# This module enables Network Address Translation (NAT).
# XXX: todo: support multiple upstream links
# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
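{ config, pkgs, ... }:

with pkgs.lib;

let

  cfg = config.networking.nat;

  # All rules this module installs live in a chain of its own, so that
  # starting, restarting or stopping the job only ever touches rules the
  # module created.  The previous version ran `iptables -t nat -F POSTROUTING`
  # and `iptables -t nat -X`, which wiped every POSTROUTING rule and every
  # user-defined chain in the nat table, including those added by other
  # services or by hand.
  natChain = "nixos-nat-post";

in

{

  ###### interface

  options = {

    networking.nat.enable = mkOption {
      type = types.bool;
      default = false;
      description =
        ''
          Whether to enable Network Address Translation (NAT).
        '';
    };

    networking.nat.internalIPs = mkOption {
      type = types.listOf types.str;
      example = [ "192.168.1.0/24" ] ;
      description =
        ''
          The IP address ranges for which to perform NAT. Packets
          coming from these networks and destined for the external
          interface will be rewritten.
        '';
    };

    networking.nat.externalInterface = mkOption {
      type = types.str;
      example = "eth1";
      description =
        ''
          The name of the external network interface.
        '';
    };

    networking.nat.externalIP = mkOption {
      type = types.nullOr types.str;
      default = null;
      example = "203.0.113.123";
      description =
        ''
          The public IP address to which packets from the local
          network are to be rewritten. If this is left unset (null),
          the IP address associated with the external interface will
          be used (MASQUERADE instead of SNAT).
        '';
    };

  };


  ###### implementation

  config = mkIf config.networking.nat.enable {

    environment.systemPackages = [ pkgs.iptables ];

    # NOTE(review): nf_nat_ftp is the FTP connection-tracking/NAT helper and is
    # loaded unconditionally here, so the kernel will inspect FTP control
    # traffic on NATed connections and set up the related data connections it
    # announces.  If the internal hosts do not need active-mode FTP through
    # the NAT, consider making this opt-in rather than always on.
    boot.kernelModules = [ "nf_nat_ftp" ];

    jobs.nat =
      { description = "Network Address Translation";

        startOn = "started network-interfaces";

        path = [ pkgs.iptables ];

        preStart =
          ''
            # Create our own chain (idempotent) and empty it, without
            # touching anything else in the nat table.
            iptables -t nat -N ${natChain} 2>/dev/null || true
            iptables -t nat -F ${natChain}

            # Hook the chain into POSTROUTING exactly once; `-C` (check)
            # needs iptables >= 1.4.11.
            iptables -t nat -C POSTROUTING -j ${natChain} 2>/dev/null || \
              iptables -t nat -A POSTROUTING -j ${natChain}
          ''
          + (concatMapStrings (network:
            ''
              # Rewrite the source address of packets from this internal
              # range that leave via the external interface.  The values
              # come from the NixOS configuration (not from the network),
              # but are still quoted so a stray space cannot split the
              # argument list.
              iptables -t nat -A ${natChain} \
                -s "${network}" -o "${cfg.externalInterface}" \
                ${if cfg.externalIP == null
                  then "-j MASQUERADE"
                  else "-j SNAT --to-source \"${cfg.externalIP}\""}
            ''
          ) cfg.internalIPs) +
          ''
            # Forwarding is enabled system-wide, for all interfaces, and is
            # deliberately not switched off in postStop because other
            # services may depend on it.  Note that this module installs no
            # FORWARD filter rules: which traffic may be forwarded at all is
            # left entirely to the firewall configuration.
            echo 1 > /proc/sys/net/ipv4/ip_forward
          '';

        postStop =
          ''
            # Unhook and remove only our own chain; leave the rest of the
            # nat table alone.
            iptables -t nat -D POSTROUTING -j ${natChain} 2>/dev/null || true
            iptables -t nat -F ${natChain} 2>/dev/null || true
            iptables -t nat -X ${natChain} 2>/dev/null || true
          '';
      };

  };

}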