Added port forwarding code, cleaned up options file

master
bruns@2mbit.com 2009-08-13 20:40:41 +00:00
parent 4033c293c1
commit 6059978db1
4 changed files with 77 additions and 16 deletions


@ -1,33 +1,78 @@
# Comment out the following to disable features # This is for testing purposes.
IPTABLES=/sbin/iptables IPTABLES=/bin/true
IP6TABLES=/sbin/ip6tables IP6TABLES=/bin/true
# Uncomment below to actually activate firewall
#IPTABLES=/sbin/iptables
#IP6TABLES=/sbin/ip6tables
# I'm trying to make this config as simple as possible. Comment out
# options you don't want to use, uncomment them to use them.
# Do we want NAT/Conntrack/Forward features?
NAT=1 NAT=1
CONNTRACK=1 CONNTRACK=1
FORWARD=1 FORWARD=1
# Blocking incoming connections by default?
BLOCKINCOMING=1 BLOCKINCOMING=1
# Clamp MSS, useful on DSL/VPN links
#CLAMPMSS=ppp0 #CLAMPMSS=ppp0
# Port forwardings, requires NAT
PORTFW=$BASEDIR/port-forwards
#IPV6 # TCP/UDP/Protocol to allow
IPV6=1
#IPV6FORWARD=1
IPV6BLOCKINCOMING=1
#IPV6ROUTEDCLIENTBLOCK=1
#IPV6INT=he-ipv6
#================
TCPPORTS="20 21 22 53 80 113 123 443" TCPPORTS="20 21 22 53 80 113 123 443"
UDPPORTS="53" UDPPORTS="53"
# common protocols to allow include ipsec, gre, and ipv6
ALLOWEDPROTO="41 47 50 51"
# IPs that are allowed to bypass firewall
TRUSTEDIP="127.0.0.1" TRUSTEDIP="127.0.0.1"
# Don't track these IPs, useful in some occasions. Don't
# use otherwise.
DONTTRACK="127.0.0.1" DONTTRACK="127.0.0.1"
# IP range(s) to forward
FORWARDRANGE="192.168.1.0/24" FORWARDRANGE="192.168.1.0/24"
# IP ranges(s) to NAT using SNAT.
NATRANGE="192.168.1.0/24" NATRANGE="192.168.1.0/24"
# External IP and interface for SNAT
NATEXTIP="172.16.1.1" NATEXTIP="172.16.1.1"
NATEXTIF="eth0" NATEXTIF="eth0"
ALLOWEDPROTO="41 47 50 51"
#================
# IPv6 related features. Commenting out IPV6 variable disables ALL
# IPv6 related items
IPV6=1
# IPv6 Forwarding
#IPV6FORWARD=1
# Default block all incoming ipv6 connections?
IPV6BLOCKINCOMING=1
# Special case for routers that have ipv6 clients behind them.
# Useful if clients do not have proper ipv6 firewalls.
#IPV6ROUTEDCLIENTBLOCK=1
# Interface IPv6 comes in on (either tunnel or real network interface)
#IPV6INT=he-ipv6
# Trusted IPv6 ranges
IPV6TRUSTED="::1" IPV6TRUSTED="::1"
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
# have same for both ipv4 and ipv6)
IPV6TCP=$TCPPORTS IPV6TCP=$TCPPORTS
IPV6UDP=$UDPPORTS IPV6UDP=$UDPPORTS
# IPv6 range to forward
#IPV6FORWARDRANGE="" #IPV6FORWARDRANGE=""
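Review bot: The shipped defaults `IPTABLES=/bin/true` and `IP6TABLES=/bin/true` turn every rule into a no-op, so a host that runs the script with the stock options file reports success while staying unfiltered, and the only hint is the `# This is for testing purposes.` comment on the first line. Consider shipping with the real binaries active and selecting dry-run mode explicitly, or at least having the firewall script print a prominent warning when `$IPTABLES` is not an iptables binary. The new `PORTFW=$BASEDIR/port-forwards` line also relies on BASEDIR being defined before this file is sourced (the script sets it just before `. $BASEDIR/options`); a one-line comment `# PORTFW needs BASEDIR, which the firewall script sets before sourcing this file` would make that dependency explicit.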

port-forwards Normal file

@ -0,0 +1,3 @@
# Format is:
# External port:internal ip:internal port
8080:tcp:192.168.0.100:80
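Review bot: The header comment `# External port:internal ip:internal port` describes three fields, but the example entry and the parser in the firewall script (`PORTADD=( ${i//:/ } )`, indexed 0..3) use four: external port, protocol, internal IP, internal port; change it to `# External port:protocol (tcp|udp):internal ip:internal port`. The sample `8080:tcp:192.168.0.100:80` is live as shipped, so a default install with NAT enabled forwards TCP/8080 to an internal address the operator may not own; ship it commented out as `#8080:tcp:192.168.0.100:80` instead. Note also that the script's filter `grep -v "\#"` drops any line containing `#` anywhere, so a trailing inline comment on an entry silently disables that forward.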


@ -1,2 +1 @@
#!/bin/bash #!/bin/bash
/etc/init.d/fail2ban restart


@ -2,10 +2,10 @@
# v0.2 # v0.2
# By Brielle Bruns <bruns@2mbit.com> # By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org # URL: http://www.sosdg.org
# License: GPLv2 # License: GPLv3
BASEDIR=/etc/sosdg-firewall BASEDIR=/etc/sosdg-firewall
#BASEDIR=`pwd`
. $BASEDIR/options . $BASEDIR/options
@ -84,6 +84,20 @@ if [ $CONNTRACK ]; then
done done
fi fi
if [ $PORTFW ] && [ $NAT ]; then
for i in `grep -v "\#" $PORTFW`; do
PORTADD=( ${i//:/ } )
echo "Adding port forward for ext port ${PORTADD[0]}/${PORTADD[1]} to ${PORTADD[2]}:${PORTADD[3]}"
$IPTABLES -A PREROUTING -t nat -i $NATEXTIF -p ${PORTADD[1]} \
--dport ${PORTADD[0]} -j DNAT --to \
${PORTADD[2]}:${PORTADD[3]}
$IPTABLES -A INPUT -p ${PORTADD[1]} -m state --state NEW \
--dport ${PORTADD[0]} -i $NATEXTIF -j ACCEPT
done
fi
if [ $NAT ]; then if [ $NAT ]; then
for i in $NATRANGE; do for i in $NATRANGE; do
$IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
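Review bot: The ACCEPT rule the new PORTFW block adds to INPUT (`$IPTABLES -A INPUT -p ${PORTADD[1]} -m state --state NEW --dport ${PORTADD[0]} -i $NATEXTIF -j ACCEPT`) does not admit the forwarded traffic: once PREROUTING has DNATed a packet it traverses FORWARD with the internal address and port as its destination, so the INPUT rule is dead for that flow and the forward only works if the FORWARD chain, handled outside this hunk, happens to allow it. The rule should instead be `$IPTABLES -A FORWARD -i $NATEXTIF -p ${PORTADD[1]} -d ${PORTADD[2]} --dport ${PORTADD[3]} -m state --state NEW -j ACCEPT`. The entry parser is also fragile: `for i in \`grep -v "\#" $PORTFW\`` discards any line containing `#` anywhere and word-splits the whole file, and `PORTADD=( ${i//:/ } )` never checks that four fields were found, so a short or malformed line produces an iptables call with missing arguments (and, with IPTABLES=/bin/true, no error at all). The rewrite below reads the file field by field with `read -r`, skips blank and comment lines, and rejects entries that lack a field.
```shell
if [ "$PORTFW" ] && [ "$NAT" ]; then
  # One entry per line: extport:proto:intip:intport. Blank lines and lines
  # starting with '#' are skipped; an entry with a missing field is rejected.
  while IFS=: read -r extport proto intip intport; do
    case "$extport" in ''|\#*) continue ;; esac
    if [ -z "$proto" ] || [ -z "$intip" ] || [ -z "$intport" ]; then
      echo "Skipping malformed port-forward entry in $PORTFW: $extport:$proto:$intip:$intport" >&2
      continue
    fi
    echo "Adding port forward for ext port $extport/$proto to $intip:$intport"
    $IPTABLES -A PREROUTING -t nat -i "$NATEXTIF" -p "$proto" \
      --dport "$extport" -j DNAT --to "$intip:$intport"
    # DNATed packets traverse FORWARD, not INPUT, so match the post-DNAT destination
    $IPTABLES -A FORWARD -i "$NATEXTIF" -p "$proto" -d "$intip" \
      --dport "$intport" -m state --state NEW -j ACCEPT
  done < "$PORTFW"
fi
```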