start() {
include /lib/network
scan_interfaces
- config_load /var/state/network
config_get WAN wan ifname
config_get WANDEV wan device
config_get LAN lan ifname
+ config_get_bool NAT_LAN lan nat 1
+ if [ $NAT_LAN -ne 0 ]
+ then
+ config_get LAN_MASK lan netmask
+ config_get LAN_IP lan ipaddr
+ LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
+ fi
## CLEAR TABLES
for T in filter nat; do
iptables -t nat -A PREROUTING -j prerouting_rule
[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
iptables -t nat -A POSTROUTING -j postrouting_rule
- ### Only RFC1918 addresses
- [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src 192.168.0.0/16 -o $WAN -j MASQUERADE
- [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src 172.16.0.0/12 -o $WAN -j MASQUERADE
- [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src 10.0.0.0/8 -o $WAN -j MASQUERADE
+ ### Only LAN, unless told not to
+ if [ $NAT_LAN -ne 0 ]
+ then
+ [ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
+ fi
iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
iptables -t nat -A NEW -j DROP
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
- [ -n "$WAN" -a -e /etc/config/firewall ] && {
+ [ -n "$WAN" -a -e /etc/firewall.config ] && {
export WAN
- awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+ awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
}
}