Forward Firewall: 0.9.8.7 Implemented SNAT/DNAT
reorganized firewall chains
committed by
Michael Tremer
parent
93b75f31ad
commit
6b681c40d2
144
config/forwardfw/convert-portfw
Executable file
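--- a/config/forwardfw/convert-portfw
+++ b/config/forwardfw/convert-portfw
@@ -0,0 +1,144 @@
+#!/usr/bin/perl
+
+########################################################################
+# Script: convert-portfw
+# Date: 19.03.2013
+# Author: Alexander Marx (amarx@ipfire.org)
+########################################################################
+#
+# This script converts old portforwarding rules from old Firewall
+# to the new one. This is a 3-step process.
+# STEP1: read old config and normalize settings
+# STEP2: create new rules from old ones
+# STEP3: check if rule already exists, when not, put it into
+# /var/ipfire/forward/nat
+########################################################################
+require '/var/ipfire/general-functions.pl';
+my @values=();
+my @built_rules=();
+my %nat=();
+my $portfwconfig = "${General::swroot}/portfw/config";
+my $confignat = "${General::swroot}/forward/nat";
+my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
+my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
+my $count=0;
+my $jump;
+if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
+open(FILE, $portfwconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
+open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
+my @alias = <ALIAS>;
+close(ALIAS);
+&get_config;
+&build_rules;
+&write_rules;
+sub get_config
+{
+print LOG "STEP 1: Get config from old portforward\n#########################################\n";
+foreach my $line (@current){
+if($jump eq '1'){
+$jump='';
+$count++;
+next;
+}
+my $u=$count+1;
+($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
+($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
+if ($flag1 eq '1'){
+$source=$source1;
+$jump='1';
+}
+my $now=localtime;
+chomp($remark);
+print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
+push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
+$count++;
+}
+}
+sub build_rules
+{
+print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
+my $src;
+my $src1;
+my $ipfireip;
+my $count=0;
+my $stop;
+#build rules for new firewall
+foreach my $line (@values){
+chomp ($line);
+($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
+$count++;
+#get sourcepart
+if($source eq '0.0.0.0/0'){
+$src = 'std_net_src';
+$src1 = 'ALL';
+}else{
+$src = 'src_addr';
+my ($a,$b) = split("/",$source);
+$src1 = $a."/32";
+}
+#get ipfire ip
+if($alias eq '0.0.0.0'){
+$alias='ALL';
+}else{
+foreach my $ali (@alias){
+my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
+if($alias eq $alias_name){
+$alias=$alias_name;
+}
+}
+}
+$active = uc $active;
+$prot = uc $prot;
+$remark = chomp($remark);
+push (@built_rules,"ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
+my $now=localtime;
+print LOG "$now Converted-> KEY: $count ACCEPT,NAT_DESTINATION,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
+}
+}
+sub write_rules
+{
+my $skip='';
+my $id;
+print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
+&General::readhasharray($confignat,\%nat);
+foreach my $line (@built_rules){
+$skip='';
+my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
+foreach my $key (sort keys %nat){
+if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
+my $now=localtime;
+print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
+$skip='1';
+}
+}
+if ($skip ne '1'){
+$id = &General::findhasharraykey(\%nat);
+$nat{$id}[0] = $action;
+$nat{$id}[1] = $chain;
+$nat{$id}[2] = $active;
+$nat{$id}[3] = $src;
+$nat{$id}[4] = $src1;
+$nat{$id}[5] = $tgt;
+$nat{$id}[6] = $tgt1;
+$nat{$id}[11] = $use_prot;
+$nat{$id}[12] = $prot;
+$nat{$id}[13] = $dummy;
+$nat{$id}[14] = $tgt_port;
+$nat{$id}[15] = $tgt_port1;
+$nat{$id}[16] = $remark;
+$nat{$id}[26] = $from;
+$nat{$id}[27] = $to;
+$nat{$id}[28] = $use_port;
+$nat{$id}[29] = $alias;
+$nat{$id}[30] = $ipfireport;
+$nat{$id}[31] = $dnat;
+my $now=localtime;
+print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
+}
+}
+&General::writehasharray($confignat,\%nat);
+}
+close (LOG);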
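Review bot: `$remark = chomp($remark);` in build_rules stores chomp's return value — the count of characters removed, so 0 or 1 — and the rule pushed to @built_rules on the very next line therefore carries that digit in its remark field instead of the text; it should be plain `chomp($remark);` (get_config already chomps the field, so the line can also be dropped). The script has no `use strict; use warnings;`, and every file is opened with a two-argument open on a bareword handle; even though the paths are built from `${General::swroot}` rather than user input, the form to use is `open my $fh, '<', $portfwconfig or die "open $portfwconfig: $!";`, and LOG should be closed with a checked `close`. The alias lookup `if($alias eq $alias_name){ $alias=$alias_name; }` is a no-op as written — it reads as if `$alias_ip` was intended, but that needs confirming against what the nat table expects in field 29. In get_config, `$current[$u]` reads one past the end of @current on the last line, so `$flag1` is undef there; `$ipfireip` and `$stop` in build_rules are declared and never used.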
|
||||
@@ -22,7 +22,7 @@ if [ "$POLICY" == "MODE1" ]; then
|
||||
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
|
||||
fi
|
||||
else
|
||||
/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
|
||||
/sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
|
||||
fi
|
||||
|
||||
#OUTGOINGFW
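Review bot: The `-j ACCEPT` rule in the else branch still carries `--comment "DROP_FORWARD"`, so a rule that accepts traffic is labelled as a drop in `iptables -S`/`-L` output and in anything that filters on the comment. The rendered page has lost the +/- markers; with 7 old and 7 new lines one of the DROP/ACCEPT pair is the replacement, and the comment should match whichever target is kept, e.g. `--comment "ACCEPT_FORWARD"` (a constructed name — check that nothing keys on the old text first). The same mismatch is in the second hunk (`@@ -40,7 +40,7 @@`), where `-j ACCEPT` is commented `"DROP_OUTPUT"`. The enclosing if/else starts before line 22, outside the hunk.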
|
||||
@@ -40,7 +40,7 @@ if [ "$POLICY1" == "MODE1" ]; then
|
||||
/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
|
||||
fi
|
||||
else
|
||||
/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
|
||||
/sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
|
||||
fi
|
||||
#INPUT
|
||||
if [ "$FWPOLICY2" == "REJECT" ]; then
|
||||
|
||||