Merge pull request #28 from iArcanic/nat

NAT

Central-router.startup

@@ -29,6 +29,40 @@ ip link set up dev eth5
 ip addr add 10.0.6.1/24 dev eth6
 ip link set up dev eth6
 
+# Enable IP forwarding
+sysctl -w net.ipv4.ip_forward=1
+
+# NAT
+
+# Reject NAT for Management subnet
+iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j ACCEPT
+
+# Reject NAT for Services subnet
+iptables -t nat -A POSTROUTING -s 10.0.5.0/24 -0 eth0 -j ACCEPT
+
+# Source NAT rules
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Destination NAT rules
+
+# Ext-Office
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.3:80
+
+# Ext-DNS
+iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.0.2.4:53
+
+# Ext-WWW
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.5:80
+
+# Int-WWW
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.3:80
+
+# Int-DNS
+iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.0.4.4:53
+
+# OpenVPN
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1194 -j DNAT --to-destination 10.0.5.4:1194
+
 # Firewall rules
 
 # Allow outgoing ICMP Echo Request (ping) from Management subnet to all other subnets
@@ -66,4 +100,4 @@ iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.4 -p icmp --icmp-type 8 -m state --
 iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.5.3 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP
 
 # Drop incoming ICMP Echo Request (ping) from LDAP to External subnet
-iptables -A FORWARD -s 10.0.5.3 -d 10.0.2.0/24 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP
+iptables -A FORWARD -s 10.0.5.3 -d 10.0.2.0/24 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j DROP