From 420bcb986a4994d67cc7c1170b216aeadb88876a Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Wed, 26 Jun 2002 18:19:17 +0000 Subject: ipmasq: Add files for portforwarding. --- ipmasq/rules/A80pfw.rul | 41 ++++++++++++++++++++++++++++ ipmasq/rules/A80precompute_pfw.def | 56 ++++++++++++++++++++++++++++++++++++++ ipmasq/rules/M70masq.def | 40 +++++++++++++++++++++++++++ ipmasq/rules/M80pfw.def | 47 ++++++++++++++++++++++++++++++++ 4 files changed, 184 insertions(+) create mode 100644 ipmasq/rules/A80pfw.rul create mode 100644 ipmasq/rules/A80precompute_pfw.def create mode 100644 ipmasq/rules/M70masq.def create mode 100644 ipmasq/rules/M80pfw.def (limited to 'ipmasq/rules') diff --git a/ipmasq/rules/A80pfw.rul b/ipmasq/rules/A80pfw.rul new file mode 100644 index 0000000..de86102 --- /dev/null +++ b/ipmasq/rules/A80pfw.rul 
@@ -0,0 +1,41 @@
+# Define masqueraded hosts with an IP address or a range of addresses:
+#
+# portfw_ip_="[-]"
+#
+# must be lowercase
+# -ranges works only with iptables/netfilter (2.4.x kernels)
+#
+
+#portfw_ip_foo="10.42.42.1"
+#portfw_ip_bar="10.42.42.2"
+
+# Define pools either forwarding port (ranges) to same port on
+# masqueraded host or redirecting a single port to another port:
+#
+# portfw_pool_="[,...] [:][,...]] "
+# portfw_pool_="[,...] []"
+#
+# can only contain lowercase a-z and underscore (_)
+# is either tcp or udp (or possibly others)
+# can be either numbers or service names
+# -ranges is denoted with colon (:) and only works with iptables/netfilter (2.4.x kernels)
+# must be lowercase.
+#
+
+#portfw_pool_ssh=" tcp ssh foo"
+#portfw_pool_dns=" tcp,udp domain foo"
+#portfw_pool_mail=" tcp smtp,pop3,imap foo"
+#portfw_pool_mailsec=" tcp ssmtp,pop3s,imaps foo"
+#portfw_pool_http=" tcp http,https foo"
+
+#portfw_pool_bar_ssh=" tcp 2222 bar 22"
+#portfw_pool_foobar=" tcp 88,8080:8089 bar "
+
+# Requests from inside to the external IP of a portforwarded host will fail.
+# Remap local requests so they look like coming from the firewall itself?
+# (This works only eith iptables/netfilter)
+# (Alternatively you need a local nameserver setup with the inside address)
+#
+############ This doesn't work yet...
+#PORTFW_REMAP_LOCAL="y"
+############ This doesn't work yet...
diff --git a/ipmasq/rules/A80precompute_pfw.def b/ipmasq/rules/A80precompute_pfw.def
new file mode 100644
index 0000000..491da60
--- /dev/null
+++ b/ipmasq/rules/A80precompute_pfw.def
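Review bot: Nothing in this header says that a forwarded port is reachable from any external source address: the rules generated from these pools (M80pfw.def) match only on protocol, external IP and port, so the `#portfw_pool_dns=" tcp,udp domain foo"` example publishes host foo's resolver to the whole Internet, an open-resolver exposure if foo recurses. I would add above the examples: `# NOTE: a forwarded port is open to every source address on the external side; only forward services that are meant to be public.` Also `(This works only eith iptables/netfilter)` should read `with`.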
@@ -0,0 +1,56 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# Some reused regex'es
+re_protos='[a-z\,]\+'
+re_ports='[a-z0-9\,:]\+'
+re_port='[a-z0-9:]\+'
+re_host='[a-z0-9]\+'
+re_pool='[a-z0-9_]\+'
+re_cfg="[[:space:]]*\($re_protos\)[[:space:]]\+\($re_ports\)[[:space:]]\+\($re_host\)\([[:space:]]\+\($re_port\)\)\?[[:space:]]*"
+re_cfgline="portfw_pool_\($re_pool\)[[:space:]]*=[[:space:]]*'$re_cfg'"
+
+# Extract portforward hosts
+PFW=$(set | grep '^portfw_ip_' | sed "s/^portfw_ip_\($re_host\).*/\1/")
+
+# remove hosts with no pools attached
+if [ -n "$PFW" ]; then
+ for i in $PFW; do
+ poolhits=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\4/" | grep "^$i$")
+ if [ -z "$poolhits" ]; then
+ PFW=$(echo $PFW | sed "s/\( *\|^\)$i\( *\|$\)/\1/")
+ fi
+ done
+fi
+
+# Extract ips and ports
+if [ -n "$PFW" ]; then
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "#: These ports are forwarded:"
+ fi
+ PFWPOOLS=""
+ for i in $PFW; do
+ eval "ip=\"\$portfw_ip_$i\""
+ pools=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\1:\4/" | grep ":$i$" | sed "s/:$i$//")
+ for pool in $pools; do
+ PFWPOOLS="$PFWPOOLS $pool"
+ eval "config=\"\$portfw_pool_$pool\""
+ protos_bulk=$(echo $config | sed "s/$re_cfg/\1/")
+ protos=$(echo $protos_bulk | sed 's/,/ /g')
+ origports_bulk=$(echo $config | sed "s/$re_cfg/\2/")
+ origports=$(echo $origports_bulk | sed 's/,/ /g')
+ destport=$(echo $config | sed "s/$re_cfg/\5/")
+ [ "$origports" = "$destport" ] && destport=""
+ eval "PFWPROTO_$pool=\"\$protos\""
+ eval "PFWORIGPORTS_$pool=\"$origports\""
+ eval "PFWIP_$pool=\"$ip\""
+ eval "PFWPORT_$pool=\"$destport\""
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo -e "#: $protos_bulk \t$origports_bulk \t->\t $ip $destport \t($pool->$i)"
+ fi
+ done
+ done
+fi
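Review bot: The host pruning at `PFW=$(echo $PFW | sed "s/\( *\|^\)$i\( *\|$\)/\1/")` matches `$i` as a substring, because ` *` also matches zero spaces, so removing a pool-less host `foo` from a list that also holds `foobar` rewrites `foobar` to `bar` and the wrong host silently loses its forwards. Building the kept list with an exact comparison avoids the regex altogether (below). Separately, `eval "PFWORIGPORTS_$pool=\"$origports\""`, the `PFWIP_` and the `PFWPORT_` lines interpolate the value before eval parses it, so any `$`, backquote or quote that slips past `re_cfg` (sed returns the line unchanged when it does not match) is evaluated a second time; the `\"\$var\"` form that the `PFWPROTO_` line already uses defers that. The values come from root-owned .rul files, so this is hardening rather than a remote issue, but the inconsistency is worth removing.
```shell
# remove hosts with no pools attached; compare whole names so that a
# pool-less "foo" never strips the prefix of a kept "foobar"
pfw_kept=""
for i in $PFW; do
  poolhits=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\4/" | grep "^$i$")
  [ -n "$poolhits" ] && pfw_kept="$pfw_kept $i"
done
PFW=$pfw_kept
# … unchanged: extract ips and ports …
```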
diff --git a/ipmasq/rules/M70masq.def b/ipmasq/rules/M70masq.def
new file mode 100644
index 0000000..8c75509
--- /dev/null
+++ b/ipmasq/rules/M70masq.def
@@ -0,0 +1,40 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+#: Masquerade packets from internal networks
+if [ -n "$INTERNAL" -a -n "$EXTERNAL" ]; then
+ for j in $EXTERNAL; do
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -F -a masq -W ${j%%:*} -S $IPOFIF/$NMOFIF
+ ;;
+ ipchains)
+ if [ -n "$PEEROFIF" ]; then
+ $IPCHAINS --no-warnings -A forward -j MASQ -i ${j%%:*} -s $PEEROFIF/$NMOFIF
+ else
+ $IPCHAINS --no-warnings -A forward -j MASQ -i ${j%%:*} -s $IPOFIF/$NMOFIF
+ fi
+ ;;
+ netfilter)
+ i=$(echo $i | cut -d ":" -f 1)
+ j=$(echo $j | cut -d ":" -f 1)
+ if [ -n "$PEEROFIF" ]; then
+ $IPTABLES -t nat -A POSTROUTING -s $PEEROFIF/$NMOFIF -o ${j%%:*} -j MASQUERADE
+ $IPTABLES -A FORWARD -i $i -o ${j%%:*} -s $PEEROFIF/$NMOFIF -j ACCEPT
+ $IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $PEEROFIF/$NMOFIF -j ACCEPT
+ else
+ $IPTABLES -t nat -A POSTROUTING -s $IPOFIF/$NMOFIF -o ${j%%:*} -j MASQUERADE
+ $IPTABLES -A FORWARD -i $i -o ${j%%:*} -s $IPOFIF/$NMOFIF -j ACCEPT
+ $IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT
+ fi
+ ;;
+ esac
+ done
+ done
+fi
+
diff --git a/ipmasq/rules/M80pfw.def b/ipmasq/rules/M80pfw.def
new file mode 100644
index 0000000..38e212f
--- /dev/null
+++ b/ipmasq/rules/M80pfw.def
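Review bot: The return-path rules `$IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $PEEROFIF/$NMOFIF -j ACCEPT` and the `$IPOFIF` variant in the netfilter branch accept every packet arriving on the external interface for the internal network, not only replies to masqueraded connections, so anything that reaches FORWARD with an internal destination is let through unless an earlier rule drops it. M80pfw.def already qualifies the forwards it opens with `-m state`; the same belongs here: `$IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -m state --state ESTABLISHED,RELATED -j ACCEPT` (and likewise for the `$PEEROFIF` line). Whether an earlier I-series rule already blocks such packets is outside this hunk, so I have not assumed it. Minor: `j` is reassigned with `cut` inside the inner loop while the rules still use `${j%%:*}`, which does the same thing; one of the two can go.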
@@ -0,0 +1,47 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+#: Masquerade packets from internal networks
+if [ -n "$INTERNAL" -a -n "$EXTERNAL" -a -n "$PFW" ]; then
+ for pool in $PFWPOOLS; do
+ eval "PROTOS=\"\$PFWPROTO_$pool\""
+ eval "ORIGPORTS=\"\$PFWORIGPORTS_$pool\""
+ eval "PFWIP=\"\$PFWIP_$pool\""
+ eval "PFWPORT=\"\$PFWPORT_$pool\""
+ for PROTO in $PROTOS; do
+ for ORIGPORT in $ORIGPORTS; do
+ ORIGPORT_DASH=$(echo $ORIGPORT | sed 's/:/-/g')
+ for j in $EXTERNAL; do
+ ipnm_cache $j
+ EXTIP=$IPOFIF
+ case $MASQMETHOD in
+ ipfwadm)
+ ipmasqadm portfw -a -P $PROTO -L $EXTIP $ORIGPORT_DASH -R $PFWIP $PFWPORT
+ ;;
+ ipchains)
+ ipmasqadm portfw -a -P $PROTO -L $EXTIP $ORIGPORT_DASH -R $PFWIP $PFWPORT
+ ;;
+ netfilter)
+ $IPTABLES -A PREROUTING -t nat -p $PROTO -d $EXTIP --dport $ORIGPORT -j DNAT --to $PFWIP${PFWPORT:+:$PFWPORT}
+ ;;
+ esac
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ netfilter)
+ $IPTABLES -A FORWARD -i $j -o $i -p $PROTO --dport $ORIGPORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# TODO: This should be done only for the interface containing the portforward host
+# if [ "$PORTFW_REMAP_LOCAL" = "y" ]; then
+# $IPTABLES -A POSTROUTING -t nat -p $PROTO -d $PFWIP ${PFWPORT:+--dport $PFWPORT} -s $IPOFIF/$NMOFIF -j SNAT --to $IPOFIF
+# fi
+ ;;
+ esac
+ done
+ done
+ done
+ done
+ done
+fi
-- cgit v1.2.3
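Review bot: The accept rule `$IPTABLES -A FORWARD -i $j -o $i -p $PROTO --dport $ORIGPORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` is evaluated after the nat PREROUTING DNAT, so for a pool that remaps the port (`PFWPORT` set, e.g. the `2222 bar 22` example) the packet reaches FORWARD with destination port `$PFWPORT`, the rule never matches, and the forward only works if the chain policy accepts anyway. The rule also matches any destination address, wider than the DNAT it complements, and passes `$j` unstripped although M70masq.def removes the `:alias` suffix before using it as `-i`; I would change it to `$IPTABLES -A FORWARD -i ${j%%:*} -o ${i%%:*} -p $PROTO -d $PFWIP --dport ${PFWPORT:-$ORIGPORT} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`. In the ipfwadm/ipchains branches `ipmasqadm portfw ... -R $PFWIP $PFWPORT` gets no remote port for same-port pools, because A80precompute_pfw.def blanks `destport` in that case; if ipmasqadm requires RPORT, as I believe it does, `-R $PFWIP ${PFWPORT:-$ORIGPORT_DASH}` is needed, and a colon range should be rejected there since the .rul header says ranges only work with netfilter.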