
    1 # ------------------------------------------------------------------------------
    2 #           -= Arno's Iptables Firewall(AIF) - Outbound SNAT plugin =-
    3 #
    4 PLUGIN_NAME="Outbound SNAT plugin"
    5 PLUGIN_VERSION="1.01"
    6 PLUGIN_CONF_FILE="outbound-snat.conf"
    7 #
    8 # Last changed          : July 12, 2016
    9 # Requirements          : AIF 2.0.0+
   10 # Comments              : When a NAT'ed external interface has multiple IPv4 addresses,
   11 #                         it may be desirable to specify which internal IPs or CIDRs
   12 #                         use which external IPv4 addresses for outbound connections.
   13 #
   14 # Author                : (C) Copyright 2012-2016 by Lonnie Abelbeck & Arno van Amersfoort
   15 # Homepage              : https://rocky.eld.leidenuniv.nl/
   16 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   17 #                         (note: you must remove all spaces and substitute the @ and the .
   18 #                         at the proper locations!)
   19 # ------------------------------------------------------------------------------
   20 # This program is free software; you can redistribute it and/or
   21 # modify it under the terms of the GNU General Public License
   22 # version 2 as published by the Free Software Foundation.
   23 #
   24 # This program is distributed in the hope that it will be useful,
   25 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   26 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   27 # GNU General Public License for more details.
   28 #
   29 # You should have received a copy of the GNU General Public License
   30 # along with this program; if not, write to the Free Software
   31 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   32 # ------------------------------------------------------------------------------
   33 
# Print every IPv4 address configured on interface $1, one per line, with the
# prefix length ("/24") stripped. Prints nothing when the interface is unknown
# or carries no IPv4 address; diagnostics from ip(8) are discarded.
get_extif_ipv4_addresses()
{
  ip -o addr show dev "$1" 2>/dev/null \
    | awk '$3 == "inet" { sub("/.*", "", $4); print $4 }'
}
   39 
# Find the external interface that currently carries the IPv4 address $1.
# Candidates come from $NAT_IF (falling back to $EXT_IF) after wildcard
# expansion by wildcard_ifs. Echoes the interface name and returns 0 on the
# first match; prints nothing and returns 1 when no interface has the address.
get_extif_with_ipv4_address()
{
  local wanted="$1" candidate_if addr addr_list IFS

  # Interface lists are space- or comma-separated.
  IFS=' ,'
  for candidate_if in $(wildcard_ifs ${NAT_IF:-$EXT_IF}); do
    addr_list="$(get_extif_ipv4_addresses $candidate_if)"
    [ -n "$addr_list" ] || continue
    # The address list is newline-separated: fall back to default splitting.
    unset IFS
    for addr in $addr_list; do
      [ "$wanted" = "$addr" ] || continue
      echo "$candidate_if"
      return 0
    done
  done

  return 1
}
   60 
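# Plugin start function: (re)build the OUTBOUND_SNAT nat chain from
# $OUTBOUND_SNAT_NET_HOST and hook it into POSTROUTING.
#
# Globals:  OUTBOUND_SNAT_NET_HOST (read) - space/comma separated "net>host" rules
#           NAT_IF, EXT_IF (read)         - interface list used when "host" is not
#                                           currently found on any external interface
#           INDENT (read)                 - output indentation set by the mainline
# Outputs:  one progress line per rule on stdout; malformed rules are reported
#           on stderr and skipped
# Returns:  always 0
plugin_start()
{
  local rule net host eif IFS

  # Start from an empty chain; -N fails harmlessly when the chain already exists.
  ip4tables -t nat -N OUTBOUND_SNAT 2>/dev/null
  ip4tables -t nat -F OUTBOUND_SNAT

  IFS=' ,'
  for rule in $OUTBOUND_SNAT_NET_HOST; do
    # Split "net>host" with parameter expansion instead of echo|cut: no
    # subshells, same result (first two '>'-separated fields, both empty when
    # the delimiter is missing).
    net=""
    host=""
    case "$rule" in
      *\>*)
        net="${rule%%>*}"
        host="${rule#*>}"
        host="${host%%>*}"
        ;;
    esac

    if [ -n "$net" ] && [ -n "$host" ]; then
      # First, look for the external interface that currently carries "host".
      eif="$(get_extif_with_ipv4_address "$host")"
      if [ -n "$eif" ]; then
        # Apply to the single external interface holding "host".
        echo "${INDENT}Outbound SNAT internal $net via external $host for interface: $eif"
        ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
      else
        # "host" is not currently found on any interface: apply to all
        # NAT/external interface(s) instead. IFS is still ' ,' here (the
        # helper's unset happened in a subshell), so the list splits as intended.
        echo "${INDENT}Outbound SNAT internal $net via external $host for interface(s): ${NAT_IF:-$EXT_IF}"
        for eif in ${NAT_IF:-$EXT_IF}; do
          ip4tables -t nat -A OUTBOUND_SNAT -o $eif -s $net ! -d $net -j SNAT --to-source $host
        done
      fi
    else
      echo "** WARNING: In Variable OUTBOUND_SNAT_NET_HOST, Rule: \"$rule\" is ignored." >&2
    fi
  done

  # Hook the chain in last, so packets only traverse it once it is fully populated.
  ip4tables -t nat -A POSTROUTING -j OUTBOUND_SNAT

  return 0
}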
   98 
   99 
# Plugin restart function
#
# A restart deliberately skips plugin_stop: plugin_start flushes the
# OUTBOUND_SNAT chain itself before repopulating it.
# NOTE(review): plugin_start also appends a fresh POSTROUTING jump on every
# run and nothing here removes the previous one; presumably the firewall core
# resets the nat table around a restart — confirm.
# Returns: always 0, regardless of plugin_start's status
plugin_restart()
{
  plugin_start || :
  return 0
}
  109 
  110 
# Plugin stop function
#
# Tears down what plugin_start created, in reverse order: unhook the chain
# from POSTROUTING, empty it, then delete it.
# Returns: always 0
plugin_stop()
{
  local chain="OUTBOUND_SNAT"

  ip4tables -t nat -D POSTROUTING -j "$chain"
  ip4tables -t nat -F "$chain"
  # -X complains if the chain is already gone; that is not an error here.
  ip4tables -t nat -X "$chain" 2>/dev/null

  return 0
}
  122 
  123 
# Plugin status function
#
# This plugin reports no status information of its own.
# Returns: always 0
plugin_status() { return 0; }
  129 
  130 
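# Check sanity of eg. environment
#
# Only verifies that the sourced config file set OUTBOUND_SNAT_NET_HOST at
# all; the individual "net>host" rules are validated (and bad ones skipped
# with a warning) by plugin_start.
# Globals: OUTBOUND_SNAT_NET_HOST (read), INDENT (read)
# Returns: 0 when the variable is non-empty, 1 otherwise (message on stderr)
plugin_sanity_check()
{
  if [ -z "$OUTBOUND_SNAT_NET_HOST" ]; then
    # Keep variable data out of the printf format string: pass $INDENT as a
    # %s argument so a stray '%' or backslash in it cannot corrupt the message.
    printf '\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n' "$INDENT" >&2
    return 1
  fi

  return 0
}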
  142 
  143 
  144 ############
  145 # Mainline #
  146 ############
  147 
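# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # Variable data goes in as %s arguments, never into the printf format string.
  printf 'NOTE: Config file "%s" not found!\n        Plugin "%s v%s" ignored!\n' \
    "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file. It is executed as shell code, so it needs
  # the same ownership/permission care as the firewall scripts themselves.
  . "$CONF_FILE"

  # Run when the plugin is enabled (except on stop-restart), when it is
  # disabled and the command is stop-restart, or when a plugin file was
  # explicitly loaded and the command is stop or status. Single-condition
  # tests joined with && replace the ambiguous '-a' operator.
  if { [ "$ENABLED" = "1" ] && [ "$PLUGIN_CMD" != "stop-restart" ]; } ||
     { [ "$ENABLED" = "0" ] && [ "$PLUGIN_CMD" = "stop-restart" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indentation for everything the plugin functions print
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|''         ) plugin_start; PLUGIN_RET_VAL=$? ;;
        restart          ) plugin_restart; PLUGIN_RET_VAL=$? ;;
        stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status           ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *                )
          PLUGIN_RET_VAL=1
          printf '\033[40m\033[1;31m%sERROR: Invalid plugin option "%s"!\033[0m\n' "$INDENT" "$PLUGIN_CMD" >&2
          ;;
      esac
    fi
  fi
fi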