Add 'nat_devices': a list of devices that will be natted (besides dsl devices)

This commit is contained in:
Christoph 2017-03-21 02:25:52 +01:00
parent df03336118
commit 729539ecfb
4 changed files with 26 additions and 10 deletions

.gitignore vendored

@ -1,3 +1,4 @@
*.swp
conf/interfaces_ipv4.conf
conf/interfaces_ipv6.conf
conf/main_ipv4.conf


@ -36,6 +36,14 @@ local_if_7=""
local_ifs="$local_if_1 $local_if_2 $local_if_3 $local_if_4 $local_if_5 $local_if_6 $local_if_7"
# - Devices given in list "nat_devices" will be natted
# -
# - Notice: Devices "ext_if_dsl_n" will be natted and must not been given here.
# -
# - Blank separated list
# -
nat_devices=""
# - Are local alias interfaces like eth0:0 defined"
# -
local_alias_interfaces=true
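Review bot: The comment block above `nat_devices=""` should say what "natted" means for an entry, because in this commit a device in `nat_device_arr` gets both an egress MASQUERADE rule and the DNAT port forwards for every configured DMZ service that arrives on that interface; an administrator adding an interface here is therefore also exposing the DMZ forwards on it, which the config comment does not mention. Suggested wording: `# - Devices given in list "nat_devices" will be natted: outgoing traffic is masqueraded on them and the DMZ port forwards (DNAT) are applied to connections arriving on them.` The "Notice" line is also misleading now: the loop added in the same commit skips devices already present in the array, so listing an `ext_if_dsl_n` device here is harmless rather than forbidden; `# - Notice: Devices "ext_if_dsl_n" are natted automatically and need not be listed here.` would match the code. Nothing in this hunk validates entries, so the comment should state that entries must be interface names (blank separated, no wildcards).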


@ -17,15 +17,22 @@ done
# ---
# - Extern Network interfaces (DSL, Staic Lines, All together)
# ---
declare -a nat_device_arr
declare -a dsl_device_arr
declare -a ext_if_arr
for _dev in $ext_ifs_dsl ; do
dsl_device_arr+=("$_dev")
ext_if_arr+=("$_dev")
nat_device_arr+=("$_dev")
done
for _dev in $ext_ifs_static ; do
ext_if_arr+=("$_dev")
done
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# - VPN Interfaces
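Review bot: The new `containsElement $_dev "${nat_device_arr[@]}"` call leaves `$_dev` unquoted, while the sibling call sites in the firewall script quote their needle; `_dev` comes from word-splitting `$nat_devices` so it carries no whitespace, but a glob character in a config entry would still be expanded here, and the quoting is simply inconsistent. Change it to `if ! containsElement "$_dev" "${nat_device_arr[@]}" ; then`. The loop also accepts any token: an entry that is not in `ext_if_arr` (a local interface, or a typo) is added to `nat_device_arr` silently and only surfaces later as a failing `iptables -o` call or as masquerading on a LAN interface, so a one-line warning to stderr when `$_dev` is not found in `ext_if_arr` would make misconfiguration visible at start-up. If this script runs under `set -u` on bash older than 4.4, note that `"${nat_device_arr[@]}"` raises an unbound-variable error when `ext_ifs_dsl` is empty, because the array is declared but has no elements at that point; this is presumably not the case on the target system, but it is worth confirming. The loop bodies and the surrounding block start and end outside the hunk.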


@ -240,7 +240,7 @@ $ipt -Z
$ipt -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
for _dev in ${dsl_device_arr[@]} ; do
for _dev in ${nat_device_arr[@]} ; do
$ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
done
@ -1579,7 +1579,7 @@ if [[ ${#ssh_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${ssh_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${ssh_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
fi
$ipt -A FORWARD -i ${ssh_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@ -1739,7 +1739,7 @@ if [[ ${#vpn_server_dmz_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${vpn_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${vpn_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${vpn_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:$_port
fi
done
@ -1849,7 +1849,7 @@ if [[ ${#http_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${http_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${http_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
fi
$ipt -A FORWARD -i ${http_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@ -1909,7 +1909,7 @@ if [[ ${#http_ssl_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${http_ssl_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --syn --dport $standard_https_port -j DNAT --to $_ip:$standard_https_port
fi
$ipt -A FORWARD -i ${http_ssl_server_dmz_arr[$_ip]} -p tcp --dport $standard_https_port -d $_ip -j ACCEPT
@ -2081,7 +2081,7 @@ if [[ ${#mail_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${mail_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${mail_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -m conntrack --ctstate NEW -j DNAT --to $_ip:$_port
fi
$ipt -A FORWARD -i ${mail_server_dmz_arr[$_ip]} -p tcp --dport $_port -d $_ip -m conntrack --ctstate NEW -j ACCEPT
@ -2210,7 +2210,7 @@ if [[ ${#ftp_server_dmz_arr[@]} -gt 0 ]] && [[ -n $ftp_passive_port_range ]]; th
# - Nat if interface is on a dsl line
# -
if containsElement "${ftp_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${ftp_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 21 -j DNAT --to $_ip:21
$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport 20 -j DNAT --to $_ip:20
$ipt -t nat -A PREROUTING -i ${ftp_server_dmz_arr[$_ip]} -p tcp --dport $ftp_passive_port_range -j DNAT --to $_ip:${ftp_passive_port_arr[0]}-${ftp_passive_port_arr[1]}
@ -2377,7 +2377,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
IFS=':' read -a _udp_port_arr <<< ${_port}
if [[ -n "${_udp_port_arr[1]}" ]] ; then
$ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p udp --dport $_port -j DNAT --to $_ip:${_udp_port_arr[0]}-${_udp_port_arr[1]}
@ -2391,7 +2391,7 @@ if [[ ${#samba_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${samba_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${samba_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${samba_server_dmz_arr[$_ip]} -p tcp --dport $_port -j DNAT --to $_ip:$_port
fi
done
@ -3252,7 +3252,7 @@ if [[ ${#rm_server_dmz_arr[@]} -gt 0 ]] ; then
# - Nat if interface is on a dsl line
# -
if containsElement "${rm_server_dmz_arr[$_ip]}" "${dsl_device_arr[@]}" ; then
if containsElement "${rm_server_dmz_arr[$_ip]}" "${nat_device_arr[@]}" ; then
$ipt -t nat -A PREROUTING -i ${rm_server_dmz_arr[$_ip]} -p tcp --syn --dport $remote_console_port -j DNAT --to $_ip:$remote_console_port
fi
$ipt -A FORWARD -i ${rm_server_dmz_arr[$_ip]} -p tcp -d $_ip --dport $remote_console_port -m conntrack --ctstate NEW -j ACCEPT
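Review bot: Every changed condition in this file now tests `nat_device_arr`, but the comment two lines above each of them still reads `# - Nat if interface is on a dsl line` (the hunks at -1579, -1739, -1849, -1909, -2081, -2210, -2377, -2391 and -3252); since `nat_device_arr` also holds the interfaces from `nat_devices`, the comment no longer describes when the DNAT rule is installed. Suggested replacement at each of those places: `# - Nat if interface is a natted device (dsl line or listed in nat_devices)`. In the first hunk (-240) the new loop header `for _dev in ${nat_device_arr[@]} ; do` keeps the unquoted array expansion of the line it replaces; the rest of the file quotes this array, so `for _dev in "${nat_device_arr[@]}" ; do` would be consistent and avoids glob expansion of an odd config value. The enclosing `if`/`for` blocks of all these hunks start and end outside the visible lines.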