# Source NAT
} elsif ($NAT_MODE eq "SNAT") {
+ my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
my @nat_options = @options;
+ # Get addresses for the configured firewall interfaces.
+ my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+
+ # Check if the nat_address is one of the local addresses.
+ foreach my $local_address (@local_addresses) {
+ if ($nat_address eq $local_address) {
+ # Clear SNAT options.
+ @snat_options = ();
+
+ # Finish loop.
+ last;
+ }
+ }
+
push(@nat_options, @destination_intf_options);
push(@nat_options, @source_options);
push(@nat_options, @destination_options);
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
}
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
}
}
push(@options, @destination_options);
# Insert firewall rule.
- if ($LOG && !$NAT) {
+ if ($LOG) {
run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
}
run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
# is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
# for the firewall, too.
if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
- if ($LOG && !$NAT) {
+ if ($LOG) {
run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
}
run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
# Likewise.
if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
- if ($LOG && !$NAT) {
+ if ($LOG) {
run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
}
run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");