aurore/aurore-firewall
11
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Use SNAT rules rather than masquerade

Browse source 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
ynerant 2021-02-01 17:58:16 +01:00
parent 95babc700c
commit 9ca24da0d6
Signed by untrusted user: ynerant
GPG key ID: 3A75C55819C8CF85
2 changed files with 17 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
firewall_config.example.py
View file

@ -44,7 +44,11 @@ nat = [
'eth2' : '138.230.76.0/24', 'eth2' : '138.230.76.0/24',
}, },
'ip_sources' : '10.42.0.0/16', 'ip_sources' : '10.42.0.0/16',
'extra_nat' : {'10.129.1.240' : '45.66.108.251'} 'extra_nat' : {
'eth1': {
'10.129.1.240' : '45.66.108.251'
},
},
}, },
{ {
'name' : 'nat2', 'name' : 'nat2',
@ -53,7 +57,11 @@ nat = [
'eth3' : '138.1.145.0/24' 'eth3' : '138.1.145.0/24'
}, },
'ip_sources' : '10.43.0.0/16', 'ip_sources' : '10.43.0.0/16',
'extra_nat' : {'10.129.1.240' : '45.66.108.251'} 'extra_nat' : {
'eth2': {
'10.129.1.240' : '45.66.108.251'
},
},
} }
] ]

16
main.py
View file

@ -632,16 +632,14 @@ class iptables:
if 'extra_nat' in nat_type: if 'extra_nat' in nat_type:
### Extra-nat (ex : Pour que le routeur ait accès à internet) ### Extra-nat (ex : Pour que le routeur ait accès à internet)
for ip_source, ip_to_nat in nat_type['extra_nat'].items(): for interface, rules in nat_type['extra_nat'].items():
rule = "" for ip_source, ip_to_nat in rules.items():
if 'extra_nat_group' in nat_type: rule = ''
rule = "-m set --match-set " + nat_type['extra_nat_group'] + " src " if 'extra_nat_group' in nat_type and interface in nat_type['extra_nat_group']:
rule += '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat rule = "-m set --match-set " + nat_type['extra_nat_group'][interface] + " src "
self.add_in_subtable("nat4", subtable, rule) rule += '-s ' + ip_source + ' -o ' + interface + ' -j SNAT --to-source ' + ip_to_nat
self.add_in_subtable("nat4", subtable, rule)
if "masquerade" in nat_type:
for ip_source in nat_type["masquerade"]:
self.jump_trafic_from_source('nat', ip_source, 'POSTROUTING', 'MASQUERADE', '4')
def gen_mangle(self, empty=False): def gen_mangle(self, empty=False):
"""Génération de la chaine mangle""" """Génération de la chaine mangle"""