summaryrefslogtreecommitdiff
path: root/data/templates/firewall/nftables-nat.tmpl
blob: 343807e792097f99edfc1eed0c7916d897d85a6f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

#!/usr/sbin/nft -f

# Start with a "clean" NAT table
flush table nat

{% for rule in init_deinit -%}
# Add or remove conntrack helper rules for NAT operation-
{{ rule }}
{% endfor %}

add chain ip raw NAT_CONNTRACK

# insert rule after VYATTA_CT_IGNORE
add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
# insert rule after VYATTA_CT_IGNORE
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
# insert rule after VYATTA_CT_PREROUTING_HOOK
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK

add rule ip raw NAT_CONNTRACK counter accept


{% for r in destination -%}
{% if r.protocol == 'tcp_udp' %}
{# Special handling for protocol tcp_udp which is represented as two individual rules #}
add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
{% else %}
add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}"
{% endif %}
{% endfor %}


{% for r in source -%}
{% if r.log %}
{% if r.exclude %}
{% set value = 'EXCL' %}
{% elif r.translation_address == 'masquerade' %}
{% set value = 'MASQ' %}
{% endif %}
add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
{% endif %}

{% if r.exclude %}
{% set value = 'return' %}
{% elif r.translation_address == 'masquerade' %}
{% set value = 'masquerade' %}
{% else %}
{% set value = 'snat to ' + r.translation_address %}
{% endif %}
add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}"
{% endfor %}
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 21:36:28 +0000