firewall/ipt-gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add 'nat_devices': a list of devices that will be natted (beside dsl devices)

Browse Source
This commit is contained in:
Christoph 2017-03-21 02:25:52 +01:00
parent df03336118
commit 729539ecfb
4 changed files with 26 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
*.swp
conf/interfaces_ipv4.conf conf/interfaces_ipv4.conf
conf/interfaces_ipv6.conf conf/interfaces_ipv6.conf
conf/main_ipv4.conf conf/main_ipv4.conf

8
conf/interfaces_ipv4.conf.sample
View File

@ -36,6 +36,14 @@ local_if_7=""
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7" local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
# - Devices given in list "nat_devices" will be natted
# -
# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
# -
# - Blank separated list
# -
nat_devices=""
# - Are local alias interfaces like eth0:0 defined" # - Are local alias interfaces like eth0:0 defined"
# - # -
local_alias_interfaces=true local_alias_interfaces=true

7
conf/post_decalrations.conf
View File

@ -17,15 +17,22 @@ done
# --- # ---
# - Extern Network interfaces (DSL, Staic Lines, All together) # - Extern Network interfaces (DSL, Staic Lines, All together)
# --- # ---
declare -a nat_device_arr
declare -a dsl_device_arr declare -a dsl_device_arr
declare -a ext_if_arr declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do for _dev in $ext_ifs_dsl ; do
dsl_device_arr+=("$_dev") dsl_device_arr+=("$_dev")
ext_if_arr+=("$_dev") ext_if_arr+=("$_dev")
nat_device_arr+=("$_dev")
done done
for _dev in $ext_ifs_static ; do for _dev in $ext_ifs_static ; do
ext_if_arr+=("$_dev") ext_if_arr+=("$_dev")
done done
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# --- # ---
# - VPN Interfaces # - VPN Interfaces

20
ipt-firewall-gateway
View File

@ -240,7 +240,7 @@ $ipt -Z
$ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
for _dev in ${dsl_device_arr[@]} ; do for _dev in ${nat_device_arr[@]} ; do
$ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
done done
@ -1579,7 +1579,7 @@ if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${ssh_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${ssh_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port $ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
fi fi
$ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@ -1739,7 +1739,7 @@ if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${vpn_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${vpn_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port $ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
fi fi
done done
@ -1849,7 +1849,7 @@ if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${http_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${http_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port $ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
fi fi
$ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@ -1909,7 +1909,7 @@ if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port $ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port
fi fi
$ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT $ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
@ -2081,7 +2081,7 @@ if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${mail_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${mail_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port $ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port
fi fi
$ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@ -2210,7 +2210,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${ftp_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20 $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]} $ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
@ -2377,7 +2377,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
IFS=':' read -a _udp_port_arr <<< ${_port} IFS=':' read -a _udp_port_arr <<< ${_port}
if [[ -n "${_udp_port_arr[1]}" ]] ; then if [[ -n "${_udp_port_arr[1]}" ]] ; then
$ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]} $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]}
@ -2391,7 +2391,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port $ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
fi fi
done done
@ -3252,7 +3252,7 @@ if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line # - Nat if interface is on a dsl line
# - # -
if containsElement "${rm_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port $ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port
fi fi
$ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT $ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT