package/firewall/files/reflection.hotplug

   1 #!/bin/sh
   2 # Setup NAT reflection rules
   3
   4 . /etc/functions.sh
   5
   6 if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
   7         local wanip=$(uci -P/var/state get network.wan.ipaddr)
   8
   9         iptables -t nat -F nat_reflection_in 2>/dev/null || {
  10                 iptables -t nat -N nat_reflection_in
  11                 iptables -t nat -A prerouting_rule -j nat_reflection_in
  12         }
  13
  14         iptables -t nat -F nat_reflection_out 2>/dev/null || {
  15                 iptables -t nat -N nat_reflection_out
  16                 iptables -t nat -A postrouting_rule -j nat_reflection_out
  17         }
  18
  19         setup_fwd() {
  20                 local cfg="$1"
  21
  22                 local src
  23                 config_get src "$cfg" src
  24
  25                 [ "$src" = wan ] && {
  26                         local dest
  27                         config_get dest "$cfg" dest "lan"
  28
  29                         local lanip=$(uci -P/var/state get network.$dest.ipaddr)
  30                         local lanmk=$(uci -P/var/state get network.$dest.netmask)
  31
  32                         local proto
  33                         config_get proto "$cfg" proto
  34
  35                         local epmin epmax extport
  36                         config_get extport "$cfg" src_dport
  37                         [ -n "$extport" ] || return
  38
  39                         epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
  40                         [ "$epmin" != "$epmax" ] || epmax=""
  41
  42                         local ipmin ipmax intport
  43                         config_get intport "$cfg" dest_port "$extport"
  44
  45                         ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
  46                         [ "$ipmin" != "$ipmax" ] || ipmax=""
  47
  48                         local exthost
  49                         config_get exthost "$cfg" src_dip "$wanip"
  50
  51                         local inthost
  52                         config_get inthost "$cfg" dest_ip
  53                         [ -n "$inthost" ] || return
  54
  55                         [ "$proto" = tcpudp ] && proto="tcp udp"
  56
  57                         local p
  58                         for p in ${proto:-tcp udp}; do
  59                                 case "$p" in
  60                                         tcp|udp)
  61                                                 iptables -t nat -A nat_reflection_in \
  62                                                         -s $lanip/$lanmk -d $exthost \
  63                                                         -p $p --dport $epmin${epmax:+:$epmax} \
  64                                                         -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
  65
  66                                                 iptables -t nat -A nat_reflection_out \
  67                                                         -s $lanip/$lanmk -d $inthost \
  68                                                         -p $p --dport $ipmin${ipmax:+:$ipmax} \
  69                                                         -j SNAT --to-source $lanip
  70                                         ;;
  71                                 esac
  72                         done
  73                 }
  74         }
  75
  76         config_load firewall
  77         config_foreach setup_fwd redirect
  78 fi
  79