#! /bin/bash
# Firewall nove generace pro Czela Debian 3.0
# Autor: Mirek Slugen
# Spoluatori: Michal Perlik, Michal Vondracek, Jan Chmelensky
# Vytvoreno: 06.11.2006
# Naposledy zmeneno: 11.1.2009
# Tento skript muzete volne sirit a upravovat.
#
# TODO: Dodelat nat typu tree, ktery potrebuje zjednoduseni, vycisteni kodu a testovani!!!
#

# prevede /X na xxx.xxx.xxx.xxx
#######################################
# Converts a CIDR prefix length (the N of /N) into a dotted-decimal
# netmask, e.g. 24 -> 255.255.255.0, 30 -> 255.255.255.252.
# Globals:   writes M1 M2 M3 M4 — one mask octet each, M1 being the
#            most significant; they are globals, callers read them
#            after the call
# Arguments: $1 - prefix length (expected 0..32; values outside that
#            range are not rejected)
# Outputs:   nothing
# Returns:   0
#######################################
convert_net_to_mask() {
  local octet edge
  # Octet N covers bits 8*(N-1)+1 .. 8*N of the address.  When the prefix
  # reaches the end of the octet (8*N - prefix <= 0) every bit is set;
  # otherwise the low (8*N - prefix) bits are cleared by shifting 255
  # left that far and masking back to one byte.
  for octet in 1 2 3 4; do
    edge=$(( octet * 8 - $1 ))
    if (( edge > 0 )); then
      printf -v "M${octet}" '%d' "$(( (255 << edge) & 255 ))"
    else
      printf -v "M${octet}" '%d' 255
    fi
  done
}
35 | | | |
# prevede napriklad 10.93.55.125/24 na 10.93.55.0/24
#######################################
# Splits an address in CIDR notation into its octets and prefix length
# and loads M1..M4 with the netmask of the next shorter prefix (N-1).
# Despite the name, the address itself is not rewritten here; the
# caller masks the octets with M1..M4 to step one level up the tree.
# Globals:   writes IP_POM (array of the four octets), BC (prefix N),
#            BCN (N-1) and, through convert_net_to_mask, M1..M4
# Arguments: $1 - address as a.b.c.d/N, e.g. 10.93.55.125/24
# Outputs:   nothing
# Returns:   status of convert_net_to_mask
#######################################
convert_ip_to_network() {
  # word splitting is intended: "a.b.c.d/N" -> (a.b.c.d N), then
  # "a.b.c.d" -> (a b c d)
  # shellcheck disable=SC2206
  local cidr_parts=(${1//\// })
  BC=${cidr_parts[1]}
  # shellcheck disable=SC2206
  IP_POM=(${cidr_parts[0]//./ })
  BCN=$(( BC - 1 ))
  convert_net_to_mask "$BCN"
}
44 | | | |
45 | | | # implementace natu |
#######################################
# Sets up 1:1 NAT (optionally with port forwards) for every entry in
# $NAT_CONFIG.
#
# Each config line is read as
#   UserName PublicIP PrivateIP [PrivateIP ...]
# (PrivateIP takes the rest of the line, so one user may list several
# entries).  Every PrivateIP entry has the form
#   LOCAL_IP[:PROTO:PUBLIC_PORT[:PRIVATE_PORT]]
# where PUBLIC_PORT may be a range "a-b" (rewritten to iptables' "a:b")
# and, in tree mode, LOCAL_IP may carry a /prefix.  Lines whose first
# field starts with '#' are only reported as commented out.
#
# Two modes, selected by NAT_TYPE:
#   * "tree": rules are written as text into $TMP/table_* and joined
#     into $TMP/table in iptables-restore syntax ("*table", ":chain",
#     "-A ...", "COMMIT"); loading that file is not done here.  Chains
#     are arranged as a tree of per-prefix sub-chains below INTERNAL_IP
#     / EXTERNAL_IP, presumably so a packet does not walk one flat list.
#   * anything else: each rule is inserted right away with $IPTABLES.
#
# Globals (read):    NAT_CONFIG NAT_TYPE NAT_DEV INTERNAL_IP EXTERNAL_IP
#                    IPTABLES IP TMP DUMMY_IFACE DUMMY_IP
# Globals (written): DUMMY_IFACE DUMMY_IP (defaulted when empty),
#                    INTERNAL_IP2 EXTERNAL_IP2, the scratch variables
#                    IP_POM M1..M4 BC BCN, and every per-entry temporary
#                    used below — nothing in here is declared local.
# Outputs:  progress and error messages on stdout.
# Returns:  0 always (the missing-config case returns 0 as well).
#
# NOTE(review): config fields are word-split and passed unquoted to
#   $IPTABLES / written into the rule files without any validation, so
#   a malformed line can alter the generated rule set.  Treat
#   NAT_CONFIG as a privileged file (administrator-writable only).
#######################################
nat() {
  # 1:1 NAT starts here
  echo -n "Starting NAT 1:1..."

  # Check for a missing configuration file.  Only the non-tree mode is
  # guarded; in tree mode a missing file surfaces later at the
  # "done < $NAT_CONFIG" redirect.  The early return is 0, so callers
  # cannot tell this case from success.
  if [ ! -e $NAT_CONFIG ] && [ "$NAT_TYPE" != "tree" ]; then
    echo "error, $NAT_CONFIG does not exist!"
    return 0
  fi

  # Default the dummy interface and, when DUMMY_IP is empty, take the
  # first IPv4 address shown on it ("inet" but not "inet6" line, second
  # field, /prefix cut off).  It is the SNAT source for traffic from
  # INTERNAL_IP to its own public addresses (the "! -o $NAT_DEV" rules
  # further down).
  [ "$DUMMY_IFACE" == "" ] && DUMMY_IFACE="dummy0"
  [ "$DUMMY_IP" == "" ] && DUMMY_IP="`$IP addr show $DUMMY_IFACE | grep inet | grep -v inet6 | awk '{print \$2}' | cut -d \"/\" -f1`"

  if [ "$NAT_TYPE" == "tree" ]; then
    # Base part of the five trees in total: a fresh scratch directory
    # with one file per table, each opened with its table header and
    # built-in chain policies.
    # NOTE(review): $TMP is unquoted and unguarded; an empty TMP makes
    # this rm/mkdir fail noisily and a TMP containing spaces would be
    # split — consider rm -rf -- "${TMP:?}".
    rm -rf $TMP
    mkdir -p $TMP
    # raw
    echo "*raw" >> "$TMP/table_raw"
    echo ":PREROUTING ACCEPT" >> "$TMP/table_raw"
    echo ":OUTPUT ACCEPT" >> "$TMP/table_raw"
    # nat (table_nat2 is the final nat table; table_nat collects the
    # per-entry chains and rules and is merged into it at the end)
    echo "*nat" >> "$TMP/table_nat2"
    echo ":PREROUTING ACCEPT" >> "$TMP/table_nat2"
    echo ":POSTROUTING ACCEPT" >> "$TMP/table_nat2"
    echo ":OUTPUT ACCEPT" >> "$TMP/table_nat2"
    # mangle
    echo "*mangle" >> "$TMP/table_mangle"
    echo ":PREROUTING ACCEPT" >> "$TMP/table_mangle"
    echo ":INPUT ACCEPT" >> "$TMP/table_mangle"
    echo ":FORWARD ACCEPT" >> "$TMP/table_mangle"
    echo ":OUTPUT ACCEPT" >> "$TMP/table_mangle"
    echo ":POSTROUTING ACCEPT" >> "$TMP/table_mangle"
    # filter (same split: table_fwd2 is final, table_fwd is merged in)
    echo "*filter" >> "$TMP/table_fwd2"
    echo ":INPUT ACCEPT" >> "$TMP/table_fwd2"
    echo ":FORWARD ACCEPT" >> "$TMP/table_fwd2"
    echo ":OUTPUT ACCEPT" >> "$TMP/table_fwd2"
    # reset the scratch variables shared with the convert_* helpers
    IP_POM=""
    M1=""
    M2=""
    M3=""
    M4=""
    BC=""
    BCN=""
    # create the base chains: INTERNAL_IP / EXTERNAL_IP are rewritten
    # from /prefix to address/dotted-mask form (convert_net_to_mask
    # fills M1..M4) and the top-level chains are hung off the built-in
    # chains.
    # NOTE(review): the FORWARD entry matches "-s $INTERNAL_IP2" on
    # "-i $NAT_DEV", while the leaf rules in chain_fwd_* and the non-tree
    # path match the internal host with "-d"; this looks like "-d" was
    # meant — verify before relying on the tree filter.
    convert_net_to_mask "`echo $INTERNAL_IP | cut -d/ -f2`"
    INTERNAL_IP2="`echo $INTERNAL_IP | cut -d/ -f1`/$M1.$M2.$M3.$M4"
    convert_net_to_mask "`echo $EXTERNAL_IP | cut -d/ -f2`"
    EXTERNAL_IP2="`echo $EXTERNAL_IP | cut -d/ -f1`/$M1.$M2.$M3.$M4"
    echo ":chain_fwd - [0:0]" >> "$TMP/table_fwd"
    echo "-A FORWARD -s $INTERNAL_IP2 -i $NAT_DEV -j chain_fwd" >> "$TMP/table_fwd"
    echo ":chain_pre - [0:0]" >> "$TMP/table_nat"
    echo "-A PREROUTING -d $EXTERNAL_IP2 -i $NAT_DEV -j chain_pre" >> "$TMP/table_nat"
    echo ":chain_pre_2 - [0:0]" >> "$TMP/table_nat"
    echo "-A PREROUTING -s $INTERNAL_IP2 -d $EXTERNAL_IP2 ! -i $NAT_DEV -j chain_pre_2" >> "$TMP/table_nat"
    echo ":chain_post - [0:0]" >> "$TMP/table_nat"
    echo "-A POSTROUTING -s $INTERNAL_IP2 -o $NAT_DEV -j chain_post" >> "$TMP/table_nat"
    echo ":chain_post_2 - [0:0]" >> "$TMP/table_nat"
    echo "-A POSTROUTING -s $INTERNAL_IP2 -d $INTERNAL_IP2 ! -o $NAT_DEV -j chain_post_2" >> "$TMP/table_nat"
  fi

  echo ""
  # We don't use a uniform syntax everywhere
  # NOTE(review): read without -r and without IFS= mangles backslashes
  # and leading whitespace in config lines; harmless for plain addresses.
  while read UserName PublicIP PrivateIP; do # standard in Czela Debian, the best in my opinion! :)
    if [ "`echo $UserName | cut -c1`" == "#" ]; then
      # Blank lines are skipped; only non-empty lines are treated as
      # users, i.e. they are reported as commented out
      if [ "`echo $UserName | cut -c2`" != " " ] && [ "`echo $UserName | cut -c2`" != "" ] && [ "`echo $UserName | cut -c2`" != "#" ]; then
        echo " $UserName commented"
      fi
    else
      echo " $UserName ($PrivateIP -> $PublicIP)"
      # PrivateIP holds the rest of the line, so a user may have several
      # local entries
      for LOCAL_IP in $PrivateIP; do
        PORT_TYPE=""
        PUBLIC_PORT=""
        PRIVATE_PORT=""
        # split off the ports: LOCAL_IP:PROTO:PUBLIC_PORT[:PRIVATE_PORT]
        if [ "`echo $LOCAL_IP | grep :`" != "" ]; then
          PORT_TYPE="`echo $LOCAL_IP | cut -d: -f2`"
          PUBLIC_PORT="`echo $LOCAL_IP | cut -d: -f3`"
          PRIVATE_PORT="`echo $LOCAL_IP | cut -d: -f4`"
        fi
        # local ip must come last!
        LOCAL_IP="`echo $LOCAL_IP | cut -d: -f1`"
        # a port range written as "a-b" becomes the iptables "a:b" form
        if [ "`echo $PUBLIC_PORT | grep -`" != "" ]; then
          PUBLIC_PORT="`echo $PUBLIC_PORT | cut -d- -f1`:`echo $PUBLIC_PORT | cut -d- -f2`"
        fi

        if [ "$NAT_TYPE" == "tree" ]; then
          # Normalise the local side: LOCAL_IP keeps a /prefix for the
          # tree walk (a bare host becomes /32), LOCAL_IP2 is what the
          # rules match on (the host, or address/dotted-mask for a real
          # range) and LOCAL_IP3 is set only for a real range, in which
          # case it replaces LOCAL_IP2 as the DNAT target.
          LOCAL_IP3=""
          if [ "`echo $LOCAL_IP | grep /`" == "" ]; then
            LOCAL_IP2="$LOCAL_IP"
            LOCAL_IP=$LOCAL_IP/32
          else
            LOCAL_POM3="`echo $LOCAL_IP | cut -d/ -f2`"
            if [ "$LOCAL_POM3" != "32" ]; then
              convert_net_to_mask "$LOCAL_POM3"
              LOCAL_IP2="`echo $LOCAL_IP | cut -d/ -f1`/$M1.$M2.$M3.$M4"
              # if we are given a range, NAT to the first address of that range
              #LOCAL_IP3="`echo $LOCAL_IP | cut -d. -f1`.`echo $LOCAL_IP | cut -d. -f2`.`echo $LOCAL_IP | cut -d. -f3`.$((`echo $LOCAL_IP | cut -d. -f4 | cut -d/ -f1` + 1))"
              LOCAL_IP3="`echo $LOCAL_IP | cut -d/ -f1`"
            else
              LOCAL_IP2="`echo $LOCAL_IP | cut -d/ -f1`"
            fi
          fi
          # Same for the public side; only a single host (no prefix or
          # /32) is accepted.
          # NOTE(review): on the error branch PublicIP2 is left holding
          # the previous entry's value and processing continues, so a
          # bad public address can produce rules for the wrong public
          # IP — a "continue" after the message would be safer.
          if [ "`echo $PublicIP | grep /`" == "" ]; then
            PublicIP2="$PublicIP"
            PublicIP="${PublicIP}/32"
          else
            if [ "`echo $PublicIP | cut -d/ -f2`" != "32" ]; then
              echo "Verejna adresa pro $UserName je zadana spatne!"
            else
              PublicIP2="`echo $PublicIP | cut -d/ -f1`"
            fi
          fi
          # This part is again for generating the tree
          # where the split is by INTERNAL_IP
          # chain_post
          #
          # Walk from the entry's prefix up to INTERNAL_IP's prefix one
          # bit at a time (J steps).  Each step declares the chains for
          # the current network and prepends the network and its chain
          # names to IP_POMS / CHAINS_*, so those lists end up ordered
          # from the widest network down to the entry itself.
          # convert_ip_to_network splits IP_POM into octets and loads
          # M1..M4 with the mask of the next shorter prefix (BCN);
          # masking the octets with it yields the parent network.  A
          # chain name is the four octets run together plus "_prefix";
          # LOCAL_POM keeps the leaf's name for the rules emitted below.
          # Chain declarations are repeated for every entry that passes
          # through a network and are deduplicated at the end.
          I="0"
          J="$((`echo $LOCAL_IP | cut -d/ -f2` - `echo $INTERNAL_IP | cut -d/ -f2`))"
          IP_POM="$LOCAL_IP"
          CHAINS_POST=""
          CHAINS_POST_2=""
          CHAINS_FWD=""
          IP_POMS=""
          while [ $I -lt $J ]; do
            convert_ip_to_network "$IP_POM"
            CHAIN="${IP_POM[0]}${IP_POM[1]}${IP_POM[2]}${IP_POM[3]}_$BC"
            if [ "$I" == "0" ]; then
              LOCAL_POM="$CHAIN"
            fi
            CHAIN_POST="chain_post_$CHAIN"
            CHAIN_POST_2="chain_post_2_$CHAIN"
            CHAIN_FWD="chain_fwd_$CHAIN"
            echo ":$CHAIN_POST - [0:0]" >> "$TMP/table_nat"
            echo ":$CHAIN_POST_2 - [0:0]" >> "$TMP/table_nat"
            echo ":$CHAIN_FWD - [0:0]" >> "$TMP/table_fwd"
            IP_POMS="${IP_POM[0]}.${IP_POM[1]}.${IP_POM[2]}.${IP_POM[3]}/$BC $IP_POMS"
            CHAINS_POST="$CHAIN_POST $CHAINS_POST"
            CHAINS_POST_2="$CHAIN_POST_2 $CHAINS_POST_2"
            CHAINS_FWD="$CHAIN_FWD $CHAINS_FWD"
            IP_POM="$((${IP_POM[0]} & $M1)).$((${IP_POM[1]} & $M2)).$((${IP_POM[2]} & $M3)).$((${IP_POM[3]} & $M4))/$BCN"
            # ((I++)) returns 1 when I was 0, so these loops are not
            # "set -e" safe
            ((I++))
          done
          # Prepend the top-level chain, then link each level to the
          # next: for network number I of IP_POMS (widest first), field
          # I of CHAINS_* is the parent chain and field I+1 the child.
          CHAINS_POST="chain_post $CHAINS_POST"
          CHAINS_POST_2="chain_post_2 $CHAINS_POST_2"
          CHAINS_FWD="chain_fwd $CHAINS_FWD"
          I="1"
          for IP_POM in $IP_POMS; do
            CHAIN_POST="`echo $CHAINS_POST | cut -d \" \" -f $I`"
            CHAIN_POST_2="`echo $CHAINS_POST_2 | cut -d \" \" -f $I`"
            CHAIN_FWD="`echo $CHAINS_FWD | cut -d \" \" -f $I`"
            CHAIND_POST="`echo $CHAINS_POST | cut -d \" \" -f $(($I + 1))`"
            CHAIND_POST_2="`echo $CHAINS_POST_2 | cut -d \" \" -f $(($I + 1))`"
            CHAIND_FWD="`echo $CHAINS_FWD | cut -d \" \" -f $(($I + 1))`"
            # rewrite the network to address/dotted-mask for the match
            if [ "`echo $IP_POM | cut -d/ -f2`" != "32" ]; then
              convert_net_to_mask "`echo $IP_POM | cut -d/ -f2`"
              IP_POM="`echo $IP_POM | cut -d/ -f1`/$M1.$M2.$M3.$M4"
            else
              IP_POM="`echo $IP_POM | cut -d/ -f1`"
            fi
            echo "-A $CHAIN_POST -s $IP_POM -j $CHAIND_POST" >> "$TMP/table_nat"
            echo "-A $CHAIN_POST_2 -d $IP_POM -j $CHAIND_POST_2" >> "$TMP/table_nat"
            echo "-A $CHAIN_FWD -d $IP_POM -j $CHAIND_FWD" >> "$TMP/table_fwd"
            ((I++))
          done
          # for those split by EXTERNAL_IP
          # chain_pre
          # Same walk as above, from PublicIP's prefix up to
          # EXTERNAL_IP's; PUBLIC_POM keeps the leaf's chain name.
          I="0"
          J="$((`echo $PublicIP | cut -d/ -f2` - `echo $EXTERNAL_IP | cut -d/ -f2`))"
          IP_POM="$PublicIP"
          CHAINS_PRE=""
          CHAINS_PRE_2=""
          IP_POMS=""
          while [ $I -lt $J ]; do
            convert_ip_to_network "$IP_POM"
            CHAIN="${IP_POM[0]}${IP_POM[1]}${IP_POM[2]}${IP_POM[3]}_$BC"
            if [ "$I" == "0" ]; then
              PUBLIC_POM="$CHAIN"
            fi
            CHAIN_PRE="chain_pre_$CHAIN"
            CHAIN_PRE_2="chain_pre_2_$CHAIN"
            echo ":$CHAIN_PRE - [0:0]" >> "$TMP/table_nat"
            echo ":$CHAIN_PRE_2 - [0:0]" >> "$TMP/table_nat"
            IP_POMS="${IP_POM[0]}.${IP_POM[1]}.${IP_POM[2]}.${IP_POM[3]}/$BC $IP_POMS"
            CHAINS_PRE="$CHAIN_PRE $CHAINS_PRE"
            CHAINS_PRE_2="$CHAIN_PRE_2 $CHAINS_PRE_2"
            IP_POM="$((${IP_POM[0]} & $M1)).$((${IP_POM[1]} & $M2)).$((${IP_POM[2]} & $M3)).$((${IP_POM[3]} & $M4))/$BCN"
            ((I++))
          done
          CHAINS_PRE="chain_pre $CHAINS_PRE"
          CHAINS_PRE_2="chain_pre_2 $CHAINS_PRE_2"
          I="1"
          for IP_POM in $IP_POMS; do
            CHAIN_PRE="`echo $CHAINS_PRE | cut -d \" \" -f $I`"
            CHAIN_PRE_2="`echo $CHAINS_PRE_2 | cut -d \" \" -f $I`"
            CHAIND_PRE="`echo $CHAINS_PRE | cut -d \" \" -f $(($I + 1))`"
            CHAIND_PRE_2="`echo $CHAINS_PRE_2 | cut -d \" \" -f $(($I + 1))`"
            if [ "`echo $IP_POM | cut -d/ -f2`" != "32" ]; then
              convert_net_to_mask "`echo $IP_POM | cut -d/ -f2`"
              IP_POM="`echo $IP_POM | cut -d/ -f1`/$M1.$M2.$M3.$M4"
            else
              IP_POM="`echo $IP_POM | cut -d/ -f1`"
            fi
            echo "-A $CHAIN_PRE -d $IP_POM -j $CHAIND_PRE" >> "$TMP/table_nat"
            echo "-A $CHAIN_PRE_2 -d $IP_POM -j $CHAIND_PRE_2" >> "$TMP/table_nat"
            ((I++))
          done
          # and the tree is behind us
          # 1:1 NAT
          if [ "$PUBLIC_PORT" == "" ]; then
            # If there are several entries for one public IP address, only the first one becomes fully public (this can still be optimised by about 15 seconds for 1500 entries)
            # (the check greps the leaf chain already written for this
            # public IP; field 4 of a "-A chain -d IP ..." line is the
            # address, so an existing plain DNAT for PublicIP2 makes the
            # two strings equal and the entry is skipped)
            if [ "`cat $TMP/table_nat | grep \"chain_pre_$PUBLIC_POM\" | grep DNAT | grep -v \"dport\" | cut -d \" \" -f 4`" != "$PublicIP2" ]; then
              if [ "$LOCAL_IP3" != "" ]; then
                echo "-A chain_pre_$PUBLIC_POM -d $PublicIP2 -j DNAT --to-destination $LOCAL_IP3" >> "$TMP/table_nat"
                echo "-A chain_pre_2_$PUBLIC_POM -d $PublicIP2 -j DNAT --to-destination $LOCAL_IP3" >> "$TMP/table_nat"
                echo "-A chain_post_2_$LOCAL_POM -d $LOCAL_IP3 -j SNAT --to-source $DUMMY_IP" >> "$TMP/table_nat"
              else
                echo "-A chain_pre_$PUBLIC_POM -d $PublicIP2 -j DNAT --to-destination $LOCAL_IP2" >> "$TMP/table_nat"
                echo "-A chain_pre_2_$PUBLIC_POM -d $PublicIP2 -j DNAT --to-destination $LOCAL_IP2" >> "$TMP/table_nat"
                echo "-A chain_post_2_$LOCAL_POM -d $LOCAL_IP2 -j SNAT --to-source $DUMMY_IP" >> "$TMP/table_nat"
              fi
            fi
            # If there are several entries for one internal IP address, report an error; we prefer to check fwd, which is shorter! (this can also be optimised by about 10 seconds for 1500 entries)
            if [ "`cat $TMP/table_fwd | grep \"chain_fwd_$LOCAL_POM\" | grep ACCEPT | grep -v \"dport\" | cut -d \" \" -f 4`" != "$LOCAL_IP2" ]; then
              echo "-A chain_post_"$LOCAL_POM" -s $LOCAL_IP2 -j SNAT --to-source $PublicIP2" >> "$TMP/table_nat"
              # this ACCEPT covers every protocol and port towards the
              # internal host; any narrower filtering has to come from
              # elsewhere
              echo "-A chain_fwd_$LOCAL_POM -d $LOCAL_IP2 -j ACCEPT" >> "$TMP/table_fwd"
            else
              echo "Chyba, zaznam pro lokalni adresu uz existuje!"
            fi
          elif [ "$PRIVATE_PORT" == "" ]; then
            # It is not yet clear whether ports work correctly!!!
            # Validating correctness here is quite demanding; it simply has to be right!
            # Port forward with the same port on both sides: PUBLIC_PORT
            # on PublicIP2 is DNATed to LOCAL_IP2, replies are SNATed to
            # PublicIP2, and only that port is accepted in FORWARD.  The
            # "_2" chains repeat the mapping for traffic from the LAN
            # (note that chain_pre_2 is not restricted to the port).
            echo "-A chain_pre_$PUBLIC_POM -d $PublicIP2 -p $PORT_TYPE -m $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to-destination $LOCAL_IP2" >> "$TMP/table_nat"
            echo "-A chain_post_"$LOCAL_POM" -s $LOCAL_IP2 -j SNAT --to-source $PublicIP2" >> "$TMP/table_nat"
            echo "-A chain_fwd_$LOCAL_POM -d $LOCAL_IP2 -p $PORT_TYPE -m $PORT_TYPE --dport $PUBLIC_PORT -j ACCEPT" >> "$TMP/table_fwd"
            echo "-A chain_pre_2_$PUBLIC_POM -d $PublicIP2 -j DNAT --to-destination $LOCAL_IP2" >> "$TMP/table_nat"
            echo "-A chain_post_2_$LOCAL_POM -d $LOCAL_IP2 -j SNAT --to-source $DUMMY_IP" >> "$TMP/table_nat"
          else
            # Validating correctness here is quite demanding; it simply has to be right!
            # Port forward with a translated port: PUBLIC_PORT on the
            # public side maps to PRIVATE_PORT on LOCAL_IP2, and FORWARD
            # accepts the private port.
            echo "-A chain_pre_$PUBLIC_POM -d $PublicIP2 -p $PORT_TYPE -m $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to-destination $LOCAL_IP2:$PRIVATE_PORT" >> "$TMP/table_nat"
            echo "-A chain_post_"$LOCAL_POM" -s $LOCAL_IP2 -j SNAT --to-source $PublicIP2" >> "$TMP/table_nat"
            echo "-A chain_fwd_$LOCAL_POM -d $LOCAL_IP2 -p $PORT_TYPE -m $PORT_TYPE --dport $PRIVATE_PORT -j ACCEPT" >> "$TMP/table_fwd"
            echo "-A chain_pre_2_$PUBLIC_POM -d $PublicIP2 -p $PORT_TYPE -m $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to-destination $LOCAL_IP2:$PRIVATE_PORT" >> "$TMP/table_nat"
            echo "-A chain_post_2_$LOCAL_POM -d $LOCAL_IP2 -p $PORT_TYPE -m $PORT_TYPE --dport $PRIVATE_PORT -j SNAT --to-source $DUMMY_IP" >> "$TMP/table_nat"
          fi
        else
          #echo $PublicIP $LOCAL_IP
          # basic 1:1 NAT - original version: rules go straight to
          # iptables.  "-I" inserts at the head of the chain, so entries
          # later in the config are evaluated before earlier ones.  The
          # plain 1:1 case accepts every protocol and port towards the
          # internal host in FORWARD.
          if [ "$PUBLIC_PORT" == "" ]; then
            $IPTABLES -t nat -I PREROUTING -d $PublicIP -j DNAT --to $LOCAL_IP
            $IPTABLES -t nat -I POSTROUTING -o $NAT_DEV -s $LOCAL_IP -j SNAT --to $PublicIP
            $IPTABLES -I FORWARD -i $NAT_DEV -d $LOCAL_IP -j ACCEPT
          elif [ "$PRIVATE_PORT" == "" ]; then
            $IPTABLES -t nat -I PREROUTING -d $PublicIP -p $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to $LOCAL_IP
            $IPTABLES -t nat -I POSTROUTING -o $NAT_DEV -s $LOCAL_IP -j SNAT --to $PublicIP
            $IPTABLES -I FORWARD -i $NAT_DEV -d $LOCAL_IP -p $PORT_TYPE --dport $PUBLIC_PORT -j ACCEPT
          else
            $IPTABLES -t nat -I PREROUTING -d $PublicIP -p $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to $LOCAL_IP:$PRIVATE_PORT
            $IPTABLES -t nat -I POSTROUTING -o $NAT_DEV -s $LOCAL_IP -j SNAT --to $PublicIP
            $IPTABLES -I FORWARD -i $NAT_DEV -d $LOCAL_IP -p $PORT_TYPE --dport $PRIVATE_PORT -j ACCEPT
          fi
          # It would also be nice to be able to ping your own public IP
          # from inside the network; ideally this needs a dummy
          # interface, another option is to set DUMMY_IFACE to one of
          # the LAN interfaces where no NAT is done.
          # (traffic from INTERNAL_IP to PublicIP arriving on any
          # interface other than NAT_DEV is DNATed to the host and its
          # source rewritten to DUMMY_IP so the reply comes back through
          # this box)
          if [ "$DUMMY_IP" != "" ]; then
            if [ "$PUBLIC_PORT" == "" ]; then
              $IPTABLES -t nat -I PREROUTING ! -i $NAT_DEV -s $INTERNAL_IP -d $PublicIP -j DNAT --to $LOCAL_IP
              $IPTABLES -t nat -I POSTROUTING ! -o $NAT_DEV -s $INTERNAL_IP -d $LOCAL_IP -j SNAT --to $DUMMY_IP
            elif [ "$PRIVATE_PORT" == "" ]; then
              $IPTABLES -t nat -I PREROUTING ! -i $NAT_DEV -s $INTERNAL_IP -d $PublicIP -p $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to $LOCAL_IP
              $IPTABLES -t nat -I POSTROUTING ! -o $NAT_DEV -s $INTERNAL_IP -d $LOCAL_IP -p $PORT_TYPE --dport $PUBLIC_PORT -j SNAT --to $DUMMY_IP
            else
              $IPTABLES -t nat -I PREROUTING ! -i $NAT_DEV -s $INTERNAL_IP -d $PublicIP -p $PORT_TYPE --dport $PUBLIC_PORT -j DNAT --to $LOCAL_IP:$PRIVATE_PORT
              $IPTABLES -t nat -I POSTROUTING ! -o $NAT_DEV -s $INTERNAL_IP -d $LOCAL_IP -p $PORT_TYPE --dport $PRIVATE_PORT -j SNAT --to $DUMMY_IP
            fi
          fi
        fi
      done
    fi
  done < $NAT_CONFIG

  # For NAT type "tree" we must join the files into a single table.
  # sort|uniq collapses the chain declarations that the tree walk
  # repeats for every entry; the sort key starts at field 2, i.e. the
  # chain name of both ":chain" and "-A chain" lines.
  # NOTE(review): the key runs to the end of the line, so "-A" rules
  # inside one chain come out in lexical order rather than config
  # order; presumably harmless because the rules in one chain match
  # disjoint addresses/ports, but confirm before adding overlapping
  # entries.
  if [ "$NAT_TYPE" == "tree" ]; then
    cat $TMP/table_nat | sort -k 2.1 | uniq >> $TMP/table_nat2
    cat $TMP/table_fwd | sort -k 2.1 | uniq >> $TMP/table_fwd2
    cat "$TMP/table_raw" >> "$TMP/table"
    echo "COMMIT" >> "$TMP/table"
    cat "$TMP/table_nat2" >> "$TMP/table"
    echo "COMMIT" >> "$TMP/table"
    cat "$TMP/table_mangle" >> "$TMP/table"
    echo "COMMIT" >> "$TMP/table"
    cat "$TMP/table_fwd2" >> "$TMP/table"
    echo "COMMIT" >> "$TMP/table"
    echo "done."
  fi
}