Add option networking.nat.internalInterfaces
This allows applying NAT to an interface, rather than an IP range.
This commit is contained in:
parent
ac8c924c09
commit
a34bfbab4c
@ -10,6 +10,8 @@ let
cfg = config.networking.nat;
dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
in
{
@ -27,14 +29,27 @@ in
'';
};
networking.nat.internalInterfaces = mkOption {
type = types.listOf types.str;
default = [];
example = [ "eth0" ];
description =
''
The interfaces for which to perform NAT. Packets coming from
these interface and destined for the external interface will
be rewritten.
'';
};
networking.nat.internalIPs = mkOption {
type = types.listOf types.str;
example = [ "192.168.1.0/24" ] ;
default = [];
example = [ "192.168.1.0/24" ];
description =
''
The IP address ranges for which to perform NAT. Packets
coming from these networks and destined for the external
interface will be rewritten.
coming from these addresses (on any interface) and destined
for the external interface will be rewritten.
'';
};
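Review bot: The description of the new `networking.nat.internalInterfaces` option has a grammatical slip: `these interface and destined for the external interface` should read `these interfaces and destined for the external interface`. Since the option is documented next to `internalIPs`, whose text now says "(on any interface)", it would also help readers to state that the two options are independent and additive, e.g. appending `NAT for these interfaces is applied in addition to any ranges listed in networking.nat.internalIPs.` to the description.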
@ -80,25 +95,37 @@ in
preStart =
''
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -X
''
+ (concatMapStrings (network:
''
iptables -t nat -A POSTROUTING \
-s ${network} -o ${cfg.externalInterface} \
${if cfg.externalIP == null
then "-j MASQUERADE"
else "-j SNAT --to-source ${cfg.externalIP}"}
''
) cfg.internalIPs) +
''
# We can't match on incoming interface in POSTROUTING, so
# mark packets coming from the external interfaces.
${concatMapStrings (iface: ''
iptables -t nat -A PREROUTING \
-i '${iface}' -j MARK --set-mark 1
'') cfg.internalInterfaces}
# NAT the marked packets.
${optionalString (cfg.internalInterfaces != []) ''
iptables -t nat -A POSTROUTING -m mark --mark 1 \
-o ${cfg.externalInterface} ${dest}
''}
# NAT packets coming from the internal IPs.
${concatMapStrings (range: ''
iptables -t nat -A POSTROUTING \
-s '${range}' -o ${cfg.externalInterface} ${dest}}
'') cfg.internalIPs}
echo 1 > /proc/sys/net/ipv4/ip_forward
'';
postStop =
''
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -X
'';
};
};
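Review bot: The rewritten rule for `cfg.internalIPs` carries a stray closing brace: `-s '${range}' -o ${cfg.externalInterface} ${dest}}` interpolates `dest` and then appends a literal `}`, so the generated script invokes iptables with `-j MASQUERADE}` (or `--to-source <ip>}`) and preStart fails for any configuration that lists internal IPs; the line should be `-s '${range}' -o ${cfg.externalInterface} ${dest}`. The packet mark used for the `internalInterfaces` path is the hard-coded value 1, and the POSTROUTING rule `-m mark --mark 1` matches that mark regardless of who set it, so any other fwmark user on the host (policy routing, other firewall rules) would presumably either have its packets NATed or see this module's marks; a comment such as `# NOTE: mark 1 is shared with anything else on this host that uses fwmark; keep it unique` next to the `--set-mark 1` line would record that assumption. For consistency with the quoted `-i '${iface}'`, `-o ${cfg.externalInterface}` in both POSTROUTING rules could be quoted the same way.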