# portforward.sh
#
# designed for bastille-firewall
# Copyright (c) 2002 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# place in /etc/Bastille/firewall.d/pre-chain-split.d
# as portforward.sh (directory name and .sh suffix are critical)
#
#
# Settings:
#
# 1) IP_FORWARDS (all OSes/kernel versions)
#
# List your port forwarding info here. This should be a whitespace
# separated list. Each item in the list should be a hyphen-separated
# list including the following, in this order
# - interface name, e.g. "eth0" (blank for all)
# - destination address, e.g. "192.168.1.1" for the single
#   address 192.168.1.1, "0.0.0.0" for any address, etc.
#   (this address may contain a netmask, e.g. 192.168.1.1/24)
# - the destination port number, e.g. "80" for standard HTTP
# - the protocol type or number, e.g. "tcp"
# - the forwarding service address, e.g. "172.19.1.2"
# - the forwarding service port, e.g. "8000"
#
# Example:
# IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000"
# This says we only have one forwarding rule to establish. Any TCP
# traffic destined for any address bound to the "eth0" interface's port
# 80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical
# rule for a site that wants to run its Web server on an internal
# machine, using a high port so the Web server can be started by a
# non-root user. Whether the forwarding or running on a high port is
# a *good* idea is a question we won't address here.
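# IP_FORWARDS="eth0-xxx.xxx.xxx.xxx-8888-tcp-192.168.0.2-80"
#
#
# 2) IPFWADM (Linux 2.2/ipchains only)
#
#
# For 2.2-based kernels, where is ipfwadm?
IPFWADM="/sbin/ipfwadm"

#
# Dispatch on the firewall tool the parent script discovered: IPTABLES
# (netfilter) or IPCHAINS (2.2, which needs ipfwadm for port forwarding).
# IPCHAINS, IPTABLES and IP_FORWARDS are set by the Bastille firewall
# script that sources this fragment; nothing here is defined as a
# function, so it runs at source time.  Kept POSIX sh: no [[ ]], arrays
# or here-strings.
if [ -z "${IPCHAINS}" ] && [ -z "${IPTABLES}" ]; then
  echo "Error: only good for iptables or ipchains/ipfwadm" >&2
elif [ -n "${IPCHAINS}" ] && [ ! -x "${IPFWADM}" ]; then
  echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >&2
else
  if [ -n "${IPCHAINS}" ] && [ -x "${IPFWADM}" ]; then
    # flush ipfwadm rules so re-running does not stack duplicate forwards
    ${IPFWADM} portfw -f
  fi
  # IP_FORWARDS is deliberately unquoted: it is a whitespace-separated list.
  for fw_rule in ${IP_FORWARDS}; do
    # Split "iface-inaddr-inport-proto-outaddr-outport" on hyphens.  The
    # IFS override applies to this read only; a leading hyphen (blank
    # interface) yields an empty fw_iface, as the format above requires.
    # A here-doc is used instead of a pipe so the variables land in this
    # shell rather than in a subshell.
    IFS=- read -r fw_iface fw_inaddr fw_inport fw_inproto fw_outaddr fw_outport <<EOF
${fw_rule}
EOF
    # Refuse to emit a rule with a missing field: an incomplete iptables
    # or ipfwadm command line would either fail or match more than intended.
    if [ -z "${fw_inaddr}" ] || [ -z "${fw_inport}" ] || [ -z "${fw_inproto}" ] \
      || [ -z "${fw_outaddr}" ] || [ -z "${fw_outport}" ]; then
      echo "portforward.sh: skipping malformed IP_FORWARDS entry '${fw_rule}'" >&2
      continue
    fi
    if [ -n "${IPTABLES}" ]; then
      if [ -n "${fw_iface}" ]; then
        # interface specified: restrict both the DNAT and the FORWARD
        # accept to traffic arriving on that interface
        ${IPTABLES} -t nat -A PREROUTING -p "${fw_inproto}" -i "${fw_iface}" \
          -d "${fw_inaddr}" --dport "${fw_inport}" \
          -j DNAT --to "${fw_outaddr}:${fw_outport}"
        ${IPTABLES} -A FORWARD -p "${fw_inproto}" -i "${fw_iface}" \
          -d "${fw_outaddr}" --dport "${fw_outport}" -j ACCEPT
      else
        # no interface given: apply the forward on all interfaces
        ${IPTABLES} -t nat -A PREROUTING -p "${fw_inproto}" \
          -d "${fw_inaddr}" --dport "${fw_inport}" \
          -j DNAT --to "${fw_outaddr}:${fw_outport}"
        ${IPTABLES} -A FORWARD -p "${fw_inproto}" \
          -d "${fw_outaddr}" --dport "${fw_outport}" -j ACCEPT
      fi
    else
      # ipfwadm portfw takes no interface, so fw_iface is ignored here (the
      # original issued the same command in both interface branches).
      # The protocol is fw_inproto: the original referenced an undefined
      # $fw_proto, which expanded to nothing and broke the command line.
      ${IPFWADM} portfw -P "${fw_inproto}" -L "${fw_inaddr}" "${fw_inport}" \
        -R "${fw_outaddr}" "${fw_outport}"
    fi
  done
fi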