Browse Source

tags/v2.01a1
bbruns@gmail.com 6 years ago
parent
commit
2057c346d2
5 changed files with 86 additions and 2 deletions
  1. +4
    -0
      bin/srfirewall
  2. +7
    -1
      etc/ipv4.conf
  3. +18
    -0
      etc/ipv4/nat.conf
  4. +7
    -1
      etc/ipv6.conf
  5. +50
    -0
      lib/iptables.inc

+ 4
- 0
bin/srfirewall View File

@@ -172,6 +172,8 @@ if [ "${EnableIPv4}" == "yes" ]; then
[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
[ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
[ "${Enablev4Filtering}" == "yes" ] && enable_filtering ipv4
#[ "${Enablev4Forwarding}" == "yes" ] && enable_forwarding ipv4
[ "${Enablev4NAT}" == "yes" ] && enable_nat ipv4
fi

@@ -191,5 +193,7 @@ if [ "${EnableIPv6}" == "yes" ]; then
[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
[ "${Enablev6EasyBlock}" == "yes" ] && enable_easyblock ipv6
[ "${Enablev6Filtering}" == "yes" ] && enable_filtering ipv6
#[ "${Enablev6Forwarding}" == "yes" ] && enable_forwarding ipv6
[ "${Enablev6NAT}" == "yes" ] && enable_nat ipv6
fi


+ 7
- 1
etc/ipv4.conf View File

@@ -51,4 +51,10 @@ Enablev4EasyBlock="yes"
# filtering rules.
# Config file: ipv4/acl.conf
# Values: no | yes (default)
Enablev4Filtering="yes"
Enablev4Filtering="yes"

# Enable IPv4 NAT/NETMAP rules
# This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
# Config file: ipv4/nat.conf
# Values: no | yes (default)
Enablev4NAT="yes"

+ 18
- 0
etc/ipv4/nat.conf View File

@@ -0,0 +1,18 @@
# Network Address Translation Rules
# Use this file to set up network address translation rules
# Use tabs or single space to separate
#
# <type> <src-interface> <src-address> <dst-interface> <dst-address>
#
# Type: Required ( SNAT | MASQ | NETMAP )
# Source Interface: Optional ( interface name, aka eth0 )
# Source Address: Optional ( IP address with optional netmask )
# Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
# Destination Address: Required for all but MASQ ( IP address with optional netmask )
# You can use '-' for optional fields
#============================================================
#<type> <src-interface> <src-address> <dst-interface> <dst-address>
SNAT eth1 10.0.0.0/24 eth0 172.16.1.1
MASQ - - eth0 -
NETMAP eth1 192.168.0.0/24 vpn0 172.16.10.0/24


+ 7
- 1
etc/ipv6.conf View File

@@ -51,4 +51,10 @@ Enablev6EasyBlock="yes"
# filtering rules.
# Config file: ipv6/acl.conf
# Values: no | yes (default)
Enablev6Filtering="yes"
Enablev6Filtering="yes"

# Enable IPv6 NAT/NETMAP rules
# This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
# Config file: ipv4/nat.conf
# Values: no | yes (default)
Enablev6NAT="yes"

+ 50
- 0
lib/iptables.inc View File

@@ -318,4 +318,54 @@ function enable_filtering {
done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}

function enable_nat {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
while read -r type srcinterface srcaddress dstinterface dstaddress; do
[[ ${type} = \#* ]] && continue
[[ ${type} = "" ]] && continue
([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]]) \
&& ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" && continue

# Do some creative work with variables to make building the iptables rules fairly painless
[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
[[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
([[ ${srcaddresss} != "-" ]] && [[ ${type} != "NETMAP" ]]) && srcaddress="-s ${srcaddress}"
([[ ${dstinterface} != "-" ]] && [[ ${type} == "MASQ" ]]) && action="-j MASQUERADE"
([[ ${dstinterface} == "-" ]] && [[ ${type} == "MASQ" ]]) && \
${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
&& continue

([[ ${dstaddress} != "-" ]] && [[ ${type} == "SNAT" ]]) && action="-j SNAT" && dstaddress="--to-source ${dstaddress}"
([[ ${dstaddress} == "-" ]] && [[ ${type} == "SNAT" ]]) && \
${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
&& continue

([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-d ${srcaddress}" && dstaddress="--to ${dstaddress}"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
# Blank variables that we're not going to use.
[[ ${srcinterface} == "-" ]] && srcinterface=""
[[ ${dstinterface} == "-" ]] && dstinterface=""
[[ ${dstaddress} == "-" ]] && dstaddress=""
[[ ${srcaddress} == "-" ]] && srcaddress=""
${VER_IPTABLES} -A ${NAT} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${action}
${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
fi
}

Loading…
Cancel
Save