-rw-r--r-- | ipmasq/rules/A80pfw.rul | 41 | ||||
-rw-r--r-- | ipmasq/rules/A80precompute_pfw.def | 56 | ||||
-rw-r--r-- | ipmasq/rules/M70masq.def | 40 | ||||
-rw-r--r-- | ipmasq/rules/M80pfw.def | 47 |
4 files changed, 184 insertions, 0 deletions
diff --git a/ipmasq/rules/A80pfw.rul b/ipmasq/rules/A80pfw.rul
new file mode 100644
index 0000000..de86102
--- /dev/null
+++ b/ipmasq/rules/A80pfw.rul
@@ -0,0 +1,41 @@
+# Define masqueraded hosts with an IP address or a range of addresses:
+#
+# portfw_ip_<hostname>="<ipaddr>[-<ipaddr>]"
+#
+# <hostname> must be lowercase
+# <ipaddr>-ranges works only with iptables/netfilter (2.4.x kernels)
+#
+
+#portfw_ip_foo="10.42.42.1"
+#portfw_ip_bar="10.42.42.2"
+
+# Define pools either forwarding port (ranges) to same port on
+# masqueraded host or redirecting a single port to another port:
+#
+# portfw_pool_<pool>="<protocol>[,<protocol>...] <port>[:<port>][,<port>...]] <hostname>"
+# portfw_pool_<pool>="<protocol>[,<protocol>...] <port> <hostname> [<dest port>]"
+#
+# <pool> can only contain lowercase a-z and underscore (_)
+# <protocol> is either tcp or udp (or possibly others)
+# <port> can be either numbers or service names
+# <port>-ranges is denoted with colon (:) and only works with iptables/netfilter (2.4.x kernels)
+# <hostname> must be lowercase.
+#
+
+#portfw_pool_ssh=" tcp ssh foo"
+#portfw_pool_dns=" tcp,udp domain foo"
+#portfw_pool_mail=" tcp smtp,pop3,imap foo"
+#portfw_pool_mailsec=" tcp ssmtp,pop3s,imaps foo"
+#portfw_pool_http=" tcp http,https foo"
+
+#portfw_pool_bar_ssh=" tcp 2222 bar 22"
+#portfw_pool_foobar=" tcp 88,8080:8089 bar "
+
+# Requests from inside to the external IP of a portforwarded host will fail.
+# Remap local requests so they look like coming from the firewall itself?
+# (This works only eith iptables/netfilter)
+# (Alternatively you need a local nameserver setup with the inside address)
+#
+############ This doesn't work yet...
+#PORTFW_REMAP_LOCAL="y"
+############ This doesn't work yet...
diff --git a/ipmasq/rules/A80precompute_pfw.def b/ipmasq/rules/A80precompute_pfw.def
new file mode 100644
index 0000000..491da60
--- /dev/null
+++ b/ipmasq/rules/A80precompute_pfw.def
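Review bot: The grammar line `portfw_pool_<pool>="<protocol>[,<protocol>...] <port>[:<port>][,<port>...]] <hostname>"` has one `]` too many after the port list, and the `<pool>` rule says lowercase a-z and underscore only, while the `re_pool` pattern in A80precompute_pfw.def in this same commit also accepts digits; the two should agree before users copy the examples. `eith` in the remap paragraph is a typo for `with`. Since these values are handed to iptables/ipmasqadm as unquoted arguments by M80pfw.def, I would add a line to the header making that explicit, e.g. `# Values are passed unquoted to iptables/ipmasqadm: use only the characters shown above.`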
@@ -0,0 +1,56 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# Some reused regex'es
+re_protos='[a-z\,]\+'
+re_ports='[a-z0-9\,:]\+'
+re_port='[a-z0-9:]\+'
+re_host='[a-z0-9]\+'
+re_pool='[a-z0-9_]\+'
+re_cfg="[[:space:]]*\($re_protos\)[[:space:]]\+\($re_ports\)[[:space:]]\+\($re_host\)\([[:space:]]\+\($re_port\)\)\?[[:space:]]*"
+re_cfgline="portfw_pool_\($re_pool\)[[:space:]]*=[[:space:]]*'$re_cfg'"
+
+# Extract portforward hosts
+PFW=$(set | grep '^portfw_ip_' | sed "s/^portfw_ip_\($re_host\).*/\1/")
+
+# remove hosts with no pools attached
+if [ -n "$PFW" ]; then
+ for i in $PFW; do
+ poolhits=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\4/" | grep "^$i$")
+ if [ -z "$poolhits" ]; then
+ PFW=$(echo $PFW | sed "s/\( *\|^\)$i\( *\|$\)/\1/")
+ fi
+ done
+fi
+
+# Extract ips and ports
+if [ -n "$PFW" ]; then
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "#: These ports are forwarded:"
+ fi
+ PFWPOOLS=""
+ for i in $PFW; do
+ eval "ip=\"\$portfw_ip_$i\""
+ pools=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\1:\4/" | grep ":$i$" | sed "s/:$i$//")
+ for pool in $pools; do
+ PFWPOOLS="$PFWPOOLS $pool"
+ eval "config=\"\$portfw_pool_$pool\""
+ protos_bulk=$(echo $config | sed "s/$re_cfg/\1/")
+ protos=$(echo $protos_bulk | sed 's/,/ /g')
+ origports_bulk=$(echo $config | sed "s/$re_cfg/\2/")
+ origports=$(echo $origports_bulk | sed 's/,/ /g')
+ destport=$(echo $config | sed "s/$re_cfg/\5/")
+ [ "$origports" = "$destport" ] && destport=""
+ eval "PFWPROTO_$pool=\"\$protos\""
+ eval "PFWORIGPORTS_$pool=\"$origports\""
+ eval "PFWIP_$pool=\"$ip\""
+ eval "PFWPORT_$pool=\"$destport\""
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo -e "#: $protos_bulk \t$origports_bulk \t->\t $ip $destport \t($pool->$i)"
+ fi
+ done
+ done
+fi
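Review bot: The four `eval` assignments at the end of the inner loop are inconsistent: `PFWPROTO_` and `PFWPORT_` pass the value as an escaped `\$var` so eval expands it once, while `PFWORIGPORTS_` and `PFWIP_` interpolate `$origports` and `$ip` into the string before eval, giving those values a second round of shell expansion. That matters because when a `portfw_pool_` value does not match `re_cfg`, each `sed "s/$re_cfg/\N/"` leaves the input unchanged, so `origports` ends up holding the whole unparsed config string, and `ip` is never checked against the `<ipaddr>[-<ipaddr>]` form the .rul file documents. I would make the assignments uniform, `eval "PFWORIGPORTS_$pool=\"\$origports\""` and `eval "PFWIP_$pool=\"\$ip\""`, and skip hosts whose address contains anything but digits, dots and a dash, e.g. `case "$ip" in ""|*[!0-9.-]*) continue ;; esac` right after the `eval "ip=..."` line. Whether a malformed pool line should also be reported under `SHOWRULES` is a judgement call; at minimum it should not be turned into firewall rules.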
diff --git a/ipmasq/rules/M70masq.def b/ipmasq/rules/M70masq.def
new file mode 100644
index 0000000..8c75509
--- /dev/null
+++ b/ipmasq/rules/M70masq.def
@@ -0,0 +1,40 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+#: Masquerade packets from internal networks
+if [ -n "$INTERNAL" -a -n "$EXTERNAL" ]; then
+ for j in $EXTERNAL; do
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -F -a masq -W ${j%%:*} -S $IPOFIF/$NMOFIF
+ ;;
+ ipchains)
+ if [ -n "$PEEROFIF" ]; then
+ $IPCHAINS --no-warnings -A forward -j MASQ -i ${j%%:*} -s $PEEROFIF/$NMOFIF
+ else
+ $IPCHAINS --no-warnings -A forward -j MASQ -i ${j%%:*} -s $IPOFIF/$NMOFIF
+ fi
+ ;;
+ netfilter)
+ i=$(echo $i | cut -d ":" -f 1)
+ j=$(echo $j | cut -d ":" -f 1)
+ if [ -n "$PEEROFIF" ]; then
+ $IPTABLES -t nat -A POSTROUTING -s $PEEROFIF/$NMOFIF -o ${j%%:*} -j MASQUERADE
+ $IPTABLES -A FORWARD -i $i -o ${j%%:*} -s $PEEROFIF/$NMOFIF -j ACCEPT
+ $IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $PEEROFIF/$NMOFIF -j ACCEPT
+ else
+ $IPTABLES -t nat -A POSTROUTING -s $IPOFIF/$NMOFIF -o ${j%%:*} -j MASQUERADE
+ $IPTABLES -A FORWARD -i $i -o ${j%%:*} -s $IPOFIF/$NMOFIF -j ACCEPT
+ $IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT
+ fi
+ ;;
+ esac
+ done
+ done
+fi
+
diff --git a/ipmasq/rules/M80pfw.def b/ipmasq/rules/M80pfw.def
new file mode 100644
index 0000000..38e212f
--- /dev/null
+++ b/ipmasq/rules/M80pfw.def
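Review bot: The third netfilter rule in each branch, `$IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT`, accepts every packet arriving on the external interface that is addressed to the internal network, with no connection-state match, so it is not limited to replies to masqueraded connections; M80pfw.def in this same commit already uses `-m state`, so the module is available here. Unless a rule file that runs earlier in the chain restricts this (not visible in the diff), I would add `-m state --state ESTABLISHED,RELATED` to both return rules. The `${j%%:*}` expansions inside the netfilter arm are redundant once `j=$(echo $j | cut -d ":" -f 1)` has stripped the alias suffix; either keep the `cut` and use plain `$j`, or drop the two `cut` lines and rely on `${j%%:*}` as the ipfwadm and ipchains arms do.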
@@ -0,0 +1,47 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+#: Masquerade packets from internal networks
+if [ -n "$INTERNAL" -a -n "$EXTERNAL" -a -n "$PFW" ]; then
+ for pool in $PFWPOOLS; do
+ eval "PROTOS=\"\$PFWPROTO_$pool\""
+ eval "ORIGPORTS=\"\$PFWORIGPORTS_$pool\""
+ eval "PFWIP=\"\$PFWIP_$pool\""
+ eval "PFWPORT=\"\$PFWPORT_$pool\""
+ for PROTO in $PROTOS; do
+ for ORIGPORT in $ORIGPORTS; do
+ ORIGPORT_DASH=$(echo $ORIGPORT | sed 's/:/-/g')
+ for j in $EXTERNAL; do
+ ipnm_cache $j
+ EXTIP=$IPOFIF
+ case $MASQMETHOD in
+ ipfwadm)
+ ipmasqadm portfw -a -P $PROTO -L $EXTIP $ORIGPORT_DASH -R $PFWIP $PFWPORT
+ ;;
+ ipchains)
+ ipmasqadm portfw -a -P $PROTO -L $EXTIP $ORIGPORT_DASH -R $PFWIP $PFWPORT
+ ;;
+ netfilter)
+ $IPTABLES -A PREROUTING -t nat -p $PROTO -d $EXTIP --dport $ORIGPORT -j DNAT --to $PFWIP${PFWPORT:+:$PFWPORT}
+ ;;
+ esac
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ netfilter)
+ $IPTABLES -A FORWARD -i $j -o $i -p $PROTO --dport $ORIGPORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# TODO: This should be done only for the interface containing the portforward host
+# if [ "$PORTFW_REMAP_LOCAL" = "y" ]; then
+# $IPTABLES -A POSTROUTING -t nat -p $PROTO -d $PFWIP ${PFWPORT:+--dport $PFWPORT} -s $IPOFIF/$NMOFIF -j SNAT --to $IPOFIF
+# fi
+ ;;
+ esac
+ done
+ done
+ done
+ done
+ done
+fi
|
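Review bot: The netfilter FORWARD rule near the end of the hunk matches `--dport $ORIGPORT`, but FORWARD sees the packet after the PREROUTING DNAT, so for pools with a `<dest port>` (the `2222 -> 22` example in A80pfw.rul) the destination port is already `$PFWPORT` and this ACCEPT never matches; it also carries no `-d`, so it admits that port towards any internal host rather than only the forwarded one. I would change it to `$IPTABLES -A FORWARD -i ${j%%:*} -o $i -p $PROTO -d $PFWIP --dport ${PFWPORT:-$ORIGPORT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`, noting that a plain `-d` only works for a single address, so hosts configured with an `a-b` range would need `-m iprange --dst-range $PFWIP` instead. `-i $j` passes any `iface:alias` suffix straight to iptables, while M70masq.def in this commit strips it with `${j%%:*}`. The `#: Masquerade packets from internal networks` header is copied from M70masq.def; this file installs the port-forward (DNAT) rules and the comment should say so.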