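#! /bin/bash
#
# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules
# for IPTABLES on all the network devices marked as local (ZONE=local)
#
# Copyright (c) 2003-2004 by Silvan Calarco
# Copyright (c) 2003-2006 by Davide Madrisan
#
# Inputs (all come from the sourced sysconfig files and helper functions):
#   ifzone_local[]                  - interfaces in zone "local",
#                                     filled by get_interfaces_by_zone
#   int_ip, int_netmask, int_network - per-interface values, filled by
#                                     get_interface_parameters <iface>
#   natconfig                       - when "1", a missing NETWORK/NETMASK
#                                     is reported (NETMASK defaults to /24)
# Output: diagnostics on stderr only.
# Exit status: 0 when there is nothing to do or the rules were (best-effort)
#   installed; 1 when the nat table could not be reset at all.

. /etc/sysconfig/rc
. "$rc_functions"
. "$rc_networkfunctions"
. /etc/sysconfig/network

# Set the three nat-table built-in policies to $1 (ACCEPT or DROP).
# Returns non-zero as soon as one iptables call fails.
set_nat_policies() {
  iptables -t nat -P PREROUTING "$1" && \
  iptables -t nat -P POSTROUTING "$1" && \
  iptables -t nat -P OUTPUT "$1"
}

# Report on stderr that interface $1 is skipped, with reason $2.
skip_interface() {
  echo "\
WARNING: $2
$1 will not be configured for NAT." 1>&2
}

get_interfaces_by_zone
# no local interfaces found: nothing to NAT
[ "${#ifzone_local[@]}" -eq 0 ] && exit 0

# Fail closed while the table is rebuilt: drop everything the nat table
# sees, then flush all rules and delete the user-defined (fromprivate.*)
# chains left by a previous run.  NOTE(review): the nat table is only
# consulted for the first packet of a connection, so flows already known
# to conntrack are not cut by this window.
if ! { set_nat_policies DROP && iptables -t nat -F && iptables -t nat -X; }; then
  # Do not pile new rules onto a table that still holds stale ones; reopen
  # the built-in chains so the box is not left with a DROP policy.
  echo "WARNING: could not reset the nat table; NAT not (re)configured." 1>&2
  set_nat_policies ACCEPT
  exit 1
fi

for int_name in "${ifzone_local[@]}"; do
  # get the parameters: int_ip, int_netmask, int_network
  if ! get_interface_parameters "$int_name"; then
    skip_interface "$int_name" \
      "could not determine parameters for interface $int_name."
    continue
  fi
  # the address is used as both the MASQUERADE source match and the
  # same-subnet exemption; without it the rules below cannot be built
  if [ -z "$int_ip" ]; then
    skip_interface "$int_name" "IP address for interface $int_name not set."
    continue
  fi
  if [ -z "$int_network" ] && [ "$natconfig" = 1 ]; then
    skip_interface "$int_name" \
      "NETWORK variable for interface $int_name not set."
    continue
  fi
  if [ -z "$int_netmask" ] && [ "$natconfig" = 1 ]; then
    int_netmask="255.255.255.0"
    echo "\
WARNING: NETMASK variable missing for $int_name. Using $int_netmask." 1>&2
  fi
  # an empty netmask would produce the match "$int_ip/", which iptables
  # rejects; skip rather than guess a prefix length
  if [ -z "$int_netmask" ]; then
    skip_interface "$int_name" "NETMASK variable missing for $int_name."
    continue
  fi

  # masquerade rules.  The chain is named after the interface; an interface
  # name is at most 15 characters, so "fromprivate." + name stays within the
  # iptables chain-name limit.  The POSTROUTING jump is added LAST, so a
  # chain whose rules failed to install is never reachable.
  chain="fromprivate.$int_name"
  subnet="$int_ip/$int_netmask"
  if ! iptables -t nat -N "$chain"; then
    skip_interface "$int_name" "could not create nat chain $chain."
    continue
  fi
  # packets staying inside this interface's own subnet are untouched.
  # NOTE(review): traffic towards the subnet of *another* local-zone
  # interface does not match here and is therefore masqueraded too.
  if ! iptables -t nat -A "$chain" -d "$subnet" -j ACCEPT; then
    skip_interface "$int_name" "could not add the same-subnet exemption."
    continue
  fi
  # packets that get here are from the private address range
  # and are trying to get out to the internet. We NAT them.
  if ! iptables -t nat -A "$chain" -j MASQUERADE; then
    skip_interface "$int_name" "could not add the MASQUERADE rule."
    continue
  fi
  # siphon off any packets that are from the private IP range
  if ! iptables -t nat -A POSTROUTING -s "$subnet" -j "$chain"; then
    skip_interface "$int_name" "could not hook $chain into POSTROUTING."
    continue
  fi
done

# packets that get here can just hit the default policy
set_nat_policies ACCEPT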