#! /bin/bash
#
# iptables-nat.sh, v1.2 (14-05-2004) - simple script to set NAT rules
# for IPTABLES on all the network devices marked as local (ZONE=local)
#
# Copyright (c) 2003-2004 by Silvan Calarco <silvan.calarco@qilinux.it>
# Copyright (c) 2003-2006 by Davide Madrisan <davide.madrisan@qilinux.it>
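. /etc/sysconfig/rc
. "$rc_functions"
. "$rc_networkfunctions"
. /etc/sysconfig/network

# fills ifzone_local[] with the interfaces marked ZONE=local
# (function provided by $rc_networkfunctions)
get_interfaces_by_zone
[ "${#ifzone_local[@]}" -eq 0 ] && exit 0   # no local interfaces found

# Print each argument as its own line on stderr.
warn() {
  printf '%s\n' "$@" 1>&2
}

# Fail closed while the NAT table is rebuilt: set every built-in chain to
# DROP, flush all rules and delete any user-defined chain.  Stop here if
# any step fails (e.g. the nat table is not available): adding rules on
# top of an unknown state would leave stale or duplicated chains behind,
# while the DROP policies already applied keep the table closed.
iptables -t nat -P PREROUTING DROP &&
iptables -t nat -P POSTROUTING DROP &&
iptables -t nat -P OUTPUT DROP &&
iptables -t nat -F &&
iptables -t nat -X ||
  { warn "ERROR: could not reset the NAT table, aborting."; exit 1; }

for int_name in "${ifzone_local[@]}"; do
  # get the parameters: int_ip, int_netmask, int_network
  # (set as globals by get_interface_parameters; on failure they may still
  # hold the values of the previous interface, hence the 'continue')
  if ! get_interface_parameters "$int_name"; then
    warn "WARNING: could not determine parameters for interface $int_name." \
         "$int_name will not be configured for NAT."
    continue
  fi

  if [ -z "$int_network" ] && [ "$natconfig" = 1 ]; then
    warn "WARNING: NETWORK variable for interface $int_name not set." \
         "$int_name will not be configured for NAT."
    continue
  fi

  if [ -z "$int_netmask" ] && [ "$natconfig" = 1 ]; then
    # historical default: a guess that does not match the real subnet
    # makes the ACCEPT rule below cover the wrong address range
    int_netmask="255.255.255.0"
    warn "WARNING: NETMASK variable missing for $int_name." \
         "Using $int_netmask."
  fi

  # both values are needed below; an empty one would build an invalid
  # "-s /mask" or "-d ip/" argument that iptables rejects
  if [ -z "$int_ip" ] || [ -z "$int_netmask" ]; then
    warn "WARNING: IP address or netmask unknown for $int_name." \
         "$int_name will not be configured for NAT."
    continue
  fi

  # masquerade rules, one user chain per local interface:
  # - packets from the private IP range to another address in the same
  #   private range are untouched;
  # - packets that get past that rule are from the private address range
  #   and are trying to get out to the internet: we NAT them;
  # - POSTROUTING siphons off any packet from the private IP range into
  #   the chain.
  chain="fromprivate.$int_name"
  iptables -t nat -N "$chain" &&
    iptables -t nat -A "$chain" -d "$int_ip/$int_netmask" -j ACCEPT &&
    iptables -t nat -A "$chain" -j MASQUERADE &&
    iptables -t nat -A POSTROUTING -s "$int_ip/$int_netmask" -j "$chain" ||
    warn "WARNING: could not install the NAT rules for $int_name."
done

# packets that get here can just hit the default policy
iptables -t nat -P PREROUTING ACCEPT &&
iptables -t nat -P POSTROUTING ACCEPT &&
iptables -t nat -P OUTPUT ACCEPT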