Forward Firewall: support for SNAT/DNAT in GUI and rules.pl
authorAlexander Marx <amarx@ipfire.org>
Tue, 19 Mar 2013 03:48:23 +0000 (04:48 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:11:56 +0000 (14:11 +0200)
config/forwardfw/rules.pl
html/cgi-bin/forwardfw.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl

index 2547e474f7bf3ee4eb20adb697a0e6d290764fcd..4461893ae99911854f273c3a973b5e3fc156f753 100755 (executable)
@@ -45,6 +45,7 @@ my @timeframe=();
 my %configinputfw=();
 my %configoutgoingfw=();
 my %configdmzfw=();
+my %confignatfw=();
 my %aliases=();
 my @DPROT=();
 my @p2ps=();
@@ -56,6 +57,7 @@ my $configdmz         = "${General::swroot}/forward/dmz";
 my $configfwdfw                = "${General::swroot}/forward/config";
 my $configinput            = "${General::swroot}/forward/input";
 my $configoutgoing  = "${General::swroot}/forward/outgoing";
+my $confignat          = "${General::swroot}/forward/nat";
 my $p2pfile                    = "${General::swroot}/forward/p2protocols";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
 my $netsettings                = "${General::swroot}/ethernet/settings";
@@ -66,13 +68,16 @@ my $blue;
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN="FORWARDFW";
 my $conexists='off';
-
+my $command = 'iptables -A';
+my $dnat='';
+my $snat='';
 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
 &General::readhash("$netsettings", \%defaultNetworks);
 &General::readhasharray($configdmz, \%configdmzfw);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
 &General::readhasharray($configoutgoing, \%configoutgoingfw);
+&General::readhasharray($confignat, \%confignatfw);
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);
 
@@ -83,7 +88,9 @@ close(CONN);
 if (-f "/var/ipfire/red/active"){
        $conexists='on';
 }
-
+open (CONN1,"/var/ipfire/red/local-ipaddress");
+my $redip = <CONN1>;
+close(CONN1);
 ################################
 #    DEBUG/TEST                #
 ################################
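Review bot: `my $redip = <CONN1>;` keeps the trailing newline of local-ipaddress, and get_nat_ip later splices it into the command as `'-d '.$redip`, so the newline lands in the middle of the iptables command; where the string is handed to the shell (the quoted `--log-prefix` lines further down force that) everything after it runs as a separate command. Add `chomp $redip if defined $redip;` right after the read. The open is also unchecked, two-argument and on a bareword handle, so when RED is down and the file is missing `$redip` is silently undef; a checked `open(my $redfh, '<', '/var/ipfire/red/local-ipaddress')` with an explicit `''` fallback would make that visible.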
@@ -155,13 +162,29 @@ sub preparerules
        if (! -z  "${General::swroot}/forward/outgoing"){
                &buildrules(\%configoutgoingfw);
        }
+       if (! -z  "${General::swroot}/forward/nat"){
+               &buildrules(\%confignatfw);
+       }
 }
 sub buildrules
 {
        my $hash=shift;
        my $STAG;
+       my $natip;
+       my $snatport;
+       my $fireport;
        foreach my $key (sort {$a <=> $b} keys %$hash){
                next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+               if ($$hash{$key}[28] eq 'ON'){
+                       $command='iptables -t nat -A';
+                       $natip=&get_nat_ip($$hash{$key}[29]);
+                       if($$hash{$key}[31] eq 'dnat'){
+                               $$hash{$key}[0]='DNAT';
+                               $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
+                       }else{
+                               $$hash{$key}[0]='SNAT';
+                       }
+               }
                $STAG='';
                if($$hash{$key}[2] eq 'ON'){
                        #get source ip's
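Review bot: `$command='iptables -t nat -A'` is assigned to the file-level variable when a rule has NAT enabled, but nothing ever sets it back to `iptables -A`, so every later rule in the same buildrules run is appended to the nat table whether or not its own NAT flag is on; the `undef` list at the end of the loop does not reset it either. Set it per rule instead, e.g. `$command = ($$hash{$key}[28] eq 'ON') ? 'iptables -t nat -A' : 'iptables -A';` before the `if` and drop the assignment inside it. `$natip` has the same staleness (only `$fireport` is cleared at the end of the loop), and `$dnat`/`$snat` declared at the top of the file are not used anywhere in this diff. buildrules continues past the end of the hunk.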
@@ -248,15 +271,22 @@ sub buildrules
                                                                                my @icmprule= split(",",substr($DPORT, 12,));
                                                                                foreach (@icmprule){
                                                                                        if ($$hash{$key}[17] eq 'ON'){
-                                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+                                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
                                                                                        }
-                                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; 
+                                                                                       print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
                                                                                }
-                                                                       }else{
+                                                                       }elsif($$hash{$key}[28] ne 'ON'){
                                                                                if ($$hash{$key}[17] eq 'ON'){
-                                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                                       print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
                                                                                }
-                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
+                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+                                                                       }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'dnat'){
+                                                                               #if ($$hash{$key}[17] eq 'ON'){
+                                                                                       #print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                               #}
+                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0]  --to $targethash{$b}[0]$DPORT\n";
+                                                                       }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
+                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]  --to $natip$fireport\n";
                                                                        }
                                                                }                               
                                                        }
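Review bot: The two new NAT branches in the print path test `$$hash{$key}[32] eq 'dnat'` / `'snat'`, but the nat type is stored in index 31 by saverule, read from 31 by newrule and by the system-call branches in the next hunk, and index 32 is no longer written at all, so these `elsif`s can never match and a NAT rule prints nothing here. Change both conditions to `$$hash{$key}[31] eq 'dnat'` and `$$hash{$key}[31] eq 'snat'`. The commented-out LOG block above the DNAT print line should either be restored to mirror the system path or removed. The enclosing loop body starts and ends outside the hunk.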
@@ -278,15 +308,28 @@ sub buildrules
                                                                                my @icmprule= split(",",substr($DPORT, 12,));
                                                                                foreach (@icmprule){
                                                                                        if ($$hash{$key}[17] eq 'ON'){
-                                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+                                                                                               system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
                                                                                        }
-                                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); 
+                                                                                       system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+                                                                               }
+                                                                       }elsif($$hash{$key}[28] ne 'ON'){
+                                                                               if ($$hash{$key}[17] eq 'ON'){
+                                                                                       system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                               }
+                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+                                                                       }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+                                                                               if ($$hash{$key}[17] eq 'ON'){
+                                                                                       system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
                                                                                }
-                                                                       }else{
+                                                                               my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+                                                                               my ($ip,$sub) =split("/",$targethash{$b}[0]);
+                                                                               system "iptables -A PORTFWACCESS $PROT $STAG $sourcehash{$a}[0] -d $targethash{$b}[0] $fwaccessdport $TIME \n";
+                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0]  --to $ip$DPORT\n";
+                                                                       }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
                                                                                if ($$hash{$key}[17] eq 'ON'){
-                                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+                                                                                       system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
                                                                                }
-                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
+                                                                               system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]  --to $natip$fireport\n";
                                                                        }
                                                                }                               
                                                        }
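Review bot: The rewritten ICMP LOG line still passes `-- icmp-type $_` (the option split by a space), which iptables does not accept, while the non-LOG line right below it uses `--icmp-type $_`; fix the LOG line to `--icmp-type $_`. `my $fwaccessdport=... if ($DPORT);` is the conditional-`my` form, whose value is undefined when the condition is false, so write `my $fwaccessdport = $DPORT ? "--dport ".substr($DPORT,1) : '';`. The `iptables -A PORTFWACCESS ...` rule has no `-j` target, so unless that chain's policy already accepts, it only counts packets; presumably `-j ACCEPT` is intended. The DNAT/SNAT lines are single-string `system` calls whose quoted `--log-prefix` forces a shell, so every interpolated rule field goes through `/bin/sh`; the list form `system('iptables', @args)` would avoid that, though it is a larger change than this hunk. The loop body continues outside the hunk.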
@@ -300,8 +343,28 @@ sub buildrules
                undef $TIME;
                undef $TIMEFROM;
                undef $TIMETILL;
+               undef $fireport;
        }
 }
+sub get_nat_ip
+{
+       my $val=shift;
+       my $result;
+       if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
+               $result=$defaultNetworks{$val.'_ADDRESS'};
+       }elsif($val eq 'ALL'){
+               $result='-i '.$con;
+       }elsif($val eq 'Default IP'){
+               $result='-d '.$redip;
+       }else{
+               foreach my $al (sort keys %aliases){
+                       if($val eq $al){
+                               $result='-d '.$aliases{$al}{'IPT'};
+                       }
+               }
+       }
+       return $result;
+}
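Review bot: get_nat_ip returns a ready-made match fragment (`-d …` for Default IP and aliases, `-i …` for ALL) but a bare address for the RED/GREEN/ORANGE/BLUE branch, and the SNAT lines splice the result into `--to $natip$fireport`, so an SNAT rule whose address is Default IP or an alias produces `--to -d <address>`. Make the helper return only the address and let the DNAT branch add the `-d`/`-i` prefix itself (ALL has no address and stays `-i $con` there, assuming `$con` is the RED interface read earlier in the file). `$result` is also left undef when `$val` matches none of the cases, and the alias loop can be a direct hash lookup. The callers in buildrules lie outside this hunk.
```perl
sub get_nat_ip
{
	my $val=shift;
	my $result='';
	if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
		$result=$defaultNetworks{$val.'_ADDRESS'};
	}elsif($val eq 'Default IP'){
		$result=$redip;
	}elsif(exists $aliases{$val}){
		$result=$aliases{$val}{'IPT'};
	}
	# 'ALL' yields '' here; the DNAT caller builds '-i '.$con for it
	return $result;
}
```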
 sub get_time
 {
        my $val=shift;
@@ -364,7 +427,6 @@ sub p2pblock
                }
        }
 }
-
 sub get_address
 {
        my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
@@ -439,7 +501,11 @@ sub get_port
                        if(index($$hash{$key}[10],",") > 0){
                                return "-m multiport --sport $$hash{$key}[10] ";
                        }else{
-                               return "--sport $$hash{$key}[10] ";
+                               if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat')  ){
+                                       return "--sport $$hash{$key}[10] ";
+                               }else{
+                                       return ":$$hash{$key}[10]";
+                               }
                        }
                }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
                        return "--icmp-type $$hash{$key}[9] ";
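Review bot: The new condition around `return "--sport $$hash{$key}[10] ";` is true whenever index 28 is not 'ON' or index 31 is 'snat' or 'dnat', and since index 31 only ever holds those two values the `return ":$$hash{$key}[10]";` branch is unreachable. Either restore the unconditional `return "--sport $$hash{$key}[10] ";`, or, if a `:port` suffix is really wanted for one NAT type, mirror the shape used for the destination port in the next hunk, which excludes only `dnat`. The `}else{` / `}` lines of that next hunk are also indented one column off from their `if`. get_port continues outside both hunks.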
@@ -454,7 +520,11 @@ sub get_port
                                if(index($$hash{$key}[15],",") > 0){
                                        return "-m multiport --dport $$hash{$key}[15] ";
                                }else{
-                                       return "--dport $$hash{$key}[15] ";
+                                       if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
+                                               return "--dport $$hash{$key}[15] ";
+                                        }else{
+                                               return ":$$hash{$key}[15]";
+                                        }
                                }
                        }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
                                return "--icmp-type $$hash{$key}[13] ";
index 0bf3a31c3de423c7a01fff4f0929cd75e1000d32..84e01704d8c754b6c7b15be5068d55d623b2168e 100755 (executable)
@@ -765,7 +765,35 @@ sub checksource
 sub checktarget
 {
        my ($ip,$subnet);
-
+       &General::readhasharray("$configsrv", \%customservice);
+       #check DNAT settings (has to be single Host and single Port)
+       if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
+               if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
+                       if ($fwdfwsettings{'USESRV'} eq ''){
+                               $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                       }
+                       #check if manual ip is a single Host (if set)
+                       if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
+                               my @tmp= split (/\./,$fwdfwsettings{$fwdfwsettings{'grp2'}});
+                               my @tmp1= split ("/",$tmp[3]);
+                               if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
+                               {
+                                       $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+                               }
+                       }
+                       #check if Port is a single Port
+                       if ($fwdfwsettings{'nat'} eq 'dnat' &&  $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
+                               if(($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
+                                       $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                               }
+                               if (($fwdfwsettings{'TGT_PROT'} eq 'TCP'|| $fwdfwsettings{'TGT_PROT'} eq 'UDP') && $fwdfwsettings{'TGT_PORT'} ne '' && !&check_natport($fwdfwsettings{'TGT_PORT'})){
+                                       $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                               }
+                       }
+               }else{
+                       $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+               }
+       }
        if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
                #check if ip with subnet
                if ($fwdfwsettings{'tgt_addr'} =~ /^(.*?)\/(.*?)$/) {
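Review bot: `($fwdfwsettings{'TGT_PROT'} ne 'TCP'|| $fwdfwsettings{'TGT_PROT'} ne 'UDP')` is true for every protocol (a value cannot equal both), so that check collapses to `TGT_PORT eq ''` and a non-TCP/UDP protocol with a port set passes, although the 'fwdfw dnat porterr' text promises a TCP/UDP-only restriction; presumably `if (($fwdfwsettings{'TGT_PROT'} ne 'TCP' && $fwdfwsettings{'TGT_PROT'} ne 'UDP') || $fwdfwsettings{'TGT_PORT'} eq '')` was meant. Every `$errormessage=` in the new block assigns rather than appends, unlike the `.=` used in the rest of checktarget, so an earlier message is overwritten. The single-host test only looks at whether the last octet is 0 or 255 and ignores the mask, so a network written as `10.0.0.1/24` (constructed example) would be accepted as a host; requiring an empty or /32 mask would be tighter. checktarget continues outside the hunk.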
@@ -785,15 +813,12 @@ sub checktarget
                if(!&General::validipandmask($fwdfwsettings{'tgt_addr'})){
                        $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
                }
-
        }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
                $errormessage.=$Lang::tr{'fwdfw err notgtip'};
                return $errormessage;
        }
-
        #check empty fields
        if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."<br>";}
-
        #check tgt services
        if ($fwdfwsettings{'USESRV'} eq 'ON'){
                if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
@@ -886,8 +911,36 @@ sub checktarget
        }
        return $errormessage;
 }
+sub check_natport
+{
+       my $val=shift;
+       if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){
+               return 0;
+       }
+       return 1;
+}
 sub checkrule
 {
+       #check valid port for NAT
+       if($fwdfwsettings{'USE_NAT'} eq 'ON'){
+               if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'TGT_PORT' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$fwdfwsettings{'TGT_PORT'};}
+               if($fwdfwsettings{'nat'} eq 'dnat' && !&check_natport($fwdfwsettings{'dnatport'})){
+                       $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+               }
+               elsif($fwdfwsettings{'USESRV'} eq 'ON' && $fwdfwsettings{'grp3'} eq 'cust_srv'){
+                       my $custsrvport;
+                       #get servcie Protocol and Port
+                       foreach my $key (sort keys %customservice){
+                               if($fwdfwsettings{$fwdfwsettings{'grp3'}} eq $customservice{$key}[0]){
+                                       if ($customservice{$key}[2] ne 'TCP' && $customservice{$key}[2] ne 'UDP'){
+                                               $errormessage=$Lang::tr{'fwdfw target'}.": ".$Lang::tr{'fwdfw dnat porterr'}."<br>";
+                                       }
+                                       $custsrvport= $customservice{$key}[1];
+                               }
+                       }
+                       if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;}
+               }
+       }
        #check valid remark
        if ($fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
                $errormessage.=$Lang::tr{'fwdfw err remark'}."<br>";
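Review bot: check_natport accepts values that are not ports: `$val>65536` lets 65536 through, and a non-numeric string numifies to 0 (with a warning) so it passes both range tests; the `$val =~ ","` / `$val =~ ":"` tests work but read better as a single `/[,:]/`. Replace the body with `return ($val =~ /\A\d+\z/ && $val >= 1 && $val <= 65535) ? 1 : 0;`. The `&General::readhasharray("$configsrv", \%customservice)` call was removed from checkrule (next hunk) and moved into checktarget, so the `foreach my $key (sort keys %customservice)` loop here only sees data if checktarget ran first; if that order is not guaranteed, load it at the top of checkrule as well. The new `$errormessage=` assignments also overwrite rather than append like the `.=` lines below them. checkrule continues past the hunk.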
@@ -897,12 +950,10 @@ sub checkrule
                $errormessage.=$Lang::tr{'fwdfw err same'};
                return $errormessage;
        }
-
        #get source and targetip address if possible
        my ($sip,$scidr,$tip,$tcidr);
        ($sip,$scidr)=&get_ip("src","grp1");
        ($tip,$tcidr)=&get_ip("tgt","grp2");
-
        #check same iprange in source and target
        if ($sip ne '' && $scidr ne '' && $tip ne '' && $tcidr ne ''){
                my $networkip1=&General::getnetworkip($sip,$scidr);
@@ -924,7 +975,6 @@ sub checkrule
                        }
                }
        }
-
        #check source and destination protocol if manual
        if( $fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'USESRV'} eq 'ON'){
                        if($fwdfwsettings{'PROT'} ne $fwdfwsettings{'TGT_PROT'} && $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
@@ -932,7 +982,6 @@ sub checkrule
                }
                #check source and destination protocol if source manual and dest servicegrp
                if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
-                       &General::readhasharray("$configsrv", \%customservice);
                        foreach my $key (sort keys %customservice){
                                if($customservice{$key}[0] eq $fwdfwsettings{$fwdfwsettings{'grp3'}}){
                                        if ($customservice{$key}[2] ne $fwdfwsettings{'PROT'}){
@@ -1442,6 +1491,7 @@ sub newrule
        $checked{'TIME_FRI'}{$fwdfwsettings{'TIME_FRI'}}                = 'CHECKED';
        $checked{'TIME_SAT'}{$fwdfwsettings{'TIME_SAT'}}                = 'CHECKED';
        $checked{'TIME_SUN'}{$fwdfwsettings{'TIME_SUN'}}                = 'CHECKED';
+       $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}}                  = 'CHECKED';
        $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}}             = 'selected';
        $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}}                 = 'selected';
        $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
@@ -1481,10 +1531,9 @@ sub newrule
                                $fwdfwsettings{'TIME_FROM'}                             = $hash{$key}[26];
                                $fwdfwsettings{'TIME_TO'}                               = $hash{$key}[27];
                                $fwdfwsettings{'USE_NAT'}                               = $hash{$key}[28];
-                               $fwdfwsettings{'nat'}                                   = $hash{$key}[32]; #changed order
+                               $fwdfwsettings{'nat'}                                   = $hash{$key}[31]; #changed order
                                $fwdfwsettings{$fwdfwsettings{'nat'}}   = $hash{$key}[29];
-                               $fwdfwsettings{'snatport'}                              = $hash{$key}[30];
-                               $fwdfwsettings{'dnatport'}                              = $hash{$key}[31];
+                               $fwdfwsettings{'dnatport'}                              = $hash{$key}[30];
                                $checked{'grp1'}{$fwdfwsettings{'grp1'}}                                = 'CHECKED';
                                $checked{'grp2'}{$fwdfwsettings{'grp2'}}                                = 'CHECKED';
                                $checked{'grp3'}{$fwdfwsettings{'grp3'}}                                = 'CHECKED';
@@ -1686,11 +1735,11 @@ END
                &Header::openbox('100%', 'left', 'NAT');
                print<<END;
                <table width='100%' border='0'>
-               <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td>USE NAT</td><td colspan='5'></td></tr>
-               <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='20%'> DNAT</td>
+               <tr><td width='1%'><input type='checkbox' name='USE_NAT' value='ON' $checked{'USE_NAT'}{'ON'}></td><td width='15%'>$Lang::tr{'fwdfw use nat'}</td><td colspan='5'></td></tr>
+               <tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='dnat' checked ></td><td width='50%'>$Lang::tr{'fwdfw dnat'}</td>
 END
                if (! -z "${General::swroot}/ethernet/aliases"){
-                       print"<td width='8%'>IPFire: </td><td width='20% align='right'><select name='dnat' style='width:140px;'>";
+                       print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='dnat' style='width:140px;'>";
                        print "<option value='ALL' $selected{'dnat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
                        print "<option value='Default IP' $selected{'dnat'}{'Default IP'}>Default IP</option>";
 
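Review bot: The DNAT radio keeps a hard-coded `checked` (`<input type='radio' name='nat' value='dnat' checked >`) while the SNAT radio in a later hunk uses `$checked{'nat'}{'snat'}`, so when an SNAT rule is edited both radios carry `checked` and the browser decides which one wins. Use `$checked{'nat'}{'dnat'}` here and default `$checked{'nat'}{'dnat'}` to 'CHECKED' in newrule when no NAT type is set. The surrounding print block starts outside the hunk.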
@@ -1698,15 +1747,6 @@ END
                        {
                                print "<option value='$alias' $selected{'dnat'}{$alias}>$alias</option>";
                        }
-                       #foreach my $network (sort keys %defaultNetworks)
-                       #{
-                               #next if($defaultNetworks{$network}{'NAME'} eq "RED");
-                               #next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
-                               #next if($defaultNetworks{$network}{'NAME'} eq "ALL");
-                               #print "<option value='$defaultNetworks{$network}{'NAME'}'";
-                               #print " selected='selected'" if ($fwdfwsettings{'snatipfire'} eq $defaultNetworks{$network}{'NAME'});
-                               #print ">$network</option>";
-                       #}
                }else{
                        print"<td></td><td style='width:200px;'><input type='hidden' name ='ipfire' value='Default IP'>";
                }
@@ -1714,9 +1754,8 @@ END
                print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='dnatport' style='width:130px;' value=$fwdfwsettings{'dnatport'}> </td></tr>";
                print"<tr><td colspan='8'><br></td></tr>";
                #SNAT
-               print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat'  $checked{'nat'}{'snat'}></td><td width='20%'> SNAT</td>";
-               print"<td width='8%'>IPFire: </td><td width='20% align='right'><select name='snat' style='width:140px;'>";
-               print "<option value='ALL' $selected{'snat'}{$Lang::tr{'all'}}>$Lang::tr{'all'}</option>";
+               print"<tr><td colspan='2'></td><td width='1%'><input type='radio' name='nat' value='snat'  $checked{'nat'}{'snat'}></td><td width='20%'>$Lang::tr{'fwdfw snat'}</td>";
+               print"<td width='8%'>IPFire: </td><td width='20%' align='right'><select name='snat' style='width:140px;'>";
                print "<option value='Default IP' $selected{'snat'}{'Default IP'}>Default IP</option>";
                foreach my $alias (sort keys %aliases)
                        {
@@ -1727,11 +1766,11 @@ END
                        next if($defaultNetworks{$network}{'NAME'} eq "RED");
                        next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
                        next if($defaultNetworks{$network}{'NAME'} eq "ALL");
+                       next if($defaultNetworks{$network}{'NAME'} =~ /OpenVPN/i);
                        print "<option value='$defaultNetworks{$network}{'NAME'}'";
                        print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{'nat'}} eq $defaultNetworks{$network}{'NAME'});
                        print ">$network</option>";
                }
-               print"<tr><td colspan='4'></td><td>Port: </td><td align='right'><input type='text' name='snatport' style='width:130px;'value=$fwdfwsettings{'snatport'} > </td></tr>";
                print"</table>";
                print"<hr>";
                &Header::closebox();
@@ -2065,9 +2104,8 @@ sub saverule
                        if($fwdfwsettings{'USE_NAT'} eq 'ON'){
                                $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
                                $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
-                               $$hash{$key}[30] = $fwdfwsettings{'snatport'};
-                               $$hash{$key}[31] = $fwdfwsettings{'dnatport'};
-                               $$hash{$key}[32] = $fwdfwsettings{'nat'};
+                               $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
+                               $$hash{$key}[31] = $fwdfwsettings{'nat'};
                        }
                        &General::writehasharray("$config", $hash);
                }else{
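Review bot: The four NAT field assignments are duplicated verbatim in the two save paths (this hunk and the next), so the index renumbering had to be applied twice and the two copies can drift again; a small helper called from both places would keep the layout in one spot. Rule files already written with the previous layout (index 30 = snatport, 31 = dnatport, 32 = nat) are not migrated, so if any exist their nat type would now be read from the old dnatport slot and the stale index 32 stays in the file; whether such files exist is not visible here. saverule continues outside the hunk.
```perl
# One place for the NAT columns of a rule (indices 28..31).
sub set_nat_fields
{
	my $rule=shift;
	$$rule[28] = $fwdfwsettings{'USE_NAT'};
	$$rule[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
	$$rule[30] = $fwdfwsettings{'dnatport'};
	$$rule[31] = $fwdfwsettings{'nat'};
	return;
}
# at both call sites:
#   &set_nat_fields($$hash{$key}) if ($fwdfwsettings{'USE_NAT'} eq 'ON');
```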
@@ -2104,9 +2142,8 @@ sub saverule
                                        if($fwdfwsettings{'USE_NAT'} eq 'ON'){
                                                $$hash{$key}[28] = $fwdfwsettings{'USE_NAT'};
                                                $$hash{$key}[29] = $fwdfwsettings{$fwdfwsettings{'nat'}};
-                                               $$hash{$key}[30] = $fwdfwsettings{'snatport'};
-                                               $$hash{$key}[31] = $fwdfwsettings{'dnatport'};
-                                               $$hash{$key}[32] = $fwdfwsettings{'nat'};
+                                               $$hash{$key}[30] = $fwdfwsettings{'dnatport'};
+                                               $$hash{$key}[31] = $fwdfwsettings{'nat'};
                                        }
                                        last;
                                }
@@ -2304,7 +2341,7 @@ END
                        $tdcolor='';
                        &getsrcport(\%$hash,$key);
                        #Is this a SNAT rule?
-                       if ($$hash{$key}[32] eq 'snat'){
+                       if ($$hash{$key}[31] eq 'snat'){
                                print"<br>SNAT -> $$hash{$key}[29]";
                                if ($$hash{$key}[30] ne ''){
                                        print": $$hash{$key}[30]";
@@ -2329,10 +2366,10 @@ END
                        <td align='center' width='160' $tdcolor>
 END
                        #Is this a DNAT rule?
-                       if ($$hash{$key}[32] eq 'dnat'){
+                       if ($$hash{$key}[31] eq 'dnat'){
                                print "IPFire ($$hash{$key}[29])";
-                               if($$hash{$key}[31] ne ''){
-                                       print": $$hash{$key}[31]";
+                               if($$hash{$key}[30] ne ''){
+                                       print": $$hash{$key}[30]";
                                }
                                print"<br> DNAT->";
                        }
index 6aec69d90bc08c968302fe1b6df55d79563d8a39..0537389f70936be91ad8a0818b4932c77f4dfbed 100644 (file)
 'fwdfw cust net'               => 'Custom Netzwerke:',
 'fwdfw copy'                   => 'Kopieren',
 'fwdfw delete'                 => 'Löschen',
+'fwdfw dnat'                   => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)',
+'fwdfw dnat error'             => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
+'fwdfw dnat porterr'   => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden',
 'fwdfw DROP'                   => 'Verwerfen (DROP)',
 'fwdfw edit'                   => 'Bearbeiten',
 'fwdfw err nosrc'              => 'Keine Quelle gewählt',
 'fwdfw rule action'    => 'Regelaktion:',
 'fwdfw rule activate'  => 'Regel aktivieren',
 'fwdfw rulepos'                        => 'Regelposition',
+'fwdfw snat'                   => 'SNAT (ersetze die Adresse(n) von QUELLE mit dieser)',
 'fwdfw source'                         => 'Quelle',
 'fwdfw sourceip'               => 'Quelladresse (MAC, IP oder Netzwerk):',
 'fwdfw std network'    => 'Standard Netzwerke:',
 'fwdfw timeframe'              => 'Zeitrahmen hinzufügen',
 'fwdfw toggle'                 => 'Aktivieren oder deaktivieren',
 'fwdfw togglelog'              => 'Log aktivieren oder deaktivieren',
+'fwdfw use nat'                        => 'NAT benutzen',
 'fwdfw useless rule'   => 'Diese Regel ist nicht zugelassen.',
 'fwdfw use srcport'            => 'Quellport benutzen',
 'fwdfw use srv'                        => 'Zielport benutzen',
index 0e875bc88033f7c921037e30f6bb8fa457165c2c..c64edcb5bd89e0ffe9a70a69a81a4e07c092e2c5 100644 (file)
 'fwdfw cust net'               => 'Custom networks:',
 'fwdfw copy'                   => 'Copy',
 'fwdfw delete'                 => 'Delete',
+'fwdfw dnat'                   => 'DNAT/Portforward (replace this IP with the one from TARGET)',
+'fwdfw dnat error'             => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
+'fwdfw dnat porterr'   => 'You have to select a single port (tcp/udp) for NAT',
 'fwdfw DROP'                   => 'DROP',
 'fwdfw edit'                   => 'Edit',
 'fwdfw err nosrc'              => 'No source selected.',
 'fwdfw rule action'    => 'Rule action:',
 'fwdfw rule activate'  => 'Activate rule',
 'fwdfw rulepos'                        => 'Ruleposition',
+'fwdfw snat'                   => 'SNAT (replace the addresse(s) from SOURCE with this address)',
 'fwdfw source'                         => 'Source',
 'fwdfw sourceip'               => 'Source address (MAC, IP or Network):',
 'fwdfw std network'    => 'Standard networks:',
 'fwdfw timeframe'              => 'Add timeframe',
 'fwdfw toggle'                 => 'Activate or deactivate',
 'fwdfw togglelog'              => 'Activate or deactivate logging',
+'fwdfw use nat'                        => 'Use NAT',
 'fwdfw useless rule'   => 'This rule is rejected (useless).',
 'fwdfw use srcport'            => 'Use sourceport',
 'fwdfw use srv'                        => 'Use targetport',