@jow:
I objected to the claim that SNAT will always work properly.
Take for example:
config 'redirect'
	option 'src' 'lan'
	option 'src_ip' '192.168.1.104'
	option 'dest' 'wan'
	option 'dest_ip' '178.36.7.175'
	option 'target' 'SNAT'
In this case the result looks like the following:
Chain zone_lan_nat (0 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
SNAT tcp -- 192.168.1.104 anywhere to:178.36.7.175
SNAT udp -- 192.168.1.104 anywhere to:178.36.7.175
So the SNAT rules are placed after MASQUERADE, and these two SNAT entries will never be executed.
Or take another example:
I want to do something like this:
iptables -t nat -I zone_lan_nat -p tcp --src 192.168.1.0/24 --dst 192.168.1.10 --dport 5555 -j SNAT --to 192.168.1.1
If you do this:
config 'redirect'
	option 'src' 'lan'
	option 'src_ip' '192.168.1.0/24'
	option 'src_dport' '5555'
	option 'src_dip' '192.168.1.1'
	option 'dest' 'lan'
	option 'dest_ip' '192.168.1.10'
	option 'target' 'SNAT'
you get the following result:
Chain zone_lan_nat (0 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
SNAT tcp -- 192.168.1.0/24 192.168.1.1 tcp dpt:5555 to:192.168.1.10
SNAT udp -- 192.168.1.0/24 192.168.1.1 udp dpt:5555 to:192.168.1.10
And again, the SNAT rules have been placed after MASQUERADE.
I propose modifying the file
/lib/firewall/uci_firewall.sh
at the MASQUERADE line. Patch: uci_firewall.sh.diff
Index: package/firewall/files/uci_firewall.sh
===================================================================
--- package/firewall/files/uci_firewall.sh (wersja 22996)
+++ package/firewall/files/uci_firewall.sh (kopia robocza)
@@ -101,7 +101,7 @@
[ "${msrc#!}" != "$msrc" ] && msrc="! -s ${msrc#!}" || msrc="-s $msrc"
for mdst in ${masq_dest:-0.0.0.0/0}; do
[ "${mdst#!}" != "$mdst" ] && mdst="! -d ${mdst#!}" || mdst="-d $mdst"
- $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" $msrc $mdst -j MASQUERADE
+ $IPTABLES -A zone_${zone}_nat -t nat -o "$ifname" $msrc $mdst -j MASQUERADE
done
done
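Review bot: switching from `-I zone_${zone}_nat 1` to `-A zone_${zone}_nat` only puts MASQUERADE behind the SNAT rules if every redirect rule for the zone has already been added to the chain when this masquerade loop runs; any SNAT/DNAT rule appended to the same chain afterwards (for example when the rules are (re)loaded in a different order) lands behind MASQUERADE again and is shadowed just as before. Either document that the redirect rules are always set up before the masquerade loop, or have the redirect code insert its rules at position 1 so that the order no longer depends on which code path runs first. Note also that the loop appends one MASQUERADE per `masq_src`/`masq_dest` pair; with `-A` the rule order within the chain now follows list order, whereas `-I 1` reversed it, so anyone relying on the old relative order of negated (`!`) entries should re-check it.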
After this change, everything looks correct:
Chain zone_lan_nat (1 references)
target prot opt source destination
SNAT tcp -- 192.168.1.0/24 192.168.1.1 tcp dpt:5555 to:192.168.1.10
SNAT udp -- 192.168.1.0/24 192.168.1.1 udp dpt:5555 to:192.168.1.10
SNAT tcp -- 192.168.1.104 anywhere to:178.36.7.175
SNAT udp -- 192.168.1.104 anywhere to:178.36.7.175
MASQUERADE all -- anywhere anywhere
And a second question:
what is the zone_lan_nat chain for?
After all, this chain is never used unless we add
config 'zone'
	option 'name' 'lan'
	option 'input' 'ACCEPT'
	option 'output' 'ACCEPT'
	option 'forward' 'REJECT'
	option 'masq' '1'
Then we get:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
postrouting_rule all -- anywhere anywhere
zone_lan_nat all -- anywhere anywhere
zone_wan_nat all -- anywhere anywhere
but that is logical.
(Last edited by rpc on 10 Sep 2010, 10:36)
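As an added example for this thread (not code from rpc's post or from OpenWrt's uci_firewall.sh), the following shell check reads the text of `iptables -t nat -L <chain>` and reports every NAT rule that sits behind a catch-all MASQUERADE in the same chain, which is exactly the misordering shown above. The two sample listings are constructed to match the shape of the chain before and after the patch. The check is approximate: `-L` without `-v` does not show `-o`/`-i` interface matches, so a MASQUERADE that is limited to one interface still looks like a catch-all here.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenWrt. Detect SNAT/DNAT
# rules that can never match because an earlier MASQUERADE in the same
# chain already catches every packet.

# Constructed sample: chain as rendered before the patch (MASQUERADE first).
LAN_NAT_BEFORE='Chain zone_lan_nat (0 references)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
SNAT       tcp  --  192.168.1.0/24       192.168.1.1          tcp dpt:5555 to:192.168.1.10
SNAT       udp  --  192.168.1.0/24       192.168.1.1          udp dpt:5555 to:192.168.1.10
SNAT       tcp  --  192.168.1.104        anywhere             to:178.36.7.175
SNAT       udp  --  192.168.1.104        anywhere             to:178.36.7.175'

# Constructed sample: chain as rendered after the patch (MASQUERADE last).
LAN_NAT_AFTER='Chain zone_lan_nat (1 references)
target     prot opt source               destination
SNAT       tcp  --  192.168.1.0/24       192.168.1.1          tcp dpt:5555 to:192.168.1.10
SNAT       udp  --  192.168.1.0/24       192.168.1.1          udp dpt:5555 to:192.168.1.10
SNAT       tcp  --  192.168.1.104        anywhere             to:178.36.7.175
SNAT       udp  --  192.168.1.104        anywhere             to:178.36.7.175
MASQUERADE all  --  anywhere             anywhere'

# shadowed_nat_rules LISTING
# Prints one line per shadowed rule. Exit status 0 when nothing is shadowed,
# 1 when at least one rule sits behind a catch-all MASQUERADE.
shadowed_nat_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / || $1 == "target" || NF == 0 { next }   # chain header, column header, blanks
        { n++ }                                          # 1-based rule position in the chain
        # Catch-all: MASQUERADE on all protocols, unrestricted source and
        # destination (-L prints "anywhere", -L -n prints "0.0.0.0/0") and no
        # further match, i.e. exactly the five standard columns.
        !masq && $1 == "MASQUERADE" && $2 == "all" && NF == 5 &&
            ($4 == "anywhere" || $4 == "0.0.0.0/0") &&
            ($5 == "anywhere" || $5 == "0.0.0.0/0") { masq = n; next }
        # Every NAT target after that point is unreachable.
        masq && ($1 == "SNAT" || $1 == "DNAT" || $1 == "MASQUERADE" || $1 == "NETMAP") {
            printf "rule %d (%s %s from %s to %s) is shadowed by MASQUERADE at rule %d\n",
                   n, $1, $2, $4, $5, masq
            found = 1
        }
        END { exit found + 0 }
    '
}

# Demo on the constructed listings. On a live box use:
#   shadowed_nat_rules "$(iptables -t nat -L zone_lan_nat -n)"
echo "before the patch:"
shadowed_nat_rules "$LAN_NAT_BEFORE" || echo "-> chain needs reordering"
echo "after the patch:"
shadowed_nat_rules "$LAN_NAT_AFTER" && echo "-> no shadowed rules"
```

The awk program keys on the first catch-all MASQUERADE only; a MASQUERADE that carries a source, destination or port restriction has more than five columns and is treated like any other NAT rule, so it is reported when it is itself shadowed but does not start shadowing on its own.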