From: <kr...@us...> - 2007-05-01 16:04:03
Revision: 994
http://svn.sourceforge.net/astlinux/?rev=994&view=rev
Author: krisk84
Date: 2007-05-01 09:04:02 -0700 (Tue, 01 May 2007)
Log Message:
-----------
a few iptables fixes - we now support NODMZPORTS
Modified Paths:
--------------
trunk/package/iptables/astfw
trunk/target/generic/target_skeleton/stat/etc/rc.conf
Modified: trunk/package/iptables/astfw
===================================================================
--- trunk/package/iptables/astfw	2007-04-30 19:32:01 UTC (rev 993)
+++ trunk/package/iptables/astfw	2007-05-01 16:04:02 UTC (rev 994)
@@ -151,7 +151,7 @@
 iptables -N USER-FORWARD
 iptables -A FORWARD -j USER-FORWARD
 
-#allow forwaring from each interface to the internet...
+#allow forwarding from each interface to the internet...
 for i in $EXTIFS
 do
 iptables -A FORWARD -i $INTIF -o $i -j ACCEPT
@@ -167,6 +167,10 @@
 fi
 done
 
+#Create user NAT table and send everything through it
+iptables -t nat -N USER-PREROUTING
+iptables -t nat -A PREROUTING -j USER-PREROUTING
+
 #Setup 1:1 Maps...
 for i in $EXTIFS
 do
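Review bot: The jump into USER-PREROUTING is appended to the nat PREROUTING chain before the 1:1 maps and the DMZ DNAT rules that astfw installs after it, so any DNAT a user puts in that chain takes precedence over the built-in DMZ forwarding; that ordering looks deliberate but the comment `#Create user NAT table and send everything through it` does not say it. I would extend it to `#Create the user nat chain and jump to it first: user PREROUTING rules take precedence over the 1:1 map and DMZ DNAT rules below`, since a user rule there can silently pre-empt the DMZ. Separately, `iptables -t nat -N USER-PREROUTING` fails and the following `-A PREROUTING -j USER-PREROUTING` appends a duplicate jump if the script is re-run against a nat table that was not flushed and had its user chains deleted; whether astfw does that earlier is outside this hunk, so confirm the nat table gets `-F` and `-X` before this point, as is presumably done for USER-FORWARD.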
@@ -233,19 +237,44 @@
 IF="$INTIF"
 fi
-if [ "$DMZSRC" ]
+if [ "$NODMZPORTS" ]
 then
-
-for i in $DMZSRC
+for i in $NODMZPORTS
 do
-iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s \! "$i" -j DNAT --to-destination $DMZIP
-iptables -t nat -A PREROUTING -p udp -i $EXTIF -s \! "$i" -j DNAT --to-destination $DMZIP
+if `echo $i | grep -q "u"`
+then
+PROTOCOL=udp
+fi
 
-iptables -A FORWARD -i $EXTIF -o $IF -s \! "$i" -d $DMZIP -m state --state NEW -p tcp -j ACCEPT
-iptables -A FORWARD -i $EXTIF -o $IF -s \! "$i" -d $DMZIP -m state --state NEW -p udp -j ACCEPT
+if `echo $i | grep -q "t"`
+then
+PROTOCOL=tcp
+fi
+
+PORT=`echo $i | tr -d itu`
+
+if [ "$DMZSRC" ]
+then
+iptables -t nat -A PREROUTING -i $EXTIF -s "$DMZSRC" -p $PROTOCOL -m $PROTOCOL --dport $PORT -j DNAT --to-destination "$DMZIP":"$PORT"
+iptables -A FORWARD -i $EXTIF -d $DMZIP -s "$DMZSRC" -p $PROTOCOL -m $PROTOCOL --dport $PORT -j ACCEPT
+else
+iptables -t nat -A PREROUTING -i $EXTIF -p $PROTOCOL -m $PROTOCOL --dport $PORT -j DNAT --to-destination "$DMZIP":"$PORT"
+iptables -A FORWARD -i $EXTIF -d $DMZIP -p $PROTOCOL -m $PROTOCOL --dport $PORT -j ACCEPT
+fi
+
 done
+fi
+if [ "$DMZSRC" ]
+then
+
+iptables -t nat -A PREROUTING -p tcp -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
+iptables -t nat -A PREROUTING -p udp -i $EXTIF -s \! "$DMZSRC" -j DNAT --to-destination $DMZIP
+
+iptables -A FORWARD -i $EXTIF -o $IF -s \! "$DMZSRC" -d $DMZIP -m state --state NEW -p tcp -j ACCEPT
+iptables -A FORWARD -i $EXTIF -o $IF -s \! "$DMZSRC" -d $DMZIP -m state --state NEW -p udp -j ACCEPT
+
 else
 iptables -t nat -A PREROUTING -p tcp -i $EXTIF -j DNAT --to-destination $DMZIP
Modified: trunk/target/generic/target_skeleton/stat/etc/rc.conf
===================================================================
--- trunk/target/generic/target_skeleton/stat/etc/rc.conf	2007-04-30 19:32:01 UTC (rev 993)
+++ trunk/target/generic/target_skeleton/stat/etc/rc.conf	2007-05-01 16:04:02 UTC (rev 994)
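Review bot: PROTOCOL is never reset inside `for i in $NODMZPORTS`, so an entry carrying neither a `t` nor a `u` silently reuses the protocol of the previous entry, or is empty on the first iteration and yields `-p  -m  --dport`, which iptables rejects; likewise `PORT=\`echo $i | tr -d itu\`` strips letters without checking that what remains is a number, so a typo such as `t25x` produces a failed rule and the port is simply not forwarded, with nothing telling the administrator why. I would set PROTOCOL per iteration with a `case` that keeps tcp's precedence when both letters appear, validate PORT as digits, and skip malformed entries with a message on stderr, as below. Separately, the removed code looped over `for i in $DMZSRC`, whereas the new rules pass `-s "$DMZSRC"` as one argument, so a DMZSRC holding more than one address now fails in every rule that uses it; if rc.conf (its DMZSRC documentation is outside this diff) still allows a list, those rules need a loop, and if not, the single-value contract should be stated there. The rewritten `-s \! "$DMZSRC"` catch-all block and its `else` branch continue past the end of the hunk.
```shell
for i in $NODMZPORTS
do
#tcp wins when an entry carries both letters, matching the old grep order
case "$i" in
*t*) PROTOCOL=tcp ;;
*u*) PROTOCOL=udp ;;
*) PROTOCOL= ;;
esac
PORT=`echo $i | tr -d itu`
case "$PORT" in
''|*[!0-9]*) PORT= ;;
esac
if [ -z "$PROTOCOL" ] || [ -z "$PORT" ]
then
echo "astfw: ignoring malformed NODMZPORTS entry '$i' (expected e.g. t25 or u53)" >&2
continue
fi
# ... unchanged: DMZSRC-conditional DNAT and FORWARD rules ...
done
```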
@@ -195,6 +195,10 @@
 ##a real name or another variable from this file.
 #DMZIPIF="$INT2IF"
 
+##You can also specify a list of ports to bypass your DMZSRC exclusion.
+##Use this if you need to connect to a specific service on DMZIP from DMZSRC
+#NODMZPORTS="t25 t110 t143"
+
 ##PPPoE support from Roaring Penguin. If you define PPPOEUSER below, AstLinux
 ##will run rp-pppoe on your $PPPOEIF. You will also need to set EXTIF to "ppp0".
 ##PPPoE kernel support
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
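Review bot: The new NODMZPORTS comment never says how an entry is written, while astfw in this same commit derives the protocol from a `t` or `u` letter in the entry and the port from the remaining digits, so a bare `25` yields no protocol at all. I would add a third comment line, `##Prefix each port with "t" for TCP or "u" for UDP, e.g. NODMZPORTS="t25 t110 u53"`, so users do not have to read astfw to learn the format. The sentence `Use this if you need to connect to a specific service on DMZIP from DMZSRC` should also end with a period like the line above it.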