X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Ffirewall%2Frules.pl;h=40a2632005ceb09f238cd6b7e614463b2634ca74;hp=57abbdf057d1645b522bc8af51b550326fcfdde3;hb=8b58dbf32a1cd937b1ab66b9b88b17795abf968e;hpb=4e033257efd8425a6d36843c330b3762108cef1f diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 57abbdf057..40a2632005 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -505,16 +505,31 @@ sub buildrules { # Source NAT } elsif ($NAT_MODE eq "SNAT") { + my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" ); my @nat_options = @options; + # Get addresses for the configured firewall interfaces. + my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1); + + # Check if the nat_address is one of the local addresses. + foreach my $local_address (@local_addresses) { + if ($nat_address eq $local_address) { + # Clear SNAT options. + @snat_options = (); + + # Finish loop. + last; + } + } + push(@nat_options, @destination_intf_options); push(@nat_options, @source_options); push(@nat_options, @destination_options); if ($LOG) { - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); } - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address"); + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address"); } } @@ -522,7 +537,7 @@ sub buildrules { push(@options, @destination_options); # Insert firewall rule. - if ($LOG && !$NAT) { + if ($LOG) { run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '"); } run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target"); 
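Review bot: The new `@snat_options` policy match (`-m policy --dir out --pol none`, which matches packets that will not receive outgoing IPsec processing) and the loop that clears it for a local address carry no comment saying why, so a later reader cannot tell that SNAT is deliberately withheld from to-be-encrypted traffic; I would put `# Do not SNAT packets that will be IPsec-encrypted (outgoing xfrm policy), unless the rule maps to one of the firewall's own addresses.` above the `my @snat_options` line, and confirm that intent against the commit message. The exception relies on exact string equality, so if `$nat_address` can be anything other than a plain address (a `--to-source` range or a `:port` suffix), the policy match silently stays in place; if that is possible, a note there would help. The search itself can be one statement, `@snat_options = () if grep { $_ eq $nat_address } @local_addresses;`, replacing the foreach/last loop, and `&fwlib::get_internal_firewall_ip_addresses(1)` is re-evaluated for every SNAT rule, which could presumably be hoisted out of the per-rule loop if the address list does not change between rules. buildrules starts before this hunk and continues after it.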
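Review bot: Dropping `!$NAT` from the LOG condition means a logged rule that also has NAT now emits a LOG entry in `$chain` in addition to the `SNAT ` entry written by the nat-table rule in the previous hunk, so the first packet of one connection may appear twice in the log with different prefixes; if that is intended, a one-line comment above `if ($LOG) {` such as `# NAT rules are logged here as well, not only in the nat table.` would record it for whoever tunes the log limits. The same `!$NAT` removal appears in the two following hunks (the `$CHAIN_INPUT` and `$CHAIN_OUTPUT` rules), so the comment belongs in each place or once at the top of the rule-insertion section. buildrules continues beyond this hunk.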
@@ -533,7 +548,7 @@ sub buildrules { # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access # for the firewall, too. if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) { - if ($LOG && !$NAT) { + if ($LOG) { run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '"); } run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target"); @@ -541,7 +556,7 @@ sub buildrules { # Likewise. if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) { - if ($LOG && !$NAT) { + if ($LOG) { run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '"); } run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");