verzia 2.32, 2006/01/09 00:52:06 |
verzia 2.35, 2006/01/10 01:33:26 |
|
|
echo -en " $src_port -> $local_machine:$dest_port" |
echo -en " $src_port -> $local_machine:$dest_port" |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d ${!lan_ip} \ |
$IPTABLES -t nat -A PREROUTING -p TCP -i $NAT_LAN_IFACE -d ${!lan_ip} \ |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
--dport $src_port -j DNAT --to $local_machine:$dest_port |
$IPTABLES -A FORWARD -p TCP -i eth0 -d $local_machine --dport $dest_port -j ACCEPT |
$IPTABLES -A FORWARD -p TCP -i $NAT_LAN_IFACE -d $local_machine --dport $dest_port -j ACCEPT |
done |
done |
echo " done." |
echo " done." |
fi |
fi |
Riadok 660 do_ip_accounting() |
|
Riadok 660 do_ip_accounting() |
|
|
|
if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then |
if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
if [ ! -z "$NAT_LAN_IFACE" ]; then |
IPACCT_IN_NAME="IPACCT_IN" |
IPACCT_NAME="ZORBCOUNT" |
IPACCT_OUT_NAME="IPACCT_OUT" |
IPACCT_IN_NAME="ZORBCOUNTIN" |
|
IPACCT_OUT_NAME="ZORBCOUNTOUT" |
|
$IPTABLES -N $IPACCT_NAME # whole network |
$IPTABLES -N $IPACCT_IN_NAME # download: from server to client |
$IPTABLES -N $IPACCT_IN_NAME # download: from server to client |
|
$IPTABLES -A $IPACCT_IN_NAME |
$IPTABLES -N $IPACCT_OUT_NAME # upload: from client to server |
$IPTABLES -N $IPACCT_OUT_NAME # upload: from client to server |
|
$IPTABLES -A $IPACCT_OUT_NAME |
|
|
ip="IP_$NAT_SUBNET_IFACE"; |
ip="IP_$NAT_SUBNET_IFACE"; |
netmask="Mask_$NAT_SUBNET_IFACE" |
netmask="Mask_$NAT_SUBNET_IFACE" |
localnet="${!ip}/${!netmask}" |
localnet="${!ip}/${!netmask}" |
|
|
$IPTABLES -A FORWARD -i $NAT_LAN_IFACE -d $localnet -j $IPACCT_IN_NAME |
$IPTABLES -I INPUT -i $NAT_LAN_IFACE -j $IPACCT_IN_NAME |
$IPTABLES -A FORWARD -o $NAT_LAN_IFACE -s $localnet -j $IPACCT_OUT_NAME |
$IPTABLES -I OUTPUT -o $NAT_LAN_IFACE -j $IPACCT_OUT_NAME |
|
|
|
$IPTABLES -I FORWARD -s $localnet -o $NAT_LAN_IFACE -j $IPACCT_NAME |
|
$IPTABLES -I FORWARD -d $localnet -i $NAT_LAN_IFACE -j $IPACCT_NAME |
|
|
for client_ip in $IP_ACCT_CLIENTS; do |
for client_ip in $IP_ACCT_CLIENTS; do |
$IPTABLES -A $IPACCT_IN_NAME -d $client_ip -j RETURN |
$IPTABLES -A $IPACCT_NAME -s $client_ip |
$IPTABLES -A $IPACCT_OUT_NAME -s $client_ip -j RETURN |
$IPTABLES -A $IPACCT_NAME -d $client_ip |
done |
done |
|
|
$IPTABLES -A $IPACCT_IN_NAME -j RETURN |
if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then |
$IPTABLES -A $IPACCT_OUT_NAME -j RETURN |
accountig_ports=`echo "$NAT_TCP_PORT_REDIRECT " | awk -v RS=' ' -v FS=: '{ print $2; }' | sort -u -r -g ` |
|
for port in $accountig_ports; do |
|
$IPTABLES -I INPUT -i $NAT_SUBNET_IFACE -p TCP --dport $port -j $IPACCT_NAME |
|
$IPTABLES -I INPUT -i $NAT_SUBNET_IFACE -p UDP --dport $port -j $IPACCT_NAME |
|
$IPTABLES -I OUTPUT -o $NAT_SUBNET_IFACE -p TCP --sport $port -j $IPACCT_NAME |
|
$IPTABLES -I OUTPUT -o $NAT_SUBNET_IFACE -p UDP --sport $port -j $IPACCT_NAME |
|
done |
|
fi |
|
|
|
$IPTABLES -A $IPACCT_NAME -s $localnet |
|
$IPTABLES -A $IPACCT_NAME -d $localnet |
|
|
fi |
fi |
fi |
fi |
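Review bot: The inner `if [ ! "x$DO_LOCAL_IP_ACCOUNTING" = "xno" ]; then` that guards the per-port INPUT/OUTPUT counting rules (the test just before the `accountig_ports=` line) repeats the outer condition from the top of the hunk and so is always true there; either drop it or, if a separate switch for the port-based accounting was intended, test that variable instead. On the same lines, `accountig_ports` reads as a typo for `accounting_ports`, and the list is derived from `NAT_TCP_PORT_REDIRECT` yet feeds both the `-p TCP` and `-p UDP` rules, so the UDP rules count ports that appear to be redirected only for TCP — worth confirming that is intended and, if so, saying so in a comment. `localnet` is built as `${!ip}/${!netmask}` with no check that the indirect variables are set; if either is empty it silently becomes `/` and every rule that uses it fails without stopping the script, so a guard such as `[ -n "${!ip}" ] && [ -n "${!netmask}" ] || return 1` before the first rule would make that failure explicit. If the sides are as printed (older line first), the later hunk also moves the `do_ip_accounting` call after `forward_on`; because all of these counting rules are inserted with `-I` at the head of their chains this does not change match order, but if `forward_on` is what enables forwarding there is a brief window where traffic is passed before it is counted, which deserves a comment either way. This hunk starts inside `do_ip_accounting()`, whose opening line lies outside it.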
|
|
mangle_output |
mangle_output |
log_new_connections |
log_new_connections |
drop_output |
drop_output |
do_ip_accounting |
|
allow_input |
allow_input |
allow_output |
allow_output |
allow_icmp |
allow_icmp |
|
|
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
forward_on |
forward_on |
|
do_ip_accounting |
$IPTABLES_SAVE -c > $CACHE_FILE |
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|