Forward Firewall: enabled Portranges for DNAT
authorAlexander Marx <amarx@ipfire.org>
Mon, 1 Apr 2013 04:26:58 +0000 (06:26 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:11:58 +0000 (14:11 +0200)
config/forwardfw/rules.pl
html/cgi-bin/forwardfw.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl

index 9af2c7060ff3acb954d42b94b6cc04c2fe029d81..49a45b1a595a7cf1605e42cd2bb06ae3c61c6bd9 100755 (executable)
@@ -287,10 +287,11 @@ sub buildrules
                                                                                if ($$hash{$key}[17] eq 'ON'){
                                                                                        print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
                                                                                }
-                                                                               my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
                                                                                my ($ip,$sub) =split("/",$targethash{$b}[0]);
-                                                                               print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
                                                                                print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0]  --to $ip$DPORT\n";
+                                                                               $DPORT =~ s/\-/:/g;
+                                                                               my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+                                                                               print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
                                                                                print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]  --to $natip$fireport\n";
                                                                        }
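Review bot: The new `$DPORT =~ s/\-/:/g;` rewrites `$DPORT` in place, and `$DPORT` is not declared anywhere in this hunk, so if the enclosing source/target loop (which begins outside the hunk) reuses it for another rule, that rule's `--to $ip$DPORT` on the line above would emit `ip:lo:hi`, which iptables DNAT does not accept. Convert a copy instead and build the `--dport` argument from it, which also avoids the conditional `my ... if ($DPORT)` that perlsyn documents as undefined behaviour: `(my $rangeport = $DPORT) =~ s/-/:/g;` followed by `my $fwaccessdport = $rangeport ? "--dport ".substr($rangeport,1) : '';`. Whether `$DPORT` really is reused across iterations cannot be confirmed from the hunk, but a copy makes the question moot.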
@@ -327,10 +328,12 @@ sub buildrules
                                                                                if ($$hash{$key}[17] eq 'ON'){
                                                                                        system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
                                                                                }
-                                                                               my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
                                                                                my ($ip,$sub) =split("/",$targethash{$b}[0]);
-                                                                               system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
                                                                                system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0]  --to $ip$DPORT\n";
+                                                                               $DPORT =~ s/\-/:/g;
+                                                                               my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+                                                                               system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+                                                                               
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
                                                                                if ($$hash{$key}[17] eq 'ON'){
                                                                                        system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
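Review bot: This `system` path now carries a verbatim copy of the range handling added to the `print` path above, including the in-place `$DPORT =~ s/\-/:/g;`, so the two copies have to be kept in sync by hand and the same caveat applies: once `$DPORT` has been rewritten, any later use of it for `--to $ip$DPORT` in this iteration or the next would produce `ip:lo:hi`, which iptables rejects. Converting a copy (`(my $rangeport = $DPORT) =~ s/-/:/g;`) or moving the three lines into a small helper shared by both paths removes the hazard. The line added after the `system` call is whitespace-only and should be dropped. The enclosing loop starts outside the hunk.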
@@ -519,7 +522,6 @@ sub get_port
                        return;
                }
        }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
-               
                if($$hash{$key}[14] eq 'TGT_PORT'){
                        if ($$hash{$key}[15] ne ''){
                                $$hash{$key}[15] =~ s/\|/,/g;
@@ -529,6 +531,7 @@ sub get_port
                                        if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
                                                return "--dport $$hash{$key}[15] ";
                                         }else{
+                                                $$hash{$key}[15] =~ s/\:/-/g;
                                                return ":$$hash{$key}[15]";
                                         }
                                }
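Review bot: The DNAT branch now hands back the target port with dashes while the branch two lines above keeps colons, and nothing says why; a reader meeting `s/\:/-/g` directly after the `s/\|/,/g` normalisation will take it for a typo. Add a comment above the substitution, e.g. `# iptables --to-destination wants ip:lo-hi for a range, so use a dash here; buildrules turns it back into lo:hi for the PORTFWACCESS --dport match`. Note too that the substitution edits `$$hash{$key}[15]` itself rather than a copy; it is idempotent, so repeated get_port calls are harmless, but anything that later reads the stored rule will see the dashed form. get_port continues beyond this hunk.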
index 7db9cf123855280b44835cb84fc42a0a971b5537..83917015e6a0106e09c16c433d7aa5bc0132d804 100755 (executable)
@@ -731,7 +731,7 @@ sub checksource
                my @values=();
                foreach (@parts){
                        chomp($_);
-                       if ($_ =~ /^(\d+)\:(\d+)$/) {
+                       if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
                                my $check;
                                #change dashes with :
                                $_=~ tr/-/:/;
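Review bot: The added `^(\d+)\-(\d+)$` alternative admits any two digit runs, and nothing in the hunk checks that the first is not greater than the second or that either is at most 65535, so `9-1` or `1-99999` reach the `tr/-/:/` and are pushed on as a range; if that validation exists further down in checksource this is fine, otherwise both captures need the same bound check a single port gets, e.g. `if ($1 > $2 || $2 > 65535) { $errormessage = ...; }` before the translation. Note that `$_=~ tr/-/:/;` was unreachable for dashed input before this change and is now the line that actually normalises the range. The surrounding foreach and sub continue outside the hunk.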
@@ -739,11 +739,11 @@ sub checksource
                                        push(@values,"1:65535");
                                        $check='on';
                                }
-                               if ($_ =~ /^(\D)\:(\d+)$/) {
+                               if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
                                        push(@values,"1:$2");
                                        $check='on';
                                }
-                               if ($_ =~ /^(\d+)\:(\D)$/) {
+                               if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) {
                                        push(@values,"$1:65535");
                                        $check='on'
                                }
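Review bot: The `\-` alternatives added to the two patterns can never match, because `$_=~ tr/-/:/;` a few lines above has already replaced every dash with a colon before they run, so the existing `\:` patterns are the ones that handle dashed input; the additions are dead and the two conditions should be reverted to their single-pattern form. Separately, if these tests sit inside the block opened by the `^(\d+)[-:](\d+)$` check (the indentation suggests so), a `\D` at either end cannot occur there at all, which is worth re-checking while here. The enclosing foreach continues outside the hunk.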
@@ -837,11 +837,14 @@ sub checktarget
                if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
                        if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
                                if ($fwdfwsettings{'TGT_PORT'} ne ''){
+                                       if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) {
+                                               $errormessage=$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                                       }
                                        my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
                                        my @values=();
                                        foreach (@parts){
                                                chomp($_);
-                                               if ($_ =~ /^(\d+)\:(\d+)$/) {
+                                               if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
                                                        my $check;
                                                        #change dashes with :
                                                        $_=~ tr/-/:/;
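Review bot: The new guard `$fwdfwsettings{'USE_NAT'}` tests the value for truthiness, whereas check_natport in this same commit tests `$fwdfwsettings{'USE_NAT'} eq 'ON'`; if the form ever submits a non-empty value other than `ON` (for example `off`), the comma check fires and a plain forward rule with several target ports is rejected as a NAT error. Use the same comparison here: `if ($fwdfwsettings{'TGT_PORT'} =~ /,/ && $fwdfwsettings{'USE_NAT'} eq 'ON') {`. Writing the match as `/,/` rather than the string `","` also makes it obvious a regex match is intended. checktarget continues beyond this hunk.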
@@ -849,11 +852,11 @@ sub checktarget
                                                                push(@values,"1:65535");
                                                                $check='on';
                                                        }
-                                                       if ($_ =~ /^(\D)\:(\d+)$/) {
+                                                       if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
                                                                push(@values,"1:$2");
                                                                $check='on';
                                                        }
-                                                       if ($_ =~ /^(\d+)\:(\D)$/) {
+                                                       if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
                                                                push(@values,"$1:65535");
                                                                $check='on'
                                                        }
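Review bot: Both `\-` alternatives added here are unreachable: `$_=~ tr/-/:/;` just above has already converted every dash to a colon, so by the time these `if`s run the string cannot contain `-` and the pre-existing `\:` forms do all the work. Revert the two conditions to their single-pattern form, or move the `tr` below them if the dashed spellings are meant to be matched literally. The enclosing foreach continues outside the hunk.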
@@ -915,7 +918,22 @@ sub checktarget
 sub check_natport
 {
        my $val=shift;
-       if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){
+       if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
+               if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) {
+                       $fwdfwsettings{'dnatport'} =~ tr/-/:/;
+                       if ($fwdfwsettings{'dnatport'} eq "*") {
+                               $fwdfwsettings{'dnatport'}="1:65535";
+                       }
+                       if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) {
+                               $fwdfwsettings{'dnatport'} = "1:$2";
+                       }
+                       if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) {
+                               $fwdfwsettings{'dnatport'} ="$1:65535";
+                       }
+               }
+               return 1;
+       }
+       if ($val =~ "," || $val>65536 || $val<0){
                return 0;
        }
        return 1;
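Review bot: The `return 1;` added after the inner `if` sits outside the range test, so whenever DNAT is on and `dnatport` is non-empty the function reports success without ever looking at `$val`: a comma list, a non-numeric string or `99999` all pass, and even a well-formed range such as `1-99999` or `90-80` is normalised and accepted with no bound or ordering check. Since the caller presumably feeds `dnatport` into the iptables command strings that rules.pl hands to `system`, this validator is the only thing between form input and the shell, and it should return 1 only after a check has actually passed. Inside the range branch the `"*"`, `^(\D)\:` and `^(\d+)\:(\D)` cases can never be true because the branch is entered only when both ends are digits, so they can go. The fall-through check should also reject 65536 (`> 65535`, not `> 65536`) and non-numeric input, which the numeric comparisons silently coerce to 0; the version below keeps accepting an empty `$val` as the original did.
```perl
sub check_natport
{
	my $val=shift;
	# DNAT with a port range: both ends must be real ports and in order.
	# Only after that passes is the range rewritten to iptables' lo:hi form.
	if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/){
		return 0 if ($1 < 1 || $2 > 65535 || $1 > $2);
		$fwdfwsettings{'dnatport'} = "$1:$2";
		return 1;
	}
	# Single port (or empty): digits only, at most 65535. Lists, ranges,
	# signs and letters all fail the regex instead of being coerced to 0.
	if ($val !~ /^\d*$/ || $val > 65535){
		return 0;
	}
	return 1;
```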
index 4e07d7479b506d1fa9c3816948164f5f41b10738..3df1954a71c205cb8761a5707296fc9dfb17393c 100644 (file)
 'fwdfw delete'                 => 'Löschen',
 'fwdfw dnat'                   => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)',
 'fwdfw dnat error'             => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
-'fwdfw dnat porterr'   => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden',
+'fwdfw dnat porterr'   => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden',
 'fwdfw DROP'                   => 'Verwerfen (DROP)',
 'fwdfw edit'                   => 'Bearbeiten',
 'fwdfw err nosrc'              => 'Keine Quelle gewählt',
index 4bea473f16b76d3304f42fa5523b2f5133d691b0..ac0d1de8ea6c48a5561ff5e86af89452b5a4dec3 100644 (file)
 'fwdfw delete'                 => 'Delete',
 'fwdfw dnat'                   => 'DNAT/Portforward (replace this IP with the one from TARGET)',
 'fwdfw dnat error'             => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
-'fwdfw dnat porterr'   => 'You have to select a single port (tcp/udp) for NAT',
+'fwdfw dnat porterr'   => 'You have to select a single port or portrange (tcp/udp) for NAT',
 'fwdfw DROP'                   => 'DROP',
 'fwdfw edit'                   => 'Edit',
 'fwdfw err nosrc'              => 'No source selected.',