[Firewall] NAT Loopback, code review

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Oct 10 23:12:53 CEST 2012


Hi, Eli and others that would like to test a NAT Loopback feature.

A "custom-rules" script is attached.  The feature can be easily disabled by commenting out the last "custom_nat_loopback" line and restarting AIF.  It uses the existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules, so no configuring is needed.

Though the variable NAT_LOOPBACK_NET can define which local nets the rules apply to; if it is not defined, NAT_INTERNAL_NET is used by default.

Please take a look at this script, a code review of sorts.  Do we need to restrict the iptables rules any more?

It seems to work in my tests.

Assumptions:
1) Static external IPv4 address, or the firewall is reloaded if/when the external address changes.

2) AIF is started after the external interface is defined, on system startup.

3) If more than one external interface is defined, only the first is used to extract the default IPv4 address.

Please report results.


Lonnie

PS: Some time ago Arno received an email from Guzman Braso with a somewhat different (and clever) approach; unfortunately I was not able to get it to work.  If Guzman is listening and has suggestions, please do.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: custom-rules
Type: application/octet-stream
Size: 2799 bytes
Desc: not available
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20121010/397130cf/attachment.obj>
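An added sketch of the nat-table rule shape such a loopback feature needs, written for this page and not the attached custom-rules script (which is not reproduced here); it assumes AIF's "port>host[:port]" forward syntax and constructed addresses, and only prints the iptables commands so they can be reviewed offline.

```shell
#!/bin/sh
# Added illustration, not the attached custom-rules script. It only prints
# iptables commands, so the rule shape can be reviewed without touching a
# firewall. Assumptions: AIF's "port>host[:port]" forward syntax and the
# variable names are taken from the mail; all addresses are constructed.

# First global IPv4 address of an interface (assumption 3 in the mail:
# only the first external interface is consulted). Not used offline.
ext_ip_of() {
    ip -4 -o addr show dev "$1" scope global | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Print the two nat-table rules one forward entry needs for loopback.
# $1 proto (tcp|udp), $2 entry ("80>192.168.1.10" or "8443>192.168.1.10:443"),
# $3 external IPv4 address, $4 net the loopback applies to (NAT_LOOPBACK_NET).
nat_loopback_rules() {
    proto=$1 entry=$2 ext_ip=$3 lan_net=$4
    ext_port=${entry%%\>*}                 # text before '>'
    target=${entry#*\>}                    # text after '>'
    case $target in
        *:*) host=${target%%:*} int_port=${target#*:} ;;
        *)   host=$target        int_port=$ext_port ;;
    esac
    # LAN client -> external IP:port is rewritten to the internal server.
    # Matching -s, -d, -p and --dport keeps the rule from catching anything
    # but loopback traffic for this one forward.
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lan_net" "$ext_ip" "$proto" "$ext_port" "$host" "$int_port"
    # Without this the server answers the LAN client directly and the client
    # drops the reply (unexpected source address), so the firewall masquerades
    # LAN -> server traffic for this port to keep replies flowing through it.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p %s --dport %s -j MASQUERADE\n' \
        "$lan_net" "$host" "$proto" "$int_port"
}

# Expand a whole NAT_FORWARD_TCP / NAT_FORWARD_UDP style list.
nat_loopback_all() {
    for fwd in $2; do
        nat_loopback_rules "$1" "$fwd" "$3" "$4"
    done
}

# Example run with constructed values; forwarded hosts live in 192.168.1.0/24.
nat_loopback_all tcp "80>192.168.1.10 8443>192.168.1.10:443" 203.0.113.5 192.168.1.0/24
nat_loopback_all udp "5060>192.168.1.20" 203.0.113.5 192.168.1.0/24
```

The FORWARD-chain acceptance for the forwarded ports is left to the existing NAT_FORWARD rules, as the mail describes.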