From 83ef9c40ef86a4d3c18b81295b5866862fad5257 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 17 May 2014 14:08:52 +0200
Subject: [PATCH] firewall: Allow to disable masquerading.
---
 doc/language_issues.es | 6 +++
 doc/language_issues.fr | 6 +++
 doc/language_issues.nl | 6 +++
 doc/language_issues.pl | 6 +++
 doc/language_issues.ru | 6 +++
 doc/language_issues.tr | 6 +++
 doc/language_missings | 24 +++++++++++
 html/cgi-bin/optionsfw.cgi | 70 ++++++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl | 6 +++
 langs/en/cgi-bin/en.pl | 6 +++
 src/initscripts/init.d/firewall | 25 +++++++++++-
 11 files changed, 164 insertions(+), 3 deletions(-)
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 1176883629..a00298336a 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -860,6 +860,12 @@ WARNING: untranslated string: last
 WARNING: untranslated string: least preferred
 WARNING: untranslated string: lifetime
 WARNING: untranslated string: mac filter
+WARNING: untranslated string: masquerade blue
+WARNING: untranslated string: masquerade green
+WARNING: untranslated string: masquerade orange
+WARNING: untranslated string: masquerading
+WARNING: untranslated string: masquerading disabled
+WARNING: untranslated string: masquerading enabled
 WARNING: untranslated string: maximum
 WARNING: untranslated string: minimum
 WARNING: untranslated string: minute
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index beca0080bf..de6dc8ac73 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -871,6 +871,12 @@ WARNING: untranslated string: last
 WARNING: untranslated string: least preferred
 WARNING: untranslated string: lifetime
 WARNING: untranslated string: mac filter
+WARNING: untranslated string: masquerade blue
+WARNING: untranslated string: masquerade green
+WARNING: untranslated string: masquerade orange
+WARNING: untranslated string: masquerading
+WARNING: untranslated string: masquerading disabled
+WARNING: untranslated string: masquerading enabled
 WARNING: untranslated string: maximum
 WARNING: untranslated string: minimum
 WARNING: untranslated string: minute
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 6162636f61..ee7096f521 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -683,6 +683,12 @@ WARNING: untranslated string: gen dh
 WARNING: untranslated string: generate dh key
 WARNING: untranslated string: imei
 WARNING: untranslated string: imsi
+WARNING: untranslated string: masquerade blue
+WARNING: untranslated string: masquerade green
+WARNING: untranslated string: masquerade orange
+WARNING: untranslated string: masquerading
+WARNING: untranslated string: masquerading disabled
+WARNING: untranslated string: masquerading enabled
 WARNING: untranslated string: model
 WARNING: untranslated string: modem hardware details
 WARNING: untranslated string: modem information
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 1176883629..a00298336a 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -860,6 +860,12 @@ WARNING: untranslated string: last
 WARNING: untranslated string: least preferred
 WARNING: untranslated string: lifetime
 WARNING: untranslated string: mac filter
+WARNING: untranslated string: masquerade blue
+WARNING: untranslated string: masquerade green
+WARNING: untranslated string: masquerade orange
+WARNING: untranslated string: masquerading
+WARNING: untranslated string: masquerading disabled
+WARNING: untranslated string: masquerading enabled
 WARNING: untranslated string: maximum
 WARNING: untranslated string: minimum
 WARNING: untranslated string: minute
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 547e1d4062..f7a84280cf 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -856,6 +856,12 @@ WARNING: untranslated string: last
 WARNING: untranslated string: least preferred
 WARNING: untranslated string: lifetime
 WARNING: untranslated string: mac filter
+WARNING: untranslated string: masquerade blue
+WARNING: untranslated string: masquerade green
+WARNING: untranslated string: masquerade orange
+WARNING: untranslated string: masquerading
+WARNING: untranslated string: masquerading disabled
+WARNING: untranslated string: masquerading enabled
 WARNING: untranslated string: maximum
 WARNING: untranslated string: minimum
 WARNING: untranslated string: minute
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index cc40178b83..9e6d3d5577 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -683,6 +683,12 @@ WARNING: untranslated string: gen dh
 WARNING: untranslated string: generate dh key
 WARNING: untranslated string: imei
 WARNING: untranslated string: imsi
+WARNING: untranslated string: masquerade blue
+WARNING: untranslated string: masquerade green
+WARNING: untranslated string: masquerade orange
+WARNING: untranslated string: masquerading
+WARNING: untranslated string: masquerading disabled
+WARNING: untranslated string: masquerading enabled
 WARNING: untranslated string: model
 WARNING: untranslated string: modem hardware details
 WARNING: untranslated string: modem information
diff --git a/doc/language_missings b/doc/language_missings
index 4699f1276d..27f9b964f7 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -334,6 +334,12 @@
 < least preferred
 < lifetime
 < mac filter
+< masquerade blue
+< masquerade green
+< masquerade orange
+< masquerading
+< masquerading disabled
+< masquerading enabled
 < maximum
 < MB read
 < MB written
@@ -865,6 +871,12 @@
 < least preferred
 < lifetime
 < mac filter
+< masquerade blue
+< masquerade green
+< masquerade orange
+< masquerading
+< masquerading disabled
+< masquerading enabled
 < maximum
 < MB read
 < MB written
@@ -1380,6 +1392,12 @@
 < least preferred
 < lifetime
 < mac filter
+< masquerade blue
+< masquerade green
+< masquerade orange
+< masquerading
+< masquerading disabled
+< masquerading enabled
 < maximum
 < MB read
 < MB written
@@ -1886,6 +1904,12 @@
 < least preferred
 < lifetime
 < mac filter
+< masquerade blue
+< masquerade green
+< masquerade orange
+< masquerading
+< masquerading disabled
+< masquerading enabled
 < maximum
 < MB read
 < MB written
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 00fa1b45a2..34e0cdcaba 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -70,6 +70,17 @@ if ($errormessage) { &Header::closebox(); } +# Set new defaults +if (!$settings{'MASQUERADE_GREEN'}) { + $settings{'MASQUERADE_GREEN'} = 'on'; +} +if (!$settings{'MASQUERADE_ORANGE'}) { + $settings{'MASQUERADE_ORANGE'} = 'on'; +} +if (!$settings{'MASQUERADE_BLUE'}) { + $settings{'MASQUERADE_BLUE'} = 'on'; +} + $checked{'DROPNEWNOTSYN'}{'off'} = ''; $checked{'DROPNEWNOTSYN'}{'on'} = ''; $checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'"; @@ -112,12 +123,69 @@ $checked{'SHOWDROPDOWN'}{$settings{'SHOWDROPDOWN'}} = "checked='checked'"; $selected{'FWPOLICY'}{$settings{'FWPOLICY'}}= 'selected'; $selected{'FWPOLICY1'}{$settings{'FWPOLICY1'}}= 'selected'; $selected{'FWPOLICY2'}{$settings{'FWPOLICY2'}}= 'selected'; +$selected{'MASQUERADE_GREEN'}{'off'} = ''; +$selected{'MASQUERADE_GREEN'}{'on'} = ''; +$selected{'MASQUERADE_GREEN'}{$settings{'MASQUERADE_GREEN'}} = 'selected="selected"'; +$selected{'MASQUERADE_ORANGE'}{'off'} = ''; +$selected{'MASQUERADE_ORANGE'}{'on'} = ''; +$selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="selected"'; +$selected{'MASQUERADE_BLUE'}{'off'} = ''; +$selected{'MASQUERADE_BLUE'}{'on'} = ''; +$selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; &Header::openbox('100%', 'center',); print "
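Review bot: The `# Set new defaults` block says that the three MASQUERADE_* keys are forced to 'on' when missing but not why, so a reader cannot tell that this mirrors the firewall initscript, which skips masquerading only when the value is exactly "off" — an absent key therefore means "enabled" on both sides. A comment such as `# Masquerading stays enabled unless explicitly set to 'off'; the firewall initscript applies the same rule` would pin that contract where the default is chosen. The defaults are written into %settings after the settings file has been read, presumably outside this hunk, so whether the saved file is also backfilled with these keys cannot be seen here.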
"; -print < + + + + + + + + +END + + if (&Header::orange_used()) { + print < + + + +END + } + + if (&Header::blue_used()) { + print < + + + +END + } + + print < + +
+
$Lang::tr{'masquerading'}
$Lang::tr{'masquerade green'} + +
$Lang::tr{'masquerade orange'} + +
$Lang::tr{'masquerade blue'} + +
$Lang::tr{'fw logging'}
$Lang::tr{'drop newnotsyn'}on /
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 556e65cfd3..1f0a639422 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1432,6 +1432,12 @@
 'map to guest' => 'Map to Guest',
 'march' => 'März',
 'marked' => 'Markiert',
+'masquerade blue' => 'NAT auf BLAU',
+'masquerade green' => 'NAT auf GREEN',
+'masquerade orange' => 'NAT auf ORANGE',
+'masquerading' => 'Masquerading/NAT',
+'masquerading disabled' => 'NAT ausgeschaltet',
+'masquerading enabled' => 'NAT eingeschaltet',
 'max bandwith' => 'Maximale Bandbreite',
 'max incoming size' => 'Max. eingehende Größe (kB):',
 'max lease time' => 'Max. Haltezeit in min:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index f4fafca080..3266190f39 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1462,6 +1462,12 @@
 'map to guest' => 'Map to Guest',
 'march' => 'March',
 'marked' => 'Marked',
+'masquerade blue' => 'Masquerade BLUE',
+'masquerade green' => 'Masquerade GREEN',
+'masquerade orange' => 'Masquerade ORANGE',
+'masquerading' => 'Masquerading',
+'masquerading disabled' => 'Masquerading disabled',
+'masquerading enabled' => 'Masquerading enabled',
 'max bandwith' => 'Maximum bandwith',
 'max incoming size' => 'Max incoming size (KB):',
 'max lease time' => 'Max lease time (mins):',
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 7a18502bfa..a49dcdee6d 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -336,10 +336,31 @@ iptables_red() {
 # Outgoing masquerading (don't masqerade IPSEC (mark 50))
 iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- if [ "$IFACE" != "$GREEN_DEV" ]; then
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ if [ "$IFACE" = "$GREEN_DEV" ]; then
+ MASQUERADE_GREEN="off"
 fi
+ local NO_MASQ_DEVICES
+
+ if [ "${MASQUERADE_GREEN}" = "off" ]; then
+ NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${GREEN_DEV}"
+ fi
+
+ if [ "${MASQUERADE_BLUE}" = "off" ]; then
+ NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${BLUE_DEV}"
+ fi
+
+ if [ "${MASQUERADE_ORANGE}" = "off" ]; then
+ NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${ORANGE_DEV}"
+ fi
+
+ local device
+ for device in ${NO_MASQ_DEVICES}; do
+ iptables -t nat -A REDNAT -i "${device}" -o "${IFACE}" -j RETURN
+ done
+
+ # Masquerade everything else
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
 fi
 # Reload all rules.
-- 
2.39.2
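Review bot: `MASQUERADE_GREEN="off"` inside the `if [ "$IFACE" = "$GREEN_DEV" ]` branch overwrites the configuration variable itself rather than a per-call copy, so if iptables_red is invoked more than once in a run, or MASQUERADE_GREEN is read anywhere later in the script, GREEN masquerading stays disabled for every following interface regardless of the configured value. Keep the override local to the function: `local masq_green="${MASQUERADE_GREEN}"`, then `[ "$IFACE" = "$GREEN_DEV" ] && masq_green="off"`, and test `if [ "${masq_green}" = "off" ]; then`. The three `= "off"` comparisons mean an unset or mistyped value silently enables masquerading; the MASQUERADE_* variables are presumably sourced from the optionsfw settings file earlier in the script, outside the hunk, so a comment such as `# MASQUERADE_* default to enabled unless explicitly "off" (matches optionsfw.cgi)` would make that fail-to-NAT behaviour explicit. The closing `-o $IFACE` is still unquoted while the new RETURN rules quote `"${IFACE}"`; quoting it consistently is cheap. The body of iptables_red starts before and continues after this hunk.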