-rw-r--r--extensions/libipt_DNAT.c22
-rw-r--r--extensions/libipt_DNAT.man11
-rw-r--r--extensions/libipt_MASQUERADE.man14
-rw-r--r--extensions/libipt_REDIRECT.c19
-rw-r--r--extensions/libipt_REDIRECT.man7
-rw-r--r--extensions/libipt_SNAT.c13
-rw-r--r--extensions/libipt_SNAT.man17
7 files changed, 76 insertions, 27 deletions
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 3cf839e6..b0def312 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -8,6 +8,9 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
+#define IPT_DNAT_OPT_DEST 0x1
+#define IPT_DNAT_OPT_RANDOM 0x2
+
/* Dest NAT data consists of a multi-range, indicating where to map
to. */
struct ipt_natinfo
@@ -24,12 +27,14 @@ help(void)
"DNAT v%s options:\n"
" --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
" Address to map destination to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
static struct option opts[] = {
{ "to-destination", 1, 0, '1' },
+ { "random", 0, 0, '2' },
{ 0 }
};
@@ -163,9 +168,18 @@ parse(int c, char **argv, int invert, unsigned int *flags,
"Multiple --to-destination not supported");
}
*target = parse_to(optarg, portok, info);
- *flags = 1;
+ /* WTF do we need this for?? */
+ if (*flags & IPT_DNAT_OPT_RANDOM)
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_DEST;
return 1;
+ case '2':
+ if (*flags & IPT_DNAT_OPT_DEST) {
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_RANDOM;
+ } else
+ *flags |= IPT_DNAT_OPT_RANDOM;
default:
return 0;
}
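Review bot: The new `case '2':` branch ends without a `return 1;` after its if/else, so control falls through into `default: return 0;` and every `--random` is handed back to the caller as an unconsumed option, which presumably surfaces as an unknown-argument error; the REDIRECT counterpart in this same commit does return 1 here, and this branch needs the same line before `default:`: `return 1;`. The `/* WTF do we need this for?? */` comment copied onto the `--to-destination` path now has an answer the code itself shows — `--random` may appear before `--to-destination`, so its bit is parked in `*flags` until `range[0]` exists — and the comment could say so, e.g. `/* --random may precede --to-destination; apply it now that range[0] exists. */`. parse() begins before this hunk.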
@@ -212,6 +226,8 @@ print(const struct ipt_ip *ip,
for (i = 0; i < info->mr.rangesize; i++) {
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
@@ -226,6 +242,8 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--to-destination ");
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
index 366dcb77..f11f4e22 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libipt_DNAT.man
@@ -20,12 +20,17 @@ or
If no port range is specified, then the destination port will never be
modified. If no IP address is specified then only the destination port
will be modified.
-.RS
-.PP
+
In Kernels up to 2.6.10 you can add several --to-destination options. For
those kernels, if you specify more than one destination address, either via an
address range or multiple --to-destination options, a simple round-robin (one
after another in cycle) load balancing takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
anymore.
-
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man
index 01dea51c..ea3c8de0 100644
--- a/extensions/libipt_MASQUERADE.man
+++ b/extensions/libipt_MASQUERADE.man
@@ -14,19 +14,17 @@ any established connections are lost anyway). It takes one option:
.TP
.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
This specifies a range of source ports to use, overriding the default
-.TP
-.BR "--random"
-Randomize source port mapping
-.TP
.B SNAT
source port-selection heuristics (see above). This is only valid
if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+Randomize source port mapping
If option
.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-
-
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index c94bb592..6b387169 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -8,6 +8,9 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
+#define IPT_REDIRECT_OPT_DEST 0x01
+#define IPT_REDIRECT_OPT_RANDOM 0x02
+
/* Function which prints out usage message. */
static void
help(void)
@@ -21,6 +24,7 @@ IPTABLES_VERSION);
static struct option opts[] = {
{ "to-ports", 1, 0, '1' },
+ { "random", 1, 0, '2' },
{ 0 }
};
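Review bot: `{ "random", 1, 0, '2' }` declares `--random` with has_arg = 1 (required_argument), yet the option carries no value and the `case '2'` handler added below never reads optarg, so getopt_long will consume the next command-line token — for instance a following `--to-ports` — as the argument of `--random`. The DNAT table in this commit uses `{ "random", 0, 0, '2' }` and this entry should match: `{ "random", 0, 0, '2' },`. As written, a rule given as `--random --to-ports …` would be rejected or lose its port range instead of doing what the operator intended, so both option orders are worth exercising in a test.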
@@ -101,6 +105,17 @@ parse(int c, char **argv, int invert, unsigned int *flags,
"Unexpected `!' after --to-ports");
parse_ports(optarg, mr);
+ if (*flags & IPT_REDIRECT_OPT_RANDOM)
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_DEST;
+ return 1;
+
+ case '2':
+ if (*flags & IPT_REDIRECT_OPT_DEST) {
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ } else
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
return 1;
default:
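Review bot: The new `case '2':` branch never checks `invert`, so `! --random` is silently accepted as if it were `--random`, while the `--to-ports` path just above rejects `!` with the "Unexpected `!' after --to-ports" error; the same gap exists in the DNAT `case '2'` branch of this commit. Mirror the existing check at the top of the branch, reporting "Unexpected `!' after --random" through the same error path the `--to-ports` case uses. parse() starts before this hunk.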
@@ -129,6 +144,8 @@ print(const struct ipt_ip *ip,
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
@@ -146,6 +163,8 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
diff --git a/extensions/libipt_REDIRECT.man b/extensions/libipt_REDIRECT.man
index aeca3cb7..93e29826 100644
--- a/extensions/libipt_REDIRECT.man
+++ b/extensions/libipt_REDIRECT.man
@@ -17,3 +17,10 @@ if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index ed60ec2d..0a665a09 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -25,11 +25,10 @@ help(void)
{
printf(
"SNAT v%s options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]"
-"[--random]"
-"\n"
+" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
" Address to map source to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
@@ -171,13 +170,13 @@ parse(int c, char **argv, int invert, unsigned int *flags,
*target = parse_to(optarg, portok, info);
/* WTF do we need this for?? */
if (*flags & IPT_SNAT_OPT_RANDOM)
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
- *flags = IPT_SNAT_OPT_SOURCE;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_SNAT_OPT_SOURCE;
return 1;
case '2':
if (*flags & IPT_SNAT_OPT_SOURCE) {
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
*flags |= IPT_SNAT_OPT_RANDOM;
} else
*flags |= IPT_SNAT_OPT_RANDOM;
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index daef78f1..7b34799a 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
@@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ]
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
@@ -17,15 +17,18 @@ or
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will If option
-.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-.RS
-.PP
+1024 or above. Where possible, no port alteration will
+
In Kernels up to 2.6.10, you can add several --to-source options. For those
kernels, if you specify more than one source address, either via an address
range or multiple --to-source options, a simple round-robin (one after another
in cycle) takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
anymore.
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP