From: Alexander Marx
Date: Mon, 1 Apr 2013 04:26:58 +0000 (+0200)
Subject: Forward Firewall: enabled Portranges for DNAT
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=829697d076d1b74a2499bd3bda6b70cfa56d6b49
Forward Firewall: enabled Portranges for DNAT
---
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 9af2c7060..49a45b1a5 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -287,10 +287,11 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON'){
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
- my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
- print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+ print "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0] --to $natip$fireport\n";
 }
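Review bot: `my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);` on the new side declares a lexical under a statement modifier, which perl documents as undefined behaviour, warns about as deprecated, and newer perls reject outright; when `$DPORT` is empty the variable may keep the value from an earlier pass through this block, so a stale `--dport` can leak into the PORTFWACCESS rule of a port-less rule. Split the declaration from the condition: `my $fwaccessdport = '';` followed by `$fwaccessdport = "--dport ".substr($DPORT,1) if $DPORT;`. The same line is added in the @@ -327 hunk and needs the same change. `$DPORT =~ s/\-/:/g;` also rewrites `$DPORT` in place after it was already used for `--to`; if `$DPORT` is computed once outside the enclosing source/target loops (their heads are outside the hunk) a later iteration would pass `ip:low:high` to `--to`, so converting into a fresh variable, `(my $accessport = $DPORT) =~ s/-/:/g;`, is safer. buildrules starts and ends outside the hunk.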
@@ -327,10 +328,12 @@ sub buildrules
 if ($$hash{$key}[17] eq 'ON'){
 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
- my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
- system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $$hash{$key}[0] --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
+ system "iptables -A PORTFWACCESS $PROT -i $con -d $ip $fwaccessdport $TIME -j ACCEPT\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 if ($$hash{$key}[17] eq 'ON'){
 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
@@ -519,7 +522,6 @@ sub get_port
 return;
 }
 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
-
 if($$hash{$key}[14] eq 'TGT_PORT'){
 if ($$hash{$key}[15] ne ''){
 $$hash{$key}[15] =~ s/\|/,/g;
@@ -529,6 +531,7 @@ sub get_port
 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
 return "--dport $$hash{$key}[15] ";
 }else{
+ $$hash{$key}[15] =~ s/\:/-/g;
 return ":$$hash{$key}[15]";
 }
 }
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 7db9cf123..83917015e 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -731,7 +731,7 @@ sub checksource
 my @values=();
 foreach (@parts){
 chomp($_);
- if ($_ =~ /^(\d+)\:(\d+)$/) {
+ if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
 my $check;
 #change dashes with :
 $_=~ tr/-/:/;
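Review bot: The added `}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){` tests field 31 for the NAT mode, as get_port does in the @@ -529 hunk, while the unchanged print-path sibling in the @@ -287 hunk still tests `$$hash{$key}[32] eq 'snat'`. One of the two indexes must be wrong; if 31 is the NAT-mode field, the print path can never reach its SNAT branch and the printed rule set will not match what `system` executes. A single named constant for the index (for example `my $NATMODE = 31;` used in both places) would keep the two paths from drifting again. These iptables commands are also assembled by string interpolation and handed to `system` in shell form, so they rely entirely on the CGI validating every interpolated field; the list form `system('iptables', @args)` would take the shell out of the path. buildrules continues outside the hunk.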
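Review bot: `$$hash{$key}[15] =~ s/\:/-/g;` rewrites the port field inside the shared rules hash rather than a copy, so the stored value changes form ("low:high" becomes "low-high") as a side effect of a lookup; the context line `$$hash{$key}[15] =~ s/\|/,/g;` in the preceding @@ -519 hunk already does the same, so the pattern is inherited, but this line extends it. Work on a copy instead: `(my $range = $$hash{$key}[15]) =~ s/:/-/g; return ":$range";`. Both substitutions are idempotent, so repeated calls for the same key happen to be harmless today, but any later reader of field 15 that expects the colon form would break silently. get_port starts and ends outside the hunk.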
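Review bot: `if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {` spells the separator as two alternatives where one anchored pattern with a character class does the same: `if ($_ =~ /^(\d+)[-:](\d+)$/) {`. The same duplication is added in the @@ -739, @@ -837 and @@ -849 hunks, where `[:-]` between `(\D)` and `(\d+)` would collapse each pair. A short comment such as `# accept "low-high" as well as "low:high"; tr/-/:/ below normalises to the colon form` would record why both spellings are accepted. Note that `\D` matches any single non-digit character, not only `*`, which predates this change. checksource starts and ends outside the hunk.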
@@ -739,11 +739,11 @@ sub checksource
 push(@values,"1:65535");
 $check='on';
 }
- if ($_ =~ /^(\D)\:(\d+)$/) {
+ if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
 push(@values,"1:$2");
 $check='on';
 }
- if ($_ =~ /^(\d+)\:(\D)$/) {
+ if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/ ) {
 push(@values,"$1:65535");
 $check='on'
 }
@@ -837,11 +837,14 @@ sub checktarget
 if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
 if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
 if ($fwdfwsettings{'TGT_PORT'} ne ''){
+ if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) {
+ $errormessage=$Lang::tr{'fwdfw dnat porterr'}."
";
+ }
 my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
 my @values=();
 foreach (@parts){
 chomp($_);
- if ($_ =~ /^(\d+)\:(\d+)$/) {
+ if ($_ =~ /^(\d+)\-(\d+)$/ || $_ =~ /^(\d+)\:(\d+)$/) {
 my $check;
 #change dashes with :
 $_=~ tr/-/:/;
@@ -849,11 +852,11 @@ sub checktarget
 push(@values,"1:65535");
 $check='on';
 }
- if ($_ =~ /^(\D)\:(\d+)$/) {
+ if ($_ =~ /^(\D)\:(\d+)$/ || $_ =~ /^(\D)\-(\d+)$/) {
 push(@values,"1:$2");
 $check='on';
 }
- if ($_ =~ /^(\d+)\:(\D)$/) {
+ if ($_ =~ /^(\d+)\:(\D)$/ || $_ =~ /^(\d+)\-(\D)$/) {
 push(@values,"$1:65535");
 $check='on'
 }
@@ -915,7 +918,22 @@ sub checktarget
 sub check_natport
 {
 my $val=shift;
- if ($val =~ "," || $val =~ ":" || $val>65536 || $val<0){
+ if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
+ if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\-(\d+)$/) {
+ $fwdfwsettings{'dnatport'} =~ tr/-/:/;
+ if ($fwdfwsettings{'dnatport'} eq "*") {
+ $fwdfwsettings{'dnatport'}="1:65535";
+ }
+ if ($fwdfwsettings{'dnatport'} =~ /^(\D)\:(\d+)$/) {
+ $fwdfwsettings{'dnatport'} = "1:$2";
+ }
+ if ($fwdfwsettings{'dnatport'} =~ /^(\d+)\:(\D)$/) {
+ $fwdfwsettings{'dnatport'} ="$1:65535";
+ }
+ }
+ return 1;
+ }
+ if ($val =~ "," || $val>65536 || $val<0){
 return 0;
 }
 return 1;
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4e07d7479..3df1954a7 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -901,7 +901,7 @@
 'fwdfw delete' => 'Löschen',
 'fwdfw dnat' => 'DNAT/Portforward (ersetze diese IP mit der aus ZIEL)',
 'fwdfw dnat error' => 'Für DNAT muss ein einzelner Host als ZIEL gewählt werden. Gruppen oder Netzwerke sind nicht erlaubt',
-'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT (TCP/UDP) angegeben werden',
+'fwdfw dnat porterr' => 'Für NAT muss ein einzelner PORT oder PORTRANGE (TCP/UDP) angegeben werden',
 'fwdfw DROP' => 'Verwerfen (DROP)',
 'fwdfw edit' => 'Bearbeiten',
 'fwdfw err nosrc' => 'Keine Quelle gewählt',
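Review bot: `if ($fwdfwsettings{'TGT_PORT'} =~ "," && $fwdfwsettings{'USE_NAT'}) {` tests `USE_NAT` for plain truthiness, whereas check_natport in the @@ -915 hunk compares it with `eq 'ON'`; if the setting is ever stored as a non-empty "off" value the comma check fires for non-NAT rules as well. Use the same comparison in both places, `$fwdfwsettings{'USE_NAT'} eq 'ON'`, and prefer `index($fwdfwsettings{'TGT_PORT'}, ',') >= 0` over matching a string used as a pattern. The branch only assigns `$errormessage` and then falls through into the per-port loop, so unless the caller stops on `$errormessage` the rejected multi-port value is still processed. The text between `."` and `";` on the `$errormessage` line appears to have been lost in rendering (probably an HTML tag), so that line as shown is not what the commit contains. checktarget starts and ends outside the hunk.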
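Review bot: The new DNAT branch of check_natport returns 1 unconditionally: once `USE_NAT` is `ON`, `nat` is `dnat` and `dnatport` is non-empty, the value is accepted whether or not it matched `/^(\d+)\-(\d+)$/`, so a single port is never range-checked and a value that is neither a port nor a range (letters, shell metacharacters) passes validation and reaches the interpolated `system` calls in rules.pl unfiltered. The three inner normalisations (`eq "*"`, `/^(\D)\:(\d+)$/`, `/^(\d+)\:(\D)$/`) can never match a string that has just passed the digits-dash-digits test, so they are dead code. The surviving `$val>65536` bound is off by one (65535 is the largest port), `$val<0` admits 0, and a non-numeric `$val` compares as 0 and passes both. The rewrite below accepts only `port` or `low-high` within 1–65535 in the DNAT case and rejects everything else; the non-DNAT check is left as it is.
```perl
sub check_natport
	# … unchanged: opening brace and my $val=shift; …
	if($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){
		# Only a single port or a "low-high" range is valid here; anything
		# else is rejected instead of being passed on to the rule builder.
		if ($fwdfwsettings{'dnatport'} =~ /^(\d+)(?:\-(\d+))?$/) {
			my ($low, $high) = ($1, $2);
			return 0 if $low < 1 || $low > 65535;
			if (defined $high) {
				return 0 if $high < $low || $high > 65535;
				# iptables --dport range syntax is low:high
				$fwdfwsettings{'dnatport'} = "$low:$high";
			}
			return 1;
		}
		return 0;
	}
	# … unchanged: single-port check for the non-DNAT case …
```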
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 4bea473f1..ac0d1de8e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -926,7 +926,7 @@
 'fwdfw delete' => 'Delete',
 'fwdfw dnat' => 'DNAT/Portforward (replace this IP with the one from TARGET)',
 'fwdfw dnat error' => 'You have to select a single host for DNAT. Groups or networks are not allowed.',
-'fwdfw dnat porterr' => 'You have to select a single port (tcp/udp) for NAT',
+'fwdfw dnat porterr' => 'You have to select a single port or portrange (tcp/udp) for NAT',
 'fwdfw DROP' => 'DROP',
 'fwdfw edit' => 'Edit',
 'fwdfw err nosrc' => 'No source selected.',