nat fi __EOF__ } # # Setup Network Mapping (NETMAP) # setup_netmap() { while read type net1 interface net2 ; do expandv type net1 interface net2 list_search $interface $ALL_INTERFACES || \ fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\"" case $type in DNAT) addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2 ;; SNAT) addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2 ;; *) fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\"" ;; esac progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)" done < $TMP_DIR/netmap } CLIB_NAT_LOADED=Yes