| 1 | #!/bin/sh |
| 2 | |
| 3 | . /lib/functions.sh |
| 4 | . /lib/functions/network.sh |
| 5 | |
| 6 | if [ "$ACTION" = "remove" ]; then |
| 7 | |
| 8 | delete_rules_by_comment() { |
| 9 | local table="$1" |
| 10 | local chain="$2" |
| 11 | local comment="$3" |
| 12 | |
| 13 | iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \ |
| 14 | sed -e ' |
| 15 | 1d; |
| 16 | 1! { |
| 17 | \#^[0-9]\+ .* /\* '"$comment"' \*/.*$# { |
| 18 | s/ .*$//; |
| 19 | G; h; |
| 20 | } |
| 21 | }; |
| 22 | $!d; |
| 23 | ' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null |
| 24 | } |
| 25 | |
| 26 | delete_rules_by_comment nat nat_reflection_in "$INTERFACE" |
| 27 | delete_rules_by_comment nat nat_reflection_out "$INTERFACE" |
| 28 | delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE" |
| 29 | |
| 30 | elif [ "$ACTION" = "add" ]; then |
| 31 | |
| 32 | prepare_chains() { |
| 33 | iptables -t nat -N nat_reflection_in 2>/dev/null && { |
| 34 | iptables -t nat -A prerouting_rule -j nat_reflection_in |
| 35 | } |
| 36 | |
| 37 | iptables -t nat -N nat_reflection_out 2>/dev/null && { |
| 38 | iptables -t nat -A postrouting_rule -j nat_reflection_out |
| 39 | } |
| 40 | |
| 41 | iptables -t filter -N nat_reflection_fwd 2>/dev/null && { |
| 42 | iptables -t filter -A forwarding_rule -j nat_reflection_fwd |
| 43 | } |
| 44 | } |
| 45 | |
| 46 | find_networks() { |
| 47 | find_networks_cb() { |
| 48 | local cfg="$1" |
| 49 | local zone="$2" |
| 50 | local need_masq="${3:-0}" |
| 51 | |
| 52 | local name |
| 53 | config_get name "$cfg" name |
| 54 | |
| 55 | local masq |
| 56 | config_get_bool masq "$cfg" masq 0 |
| 57 | |
| 58 | [ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && { |
| 59 | local network |
| 60 | config_get network "$cfg" network |
| 61 | |
| 62 | echo ${network:-$zone} |
| 63 | return 1 |
| 64 | } |
| 65 | } |
| 66 | |
| 67 | config_foreach find_networks_cb zone "$@" |
| 68 | } |
| 69 | |
| 70 | setup_fwd() { |
| 71 | local cfg="$1" |
| 72 | |
| 73 | local reflection |
| 74 | config_get_bool reflection "$cfg" reflection 1 |
| 75 | [ "$reflection" == 1 ] || return |
| 76 | |
| 77 | local src |
| 78 | config_get src "$cfg" src |
| 79 | [ "$src" == "$ZONE" ] || return |
| 80 | |
| 81 | local dest |
| 82 | config_get dest "$cfg" dest |
| 83 | [ "$dest" != "*" ] || return |
| 84 | |
| 85 | local target |
| 86 | config_get target "$cfg" target DNAT |
| 87 | [ "$target" = DNAT ] || return |
| 88 | |
| 89 | prepare_chains |
| 90 | |
| 91 | local net |
| 92 | for net in $(find_networks "$dest" 0); do |
| 93 | local intnet |
| 94 | network_get_subnet intnet "$net" || continue |
| 95 | |
| 96 | local proto |
| 97 | config_get proto "$cfg" proto |
| 98 | |
| 99 | local epmin epmax extport |
| 100 | config_get extport "$cfg" src_dport "1-65535" |
| 101 | [ -n "$extport" ] || return |
| 102 | |
| 103 | epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" |
| 104 | [ "${epmin#!}" != "$epmax" ] || epmax="" |
| 105 | |
| 106 | local ipmin ipmax intport |
| 107 | config_get intport "$cfg" dest_port "$extport" |
| 108 | |
| 109 | ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" |
| 110 | [ "${ipmin#!}" != "$ipmax" ] || ipmax="" |
| 111 | |
| 112 | local exthost |
| 113 | config_get exthost "$cfg" src_dip "$extip" |
| 114 | |
| 115 | local inthost |
| 116 | config_get inthost "$cfg" dest_ip |
| 117 | [ -n "$inthost" ] || return |
| 118 | |
| 119 | [ "$proto" = all ] && proto="tcp udp" |
| 120 | [ "$proto" = tcpudp ] && proto="tcp udp" |
| 121 | |
| 122 | [ "${inthost#!}" = "$inthost" ] || return 0 |
| 123 | [ "${exthost#!}" = "$exthost" ] || return 0 |
| 124 | |
| 125 | [ "${epmin#!}" != "$epmin" ] && \ |
| 126 | extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ |
| 127 | extport="--dport $epmin${epmax:+:$epmax}" |
| 128 | |
| 129 | [ "${ipmin#!}" != "$ipmin" ] && \ |
| 130 | intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \ |
| 131 | intport="--dport $ipmin${ipmax:+:$ipmax}" |
| 132 | |
| 133 | local p |
| 134 | for p in ${proto:-tcp udp}; do |
| 135 | case "$p" in |
| 136 | tcp|udp|6|17) |
| 137 | iptables -t nat -A nat_reflection_in \ |
| 138 | -s $intnet -d $exthost \ |
| 139 | -p $p $extport \ |
| 140 | -m comment --comment "$INTERFACE" \ |
| 141 | -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} |
| 142 | |
| 143 | iptables -t nat -A nat_reflection_out \ |
| 144 | -s $intnet -d $inthost \ |
| 145 | -p $p $intport \ |
| 146 | -m comment --comment "$INTERFACE" \ |
| 147 | -j SNAT --to-source ${intnet%%/*} |
| 148 | |
| 149 | iptables -t filter -A nat_reflection_fwd \ |
| 150 | -s $intnet -d $inthost \ |
| 151 | -p $p $intport \ |
| 152 | -m comment --comment "$INTERFACE" \ |
| 153 | -j ACCEPT |
| 154 | ;; |
| 155 | esac |
| 156 | done |
| 157 | done |
| 158 | } |
| 159 | |
| 160 | config_load firewall |
| 161 | |
| 162 | local is_masq_zone="$(find_networks "$ZONE" 1)" |
| 163 | [ -n "$is_masq_zone" ] || exit 0 |
| 164 | |
| 165 | local extip |
| 166 | network_get_ipaddr extip "$INTERFACE" || exit 0 |
| 167 | |
| 168 | config_foreach setup_fwd redirect |
| 169 | fi |
| 170 | |
