From a4640001b7903d4cb445aba70c71532f9c75852d Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Sat, 5 Apr 2014 22:56:00 +0000
Subject: [PATCH]

---
 etc/ipv4.conf | 10 ++++++++++
 etc/ipv6.conf | 10 ++++++++++
 lib/iptables.inc | 4 ++++
 3 files changed, 24 insertions(+)

diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index c72893b..76559eb 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -24,6 +24,15 @@ EnableTrustedv4Hosts="yes"
 # Values: no | yes (default)
 Enablev4MSSClamp="yes"
 
+# Enable connection tracking features of netfilter/iptables
+# conntracking allows the firewall to be smart about what
+# packets it allows and refuses. On highly loaded systems or
+# ones with low memory, this may be desirable. Everyone else
+# should probably leave this on.
+# Depended on by: Enablev4NAT
+# Values: no | yes (default)
+Enablev4ConnectionTracking="yes"
+
 # Use /etc/resolv.conf as source for DNS servers that we communicate
 # with as a client. If you turn this off (recommended if on static IP),
 # then you will need to manually define the DNS servers you use.
@@ -62,5 +71,6 @@ Enablev4Forwarding="yes"
 # Enable IPv4 NAT/NETMAP rules
 # This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
 # Config file: ipv4/nat.conf
+# Requires: Enablev4ConnectionTracking="yes"
 # Values: no | yes (default)
 Enablev4NAT="yes"
\ No newline at end of file
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index a9c5821..a9789ec 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
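Review bot: The sentence `# ones with low memory, this may be desirable.` in the new Enablev4ConnectionTracking comment block does not say whether enabling or disabling is the desirable action; the surrounding text implies disabling, so `# On highly loaded or low-memory systems turning it off may be desirable.` reads unambiguously. Because the block itself says conntracking is what lets the firewall be "smart" about what it allows, the comment should also state plainly what an operator gives up with `no` — presumably stateful matching of return traffic, which would then need explicit rules — so the knob is not read as a free performance switch; something like `# With "no", reply traffic is no longer matched by state and must be allowed by explicit rules.` The same wording is repeated in the ipv6.conf block and would want the same fix.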
@@ -24,6 +24,15 @@ EnableTrustedv6Hosts="yes"
 # Values: no | yes (default)
 Enablev6MSSClamp="yes"
 
+# Enable connection tracking features of netfilter/iptables
+# conntracking allows the firewall to be smart about what
+# packets it allows and refuses. On highly loaded systems or
+# ones with low memory, this may be desirable. Everyone else
+# should probably leave this on.
+# Depended on by: Enablev6NAT
+# Values: no | yes (default)
+Enablev6ConnectionTracking="yes"
+
 # Use /etc/resolv.conf as source for DNS servers that we communicate
 # with as a client. If you turn this off (recommended if on static IP),
 # then you will need to manually define the DNS servers you use.
@@ -62,5 +71,6 @@ Enablev6Forwarding="yes"
 # Enable IPv6 NAT/NETMAP rules
 # This allows you to set up NAT rules, SNAT, MASQ, and NETMAP
 # Config file: ipv4/nat.conf
+# Requires: Enablev6ConnectionTracking="yes"
 # Values: no | yes (default)
 Enablev6NAT="yes"
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index ff24dae..231c86b 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -372,6 +372,9 @@ function enable_nat {
 IPVER="4" ;;
 esac
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+([[ ${IPVER} == "4" ]] && [[ ${Enablev4ConnectionTracking} != "yes" ]]) && ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev4ConnectionTracking=no" && return 1
+([[ ${IPVER} == "6" ]] && [[ ${Enablev6ConnectionTracking} != "yes" ]]) && ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev6ConnectionTracking=no" && return 1
+
 if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
 while read -r type srcinterface srcaddress dstinterface dstaddress; do
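Review bot: The added `# Requires: Enablev6ConnectionTracking="yes"` line joins a comment block whose `# Config file: ipv4/nat.conf` line is wrong for the IPv6 option — enable_nat in lib/iptables.inc reads `${FWCONFIGDIR}/ipv${IPVER}/nat.conf`, which is ipv6/nat.conf when IPVER is 6 — and this commit edits the block without correcting it. Since the Requires line now directs operators to this block, change the context line to `# Config file: ipv6/nat.conf` in the same edit.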
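Review bot: The `return 1` on each new guard line only runs when `${display}` exits zero, so a display helper that is missing or fails lets the function fall through and load NAT rules despite the check; an `if` block makes the refusal unconditional. The same lines treat an unset variable as `!= "yes"`, so an existing ipv4.conf or ipv6.conf written before this option was added gets NAT silently refused after upgrade, contrary to the documented default of yes — unless the library sets a default elsewhere, `${Enablev4ConnectionTracking:-yes}` restores it (if fail-closed on unset is intended, keep the strict test but say "must be yes" in the message). The `( ... )` grouping also forks a subshell for nothing; one `[[ a && b ]]` test does the job. enable_nat begins before this hunk and ends after it.
```shell
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
    # NAT rules depend on connection tracking; refuse to load them rather
    # than continue. An unset flag (config written before this option
    # existed) follows the documented default of "yes".
    if [[ ${IPVER} == "4" && ${Enablev4ConnectionTracking:-yes} != "yes" ]] \
       || [[ ${IPVER} == "6" && ${Enablev6ConnectionTracking:-yes} != "yes" ]]; then
        ${display} RED "${FUNCNAME}: ERROR:${DEFAULT_COLOR} Unable to load NAT rules if Enablev${IPVER}ConnectionTracking=no"
        return 1
    fi
    # … unchanged: nat.conf existence check and read loop …
```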
@@ -411,4 +414,5 @@ function enable_nat {
 done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 fi
+
 }
\ No newline at end of file