From 6059978db17036135202d5acb08fb6b52d7135a4 Mon Sep 17 00:00:00 2001
From: "bruns@2mbit.com"
Date: Thu, 13 Aug 2009 20:40:41 +0000
Subject: [PATCH] Added port forwarding code, cleaned up options file
---
options.default | 71 ++++++++++++++++++++++++++++++++++++++++---------
port-forwards | 3 +++
postrun | 1 -
rc.firewall | 18 +++++++++++--
4 files changed, 77 insertions(+), 16 deletions(-)
create mode 100644 port-forwards
diff --git a/options.default b/options.default
index e5605b9..dacc8eb 100755
--- a/options.default
+++ b/options.default
@@ -1,33 +1,78 @@
-# Comment out the following to disable features
-IPTABLES=/sbin/iptables
-IP6TABLES=/sbin/ip6tables
+# This is for testing purposes.
+IPTABLES=/bin/true
+IP6TABLES=/bin/true
+# Uncomment below to actually activate firewall
+#IPTABLES=/sbin/iptables
+#IP6TABLES=/sbin/ip6tables
+
+
+# I'm trying to make this config as simple as possible. Comment out
+# options you don't want to use, uncomment them to use them.
+
+# Do we want NAT/Conntrack/Forward features?
 NAT=1
 CONNTRACK=1
 FORWARD=1
+
+# Blocking incoming connections by default?
 BLOCKINCOMING=1
+
+# Clamp MSS, useful on DSL/VPN links
 #CLAMPMSS=ppp0
+# Port forwardings, requires NAT
+PORTFW=$BASEDIR/port-forwards
-#IPV6
-IPV6=1
-#IPV6FORWARD=1
-IPV6BLOCKINCOMING=1
-#IPV6ROUTEDCLIENTBLOCK=1
-#IPV6INT=he-ipv6
-
-#================
+# TCP/UDP/Protocol to allow
 TCPPORTS="20 21 22 53 80 113 123 443"
 UDPPORTS="53"
+
+# common protocols to allow include ipsec, gre, and ipv6
+ALLOWEDPROTO="41 47 50 51"
+
+# IPs that are allowed to bypass firewall
 TRUSTEDIP="127.0.0.1"
+
+# Don't track these IPs, useful in some occasions. Don't
+# use otherwise.
 DONTTRACK="127.0.0.1"
+
+# IP range(s) to forward
 FORWARDRANGE="192.168.1.0/24"
+
+# IP ranges(s) to NAT using SNAT.
 NATRANGE="192.168.1.0/24"
+
+# External IP and interface for SNAT
 NATEXTIP="172.16.1.1"
 NATEXTIF="eth0"
-ALLOWEDPROTO="41 47 50 51"
-#================
+
+
+# IPv6 related features. Commenting out IPV6 variable disables ALL
+# IPv6 related items
+IPV6=1
+
+# IPv6 Forwarding
+#IPV6FORWARD=1
+
+# Default block all incoming ipv6 connections?
+IPV6BLOCKINCOMING=1
+
+# Special case for routers that have ipv6 clients behind them.
+# Useful if clients do not have proper ipv6 firewalls.
+#IPV6ROUTEDCLIENTBLOCK=1
+
+# Interface IPv6 comes in on (either tunnel or real network interface)
+#IPV6INT=he-ipv6
+
+# Trusted IPv6 ranges
 IPV6TRUSTED="::1"
+
+# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
+# have same for both ipv4 and ipv6)
 IPV6TCP=$TCPPORTS
 IPV6UDP=$UDPPORTS
+
+# IPv6 range to forward
 #IPV6FORWARDRANGE=""
diff --git a/port-forwards b/port-forwards
new file mode 100644
index 0000000..eba559d
--- /dev/null
+++ b/port-forwards
@@ -0,0 +1,3 @@
+# Format is:
+# External port:internal ip:internal port
+8080:tcp:192.168.0.100:80
diff --git a/postrun b/postrun
index 1e0e971..a9bf588 100755
--- a/postrun
+++ b/postrun
@@ -1,2 +1 @@
 #!/bin/bash
-/etc/init.d/fail2ban restart
diff --git a/rc.firewall b/rc.firewall
index 1f6c423..bae1ee5 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -2,10 +2,10 @@
 # v0.2
 # By Brielle Bruns
 # URL: http://www.sosdg.org
-# License: GPLv2
+# License: GPLv3
 BASEDIR=/etc/sosdg-firewall
-
+#BASEDIR=`pwd`
 . $BASEDIR/options
@@ -84,6 +84,20 @@ if [ $CONNTRACK ]; then
 done
 fi
+if [ $PORTFW ] && [ $NAT ]; then
+ for i in `grep -v "\#" $PORTFW`; do
+ PORTADD=( ${i//:/ } )
+ echo "Adding port forward for ext port ${PORTADD[0]}/${PORTADD[1]} to ${PORTADD[2]}:${PORTADD[3]}"
+ $IPTABLES -A PREROUTING -t nat -i $NATEXTIF -p ${PORTADD[1]} \
+ --dport ${PORTADD[0]} -j DNAT --to \
+ ${PORTADD[2]}:${PORTADD[3]}
+ $IPTABLES -A INPUT -p ${PORTADD[1]} -m state --state NEW \
+ --dport ${PORTADD[0]} -i $NATEXTIF -j ACCEPT
+
+ done
+fi
+
+
 if [ $NAT ]; then
 for i in $NATRANGE; do
 $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
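Review bot: The shipped defaults now set `IPTABLES=/bin/true` and `IP6TABLES=/bin/true`, so anyone who installs options.default as-is gets an rc.firewall run that prints its progress messages and installs no rules at all, and the new port-forward loop would announce forwards that were never created. The real binaries should stay as the uncommented default with the /bin/true pair left commented as an explicit opt-in test mode; failing that, rc.firewall should warn on stderr when `$IPTABLES` is not an iptables binary. The comment on `PORTFW` could also state that each line of `$BASEDIR/port-forwards` needs four colon-separated fields, since that is what the loop in rc.firewall splits on.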
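Review bot: The header comment describes three fields, `External port:internal ip:internal port`, but the example line and the loop in rc.firewall that consumes this file use four: external port, protocol, internal IP, internal port. Change the comment to `# External port:protocol:internal ip:internal port` so a user following it does not write a three-field line, which the loop would turn into a DNAT rule with an empty destination port.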
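Review bot: The ACCEPT rule added to INPUT does not admit the forwarded flow: once PREROUTING has DNATed the packet to `${PORTADD[2]}` it is routed through FORWARD, not INPUT, so this rule only opens `${PORTADD[0]}` on the firewall host itself. If the FORWARD chain is restrictive elsewhere in the script, the rule actually needed is `$IPTABLES -A FORWARD -i $NATEXTIF -p ${PORTADD[1]} -d ${PORTADD[2]} --dport ${PORTADD[3]} -m state --state NEW -j ACCEPT`. The loop also trusts the file's field count and never checks the iptables exit status, so a malformed line silently yields an empty `${PORTADD[3]}`; guard it with `[ ${#PORTADD[@]} -eq 4 ] || { echo "skipping malformed port-forward entry: $i" >&2; continue; }` before the echo. Note too that `grep -v "\#"` drops any line containing `#` anywhere, not only comment lines.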