#!/usr/sbin/nft -f
{# Renders the nft(8) script that (re)builds the IPv4 NAT ruleset.                        #}
{# Template inputs: helper_functions ('add' | 'remove' | anything else = no change),       #}
{# the rule handles pre_ct_ignore / out_ct_ignore / pre_ct_conntrack / out_ct_conntrack,   #}
{# and the rule lists "destination" and "source" consumed by the loops further below.     #}

# Start with clean NAT table
{# Every rule in the existing "ip nat" table is removed first; the loops below then        #}
{# re-add the complete ruleset, so this template is a full description, not a delta.      #}
flush table nat

{% if helper_functions == 'remove' %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{# The four handles identify the jump rules installed by the 'add' branch below; they     #}
{# have to be looked up by the caller (presumably from "nft -a list ruleset"), since       #}
{# a handle is only known once the rule exists - TODO confirm how the caller obtains them. #}
{% set base_command = "delete rule ip raw" %}
{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}
{{ base_command }} OUTPUT     handle {{ out_ct_ignore }}
{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
{{ base_command }} OUTPUT     handle {{ out_ct_conntrack }}

{# NOTE(review): NAT_CONNTRACK still holds the "counter accept" rule added by the 'add'   #}
{# branch; nft normally refuses to delete a non-empty chain, so a preceding                #}
{# "flush chain ip raw NAT_CONNTRACK" may be needed here - confirm against the nft in use. #}
delete chain ip raw NAT_CONNTRACK

{% elif helper_functions == 'add' %}
{# NAT if enabled - add targets to nftables #}
{# NAT_CONNTRACK is an accept-all chain in the raw table that PREROUTING and OUTPUT jump   #}
{# to; presumably this keeps traffic that NAT must translate from bypassing connection     #}
{# tracking (e.g. via a notrack rule) - confirm with the caller.                           #}
add chain ip raw NAT_CONNTRACK
add rule ip raw NAT_CONNTRACK counter accept

{% set base_command = "add rule ip raw" %}

{# "position <handle>" places each jump relative to an existing rule, so the ordering      #}
{# inside PREROUTING/OUTPUT is controlled by the caller through the handles.               #}
{# VYATTA_CT_HELPER is not created by this template and must already exist in "ip raw".   #}
{{ base_command }} PREROUTING position {{ pre_ct_ignore }}    counter jump VYATTA_CT_HELPER
{{ base_command }} OUTPUT     position {{ out_ct_ignore }}    counter jump VYATTA_CT_HELPER
{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
{{ base_command }} OUTPUT     position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}

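#
# Destination NAT rules build up here
#
{# Emits one PREROUTING rule per enabled destination NAT rule; "tcp_udp" rules are         #}
{# expanded into a tcp and a udp rule, and each rule is preceded by a separate "log" rule  #}
{# when logging is requested.                                                              #}
{# The rule text is assembled so that every port match carries its transport protocol     #}
{# ("tcp dport { ... }", previously the source port was emitted unqualified) and so that   #}
{# "comment" is the last token of the rule, which is where nft(8) expects it (the source   #}
{# NAT loop in this file already emits it last; here it used to precede the matches).      #}
{% for r in destination if not r.disabled -%}
{%   set chain     = "PREROUTING" %}
{#   Optional match fragments: an inline-if without else yields an Undefined, which is     #}
{#   falsy in the "if" checks below and renders as an empty string.                         #}
{%   set src_addr  = "ip saddr " + r.source_address if r.source_address %}
{%   set src_port  = "sport { " + r.source_port +" }" if r.source_port %}
{%   set dst_addr  = "ip daddr " + r.dest_address if r.dest_address %}
{%   set dst_port  = "dport { " + r.dest_port +" }" if r.dest_port %}
{#   NOTE(review): the interface name is placed between double quotes without escaping;    #}
{#   a name containing a quote would break the generated script - relies on CLI validation. #}
{%   set iface     = r.interface_in %}
{%   set comment   = "DST-NAT-" + r.number %}

{#   tcp_udp is rendered as two rules (tcp, udp) sharing the same comment and log prefix.  #}
{%   if r.protocol == "tcp_udp" %}
{%     set protocols = ["tcp", "udp"] %}
{%     set comment   = comment + " tcp_udp" %}
{%   else %}
{%     set protocols = [r.protocol] %}
{%   endif %}

{%   if r.log %}
{%     set base_log = "[NAT-DST-" + r.number %}
{%     if r.exclude %}
{%       set log = base_log + "-EXCL]" %}
{%     elif r.translation_address == 'masquerade' %}
{%       set log = base_log + "-MASQ]" %}
{%     else %}
{%       set log = base_log + "]" %}
{%     endif %}
{%   endif %}

{#   An "exclude" rule only stops NAT processing for matching packets ("return"), so the   #}
{#   translation address is not evaluated for it.                                          #}
{%   if r.exclude %}
{%     set translation = "return" %}
{%   else %}
{%     set translation = "dnat to " + r.translation_address %}
{%     if r.translation_port %}
{#       No whitespace: the port is appended directly to the address, e.g. 192.0.2.10:3389  #}
{%       set translation = translation + ":" + r.translation_port %}
{%     endif %}
{%   endif %}

{%   for proto in protocols %}
{%     set match = "iifname \"" + iface + "\"" %}
{%     if src_addr %}
{%       set match = match + " " + src_addr %}
{%     endif %}
{#     Port matches are qualified by the transport protocol ("tcp sport { ... }"). For      #}
{#     protocol "all" they are emitted unqualified rather than silently dropped - a port    #}
{#     without tcp/udp is expected to be rejected upstream (TODO confirm) or by nft itself.  #}
{%     if src_port %}
{%       set match = match + " " + (proto + " " + src_port if proto != "all" else src_port) %}
{%     endif %}
{%     if dst_addr %}
{%       set match = match + " " + dst_addr %}
{%     endif %}
{%     if dst_port %}
{%       set match = match + " " + (proto + " " + dst_port if proto != "all" else dst_port) %}
{%     elif proto != "all" %}
{#       Without a port match the protocol is still restricted; "all" means no restriction.  #}
{%       set match = match + " ip protocol " + proto %}
{%     endif %}
{#     The log rule repeats the complete match and is emitted before the translating rule. #}
{%     if log %}
add rule ip nat {{ chain }} {{ match }} counter log prefix "{{ log }}" comment "{{ comment }}"
{%     endif %}
add rule ip nat {{ chain }} {{ match }} counter {{ translation }} comment "{{ comment }}"
{%   endfor %}
{% endfor %}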




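#
# Source NAT rules build up here
#
{# Emits one POSTROUTING rule per enabled source NAT rule; "tcp_udp" rules are expanded    #}
{# into a tcp and a udp rule, and each rule is preceded by a separate "log" rule when       #}
{# logging is requested.                                                                   #}
{# Fixes folded in here: the protocol/port matches of a tcp_udp rule used to be built only  #}
{# inside the "if log" branch, so a tcp_udp rule without logging lost its protocol and      #}
{# port match and translated all traffic leaving the interface; the tcp_udp rules also      #}
{# omitted the "ip saddr" match and emitted the source port twice, and the destination      #}
{# port of a plain tcp/udp rule was emitted without its protocol qualifier.                 #}
{% for r in source if not r.disabled -%}
{%   set chain     = "POSTROUTING" %}
{#   Optional match fragments: an inline-if without else yields an Undefined, which is     #}
{#   falsy in the "if" checks below and renders as an empty string.                         #}
{%   set src_addr  = "ip saddr " + r.source_address if r.source_address %}
{%   set src_port  = "sport { " + r.source_port +" }" if r.source_port %}
{%   set dst_addr  = "ip daddr " + r.dest_address if r.dest_address %}
{%   set dst_port  = "dport { " + r.dest_port +" }" if r.dest_port %}
{#   NOTE(review): the interface name is placed between double quotes without escaping;    #}
{#   a name containing a quote would break the generated script - relies on CLI validation. #}
{%   set iface     = r.interface_out %}
{%   set comment   = "SRC-NAT-" + r.number %}

{#   The log prefix is derived from the comment before any tcp_udp suffix is appended.     #}
{%   if r.log %}
{%     if r.exclude %}
{%       set log = "[" + comment + "-EXCL]" %}
{%     elif r.translation_address == 'masquerade' %}
{%       set log = "[" + comment + "-MASQ]" %}
{%     else %}
{%       set log = "[" + comment + "]" %}
{%     endif %}
{%   endif %}

{#   tcp_udp is rendered as two rules (tcp, udp) sharing the same comment.                 #}
{%   if r.protocol == 'tcp_udp' %}
{%     set protocols = ["tcp", "udp"] %}
{%     set comment   = comment + " tcp_udp" %}
{%   else %}
{%     set protocols = [r.protocol] %}
{%   endif %}

{#   An "exclude" rule only stops NAT processing for matching packets ("return"), so the   #}
{#   translation address is not evaluated for it.                                          #}
{%   if r.exclude %}
{%     set translation = "return" %}
{%   else %}
{%     set translation = "masquerade" if r.translation_address == "masquerade" else "snat to " + r.translation_address %}
{%     if r.translation_port %}
{#       No whitespace: the port is appended directly to the address, e.g. 192.0.2.10:3389  #}
{#       NOTE(review): for masquerade this yields "masquerade:PORT"; nft's syntax for a     #}
{#       masquerade port range appears to be "masquerade to :PORT" - confirm whether the    #}
{#       CLI allows a translation port together with masquerade at all.                    #}
{%       set translation = translation + ":" + r.translation_port %}
{%     endif %}
{%   endif %}

{%   for proto in protocols %}
{%     set match = "oifname \"" + iface + "\"" %}
{%     if src_addr %}
{%       set match = match + " " + src_addr %}
{%     endif %}
{#     Port matches are qualified by the transport protocol ("tcp sport { ... }"). For      #}
{#     protocol "all" they are emitted unqualified rather than silently dropped - a port    #}
{#     without tcp/udp is expected to be rejected upstream (TODO confirm) or by nft itself.  #}
{%     if src_port %}
{%       set match = match + " " + (proto + " " + src_port if proto != "all" else src_port) %}
{%     endif %}
{%     if dst_addr %}
{%       set match = match + " " + dst_addr %}
{%     endif %}
{%     if dst_port %}
{%       set match = match + " " + (proto + " " + dst_port if proto != "all" else dst_port) %}
{%     elif proto != "all" %}
{#       Without a port match the protocol is still restricted; "all" means no restriction.  #}
{%       set match = match + " ip protocol " + proto %}
{%     endif %}
{#     The log rule repeats the complete match and is emitted before the translating rule. #}
{%     if log %}
add rule ip nat {{ chain }} {{ match }} counter log prefix "{{ log }}" comment "{{ comment }}"
{%     endif %}
add rule ip nat {{ chain }} {{ match }} counter {{ translation }} comment "{{ comment }}"
{%   endfor %}
{% endfor %}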