Add option networking.nat.internalInterfaces

This allows applying NAT to an interface, rather than an IP range.

nixos/modules/services/networking/nat.nix

@@ -10,6 +10,8 @@ let
 
   cfg = config.networking.nat;
 
+  dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
+
 in
 
 {
@@ -27,14 +29,27 @@ in
         '';
     };
 
+    networking.nat.internalInterfaces = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [ "eth0" ];
+      description =
+        ''
+          The interfaces for which to perform NAT. Packets coming from
+          these interface and destined for the external interface will
+          be rewritten.
+        '';
+    };
+
     networking.nat.internalIPs = mkOption {
       type = types.listOf types.str;
-      example = [ "192.168.1.0/24" ] ;
+      default = [];
+      example = [ "192.168.1.0/24" ];
       description =
         ''
           The IP address ranges for which to perform NAT.  Packets
-          coming from these networks and destined for the external
+          coming from these addresses (on any interface) and destined
-          interface will be rewritten.
+          for the external interface will be rewritten.
         '';
     };
 
@@ -80,25 +95,37 @@ in
 
         preStart =
           ''
+            iptables -t nat -F PREROUTING
             iptables -t nat -F POSTROUTING
             iptables -t nat -X
-          ''
+
-          + (concatMapStrings (network:
+            # We can't match on incoming interface in POSTROUTING, so
-            ''
+            # mark packets coming from the external interfaces.
-            iptables -t nat -A POSTROUTING \
+            ${concatMapStrings (iface: ''
-              -s ${network} -o ${cfg.externalInterface} \
+              iptables -t nat -A PREROUTING \
-              ${if cfg.externalIP == null
+                -i '${iface}' -j MARK --set-mark 1
-                then "-j MASQUERADE"
+            '') cfg.internalInterfaces}
-                else "-j SNAT --to-source ${cfg.externalIP}"}
+
-            ''
+            # NAT the marked packets.
-          ) cfg.internalIPs) +
+            ${optionalString (cfg.internalInterfaces != []) ''
-          ''
+              iptables -t nat -A POSTROUTING -m mark --mark 1 \
+                -o ${cfg.externalInterface} ${dest}
+            ''}
+
+            # NAT packets coming from the internal IPs.
+            ${concatMapStrings (range: ''
+              iptables -t nat -A POSTROUTING \
+                -s '${range}' -o ${cfg.externalInterface} ${dest}}
+            '') cfg.internalIPs}
+
             echo 1 > /proc/sys/net/ipv4/ip_forward
           '';
 
         postStop =
           ''
+            iptables -t nat -F PREROUTING
             iptables -t nat -F POSTROUTING
+            iptables -t nat -X
           '';
       };
   };