ufw

Comment 13 for bug 247455

Stephen T Satchell (satch89521) wrote :

# Implementation suggestion for this feature request:
#
# Define the following parameters in /etc/ufw/ufw.conf:
# NAT_IF=<public interface device name, like 'eth0'>
# NAT_PROTOCOLS=tcp/1024:65535,udp/1024:65535,icmp,47,50,51
#
# Derive
# NAT_IP = first IPv4 address of device
# from `ip address show NAT`, filter IP address
# /inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\//
#
# NAT_PROTOCOLS allows adding or removing IP protocols from the
# NAT list. This list works with Microsoft, Cisco VPN, and other
# less common networking services.
# (gre used by VPN, Cisco, IPsec, PPTP, and more)
# (esp used by IPsec VPN)
# (ah used by IPsec VPN)
# For advanced users, other protocols can be added to or removed
# from this list, and TCP/UDP port ranges can be adjusted.
#
# The output of the default list would then look like this:

/sbin/iptables -t nat -A POSTROUTING -o NAT_IF -p tcp -j SNAT --to-source NAT_IP:1024-65535
/sbin/iptables -t nat -A POSTROUTING -o NAT_IF -p udp -j SNAT --to-source NAT_IP:1024-65535
/sbin/iptables -t nat -A POSTROUTING -o NAT_IF -p icmp -j SNAT --to-source NAT_IP
/sbin/iptables -t nat -A POSTROUTING -o NAT_IF -p 47 -j SNAT --to-source NAT_IP #gre
/sbin/iptables -t nat -A POSTROUTING -o NAT_IF -p 50 -j SNAT --to-source NAT_IP #esp
/sbin/iptables -t nat -A POSTROUTING -o NAT_IF -p 51 -j SNAT --to-source NAT_IP #ah

REASON: It simplifies the programming if the code doesn't have to deduce the "correct" interface for the public Internet. Designed so that the code is a simple add-in to the IPTABLES command generation.
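The following is an added example, not part of the comment above and not ufw's own code. It turns the proposed NAT_IF / NAT_PROTOCOLS settings into the iptables SNAT lines shown in the comment: `first_ipv4` pulls the first IPv4 address out of `ip address show` output the way the suggested `/inet .../` filter would, and `gen_nat_rules` emits one POSTROUTING rule per NAT_PROTOCOLS entry. The function names, the constructed `ip address show eth0` sample, and the decision to print the rules instead of applying them (so the generated policy can be reviewed before it reaches the nat table) are all my own assumptions, not the proposal's.

```shell
#!/bin/sh
# Added example (not ufw code): generate SNAT rules from the NAT_IF /
# NAT_PROTOCOLS parameters proposed in the bug comment. Rules are printed,
# not executed, so an admin can inspect them before loading them.

# Extract the first IPv4 address from `ip address show <dev>` text on stdin.
# Taking stdin instead of running `ip` lets the function run offline.
first_ipv4() {
    sed -n 's/^[[:space:]]*inet \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\/.*/\1/p' | head -n 1
}

# Emit one SNAT rule per NAT_PROTOCOLS entry.
#   $1 = public interface (NAT_IF), $2 = source IP (NAT_IP),
#   $3 = comma-separated list such as "tcp/1024:65535,icmp,47".
# An entry "proto/lo:hi" becomes "--to-source IP:lo-hi"; a bare entry gets
# "--to-source IP". Entries containing anything outside [A-Za-z0-9:/] are
# rejected, since the list comes from a config file and ends up on a command line.
gen_nat_rules() {
    nat_if=$1; nat_ip=$2; protos=$3
    printf '%s\n' "$protos" | tr ',' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case $entry in
            *[!A-Za-z0-9:/]*)
                printf 'skipping invalid NAT_PROTOCOLS entry: %s\n' "$entry" >&2
                continue
                ;;
            */*)
                proto=${entry%%/*}
                range=${entry#*/}
                # iptables spells the SNAT port range lo-hi, not lo:hi
                ports=$(printf '%s' "$range" | tr ':' '-')
                printf '/sbin/iptables -t nat -A POSTROUTING -o %s -p %s -j SNAT --to-source %s:%s\n' \
                    "$nat_if" "$proto" "$nat_ip" "$ports"
                ;;
            *)
                printf '/sbin/iptables -t nat -A POSTROUTING -o %s -p %s -j SNAT --to-source %s\n' \
                    "$nat_if" "$entry" "$nat_ip"
                ;;
        esac
    done
}

# Constructed sample of `ip address show eth0` output (203.0.113.0/24 is a
# documentation range). On a real host replace this with:
#   NAT_IP=$(ip address show "$NAT_IF" | first_ipv4)
SAMPLE_IP_SHOW='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link'

# Defaults mirror the values suggested for /etc/ufw/ufw.conf.
NAT_IF=${NAT_IF:-eth0}
NAT_PROTOCOLS=${NAT_PROTOCOLS:-tcp/1024:65535,udp/1024:65535,icmp,47,50,51}
NAT_IP=$(printf '%s\n' "$SAMPLE_IP_SHOW" | first_ipv4)

gen_nat_rules "$NAT_IF" "$NAT_IP" "$NAT_PROTOCOLS"
```

Run as-is it prints the six rules from the comment with 203.0.113.10 as the source address; pipe the output into `sh` only after reviewing it, and remember that SNAT for forwarded traffic still depends on ufw's forward policy and on conntrack being present for the listed protocols.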