From: Mark Wooding Date: Tue, 6 Mar 2012 00:01:11 +0000 (+0000) Subject: Merge branch 'master' into emergency X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/f513127acd3ccf2f6ec695ba5d9396739bd21aba Merge branch 'master' into emergency * master: functions.m4: Write the netclass ids to the trace output. bookends.m4: If debugging, dump the final tables. Determine forwarding and reverse-path filtering from host definitions. Overhaul address classification. local.m4: Promote the NTP server configuration to a proper variable. Renumber the diversions. fixup! WIP on emergency: 7a108d1 Makefile: New target for tracking diversions. Makefile: New target for tracking diversions. Makefile, base.m4: Inject the target hostname into the generated script. Semantic conflict: The variable `if_dmz' is no longer set, so just hardwire the interface name. --- f513127acd3ccf2f6ec695ba5d9396739bd21aba diff --cc vampire.m4 index 2cf1a13,fa79ee2..44eef03 --- a/vampire.m4 +++ b/vampire.m4 @@@ -93,31 -70,5 +71,31 @@@ run iptables -A OUTPUT -m multiport dnsresolver inbound ntpclient inbound $ntp_servers +## NAT for RFC1918 addresses. +for i in PREROUTING OUTPUT POSTROUTING; do + run iptables -t nat -P $i ACCEPT 2>/dev/null || : + run iptables -t nat -F $i 2>/dev/null || : +done +run iptables -t nat -F +run iptables -t nat -X + +run iptables -t nat -N outbound - run iptables -t nat -A outbound -j RETURN ! -o $if_dmz ++run iptables -t nat -A outbound -j RETURN ! -o eth0.0 +run iptables -t nat -A outbound -j RETURN ! -s 172.29.198.0/23 +run iptables -t nat -A outbound -j RETURN -d 62.49.204.144/28 +run iptables -t nat -A outbound -j RETURN -d 172.29.198.0/23 +run iptables -t nat -A outbound -j SNAT --to-source 62.49.204.158 +run iptables -t nat -A POSTROUTING -j outbound + +## Set up NAT protocol helpers. In particular, SIP needs some special +## twiddling. 
+run modprobe nf_conntrack_sip \ + ports=5060 \ + sip_direct_signalling=0 \ + sip_direct_media=0 +for p in ftp sip h323; do + run modprobe nf_nat_$p +done + m4_divert(-1) ###----- That's all, folks --------------------------------------------------
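Review bot: the conflict resolution hardwires `eth0.0` in `run iptables -t nat -A outbound -j RETURN ! -o eth0.0`, which leaves the DMZ interface as a magic constant inside the NAT chain while the rest of this merge moves such facts into host definitions and local.m4 (the NTP servers got a proper variable in the same series); define a named variable for the DMZ interface and reference it here, or at least comment the rule so a later interface renumbering does not silently disable the SNAT match. Second, the SIP helper is loaded with `sip_direct_signalling=0` and `sip_direct_media=0`, which tells conntrack to accept related signalling and media from hosts other than the registrar and the signalling peer; that widens what the helper will mark as related traffic, so the comment "SIP needs some special twiddling" should say which deployment actually requires it rather than leaving the relaxation unexplained. Third, modprobe ignores those parameters when `nf_conntrack_sip` is already loaded, so re-running the script (or a prior load pulled in by `nf_nat_sip` in the `for p in ftp sip h323` loop) will not apply them; either unload the modules first or set the values through the module's writable parameters under /sys/module so the script's result does not depend on boot order.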