Revision: 2814
http://ipcop.svn.sourceforge.net/ipcop/?rev=2814&view=rev
Author: owes
Date: 2009-05-08 20:06:13 +0000 (Fri, 08 May 2009)
Log Message:
-----------
Move the SNAT rules for marked packets from POSTROUTING into (new) PORTFWNAT
chain and let puzzleFwRules create them dynamically.
Add the MARK rules into PORTFWMANGLE.
The combination of these rules makes it possible to hit a portforward from
internal network(s).
Modified Paths:
--------------
ipcop/trunk/src/libs/DataAccess.pl
ipcop/trunk/src/rc.d/rc.firewall
ipcop/trunk/src/scripts/puzzleFwRules.pl
Modified: ipcop/trunk/src/libs/DataAccess.pl
===================================================================
--- ipcop/trunk/src/libs/DataAccess.pl 2009-05-08 19:44:16 UTC (rev 2813)
+++ ipcop/trunk/src/libs/DataAccess.pl 2009-05-08 20:06:13 UTC (rev 2814)
@@ -566,6 +566,8 @@
my $defaultNetworks = shift;
my $netsettings = shift;
+ my $portFWMark = 1;
+
# Get current defined networks (Red, Green, Blue, Orange)
$defaultNetworks->{'Any'}{'IPT'} = "0.0.0.0/0.0.0.0";
$defaultNetworks->{'Any'}{'ADR'} = "0.0.0.0";
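Review bot: `my $portFWMark = 1;` starts the mark sequence at 1 and the later hunks hand out 1, 2, 3 in network order, replacing the fixed 1/21/31 values the old rc.firewall rules used, so the value a given network receives now shifts whenever ORANGE or BLUE is enabled or disabled. That is consistent as long as puzzleFwRules.pl is the only consumer, but any other mangle user on the box that matches `--mark` without a mask could now collide with marks 1–3; I cannot tell from this diff whether one exists. A comment next to the declaration would make the contract explicit: `# sequential fwmark handed to puzzleFwRules.pl for hairpin port forwards; values depend on which networks are enabled`. The enclosing subroutine starts before this hunk.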
@@ -626,6 +628,8 @@
$defaultNetworks->{'Green Network'}{'MASK'} =
$netsettings{'GREEN_1_NETMASK'};
$defaultNetworks->{'Green Network'}{'LOCATION'} = "OTHER";
$defaultNetworks->{'Green Network'}{'COLOR'} = "GREEN_COLOR";
+ $defaultNetworks->{'Green Network'}{'PFWMARK'} = $portFWMark++;
+ $defaultNetworks->{'Green Network'}{'N2A'} = "Green Address";
if ($netsettings{'ORANGE_1_DEV'} ne '') {
$defaultNetworks->{'Orange Address'}{'IPT'} =
"$netsettings{'ORANGE_1_ADDRESS'}/255.255.255.255";
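Review bot: `{'N2A'} = "Green Address"` is a name-to-address link that puzzleFwRules.pl dereferences as `$defaultNetworks{$defaultNetworks{$inIface}{'N2A'}}{'ADR'}`, but nothing here ties the two entries together: if the 'Green Address' entry is ever renamed or removed, the SNAT rule ends up with an empty `--to-source`. The same pattern is added for Orange (@@ -640) and Blue (@@ -654). A comment above the line would help the next maintainer: `# N2A: key of the firewall's own address entry on this network; used as SNAT source for hairpin port forwards`. The 'Green Address' entry itself is set outside this hunk, so its presence is inferred, not verified.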
@@ -640,6 +644,8 @@
$defaultNetworks->{'Orange Network'}{'MASK'} =
$netsettings{'ORANGE_1_NETMASK'};
$defaultNetworks->{'Orange Network'}{'LOCATION'} = "OTHER";
$defaultNetworks->{'Orange Network'}{'COLOR'} = "ORANGE_COLOR";
+ $defaultNetworks->{'Orange Network'}{'PFWMARK'} = $portFWMark++;
+ $defaultNetworks->{'Orange Network'}{'N2A'} = "Orange Address";
}
if ($netsettings{'BLUE_1_DEV'} ne '') {
@@ -654,6 +660,8 @@
$defaultNetworks->{'Blue Network'}{'MASK'} =
$netsettings{'BLUE_1_NETMASK'};
$defaultNetworks->{'Blue Network'}{'LOCATION'} = "OTHER";
$defaultNetworks->{'Blue Network'}{'COLOR'} = "BLUE_COLOR";
+ $defaultNetworks->{'Blue Network'}{'PFWMARK'} = $portFWMark++;
+ $defaultNetworks->{'Blue Network'}{'N2A'} = "Blue Address";
}
# OpenVPN
@@ -669,6 +677,12 @@
$defaultNetworks->{'OpenVPN Network'}{'MASK'} =
$tempovpnsubnet[1];
$defaultNetworks->{'OpenVPN Network'}{'LOCATION'} = "OTHER";
$defaultNetworks->{'OpenVPN Network'}{'COLOR'} = "OVPN_COLOR";
+
+ # TODO: do we also want to do the portforward automagic for
OpenVPN ?
+ # We would need to find the server IP in that case.
+ #$defaultNetworks->{'OpenVPN Network'}{'PFWMARK'} = $portFWMark++;
+ #$defaultNetworks->{'OpenVPN Network'}{'N2A'} = "OpenVPN
Address";
+ #$defaultNetworks->{'OpenVPN Address'}{'ADR'} = "2.2.2.2";
}
} # end OpenVPN
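Review bot: The commented-out OpenVPN block keeps a literal placeholder `"2.2.2.2"` for `{'OpenVPN Address'}{'ADR'}` as dead code; if someone uncomments it to try the feature, that arbitrary address becomes the SNAT source for hairpinned OpenVPN traffic. Prefer to keep only the TODO text and drop the three commented assignments, or label the value: `# placeholder, not a real address; replace with the OpenVPN server IP before enabling`.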
Modified: ipcop/trunk/src/rc.d/rc.firewall
===================================================================
--- ipcop/trunk/src/rc.d/rc.firewall 2009-05-08 19:44:16 UTC (rev 2813)
+++ ipcop/trunk/src/rc.d/rc.firewall 2009-05-08 20:06:13 UTC (rev 2814)
@@ -206,20 +206,12 @@
/sbin/iptables -t nat -N PORTFW
/sbin/iptables -t nat -A PREROUTING -j PORTFW
-
- # Custom mangle chain (for port fowarding)
+ # Custom mangle/nat chains for port fowarding
/sbin/iptables -t mangle -N PORTFWMANGLE
/sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
+ /sbin/iptables -t nat -N PORTFWNAT
+ /sbin/iptables -t nat -A POSTROUTING -j PORTFWNAT
- # Postrouting rules (for port forwarding)
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source
$GREEN_1_ADDRESS
- if [ 0$BLUE_COUNT -gt 0 ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 21 -j SNAT
--to-source $BLUE_1_ADDRESS
- fi
- if [ 0$ORANGE_COUNT -gt 0 ]; then
- /sbin/iptables -t nat -A POSTROUTING -m mark --mark 31 -j SNAT
--to-source $ORANGE_1_ADDRESS
- fi
-
# last rule in input and forward chain is for logging and block.
/sbin/iptables -N FW_LOG
/sbin/iptables -A INPUT -j FW_LOG
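Review bot: After this hunk PORTFWNAT is created empty and POSTROUTING only jumps to it, so the SNAT rules that used to be static now exist only once puzzleFwRules.pl has run; until then, or if that script fails, hairpin port forwards silently stop working instead of failing here. The position of the jump also matters: it is appended, so it lands after whatever POSTROUTING rules were added before line 206, and if one of those is a MASQUERADE or SNAT without an `-o` restriction, marked packets never reach PORTFWNAT, which I cannot verify from the diff. Consider `# PORTFWNAT is filled by puzzleFwRules.pl (SNAT for hairpin port forwards); keep this jump ahead of any unrestricted POSTROUTING NAT rule`. The new comment still reads `fowarding`.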
Modified: ipcop/trunk/src/scripts/puzzleFwRules.pl
===================================================================
--- ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-05-08 19:44:16 UTC (rev
2813)
+++ ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-05-08 20:06:13 UTC (rev
2814)
@@ -212,8 +212,8 @@
&prepareRule("-F FW_DMZHOLES") if ($type eq "DMZHOLES");
if($type eq "PORTFW") {
&prepareRule("-t nat -F PORTFW");
- # TODO: do we need those MANGLE rules?
- #&prepareRule("-t mangle -F PORTFWMANGLE");
+ &prepareRule("-t nat -F PORTFWNAT");
+ &prepareRule("-t mangle -F PORTFWMANGLE");
&prepareRule("-F PORTFWACCESS");
}
}
@@ -244,6 +244,19 @@
&DATA::readServiceGroupConf(\%groupServices);
foreach my $type (@runRuleTypes) {
+ if($type eq "PORTFW") {
+ # create POSTROUTING rules to be able to hit a portforward from inside
local network
+
+ foreach my $inIface (keys %defaultNetworks) {
+ next if (!defined($defaultNetworks{$inIface}{'PFWMARK'}));
+
+ my $rulebody;
+ $rulebody = " -t nat -A PORTFWNAT -m mark --mark
$defaultNetworks{$inIface}{'PFWMARK'}";
+ $rulebody .= " -j SNAT --to-source
$defaultNetworks{$defaultNetworks{$inIface}{'N2A'}}{'ADR'}";
+ &prepareRule("$rulebody");
+ } # foreach my (keys %defaultNetworks)
+ }
+
foreach my $rule (@{$ruleConfig{$type}}) {
next if ($rule->{'ENABLED'} ne 'on'); # Enabled ?
next if ($rule->{'RULEMODE'} eq 'adv' &&
$FW::fwSettings{'ADV_MODE_ENABLE'} ne 'on'); # Advanced Mode ?
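Review bot: The SNAT rule is assembled from `$defaultNetworks{$defaultNetworks{$inIface}{'N2A'}}{'ADR'}` without checking that the N2A target exists or has a defined ADR; a missing entry autovivifies, interpolates as an empty string, and yields `--to-source ` with no address, which iptables will not accept, on top of an uninitialized-value warning. Resolve the address first and skip the network when it is empty: `my $snatAdr = $defaultNetworks{ $defaultNetworks{$inIface}{'N2A'} }{'ADR'};` followed by `next if (!defined($snatAdr) || $snatAdr eq '');`. Iterating `keys %defaultNetworks` also makes rule order hash-dependent, which is harmless here because each mark is distinct. `&prepareRule("$rulebody")` can be `&prepareRule($rulebody)`; the quotes only copy the string. The enclosing `foreach my $type` loop continues past the hunk.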
@@ -827,10 +840,17 @@
} # foreach my $tmpSrcAdr (@srcAdres)
} # foreach $service (@extPfwServices)
- #######
- # TODO: May add some MANGLE rules (like in 1.4) but I
don't know if this is neccessary
- #######
+ foreach my $service (@extPfwServices) {
+ foreach my $inIface (keys %defaultNetworks) {
+ next if
(!defined($defaultNetworks{$inIface}{'PFWMARK'}));
+ # create MANGLE MARK rule string
+ $rulebody = " -t mangle -A PORTFWMANGLE -s
$defaultNetworks{$inIface}{'IPT'}";
+ $rulebody .= " -d $extPfwAdr $service -j MARK
--set-mark $defaultNetworks{$inIface}{'PFWMARK'}";
+ &prepareRule("$rulebody");
+ } # foreach my (keys %defaultNetworks)
+ } # foreach $service (@extPfwServices)
+
foreach my $service (@services) {
foreach my $tmpSrcAdr (@srcAdres) {
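Review bot: The MARK rule matches only on `-s <network> -d $extPfwAdr $service` with no ingress-interface match, so in mangle PREROUTING it also fires for a packet arriving on RED that carries a spoofed internal source address; whether that matters depends on the anti-spoofing rules elsewhere in the ruleset, which this diff does not show. If the network entries carry their interface, adding an `-i <dev>` match keeps the mark, and the SNAT it triggers, to traffic that really entered from that network. Note also that the SNAT rewrites the client address to the firewall's own, so the internal server only ever logs the firewall for hairpinned connections; a comment here would save the next reader a trip through rc.firewall: `# hairpin forwards are SNATed to the firewall's internal address; the internal server sees the firewall, not the client, as source`. `$rulebody` is used without `my` here and relies on a declaration outside the hunk; the block holding this `foreach` starts and ends outside the hunk as well.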