Hi,
I'm migrating from White Russian to Backfire, and looking at the UCI
firewall script.
I have both NAT'd and routed subnets, but the default UCI firewall
script masquerades all traffic through the WAN interface.
Is there any appetite for a patch like this, to only masquerade private
addresses?
Regards,
Jon
$ diff -u uci_firewall.sh.orig uci_firewall.sh
--- uci_firewall.sh.orig 2010-08-06 16:30:05.780881723 +0100
+++ uci_firewall.sh 2010-08-06 16:33:53.946881629 +0100
@@ -90,7 +90,9 @@
$IPTABLES -I zone_${zone}_ACCEPT 1 -i "$ifname" -j ACCEPT
$IPTABLES -I zone_${zone}_DROP 1 -i "$ifname" -j DROP
$IPTABLES -I zone_${zone}_REJECT 1 -i "$ifname" -j reject
- $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE
+ $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -s 192.168.0.0/16
-j MASQUERADE
+ $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -s 172.16.0.0/12
-j MASQUERADE
+ $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -s 10.0.0.0/8 -j
MASQUERADE
$IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting
$IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward
$IPTABLES -t raw -I PREROUTING 1 -i "$ifname" -j zone_${zone}_notrack
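Review bot: the three new MASQUERADE rules hard-code the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) into the script, which silently changes behaviour for anyone whose LAN uses other addressing and leaves no way to add or drop a range without editing the script. Consider driving the source list from a per-zone UCI option (a list of source networks, defaulting to the current masquerade-everything behaviour) and looping over it, so the routed-subnet case is opt-in and existing configurations keep working. Also note that the mail client has wrapped the added lines (`-s 192.168.0.0/16` and `-j MASQUERADE` are split across two lines), so the patch as posted will not apply with `patch -p0`; resend it as an attachment or with line wrapping disabled.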
@@ -113,7 +115,9 @@
$IPTABLES -D zone_${zone}_ACCEPT -i "$ifname" -j ACCEPT
$IPTABLES -D zone_${zone}_DROP -i "$ifname" -j DROP
$IPTABLES -D zone_${zone}_REJECT -i "$ifname" -j reject
- $IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -j MASQUERADE
+ $IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -s 192.168.0.0/16 -j
MASQUERADE
+ $IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -s 172.16.0.0/12 -j
MASQUERADE
+ $IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -s 10.0.0.0/8 -j
MASQUERADE
$IPTABLES -D PREROUTING -t nat -i "$ifname" -j zone_${zone}_prerouting
$IPTABLES -D forward -i "$ifname" -j zone_${zone}_forward
uci_revert_state firewall core "${network}_ifname"
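Review bot: `iptables -D` removes a rule only when the specification matches the inserted one exactly, so these three `-D` lines must stay byte-for-byte identical to the `-I` lines in the first hunk (same `-s` ranges, same order of arguments) or the rules will be left behind on interface down. Factoring the range list into one variable (or the UCI option suggested above) that both the add and delete paths iterate over would keep the two in sync and avoid a stale MASQUERADE rule when one side is edited later. The same line-wrapping problem applies here: `-j` and `MASQUERADE` are on separate lines, so this hunk will not apply as posted either.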
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel