#!/bin/sh
# NAT Scrip V2.0
# (c) 2008 Martin Saidl
# martin.saidl(AT)tone.cz
# Location of nat.conf and the iptables binary to drive. Both are read by the
# do_start/do_stop functions below and are never changed afterwards.
IPTBL=/sbin/iptables
CONF_DIR=/etc/firewall
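#######################################
# Return 0 when every argument is a non-empty word that does not start with
# '-'. A leading '-' would be taken by iptables as an option rather than a
# value, so such config fields are refused instead of being passed through.
# Arguments: the config fields to check
#######################################
nat_fields_ok()
{
  for nat_f in "$@"; do
    case "$nat_f" in
      ''|-*) return 1 ;;
    esac
  done
  return 0
}

#######################################
# Append one SNAT rule to the s-nat chain.
# Arguments:
#   $1 protocol, $2 outgoing interface, $3 internal addr[:port], $4 external addr[:port]
# The address is everything before the first ':' and the port everything after
# the last ':', the same split the original awk sub() calls performed.
# Returns: the iptables exit status
#######################################
nat_add_snat()
{
  if [ "${3%%:*}" != "$3" ]; then
    "$IPTBL" -t nat -A s-nat -o "$2" -s "${3%%:*}" -p "$1" --sport "${3##*:}" -j SNAT --to "$4"
  else
    "$IPTBL" -t nat -A s-nat -o "$2" -s "$3" -p "$1" -j SNAT --to "$4"
  fi
}

#######################################
# Append one DNAT rule to the d-nat chain.
# Arguments:
#   $1 protocol, $2 incoming interface, $3 internal addr[:port], $4 external addr[:port]
# The match is on the external address/port, the target is the internal one.
# Returns: the iptables exit status
#######################################
nat_add_dnat()
{
  if [ "${4%%:*}" != "$4" ]; then
    "$IPTBL" -t nat -A d-nat -i "$2" -d "${4%%:*}" -p "$1" --dport "${4##*:}" -j DNAT --to "$3"
  else
    "$IPTBL" -t nat -A d-nat -i "$2" -d "$4" -p "$1" -j DNAT --to "$3"
  fi
}

#######################################
# Create the s-nat/d-nat chains, load every rule from $CONF_DIR/nat.conf and
# hook the chains into PREROUTING/POSTROUTING.
# Config line format (whitespace separated, '#' lines and blank lines ignored):
#   proto in_if out_if internal[:port] OP external[:port]
# where OP is '>' (SNAT only), '<' (DNAT only) or '=' (both).
# Every field is handed to iptables as its own argument; nothing from the file
# is ever re-parsed by a shell, so the file contents cannot run commands. The
# file still defines the firewall, so it must be writable only by the
# administrator.
# NOTE(review): --sport/--dport are only accepted by iptables for port-based
# protocols (tcp/udp, ...); a port given with proto 'all' is presumably
# rejected by iptables itself — confirm before relying on such a line.
# Globals: CONF_DIR, IPTBL (read)
# Returns: 0 when every step succeeded, 1 if the config is unreadable, a line
#   was skipped or any iptables call failed (rules are still loaded best-effort)
#######################################
do_start()
{
  nat_rc=0
  # Creating NAT chains. A second 'start' without 'stop' fails here because
  # the chains already exist; that failure is reported through the status.
  "$IPTBL" -t nat -N s-nat || nat_rc=1
  "$IPTBL" -t nat -N d-nat || nat_rc=1
  if [ ! -r "$CONF_DIR/nat.conf" ]; then
    printf '%s\n' "nat: cannot read $CONF_DIR/nat.conf" >&2
    return 1
  fi
  # Adding NAT rules from config file.
  # '|| [ -n "$proto" ]' still processes a last line without a trailing newline.
  while read -r proto iif oif int op ext _rest || [ -n "$proto" ]; do
    case "$proto" in
      ''|'#'*) continue ;;   # blank line or comment
    esac
    if ! nat_fields_ok "$proto" "$iif" "$oif" "$int" "$ext"; then
      printf '%s\n' "nat: skipping malformed line: $proto $iif $oif $int $op $ext" >&2
      nat_rc=1
      continue
    fi
    case "$op" in
      '>')
        nat_add_snat "$proto" "$oif" "$int" "$ext" || nat_rc=1
        ;;
      '<')
        nat_add_dnat "$proto" "$iif" "$int" "$ext" || nat_rc=1
        ;;
      '=')
        nat_add_snat "$proto" "$oif" "$int" "$ext" || nat_rc=1
        nat_add_dnat "$proto" "$iif" "$int" "$ext" || nat_rc=1
        ;;
      *)
        printf '%s\n' "nat: skipping line with unknown operator '$op': $proto $iif $oif $int $op $ext" >&2
        nat_rc=1
        ;;
    esac
  done < "$CONF_DIR/nat.conf"
  "$IPTBL" -t nat -A PREROUTING -j d-nat || nat_rc=1
  "$IPTBL" -t nat -A POSTROUTING -j s-nat || nat_rc=1
  return "$nat_rc"
}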
#######################################
# Tear the NAT setup down: detach d-nat/s-nat from PREROUTING/POSTROUTING,
# flush both chains, then delete them. iptables errors are silenced on
# purpose so that 'stop' also succeeds when nothing was started.
# Globals: IPTBL (read)
#######################################
do_stop()
{
  for hook in PREROUTING:d-nat POSTROUTING:s-nat; do
    "$IPTBL" -t nat -D "${hook%%:*}" -j "${hook#*:}" 2>/dev/null
  done
  # Flush (-F) both chains first, then delete (-X) both, same order as before.
  for action in F X; do
    for chain in d-nat s-nat; do
      "$IPTBL" -t nat "-$action" "$chain" 2>/dev/null
    done
  done
}
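# Entry point: dispatch on the action word. The trailing "done"/"failed" and
# the exit status reflect do_start's result; do_stop is best-effort by design.
# printf replaces 'echo -n', whose behaviour is not portable under /bin/sh.
status=0
case "$1" in
  start)
    printf '%s' "Starting NAT: "
    do_start || status=$?
    ;;
  restart)
    printf '%s' "Restarting NAT: "
    do_stop
    do_start || status=$?
    ;;
  stop)
    printf '%s' "Stopping NAT: "
    do_stop
    ;;
  *)
    printf '%s\n' "Usage: nat {start|restart|stop}" >&2
    exit 1
    ;;
esac
if [ "$status" -eq 0 ]; then
  echo "done"
else
  echo "failed"
fi
exit "$status"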
#all eth1 eth0 10.0.0.0/24 > 1.2.3.3
#tcp eth1 eth0 10.0.0.1 = 1.2.3.4
#all eth1 eth0 10.0.0.2:22 < 1.2.3.5:1022
#all eth1 eth0 10.0.0.3:22 = 1.2.3.6:44
#all eth1 eth0 10.0.0.4 > 1.2.3.8
all eth1 eth0 192.168.1.0/24 > 192.168.2.254
udp eth1 eth0 10.10.10.1 < 192.168.1.1:53
tcp eth1 eth0 10.10.10.1 < 0.0.0.0/0:25