From: <kr...@us...> - 2007-10-29 20:43:06
Revision: 1336 http://astlinux.svn.sourceforge.net/astlinux/?rev=1336&view=rev Author: krisk84 Date: 2007-10-29 13:43:09 -0700 (Mon, 29 Oct 2007) Log Message: ----------- rework EXTMAP and support EXTIPMAP and EXTPORTMAP Modified Paths: -------------- trunk/package/iptables/astfw trunk/target/generic/target_skeleton/stat/etc/rc.conf Modified: trunk/package/iptables/astfw =================================================================== --- trunk/package/iptables/astfw 2007-10-29 18:45:41 UTC (rev 1335) +++ trunk/package/iptables/astfw 2007-10-29 20:43:09 UTC (rev 1336) 
@@ -195,53 +195,48 @@ iptables -t nat -A PREROUTING -j USER-PREROUTING #Setup 1:1 Maps... -for i in $EXTIFS -do if [ "$EXTMAP10" ] then -COUNT=10 +echo "The old EXTMAP variables are deprecated. Please see EXTIPMAP in /stat/etc/rc.conf" +fi -while [ "$COUNT" ] +if [ "$EXTIPMAP" ] +then +for i in $EXTIPMAP do +EIP=`echo $i | cut -d: -f1` +IIP=`echo $i | cut -d: -f2` -IPLINE=`set | grep EXTMAP$COUNT|tr -d \'` -PORTMAP=`set | grep OPENMAP$COUNT|tr -d \'` -IFALIAS=`expr $COUNT - 9` +ip addr add $EIP dev $EXTIF +iptables -t nat -A PREROUTING -d $EIP -i $EXTIF -j DNAT --to-destination $IIP +iptables -t nat -A POSTROUTING -s $EIP -o $EXTIF -j SNAT --to-source $IIP +iptables -t nat -A POSTROUTING -s $IIP -o $EXTIF -j SNAT --to-source $EIP +iptables -A FORWARD -i $EXTIF -o $INTIF -d $IIP -j ACCEPT +done +fi -if [ $IPLINE ] - then - NATEXTIP=`echo $IPLINE | cut -d"=" -f2` - NATINTIP=`echo $IPLINE | cut -d"=" -f3` - ifconfig $i:$IFALIAS $NATEXTIP netmask $EXTNM - iptables -t nat -A PREROUTING -d $NATEXTIP -i $i -j DNAT --to-destination $NATINTIP - iptables -t nat -A POSTROUTING -s $NATEXTIP -o $i -j SNAT --to-source $NATINTIP - iptables -t nat -A POSTROUTING -s $NATINTIP -o $i -j SNAT --to-source $NATEXTIP - # iptables -A FORWARD -i $i -o $INTIF -d $NATINTIP -m state --state NEW -j ACCEPT +if [ "$EXTPORTMAP" ] +then +for i in $EXTPORTMAP +do +EPORT=`echo $i | cut -d: -f1` +IIP=`echo $i | cut -d: -f2` +IPORT=`echo $i | cut -d: -f3` - if [ $PORTMAP ] - then - PORTS=`echo $PORTMAP | cut -d"=" -f2` - (IFS=: - for i in $PORTS - do - iptables -A FORWARD -i $i -o $INTIF -d $NATINTIP -m state --state NEW -p tcp -m multiport --dport $i -j ACCEPT - iptables -A FORWARD -i $i -o $INTIF -d $NATINTIP -m state --state NEW -p udp -m multiport --dport $i -j ACCEPT +if `echo $EPORT | grep -q "u"` +then +PROTOCOL=udp +fi - done) - fi - - COUNT=`expr $COUNT + 1` - -else - - COUNT= - +if `echo $EPORT | grep -q "t"` +then +PROTOCOL=tcp fi +iptables -t nat -A PREROUTING -i $EXTIF -p $PROTOCOL -m 
$PROTOCOL --dport $EPORT -j DNAT --to-destination "$IIP":"$IPORT" +iptables -A FORWARD -i $EXTIF -o $INTIF -d $IIP -p $PROTOCOL -m $PROTOCOL --dport $EPORT -j ACCEPT done - fi -done # DMZ to IP support if [ "$DMZIP" ] Modified: trunk/target/generic/target_skeleton/stat/etc/rc.conf =================================================================== --- trunk/target/generic/target_skeleton/stat/etc/rc.conf 2007-10-29 18:45:41 UTC (rev 1335) +++ trunk/target/generic/target_skeleton/stat/etc/rc.conf 2007-10-29 20:43:09 UTC (rev 1336) @@ -249,10 +249,21 @@ ### astfw Firewall (iptables) ##If you have more than one IP on the EXTIF, here is where you configure 1:1 NAT maps -##These have to start at 10!!!!!! +##These have to start at 10!!!!!! (DEPRECATED) #EXTMAP10="192.168.25.11=192.168.1.100" #OPENMAP10="22" +##If you would like to open some ports on your external interface to internal machines +##do that here. As usualy multiple entries can be seperated with spaces. +##In the example - forward external TCP port 222 to 192.168.111.17 port 22 +##and UDP 4569 to 192.168.111.12 +#EXTPORTMAP="t222:192.168.111.17:22 u4569:192.168.111.12:4569" + +##If you have multiple IP addresses on your external interface and you want 1:1 NAT +##sometimes called binat (bidirectional NAT), define that here. Use spaces for +##multiple address maps. There is no filtering for these, beware! +#EXTIPMAP="4.2.2.1:192.168.111.20" + ##Default "deny action" - you want either DROP or REJECT (returns with icmp filtered) DENYACT="DROP" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
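Review bot: In the EXTPORTMAP loop the protocol letter is never stripped from EPORT, so an entry written the way the rc.conf hunk documents it (`t222:192.168.111.17:22`) reaches both new iptables rules as `--dport t222`, which iptables does not accept as a port; as far as this hunk shows, nothing else removes the prefix. The two `grep -q "u"` / `grep -q "t"` tests also match the letter anywhere in the string and never reset PROTOCOL, so an entry without a recognised prefix inherits the previous entry's protocol, or yields an empty `-p` on the first iteration. A `case` on the leading character followed by the POSIX strip `${EPORT#[tu]}` settles both and stays within the script's Bourne/ash dialect. The unconditional `iptables -A FORWARD -i $EXTIF -o $INTIF -d $IIP -j ACCEPT` in the EXTIPMAP block admits all inbound traffic to the mapped host; the rc.conf hunk warns about that, so it is only noted here.
```shell
EPORT=`echo $i | cut -d: -f1`
# ... unchanged: IIP and IPORT assignments ...
case "$EPORT" in
  t*) PROTOCOL=tcp ;;
  u*) PROTOCOL=udp ;;
  *) echo "astfw: EXTPORTMAP entry '$i' needs a t or u prefix" >&2; continue ;;
esac
EPORT=${EPORT#[tu]}
# ... unchanged: PREROUTING DNAT and FORWARD ACCEPT rules ...
```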