webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-05-05 03:18:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Firewall: make DNAT only accessible from selected source network

Browse Source 
We added RED to the standard networks and now portforwardings are only
useable from the selected source. If selected "all" the portforwarding
can be used from any internal network. Else the access is only grnated
from the selected source network.
This commit is contained in:
Alexander Marx
2014-07-18 08:44:45 +02:00
parent d7636b6fa3
commit 48f07c1957
4 changed files with 63 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
config/firewall/rules.pl
View File

@@ -291,24 +291,28 @@ sub buildrules {
foreach my $src (@sources) {
# Skip invalid source.
next unless ($src);
next unless (@$src[0]);
# Sanitize source.
my $source = $src;
my $source = @$src[0];
if ($source ~~ @ANY_ADDRESSES) {
$source = "";
}
my $source_intf = @$src[1];
foreach my $dst (@destinations) {
# Skip invalid rules.
next if (!$dst || ($dst eq "none"));
next if (!@$dst[0] || (@$dst[0] eq "none"));
# Sanitize destination.
my $destination = $dst;
my $destination = @$dst[0];
if ($destination ~~ @ANY_ADDRESSES) {
$destination = "";
}
my $destination_intf = @$dst[1];
# Array with iptables arguments.
my @options = ();
@@ -325,12 +329,20 @@ sub buildrules {
push(@source_options, ("-s", $source));
}
if ($source_intf) {
push(@source_options, ("-i", $source_intf));
}
# Prepare destination options.
my @destination_options = ();
if ($destination) {
push(@destination_options, ("-d", $destination));
}
if ($destination_intf) {
push(@destination_options, ("-o", $destination_intf));
}
# Add time constraint options.
push(@options, @time_options);
@@ -364,7 +376,7 @@ sub buildrules {
# Make port-forwardings useable from the internal networks.
my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
unless ($nat_address ~~ @internal_addresses) {
&add_dnat_mangle_rules($nat_address, @nat_options);
&add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
}
push(@nat_options, @source_options);
@@ -681,6 +693,7 @@ sub get_dnat_target_port {
sub add_dnat_mangle_rules {
my $nat_address = shift;
my $interface = shift;
my @options = @_;
my $mark = 0;
@@ -691,6 +704,8 @@ sub add_dnat_mangle_rules {
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
my @mangle_options = @options;
my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};