    1 # ------------------------------------------------------------------------------
    2 # -= Arno's Iptables Firewall(AIF) - DMZ-host default port forwarding plugin =-
    3 #
    4 PLUGIN_NAME="DMZ-host DNAT plugin"
    5 PLUGIN_VERSION="0.10"
    6 PLUGIN_CONF_FILE="dmz-dnat.conf"
    7 #
    8 # Last changed          : January 5, 2019
    9 # Requirements          : AIF 2.1.0 (or newer)
   10 # Comments              : This plugin allows forwarding of all traffic to a "DMZ" host.
   11 #                         Updated to be IPv4-only
   12 #                         Updated to support parse_rule()
   13 #                         Updated to support ipt_if()
   14 #
   15 # Author                : (C) Copyright 2010-2019 by Arno van Amersfoort
   16 #                       : (C) Copyright 2010-2016 by Philip A. Prindeville
   17 # Email                 : philipp AT redfish-solutions DOT com
   18 #                         (note: you must remove all spaces and substitute the @ and the .
   19 #                         at the proper locations!)
   20 # ------------------------------------------------------------------------------
   21 # This program is free software; you can redistribute it and/or
   22 # modify it under the terms of the GNU General Public License
   23 # version 2 as published by the Free Software Foundation.
   24 #
   25 # This program is distributed in the hope that it will be useful,
   26 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   27 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   28 # GNU General Public License for more details.
   29 #
   30 # You should have received a copy of the GNU General Public License
   31 # along with this program; if not, write to the Free Software
   32 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   33 # ------------------------------------------------------------------------------
   34 
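#######################################
# Add RETURN rules to NAT_PREROUTING_LOCAL for every (interface, source host,
# destination ip, port|protocol) tuple described by the given rules, so that
# traffic covered by an OPEN_*/HOST_OPEN_* rule is exempt from the DMZ DNAT.
# One helper serves TCP, UDP and raw-protocol rules (the plugin used to carry
# three copies of this loop nest).
#
# Arguments:
#   $1   - name of the config variable the rules came from; handed to
#          parse_rule unchanged (used for its diagnostics)
#   $2   - "tcp" or "udp": match "-p $2 --dport PORT" for every port in the
#          rule; "ip": match "-p PROTO" for every protocol in the rule
#   $3.. - the rules, one per argument (the caller word-splits them)
# Globals:
#   Reads interfaces, destips, hosts and ports/protos as set by parse_rule.
#   Leaves IFS=',' once any rule parsed, exactly as the original loops did.
# Returns:
#   0. iptables exit codes are not checked, as elsewhere in this plugin.
#######################################
dmz_dnat_add_exceptions()
{
  local conf_var="$1" proto_mode="$2"
  local fields items rule host item destip interface
  shift 2

  case "$proto_mode" in
    ip) fields="interfaces-destips-hosts-protos" ;;
    *)  fields="interfaces-destips-hosts-ports" ;;
  esac

  for rule in "$@"; do
    if parse_rule "$rule" "$conf_var" "$fields"; then
      # Raw-protocol rules iterate over protocols, the others over ports
      if [ "$proto_mode" = "ip" ]; then
        items="$protos"
      else
        items="$ports"
      fi

      IFS=','
      for host in $(ip_range "$hosts"); do
        for item in $items; do
          # Protocol match for this tuple, kept in "$@" so it expands into
          # separate arguments whatever IFS is (the rule list was already
          # consumed by the for loop above, so "$@" is free to reuse).
          if [ "$proto_mode" = "ip" ]; then
            set -- -p "$item"
          else
            set -- -p "$proto_mode" --dport "$item"
          fi
          for destip in $destips; do
            for interface in $interfaces; do
              # ipt_if stays unquoted on purpose: it may expand to no
              # argument at all.
              # NOTE(review): it is expanded while IFS=',' (as in the original
              # code); confirm its output still splits into separate arguments.
              ip4tables -t nat -A NAT_PREROUTING_LOCAL $(ipt_if -i "$interface") -s "$host" -d "$destip" "$@" -j RETURN
            done
          done
        done
      done
    fi
  done
}


#######################################
# Plugin start function: create and fill the NAT_PREROUTING_LOCAL chain so that
# traffic arriving on the NAT (or external) interface(s) which is neither ICMP
# nor covered by an OPEN_*/HOST_OPEN_* rule is DNATed to $DMZ_IP, and accept
# the forwarded result.
#
# Globals:
#   Reads NAT_IF, EXT_IF, OPEN_TCP, OPEN_UDP, OPEN_IP, HOST_OPEN_TCP,
#   HOST_OPEN_UDP, HOST_OPEN_IP, ANYHOST, SEP, DMZ_IP, INDENT.
#   Leaves IFS set to ' ,' on return (unchanged from the original code).
# Returns:
#   Always 0; iptables exit codes are not checked.
#######################################
plugin_start()
{
  local eif rule open_tcp="" open_udp="" open_ip=""

  # Forward all traffic that doesn't match an explicit port-forward to the
  # DMZ host.  The chain is (re)created empty and hooked into the post
  # port-forwarding NAT chain.
  ip4tables -t nat -N NAT_PREROUTING_LOCAL 2>/dev/null
  ip4tables -t nat -F NAT_PREROUTING_LOCAL

  ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL

  # ICMP arriving on the NAT interface(s) is never DNATed to the DMZ host
  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i "$eif" -p icmp -j RETURN
  done

  # OPEN_* rules carry no source-host part; prefix them with ANYHOST so they
  # go through parse_rule in the same shape as the HOST_OPEN_* rules.
  unset IFS
  for rule in $OPEN_TCP; do
    open_tcp="$open_tcp $ANYHOST$SEP$rule"
  done
  dmz_dnat_add_exceptions HOST_OPEN_TCP tcp $HOST_OPEN_TCP $open_tcp

  unset IFS
  for rule in $OPEN_UDP; do
    open_udp="$open_udp $ANYHOST$SEP$rule"
  done
  dmz_dnat_add_exceptions HOST_OPEN_UDP udp $HOST_OPEN_UDP $open_udp

  unset IFS
  for rule in $OPEN_IP; do
    open_ip="$open_ip $ANYHOST$SEP$rule"
  done
  dmz_dnat_add_exceptions HOST_OPEN_IP ip $HOST_OPEN_IP $open_ip

  # (ICMP is covered by the blanket RETURN rule added above.)

  echo "${INDENT}DMZ-DNAT: sending all non-local packets to $DMZ_IP"

  # Everything that reached this point is sent to the DMZ host, and the
  # resulting forwarded traffic is accepted.  DMZ_IP is quoted so a malformed
  # value cannot expand into extra iptables arguments.
  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -t nat -A NAT_PREROUTING_LOCAL -i "$eif" -j DNAT --to-destination "$DMZ_IP"
    ip4tables -A POST_FORWARD_CHAIN -i "$eif" -d "$DMZ_IP" -j ACCEPT
  done

  return 0
}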
  130 
  131 
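#######################################
# Plugin stop function: unhook and remove the NAT_PREROUTING_LOCAL chain and
# delete the forward-accept rules added by plugin_start.
#
# Globals:
#   Reads NAT_IF, EXT_IF, DMZ_IP.
#   Leaves IFS set to ' ,' on return (unchanged from the original code).
# Returns:
#   Always 0; iptables exit codes are not checked.
#######################################
plugin_stop()
{
  local eif

  # Unlink the chain first; it can only be deleted once nothing references it
  ip4tables -t nat -D POST_NAT_PREROUTING_CHAIN -j NAT_PREROUTING_LOCAL

  ip4tables -t nat -F NAT_PREROUTING_LOCAL
  ip4tables -t nat -X NAT_PREROUTING_LOCAL 2>/dev/null

  # Expansions quoted so a malformed DMZ_IP cannot become extra arguments
  IFS=' ,'
  for eif in ${NAT_IF:-$EXT_IF}; do
    ip4tables -D POST_FORWARD_CHAIN -i "$eif" -d "$DMZ_IP" -j ACCEPT
  done

  return 0
}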
  147 
  148 
# Plugin status function: this plugin has nothing of its own to report, so the
# call simply succeeds (exit status 0, no output).
plugin_status()
{
  true
}
  154 
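#######################################
# Check sanity of eg. environment.  The only requirement verified is that
# DMZ_IP was set (non-empty) by the plugin config file; the value itself is
# not checked for being a usable IPv4 address.
#
# Globals:
#   Reads DMZ_IP, INDENT.
# Outputs:
#   Error message on stderr when the check fails.
# Returns:
#   0 when OK, 1 otherwise.
#######################################
plugin_sanity_check()
{
  if [ -z "$DMZ_IP" ]; then
    # INDENT is passed as a %s argument rather than embedded in the format
    # string, so it can never be interpreted as a printf directive
    printf "\033[40m\033[1;31m%sERROR: The plugin config file is not (properly) setup!\033[0m\n" "$INDENT" >&2
    return 1
  fi

  return 0
}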
  165 
  166 
  167 ############
  168 # Mainline #
  169 ############
  170 
  171 # Check where to find the config file
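# Check where to find the config file (PLUGIN_CONF_PATH comes from the
# environment that sources this plugin)
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # Path and plugin name go through %s so a stray '%' in them cannot be taken
  # as a printf directive
  printf "NOTE: Config file \"%s\" not found!\n        Plugin \"%s v%s\" ignored!\n" "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file
  . "$CONF_FILE"

  # Run when enabled, or when an already loaded instance (PLUGIN_LOAD_FILE
  # non-empty) has to be stopped or queried.  Each test is a separate [ ]:
  # the "-a" form is deprecated and ambiguous for some operand values.
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case "$PLUGIN_CMD" in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        # PLUGIN_CMD is printed via %s, never as part of the format string
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m%sERROR: Invalid plugin option \"%s\"!\033[0m\n" "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  fi
fi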