From 729539ecfb0a86857e611de491712f72eebe5d13 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 21 Mar 2017 02:25:52 +0100
Subject: [PATCH] Add 'nat_devices': a list of devices that will be natted (beside dsl devices)
---
 .gitignore | 1 +
 conf/interfaces_ipv4.conf.sample | 8 ++++++++
 conf/post_decalrations.conf | 7 +++++++
 ipt-firewall-gateway | 20 ++++++++++----------
 4 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6f2b3ea..220bb38 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+*.swp
 conf/interfaces_ipv4.conf
 conf/interfaces_ipv6.conf
 conf/main_ipv4.conf
diff --git a/conf/interfaces_ipv4.conf.sample b/conf/interfaces_ipv4.conf.sample
index 478911d..43127e1 100644
--- a/conf/interfaces_ipv4.conf.sample
+++ b/conf/interfaces_ipv4.conf.sample
@@ -36,6 +36,14 @@ local_if_7=""
 local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
+# -
+# - Blank separated list
+# -
+nat_devices=""
+
 # - Are local alias interfaces like eth0:0 defined"
 # -
 local_alias_interfaces=true
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index e24f0df..4774925 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -17,15 +17,22 @@ done
 # ---
 # - Extern Network interfaces (DSL, Staic Lines, All together)
 # ---
+declare -a nat_device_arr
 declare -a dsl_device_arr
 declare -a ext_if_arr
 for _dev in $ext_ifs_dsl ; do
 dsl_device_arr+=("$_dev")
 ext_if_arr+=("$_dev")
+ nat_device_arr+=("$_dev")
 done
 for _dev in $ext_ifs_static ; do
 ext_if_arr+=("$_dev")
 done
+for _dev in $nat_devices ; do
+ if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+ nat_device_arr+=("$_dev")
+ fi
+done
 # ---
 # - VPN Interfaces
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index 5a4de3d..ca6dd78 100755
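Review bot: The new comment block in interfaces_ipv4.conf.sample says DSL devices `must not been given here`, which is ungrammatical and also stronger than what the loader does: post_decalrations.conf adds the DSL devices to nat_device_arr first and skips any nat_devices entry that is already present, so a duplicate is harmless. Suggest `# - Notice: Devices "ext_if_dsl_n" are natted automatically and need not be listed here.` It would also help the administrator to say what "natted" means for a listed device, e.g. `# - Outgoing traffic on these devices is masqueraded and the DMZ port forwards are applied on them.`, since both effects are visible in the gateway hunks of this patch.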
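Review bot: In the new `for _dev in $nat_devices` loop of post_decalrations.conf, `$_dev` is passed to containsElement unquoted while every other containsElement call in this patch quotes its first argument; write `if ! containsElement "$_dev" "${nat_device_arr[@]}" ; then` for consistency. When `ext_ifs_dsl` is empty, nat_device_arr is still empty at this point, and `"${nat_device_arr[@]}"` on an empty array is an unbound-variable error under `set -u` on bash older than 4.4 — whether this file runs under `set -u` is not visible here. The loop also presumes containsElement is already defined when this file is sourced; if the function lives in the gateway script, it must be defined before this file is read.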
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -240,7 +240,7 @@ $ipt -Z
 $ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-for _dev in ${dsl_device_arr[@]} ; do
+for _dev in ${nat_device_arr[@]} ; do
 $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
 done
@@ -1579,7 +1579,7 @@ if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${ssh_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${ssh_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
 fi
 $ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@@ -1739,7 +1739,7 @@ if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${vpn_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${vpn_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
 fi
 done
@@ -1849,7 +1849,7 @@ if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${http_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${http_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
 fi
 $ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
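Review bot: The rewritten loop header in the @@ -240 hunk, `for _dev in ${nat_device_arr[@]} ; do`, leaves the array expansion unquoted (ShellCheck SC2068), so an element containing whitespace or glob characters would be word-split or expanded before it reaches iptables; `for _dev in "${nat_device_arr[@]}" ; do` is the safe form and matches how the other hunks of this patch quote the array. The MASQUERADE rule inside the loop is unchanged, but it now applies to every device listed in nat_devices rather than only DSL lines; if a comment above this block (outside the hunk) still describes it as DSL-only, it should be updated as well.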
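Review bot: The context comment `# - Nat if interface is on a dsl line` above the changed line in the @@ -1579 hunk is now stale: the condition holds for any device in nat_device_arr, i.e. DSL lines plus everything listed in nat_devices. Suggest `# - DNAT if the interface is a natted device (DSL line or listed in nat_devices)`. The same stale comment sits above the changed line in the hunks at -1739, -1849, -1909, -2081, -2210, -2377, -2391 and -3252 and should be updated in each. The enclosing loop over the DMZ server entries starts before this hunk and ends after it.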
@@ -1909,7 +1909,7 @@ if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port
 fi
 $ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
@@ -2081,7 +2081,7 @@ if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${mail_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${mail_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port
 fi
 $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@@ -2210,7 +2210,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${ftp_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
@@ -2377,7 +2377,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 IFS=':' read -a _udp_port_arr <<< ${_port}
 if [[ -n "${_udp_port_arr[1]}" ]] ; then
 $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]}
@@ -2391,7 +2391,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
 fi
 done
@@ -3252,7 +3252,7 @@ if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
 # - Nat if interface is on a dsl line
 # -
- if containsElement "${rm_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
+ if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
 $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port
 fi
 $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT