Diffstat (limited to 'data/templates/firewall')
-rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 104 |
1 files changed, 72 insertions, 32 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 9bab8b363..5ce110d82 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -5,10 +5,12 @@ flush table nat
 {% if helper_functions == 'remove' %}
 {# NAT if going to be disabled - remove rules and targets from nftables #}
-delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
-delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
-delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
-delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+{% set base_command = "delete rule ip raw" %}
+{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}
+{{ base_command }} OUTPUT handle {{ out_ct_ignore }}
+{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
+{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}
 delete chain ip raw NAT_CONNTRACK
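Review bot: Folding four literal nft commands into a `base_command` variable costs more readability than it saves: a reader now has to carry the variable's value to see that these lines are `delete rule ip raw …`, and a grep of the template for the literal command no longer finds them; the same pattern is repeated in the next hunk with `add rule ip raw`. The reordering (both `ignore` handles now deleted before both `conntrack` handles) is harmless, since nft rule handles are not renumbered when a sibling rule is deleted, but it is an unannounced behaviour change and deserves a word in the commit message. If the indirection stays, a one-line `{# Remove the conntrack helper hooks from raw PREROUTING/OUTPUT by handle #}` above the block would tell the next reader what these handles refer to.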
@@ -17,13 +19,17 @@ delete chain ip raw NAT_CONNTRACK
 add chain ip raw NAT_CONNTRACK
 add rule ip raw NAT_CONNTRACK counter accept
-add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
+{% set base_command = "add rule ip raw" %}
+{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
+{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
+{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+{% endif %}
+#
+# Destination NAT rules build up here
+#
 {% for r in destination if not r.disabled -%}
 {% set chain = "PREROUTING" %}
 {% set src_addr = "ip saddr " + r.source_address if r.source_address %}
@@ -32,16 +38,24 @@ add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRAC
 {% set dst_port = "dport { " + r.dest_port +" }" if r.dest_port %}
 {% set trns_addr = "dnat to " + r.translation_address %}
 {% set trns_port = ":" + r.translation_port if r.translation_port %}
+{% set interface = " iifname \"" + r.interface_in + "\"" %}
 {% set comment = "DST-NAT-" + r.number %}
-{% set iface = r.interface_in %}
+
+{% if r.protocol == "tcp_udp" %}
+{% set protocol = "tcp" %}
+{% set comment = comment + " tcp_udp" %}
+{% else %}
+{% set protocol = r.protocol %}
+{% endif %}
 {% if r.log %}
+{% set base_log = "[NAT-DST-" + r.number %}
 {% if r.exclude %}
-{% set log = "[" + comment + "-EXCL]" %}
+{% set log = base_log + "-EXCL]" %}
 {% elif r.translation_address == 'masquerade' %}
-{% set log = "[" + comment + "-MASQ]" %}
+{% set log = base_log + "-MASQ]" %}
 {% else %}
-{% set log = "[" + comment + "]" %}
+{% set log = base_log + "]" %}
 {% endif %}
 {% endif %}
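Review bot: The kernel log prefix for destination NAT rules silently changes from `[DST-NAT-<n>…]` to `[NAT-DST-<n>…]`: the new `base_log` is built from the literal `"[NAT-DST-"`, whereas the removed `{% set log = "[" + comment + … %}` lines derived it from `comment`, which is still `"DST-NAT-" + r.number`. Anything that keys on that prefix (syslog filters, SIEM parsers, operator runbooks) stops matching without any error, so either the rename is intentional and should be stated in the commit message, or `{% set base_log = "[DST-NAT-" + r.number %}` keeps the prefix aligned with the rule comment. Separately, `interface` is now built unconditionally from `r.interface_in`; if the config schema allows a rule without an inbound interface, string concatenation with an undefined value aborts the whole render instead of emitting a rule, so a guard in the style of the neighbouring `src_addr` line (`{% set interface = " iifname \"" + r.interface_in + "\"" if r.interface_in %}`) is cheap insurance. Note the per-rule block this hunk modifies continues in the next hunk.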
@@ -51,34 +65,60 @@ add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRAC
 {% set trns_port = "" %}
 {% endif %}
-{% if r.protocol == 'tcp_udp' %}
-{# Special handling for protocol tcp_udp which is represented as two individual rules #}
-{% set comment = comment + " tcp_udp" %}
-{% if log %}
+{% set output = "add rule ip nat " + chain + interface + " counter" %}
+{% set output = output + " comment \"" + comment + "\"" %}
-{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %}
-{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %}
+{% if src_addr %}
+{% set output = output + " " + src_addr %}
+{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
-{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
-{% if log %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
-{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
+{% if src_port %}
+{% set output = output + " " + src_port %}
+{% endif %}
+{% if dst_addr %}
+{% set output = output + " " + dst_addr %}
+{% endif %}
+
+{% if dst_port %}
+{% set output = output + " " + protocol + " " + dst_port %}
 {% else %}
-{% set proto_dst_port = dst_port if dst_port else "ip protocol " + r.protocol %}
-{% set proto_dst_port = "" if r.protocol == "all" %}
+{% set output = output + " ip protocol " + protocol %}
+{% endif %}
-{% if log %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
-{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
+{# Special handling of log option, we must repeat the entire rule before the #}
+{# NAT translation options are added, this is essential #}
+{% if log %}
+{% set log_output = output + " log prefix \"" + log + "\"" %}
+{% endif %}
+
+{% if trns_addr %}
+{% set output = output + " " + trns_addr %}
+{% endif %}
+
+{% if trns_port %}
+{# Do not add a whitespace here, translation port must be directly added after IP address #}
+{# e.g. 192.0.2.10:3389 #}
+{% set output = output + trns_port %}
+{% endif %}
+
+{{ log_output if log_output }}
+{{ output }}
+
+{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #}
+{% if r.protocol == "tcp_udp" %}
+{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #}
+{{ log_output | replace("tcp ", "udp ") if log_output }}
+{{ output | replace("tcp ", "udp ") }}
 {% endif %}
 {% endfor %}
+
+
+#
+# Source NAT rules build up here
+#
 {% for r in source if not r.disabled -%}
 {% set chain = "POSTROUTING" %}
 {% set src_addr = "ip saddr " + r.source_address if r.source_address %}
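Review bot: The new `{% else %}` branch appends ` ip protocol <protocol>` for every rule without a destination port, so a rule whose protocol is `all` now renders `ip protocol all`, which nft rejects as an unknown protocol name; the removed `{% set proto_dst_port = "" if r.protocol == "all" %}` line shows the old template deliberately emitted no protocol match in that case. If the rendered file is applied as one batch, a single rejected rule is enough to keep every NAT rule from being loaded, so this is a load failure rather than a cosmetic difference. Changing the branch header to `{% elif protocol != "all" %}` restores the previous behaviour with no other change. A second, weaker concern is the tcp_udp handling: `replace("tcp ", "udp ")` rewrites every occurrence in the finished rule string, not just the protocol token, so any `tcp ` that ever reaches the comment, the log prefix or a port set would be rewritten too; generating `output` once per protocol in a `{% for protocol in ["tcp", "udp"] %}` loop (or at least applying the replacement before the comment and log prefix are appended) would not depend on that trailing-space trick the new `{# Beware of trailing whitespace … #}` comment has to warn about.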