Enable optional NAT for tunnels
This commit is contained in:
parent
b71fb7003d
commit
25e8b65394
|
|
@ -9,6 +9,9 @@ tunnel = [
|
|||
|
||||
[network]
|
||||
shared-internal = true
|
||||
nats = [
|
||||
"wg2"
|
||||
]
|
||||
|
||||
[server]
|
||||
debug = true
|
||||
|
|
|
|||
58
src/rules.rs
58
src/rules.rs
|
|
@ -121,15 +121,26 @@ pub(crate) async fn unset(interfaces: &Interfaces, rule: Rule) -> Result<(), any
|
|||
.await?;
|
||||
}
|
||||
for iface in &interfaces.tunnel {
|
||||
iptables::delete_forward_postrouting(
|
||||
rule.proto,
|
||||
iface.ip,
|
||||
iface.mask,
|
||||
interfaces.external.ip,
|
||||
rule.port,
|
||||
dest_ip,
|
||||
)
|
||||
.await?;
|
||||
if interfaces
|
||||
.nats
|
||||
.iter()
|
||||
.any(|nat_iface| *nat_iface == iface.interface)
|
||||
{
|
||||
iptables::delete_forward_prerouting(
|
||||
rule.proto, iface.ip, iface.mask, rule.port, dest_ip, dest_port,
|
||||
)
|
||||
.await?;
|
||||
} else {
|
||||
iptables::delete_forward_postrouting(
|
||||
rule.proto,
|
||||
iface.ip,
|
||||
iface.mask,
|
||||
interfaces.external.ip,
|
||||
rule.port,
|
||||
dest_ip,
|
||||
)
|
||||
.await?;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -193,15 +204,26 @@ pub(crate) async fn apply(interfaces: &Interfaces, rule: Rule) -> Result<(), any
|
|||
.await?;
|
||||
}
|
||||
for iface in &interfaces.tunnel {
|
||||
iptables::forward_postrouting(
|
||||
rule.proto,
|
||||
iface.ip,
|
||||
iface.mask,
|
||||
interfaces.external.ip,
|
||||
rule.port,
|
||||
dest_ip,
|
||||
)
|
||||
.await?;
|
||||
if interfaces
|
||||
.nats
|
||||
.iter()
|
||||
.any(|nat_iface| *nat_iface == iface.interface)
|
||||
{
|
||||
iptables::forward_prerouting(
|
||||
rule.proto, iface.ip, iface.mask, rule.port, dest_ip, dest_port,
|
||||
)
|
||||
.await?;
|
||||
} else {
|
||||
iptables::forward_postrouting(
|
||||
rule.proto,
|
||||
iface.ip,
|
||||
iface.mask,
|
||||
interfaces.external.ip,
|
||||
rule.port,
|
||||
dest_ip,
|
||||
)
|
||||
.await?;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,6 +26,8 @@ struct InterfaceConfig {
|
|||
#[serde(rename_all = "kebab-case")]
|
||||
struct NetworkConfig {
|
||||
shared_internal: bool,
|
||||
#[serde(default)]
|
||||
nats: Vec<String>,
|
||||
}
|
||||
|
||||
#[derive(serde::Deserialize)]
|
||||
|
|
@ -39,6 +41,7 @@ pub struct Interfaces {
|
|||
pub(crate) internal: Vec<InterfaceInfo>,
|
||||
pub(crate) tunnel: Vec<InterfaceInfo>,
|
||||
pub(crate) shared_internal: bool,
|
||||
pub(crate) nats: Vec<String>,
|
||||
}
|
||||
|
||||
pub(crate) struct InterfaceInfo {
|
||||
|
|
@ -95,11 +98,17 @@ impl Interfaces {
|
|||
},
|
||||
InterfaceInfo {
|
||||
interface: String::from("wg1"),
|
||||
ip: "192.168.4.0".parse()?,
|
||||
ip: "10.42.6.0".parse()?,
|
||||
mask: 24,
|
||||
},
|
||||
InterfaceInfo {
|
||||
interface: String::from("wg2"),
|
||||
ip: "10.42.6.0".parse()?,
|
||||
mask: 24,
|
||||
},
|
||||
],
|
||||
shared_internal: false,
|
||||
nats: Vec::new(),
|
||||
});
|
||||
}
|
||||
|
||||
|
|
@ -137,6 +146,7 @@ impl Interfaces {
|
|||
internal,
|
||||
tunnel,
|
||||
shared_internal: config.network.shared_internal,
|
||||
nats: config.network.nats.clone(),
|
||||
})
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -272,6 +272,17 @@ fn nat(interfaces: &Interfaces) -> String {
|
|||
extif = interfaces.external.interface
|
||||
);
|
||||
|
||||
for nat_iface in &interfaces.nats {
|
||||
for internal in &interfaces.internal {
|
||||
nat += &format!(
|
||||
"-A POSTROUTING -s {intip}/{intmask} -o {natiface} -j MASQUERADE\n",
|
||||
intip = internal.ip,
|
||||
intmask = internal.mask,
|
||||
natiface = nat_iface,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
nat += "COMMIT\n";
|
||||
|
||||
nat
|
||||
|
|
|
|||
Loading…
Reference in a new issue