From 9ca24da0d6217d7e014c50a278842d23fff2813e Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 1 Feb 2021 17:58:16 +0100
Subject: [PATCH] Use SNAT rules rather than masquerade
Signed-off-by: Yohann D'ANELLO
---
 firewall_config.example.py | 12 ++++++++++--
 main.py | 18 ++++++++----------
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/firewall_config.example.py b/firewall_config.example.py
index d6c3bb3..6574d30 100644
--- a/firewall_config.example.py
+++ b/firewall_config.example.py
@@ -44,7 +44,11 @@ nat = [
 'eth2' : '138.230.76.0/24',
 },
 'ip_sources' : '10.42.0.0/16',
- 'extra_nat' : {'10.129.1.240' : '45.66.108.251'}
+ 'extra_nat' : {
+ 'eth1': {
+ '10.129.1.240' : '45.66.108.251'
+ },
+ },
 },
 {
 'name' : 'nat2',
@@ -53,7 +57,11 @@ nat = [
 'eth3' : '138.1.145.0/24'
 },
 'ip_sources' : '10.43.0.0/16',
- 'extra_nat' : {'10.129.1.240' : '45.66.108.251'}
+ 'extra_nat' : {
+ 'eth2': {
+ '10.129.1.240' : '45.66.108.251'
+ },
+ },
 }
 ]
diff --git a/main.py b/main.py
index 59488e5..35a300a 100755
--- a/main.py
+++ b/main.py
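Review bot: The example no longer shows how `extra_nat_group` is declared, yet main.py in this same patch now indexes it per interface (`nat_type['extra_nat_group'][interface]`), so the only documented sample of the new schema is the nested `extra_nat` dict in both hunks. A commented-out entry next to `extra_nat`, such as `# 'extra_nat_group' : {'eth1': 'SET_NAME'},` (constructed placeholder), would show that the match-set mapping must use the same interface keys as `extra_nat`. A short comment that the inner key is the internal source address and the value the public address it is rewritten to would make the nesting self-explanatory. Since the old flat form (`{'10.129.1.240' : '45.66.108.251'}`) would now reach `rules.items()` with a string, a one-line comment stating that the interface level is mandatory would spare operators a confusing failure at generation time.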
@@ -632,16 +632,14 @@ class iptables:
 if 'extra_nat' in nat_type:
 ### Extra-nat (ex : Pour que le routeur ait accès à internet)
- for ip_source, ip_to_nat in nat_type['extra_nat'].items():
- rule = ""
- if 'extra_nat_group' in nat_type:
- rule = "-m set --match-set " + nat_type['extra_nat_group'] + " src "
- rule += '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat
- self.add_in_subtable("nat4", subtable, rule)
-
- if "masquerade" in nat_type:
- for ip_source in nat_type["masquerade"]:
- self.jump_trafic_from_source('nat', ip_source, 'POSTROUTING', 'MASQUERADE', '4')
+ for interface, rules in nat_type['extra_nat'].items():
+ for ip_source, ip_to_nat in rules.items():
+ rule = ''
+ if 'extra_nat_group' in nat_type and interface in nat_type['extra_nat_group']:
+ rule = "-m set --match-set " + nat_type['extra_nat_group'][interface] + " src "
+ rule += '-s ' + ip_source + ' -o ' + interface + ' -j SNAT --to-source ' + ip_to_nat
+ self.add_in_subtable("nat4", subtable, rule)
+
 def gen_mangle(self, empty=False):
 """Génération de la chaine mangle"""
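Review bot: A configuration that still carries a `masquerade` key is now silently ignored, because the removed `if "masquerade" in nat_type:` branch has no replacement and nothing in the new loop reports the stale key, so sources that used to be masqueraded will leave the router un-NATed with no diagnostic. Likewise an `extra_nat` entry in the old flat `{ip: ip}` form now reaches `rules.items()` with a string value and fails with an unhelpful AttributeError rather than a configuration error. Rejecting the stale key explicitly at the top of the branch, e.g. `if 'masquerade' in nat_type: raise ValueError("'masquerade' is no longer supported: declare per-interface 'extra_nat' SNAT entries")`, would turn a silent loss of NAT into a clear failure at generation time. Since each rule is now bound to an egress interface with `-o`, a comment above the loop noting that the SNAT applies only to packets leaving that interface would document the intended behaviour; the enclosing method starts before the hunk.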