linguist/samples/Click/thomer-nat.click

// This Click configuration implements a firewall and NAT, roughly based on the
// mazu-nat.click example.
//
// This example assumes there is one interface that is IP-aliased.  In this
// example, eth0 and eth0:0 have IP addresses 66.68.65.90 and 192.168.1.1,
// respectively.  There is a local network, 192.168.1.0/24, and an upstream
// gateway, 66.58.65.89.  Traffic from the local network is NATed.
//
// Connections can be initiated from the NAT box itself, also.
// 
// For bugs, suggestions, and, corrections, please email me.
//
// Author: Thomer M. Gil (click@thomer.com)

AddressInfo(
    eth0-in     192.168.1.1     192.168.1.0/24  00:0d:87:9d:1c:e9,
    eth0-ex     66.58.65.90                     00:0d:87:9d:1c:e9,
    gw-addr     66.58.65.89                     00:20:6f:14:54:c2
);


elementclass SniffGatewayDevice {
  $device |
  from :: FromDevice($device)
    -> t1 :: Tee
    -> output;
  input -> q :: Queue(1024)
    -> t2 :: PullTee
    -> to :: ToDevice($device);
  t1[1] -> ToHostSniffers;
  t2[1] -> ToHostSniffers($device);
  ScheduleInfo(from .1, to 1);
}


device :: SniffGatewayDevice(eth0);
arpq_in :: ARPQuerier(eth0-in) -> device;
ip_to_extern :: GetIPAddress(16)
        -> CheckIPHeader
        -> EtherEncap(0x800, eth0-ex, gw-addr)
        -> device;
ip_to_host :: EtherEncap(0x800, gw-addr, eth0-ex)
        -> ToHost;
ip_to_intern :: GetIPAddress(16)
        -> CheckIPHeader
        -> arpq_in;

                 
arp_class :: Classifier(
        12/0806 20/0001,        // [0] ARP requests
        12/0806 20/0002,        // [1] ARP replies to host
        12/0800);               // [2] IP packets

device -> arp_class;

// ARP crap
arp_class[0] -> ARPResponder(eth0-in, eth0-ex) -> device;
arp_class[1] -> arp_t :: Tee;
                arp_t[0] -> ToHost;
                arp_t[1] -> [1]arpq_in;


// IP packets
arp_class[2] -> Strip(14)
   -> CheckIPHeader
   -> ipclass :: IPClassifier(dst host eth0-ex,
                              dst host eth0-in,
                              src net eth0-in);

// Define pattern NAT
iprw :: IPRewriterPatterns(NAT eth0-ex 50000-65535 - -);

// Rewriting rules for UDP/TCP packets
// output[0] rewritten to go into the wild
// output[1] rewritten to come back from the wild or no match
rw :: IPRewriter(pattern NAT 0 1,
                 pass 1);

// Rewriting rules for ICMP packets
irw :: ICMPPingRewriter(eth0-ex, -);
irw[0] -> ip_to_extern;
irw[1] -> icmp_me_or_intern :: IPClassifier(dst host eth0-ex, -);
          icmp_me_or_intern[0] -> ip_to_host;
          icmp_me_or_intern[1] -> ip_to_intern;

// Rewriting rules for ICMP error packets
ierw :: ICMPRewriter(rw irw);
ierw[0] -> icmp_me_or_intern;
ierw[1] -> icmp_me_or_intern;


// Packets directed at eth0-ex.
// Send it through IPRewriter(pass).  If there was a mapping, it will be
// rewritten such that dst is eth0-in:net, otherwise dst will still be for
// eth0-ex.
ipclass[0] -> [1]rw;

// packets that were rewritten, heading into the wild world.
rw[0] -> ip_to_extern;

// packets that come back from the wild or are not part of an established
// connection.
rw[1] -> established_class :: IPClassifier(dst host eth0-ex,
                                           dst net eth0-in);

         // not established yet or returning packets for a connection that was
         // established from this host itself.
         established_class[0] ->
           firewall :: IPClassifier(dst tcp port ssh,
                                    dst tcp port smtp,
                                    dst tcp port domain,
                                    dst udp port domain,
                                    icmp type echo-reply,
                                    proto icmp,
                                    port > 4095,
                                    -);

                                    firewall[0] -> ip_to_host; // ssh
                                    firewall[1] -> ip_to_host; // smtp
                                    firewall[2] -> ip_to_host; // domain (t)
                                    firewall[3] -> ip_to_host; // domain (u)
                                    firewall[4] -> [0]irw;     // icmp reply
                                    firewall[5] -> [0]ierw;    // other icmp
                                    firewall[6] -> ip_to_host; // port > 4095, probably for connection
                                                               // originating from host itself
                                    firewall[7] -> Discard;    // don't allow incoming for port <= 4095

        // established connection
        established_class[1] -> ip_to_intern;

// To eth0-in.  Only accept from inside network.
ipclass[1] -> IPClassifier(src net eth0-in) -> ip_to_host;

// Packets from eth0-in:net either stay on local network or go to the wild.
// Those that go into the wild need to go through the appropriate rewriting
// element.  (Either UDP/TCP rewriter or ICMP rewriter.)
ipclass[2] -> inter_class :: IPClassifier(dst net eth0-in, -);
              inter_class[0] -> ip_to_intern;
              inter_class[1] -> ip_udp_class :: IPClassifier(tcp or udp,
                                                             icmp type echo);
                                ip_udp_class[0] -> [0]rw;
                                ip_udp_class[1] -> [0]irw;