forked from extern/shorewall_code
e48207bbae
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
154 lines
3.9 KiB
Bash
154 lines
3.9 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Shorewall 3.2 -- /usr/share/shorewall/clib.nat
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
#
|
|
# (c) 2005,2006 - Tom Eastep (teastep@shorewall.net)
|
|
#
|
|
# Complete documentation is available at http://shorewall.net
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
|
|
|
|
|
#
|
|
# Setup Static Network Address Translation (NAT)
|
|
#
|
|
setup_nat() {
|
|
local external= interface= internal= allints= localnat= policyin= policyout=
|
|
|
|
validate_one() #1 = Variable Name, $2 = Column name, $3 = value
|
|
{
|
|
case $3 in
|
|
Yes|yes)
|
|
;;
|
|
No|no)
|
|
eval ${1}=
|
|
;;
|
|
*)
|
|
[ -n "$3" ] && \
|
|
fatal_error "Invalid value ($3) for $2 in entry \"$external $interface $internal $allints $localnat\""
|
|
;;
|
|
esac
|
|
}
|
|
|
|
do_one_nat() {
|
|
local add_ip_aliases=$ADD_IP_ALIASES iface=${interface%:*}
|
|
|
|
if [ -n "$add_ip_aliases" ]; then
|
|
case $interface in
|
|
*:)
|
|
interface=${interface%:}
|
|
add_ip_aliases=
|
|
;;
|
|
*)
|
|
[ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $external $iface
|
|
;;
|
|
esac
|
|
else
|
|
interface=${interface%:}
|
|
fi
|
|
|
|
validate_one allints "ALL INTERFACES" $allints
|
|
validate_one localnat "LOCAL" $localnat
|
|
|
|
if [ -n "$allints" ]; then
|
|
addnatrule nat_in -d $external $policyin -j DNAT --to-destination $internal
|
|
addnatrule nat_out -s $internal $policyout -j SNAT --to-source $external
|
|
else
|
|
addnatrule $(input_chain $iface) -d $external $policyin -j DNAT --to-destination $internal
|
|
addnatrule $(output_chain $iface) -s $internal $policyout -j SNAT --to-source $external
|
|
fi
|
|
|
|
[ -n "$localnat" ] && \
|
|
run_iptables2 -t nat -A OUTPUT -d $external $policyout -j DNAT --to-destination $internal
|
|
|
|
if [ -n "$add_ip_aliases" ]; then
|
|
list_search $external $ALIASES_TO_ADD || \
|
|
ALIASES_TO_ADD="$ALIASES_TO_ADD $external $interface"
|
|
fi
|
|
}
|
|
#
|
|
# At this point, we're just interested in the network translation
|
|
#
|
|
> $STATEDIR/nat
|
|
|
|
if [ -n "$POLICY_MATCH" ]; then
|
|
policyin="-m policy --pol none --dir in"
|
|
policyout="-m policy --pol none --dir out"
|
|
fi
|
|
|
|
[ -n "$RETAIN_ALIASES" ] || save_progress_message "Setting up one-to-one NAT..."
|
|
|
|
while read external interface internal allints localnat; do
|
|
expandv external interface internal allints localnat
|
|
|
|
do_one_nat
|
|
|
|
progress_message_and_save " Host $internal NAT $external on $interface"
|
|
done < $TMP_DIR/nat
|
|
}
|
|
|
|
#
|
|
# Delete existing Static NAT
|
|
#
|
|
delete_nat() {
|
|
run_iptables -t nat -F
|
|
run_iptables -t nat -X
|
|
|
|
[ -d $STATEDIR ] && touch $STATEDIR/nat
|
|
|
|
indent >&3 << __EOF__
|
|
|
|
if [ -f \${VARDIR}/nat ]; then
|
|
while read external interface; do
|
|
del_ip_addr \$external \$interface
|
|
done < \${VARDIR}/nat
|
|
|
|
rm -f \${VARDIR}/nat
|
|
fi
|
|
|
|
__EOF__
|
|
}
|
|
|
|
#
|
|
# Setup Network Mapping (NETMAP)
|
|
#
|
|
setup_netmap() {
|
|
|
|
while read type net1 interface net2 ; do
|
|
expandv type net1 interface net2
|
|
|
|
list_search $interface $ALL_INTERFACES || \
|
|
fatal_error "Unknown interface $interface in entry \"$type $net1 $interface $net2\""
|
|
|
|
case $type in
|
|
DNAT)
|
|
addnatrule $(input_chain $interface) -d $net1 -j NETMAP --to $net2
|
|
;;
|
|
SNAT)
|
|
addnatrule $(output_chain $interface) -s $net1 -j NETMAP --to $net2
|
|
;;
|
|
*)
|
|
fatal_error "Invalid type $type in entry \"$type $net1 $interface $net2\""
|
|
;;
|
|
esac
|
|
|
|
progress_message_and_save " Network $net1 on $interface mapped to $net2 ($type)"
|
|
|
|
done < $TMP_DIR/netmap
|
|
}
|
|
|
|
CLIB_NAT_LOADED=Yes
|