Add support for routing networks through wireguard connections.

conf/interfaces_ipv4.conf.sample

@@ -54,3 +54,10 @@ local_2_ip=""
 # NOT IN USE
 local_2_ip=""
 
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices=""
+

conf/interfaces_ipv6.conf.sample

@@ -53,3 +53,11 @@ local_1_ip=""
 local_2_ip=""
 # NOT IN USE
 local_2_ip=""
+
+
+# - Devices given in list "nat_devices" will be natted
+# -
+# - Blank separated list
+# -
+nat_devices=""
+

conf/post_decalrations.conf

@@ -5,6 +5,18 @@
 # --- Define Arrays
 # -----------
 
+# ---
+# NAT (Masquerade) Network interfaces
+# ---
+
+declare -a nat_device_arr=()
+for _dev in $nat_devices ; do
+   if ! containsElement $_dev "${nat_device_arr[@]}" ; then
+      nat_device_arr+=("$_dev")
+   fi
+done
+
+
 # ---
 # - IP Addresses to log
 # ---

ip6t-firewall-server

@@ -241,6 +241,18 @@ echo_done # Flushing firewall iptable (IPv6)..
 echo
 
 
+echononl "\tMasquerade (NAT) interfaces.."
+if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+   for _dev in ${nat_device_arr[@]} ; do
+      $ip6t -t nat -A POSTROUTING -o $_dev -j MASQUERADE
+   done
+   echo_done
+else
+   echo_skipped
+fi
+echo
+
+
 
 # -------------
 # --- Prevent bridged traffic getting pushed through the host's iptables rules
@@ -288,7 +300,6 @@ fi
 
 
 
-
 # -------------
 # ------------ Stopping firewall if only flushing was requested (parameter flush)
 # -------------
@@ -302,6 +313,34 @@ case $1 in
 esac
 
 
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+   $ip6t -A INPUT -i $_wg_if -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      $ip6t -A FORWARD -i $_wg_if -j ACCEPT
+   fi
+done
+echo_done
+
+
+# ---
+# - Permit all traffic through VPN lines
+# ---
+echononl "\tPermit all traffic through VPN lines.."
+for _vpn_if in ${vpn_if_arr[@]} ; do
+   $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
+   $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
+   if $kernel_forward_between_interfaces ; then
+      $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
+      $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
+   fi
+done
+echo_done
+
+
 
 # -------------
 # --- Pass through Devices Interfaces (not firewalled)
@@ -1008,36 +1047,6 @@ else
 fi
 
 
-# ---
-# - Permit all traffic through VPN lines
-# ---
-echononl "\tPermit all traffic through VPN lines.."
-for _vpn_if in ${vpn_if_arr[@]} ; do
-   $ip6t -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
-   $ip6t -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
-   if $kernel_forward_between_interfaces ; then
-      $ip6t -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
-      $ip6t -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
-   fi
-done
-echo_done
-
-
-# ---
-# - Permit all traffic through WireGuard lines
-# ---
-echononl "\tPermit all traffic through WireGuard lines.."
-for _wg_if in ${wg_if_arr[@]} ; do
-   $ip6t -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
-   if $kernel_forward_between_interfaces ; then
-      for _local_dev in ${local_if_arr[@]} ; do
-         $ip6t -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
-      done
-   fi
-done
-echo_done
-
-
 # ---
 # - Don't allow traffik into Unique local network (ULA)
 # ---

ipt-firewall-server

@@ -301,6 +301,18 @@ echo_done # Flushing firewall iptable (IPv6)..
 echo
 
 
+echononl "\tMasquerade (NAT) interfaces.."
+if [[ ${#nat_device_arr[@]} -gt 0 ]] && $kernel_activate_forwarding ; then
+   for _dev in ${nat_device_arr[@]} ; do
+      $ipt -t nat -A POSTROUTING -o $_dev -j MASQUERADE
+   done
+   echo_done
+else
+   echo_skipped
+fi
+echo
+
+
 
 # -------------
 # --- Prevent bridged traffic getting pushed through the host's iptables rules
@@ -348,7 +360,6 @@ fi
 
 
 
-
 # -------------
 # ------------ Stopping firewall if only flushing was requested (parameter flush)
 # -------------
@@ -362,6 +373,34 @@ case $1 in
 esac
 
 
+# ---
+# - Permit all traffic through WireGuard lines
+# ---
+echononl "\tPermit all traffic through WireGuard lines.."
+for _wg_if in ${wg_if_arr[@]} ; do
+   $ipt -A INPUT -i $_wg_if -j ACCEPT
+   if $kernel_activate_forwarding ; then
+      $ipt -A FORWARD -i $_wg_if -j ACCEPT
+   fi
+done
+echo_done
+
+
+# ---
+# - Permit all traffic through VPN lines
+# ---
+echononl "\tPermit all traffic through VPN lines.."
+for _vpn_if in ${vpn_if_arr[@]} ; do
+   $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
+   $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
+   if $kernel_activate_forwarding ; then
+      $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
+      $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
+   fi
+done
+echo_done
+
+
 
 # -------------
 # --- Pass through Devices Interfaces (not firewalled)
@@ -1169,36 +1208,6 @@ fi
 allow_all_outgoing_traffic=false
 
 
-# ---
-# - Permit all traffic through VPN lines
-# ---
-echononl "\tPermit all traffic through VPN lines.."
-for _vpn_if in ${vpn_if_arr[@]} ; do
-   $ipt -A INPUT -i $_vpn_if -m state --state NEW -j ACCEPT
-   $ipt -A OUTPUT -o $_vpn_if -m state --state NEW -j ACCEPT
-   if $kernel_activate_forwarding ; then
-      $ipt -A FORWARD -i $_vpn_if -m state --state NEW -j ACCEPT
-      $ipt -A FORWARD -o $_vpn_if -m state --state NEW -j ACCEPT
-   fi
-done
-echo_done
-
-
-# ---
-# - Permit all traffic through WireGuard lines
-# ---
-echononl "\tPermit all traffic through WireGuard lines.."
-for _wg_if in ${wg_if_arr[@]} ; do
-   $ipt -A INPUT -i $_wg_if -m conntrack --ctstate NEW -j ACCEPT
-   if $kernel_activate_forwarding ; then
-      for _local_dev in ${local_if_arr[@]} ; do
-         $ipt -A FORWARD -i $_wg_if -o $_local_dev -m conntrack --ctstate NEW -j ACCEPT
-      done
-   fi
-done
-echo_done
-
-
 # ---
 # - Don't allow traffic into private networks
 # ---