initial commit of file from CVS for e-smith-portforwarding on Wed 12 Jul 09:04:13 BST 2023

This commit is contained in:
Brian Read
2023-07-12 09:04:13 +01:00
parent e5466e0cdd
commit 4094d29da6
13 changed files with 1960 additions and 2 deletions


@@ -0,0 +1,19 @@
{
my %FDB;
foreach my $proto ('TCP', 'UDP') {
$FDB{$proto} = esmith::ConfigDB->open("portforward_" . lc($proto))
|| esmith::ConfigDB->create("portforward_" . lc($proto));
my %rules = split ',', $DB->get_prop_and_delete('masq', "${proto}Forwards")
|| next;
foreach my $entry (keys %rules) {
my %props = ( type => 'forward' );
my ($addr, $port) = split ':', $rules{$entry};
$props{'DestHost'} = $addr;
$props{'DestPort'} = $port if $port;
$FDB{$proto}->new_record($entry, \%props);
}
}
}
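Review bot: The fallback `|| esmith::ConfigDB->create("portforward_" . lc($proto))` is never checked, so if both open and create fail `$FDB{$proto}` is undef and the later `$FDB{$proto}->new_record($entry, \%props)` dies — after `get_prop_and_delete` has already removed the legacy `${proto}Forwards` property, which would lose the old rules without writing the new ones. The sibling template fragment dies on open failure; matching that here, `|| die "Can't open or create portforward_" . lc($proto) . ": $!\n";`, fails before anything is deleted. The `|| next` buried inside the `split` argument list is also easy to misread as binding to `split`; fetching the property into its own variable and then `next unless $forwards;` reads unambiguously. `$DB` is not declared in this fragment and is presumably provided by the template environment.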


@@ -0,0 +1,168 @@
<!-- vim: ft=xml:
-->
<lexicon lang="en-us">
<entry>
<base>FORM_TITLE</base>
<trans>Configure Port Forwarding</trans>
</entry>
<entry>
<base>FIRST_PAGE_DESCRIPTION</base>
<trans><![CDATA[
<p>
You can use this panel to modify your firewall rules so
as to open a specific port on this server and forward it
to another port on another host. Doing so will permit
incoming traffic to directly access a private host on
your LAN.
</p>
<p>
WARNING: Misuse of this feature can seriously compromise the
security of your network. Do not use this feature
lightly, or without fully understanding the implications
of your actions.
</p>
]]>
</trans>
</entry>
<entry>
<base>CREATE_RULE</base>
<trans>Create portforwarding rule</trans>
</entry>
<entry>
<base>SUMMARY_ADD_DESC</base>
<trans>The following summarizes the port-forwarding rule
that you are about to add. If you are satisfied with the rule,
click the &quot;Add&quot; button. If you are not, click the
&quot;Cancel&quot; button.
</trans>
</entry>
<entry>
<base>SUMMARY_REMOVE_DESC</base>
<trans>The following summarizes the port-forwarding rule
that you are about to remove. If you are sure you want to
remove the rule, click the &quot;Remove&quot; button. If not,
click the &quot;Cancel&quot; button.
</trans>
</entry>
<entry>
<base>SHOW_FORWARDS</base>
<trans>
Below you will find a table summarizing the current
port-forwarding rules installed on this server. Click on the
&quot;Remove&quot; link to remove the corresponding rule.
</trans>
</entry>
<entry>
<base>NO_FORWARDS</base>
<trans>There are currently no forwarded ports on the system.</trans>
</entry>
<entry>
<base>CREATE_PAGE_DESCRIPTION</base>
<trans><![CDATA[
<p>Select the protocol, the port you wish to forward, the
destination host, and the port on the destination host
that you wish to forward to. If you wish to specify a port
range, enter the lower and upper boundaries separated by a
hyphen. The destination port may be left blank, which will
instruct the firewall to leave the source port
unaltered.</p>
]]>
</trans>
</entry>
<entry>
<base>LABEL_SOURCE_PORT</base>
<trans>Source Port(s)</trans>
</entry>
<entry>
<base>LABEL_PROTOCOL</base>
<trans>Protocol</trans>
</entry>
<entry>
<base>LABEL_DESTINATION_PORT</base>
<trans>Destination Port(s)</trans>
</entry>
<entry>
<base>LABEL_DESTINATION_HOST</base>
<trans>Destination Host IP Address</trans>
</entry>
<entry>
<base>LABEL_RULE_COMMENT</base>
<trans>Rule Comment</trans>
</entry>
<entry>
<base>LABEL_ALLOW_HOSTS</base>
<trans>Allow Hosts</trans>
</entry>
<entry>
<base>Port forwarding</base>
<trans>Port forwarding</trans>
</entry>
<entry>
<base>SUCCESS</base>
<trans>Your change to the port forwarding rules has been
successfully saved.
</trans>
</entry>
<entry>
<base>RULE_COMMENT</base>
<trans>Rule Comment</trans>
</entry>
<entry>
<base>ALLOW_HOSTS</base>
<trans>Allow Hosts</trans>
</entry>
<entry>
<base>ERR_NO_MASQ_RECORD</base>
<trans>Cannot retrieve masq record from the configuration
database.</trans>
</entry>
<entry>
<base>ERR_UNSUPPORTED_MODE</base>
<trans>Unsupported mode.</trans>
</entry>
<entry>
<base>ERR_CANNOT_REMOVE_NORULE</base>
<trans>Cannot remove non-existant rule.</trans>
</entry>
<entry>
<base>ERR_NONZERO_RETURN_EVENT</base>
<trans>Event returned a non-zero return value.</trans>
</entry>
<entry>
<base>ERR_BADPORT</base>
<trans>The ports must be a positive integer less than
65536.</trans>
</entry>
<entry>
<base>ERR_BADIP</base>
<trans>This does not appear to be an IP address. You must use
dotted-quad notation, and each of the four numbers should be less
than 256. ie: 192.168.0.5</trans>
</entry>
<entry>
<base>ERR_DUPRULE</base>
<trans>This rule has already been added, it cannot be added
twice.</trans>
</entry>
<entry>
<base>ERR_PORT_COLLISION</base>
<trans>
ERROR: This port or port range conflicts with an existing
rule. Please modify this new rule, or remove the old rule.
</trans>
</entry>
<entry>
<base>ERR_BADAHOST</base>
<trans>
This does not appear to be a valid IP address list.
ie: 192.168.0.1,192.168.1.1/24
</trans>
</entry>
<entry>
<base>IN_SERVERONLY</base>
<trans>
This server is currently in serveronly mode and portforwarding
is possible only to localhost.
</trans>
</entry>
</lexicon>


@@ -0,0 +1,5 @@
/sbin/iptables -t nat --new-chain PortForwarding
/sbin/iptables -t nat --new-chain PortForwarding_1
/sbin/iptables -t nat --insert PREROUTING --jump PortForwarding
/sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
--jump PortForwarding_1
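Review bot: The `--append PortForwarding --destination $OUTERNET --jump PortForwarding_1` line establishes an invariant that nothing here records: the PortForwarding chain must contain exactly one rule, at position 1, because the portforwarding template in this same commit locates the active sub-chain with `sed -n '3s/ .*//p'` on the `iptables --numeric --list PortForwarding` output and then swaps it out with `--replace PortForwarding 1`. A comment above the `--insert` line such as `# PortForwarding must hold exactly one rule (position 1): the jump to the current PortForwarding_<pid> chain, replaced in place by the portforwarding template` would stop a later edit from appending a second rule and silently breaking the swap. The `--insert PREROUTING` also places this jump ahead of any existing nat PREROUTING rules; if that precedence is intentional it is worth a comment too.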


@@ -0,0 +1,73 @@
{
my $pf_chain = "PortForwarding_\$\$";
$OUT .= "# Create a new PortForwarding chain\n";
$OUT .= "PFC=\$(/sbin/iptables --table nat ";
$OUT .= "--numeric --list PortForwarding |\\\n";
$OUT .= " sed -n '3s/ .*//p')\n";
$OUT .= " /sbin/iptables --table nat --new-chain $pf_chain\n";
my %FDB;
foreach my $protocol (qw(tcp udp))
{
my $uproto = uc $protocol;
$FDB{$protocol} = esmith::ConfigDB->open("portforward_$protocol")
|| die "Can't open portforward_$protocol database: $!\n";
foreach my $entry ( $FDB{$protocol}->get_all ) {
my $port = $entry->key;
my $ip = $entry->prop('DestHost');
my $dport = $entry->prop('DestPort') || $port;
$port =~ s/-/:/;
# Map canonical localhost back to our current external IP
$ip = '$OUTERNET' if ($ip eq 'localhost');
my $host_list = $entry->prop("AllowHosts") || '0.0.0.0/0';
foreach my $host (split(',', $host_list)) {
$OUT .= " /sbin/iptables --table nat --append $pf_chain";
# Set up local port to forward
$OUT .= " --proto $protocol --destination-port ${port}";
$OUT .= " --src $host" unless $host eq '0.0.0.0/0';
# Set up the remote port to forward to
$OUT .= " -j DNAT --to-destination $ip:$dport\n";
}
# And accept the incoming packets. Use the dport if there is one.
($port = $dport) =~ s/-/:/ if $dport;
# If this rule is forwarding to localhost, ExternalIP or LocalIP,
# then we must allow it on the INPUT chain instead of the FORWARD
# chain.
my $target_chain = (($ip eq '$OUTERNET') ?
"Inbound${uproto}_\$\$" : "Forwarded${uproto}_\$\$");
foreach my $access_type (("Allow", "Deny")) {
my $jump_target = (($access_type eq "Allow") ? "ACCEPT" : "denylog");
my $host_list = $entry->prop("${access_type}Hosts") || "";
$host_list = "0.0.0.0/0"
if (($host_list eq "") and ($access_type eq "Allow"));
foreach my $host (split(',', $host_list)) {
$OUT .= " /sbin/iptables -A $target_chain";
$OUT .= " --proto $protocol --dport $port \\\n ";
$OUT .= " --destination $ip" if ($ip ne '$OUTERNET');
$OUT .= " --src $host --jump $jump_target\n";
}
}
}
}
# having created a new PortForwarding chain, activate it and destroy
# the old.
$OUT .= " /sbin/iptables --table nat --replace PortForwarding 1 " .
"--destination \$OUTERNET --jump $pf_chain\n";
$OUT .= " /sbin/iptables --table nat --flush \$PFC\n";
$OUT .= " /sbin/iptables --table nat --delete-chain \$PFC\n";
}
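Review bot: The teardown lines `--flush \$PFC` and `--delete-chain \$PFC` are emitted unconditionally, and `iptables --table nat --flush` with an empty chain argument flushes every chain in the nat table while `--delete-chain` with no argument removes all user-defined nat chains — so if the `sed -n '3s/ .*//p'` lookup produces nothing (PortForwarding chain empty, or listing format changed) the generated script wipes unrelated NAT rules rather than failing. Guard both lines on the variable, e.g. `$OUT .= " [ -n \"\$PFC\" ] && /sbin/iptables --table nat --flush \$PFC\n";` and the same pattern for `--delete-chain`. Separately, `foreach my $access_type (("Allow", "Deny"))` appends the Allow rules before the Deny rules, and AllowHosts defaults to `0.0.0.0/0`; with first-match semantics any DenyHosts entry is shadowed unless AllowHosts is narrower than it, so if Deny is meant to take precedence the loop should iterate `("Deny", "Allow")`. Whether DenyHosts can be set anywhere is not visible here — the panel in this commit only exposes allow_hosts.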


@@ -0,0 +1,128 @@
#!/usr/bin/perl -wT
# vim: ft=xml ts=4 sw=4 et:
#----------------------------------------------------------------------
# heading : Security
# description : Port forwarding
# navigation : 5000 5400
#----------------------------------------------------------------------
#----------------------------------------------------------------------
# copyright (C) 2002 Mitel Networks Corporation
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Technical support for this program is available from Mitel Networks
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------
use strict;
use esmith::FormMagick::Panel::portforwarding;
my $form = esmith::FormMagick::Panel::portforwarding->new();
# Uncomment the next line for debugging purposes.
#$form->debug(1);
$form->display();
__DATA__
<form
title="FORM_TITLE"
header="/etc/e-smith/web/common/head.tmpl"
footer="/etc/e-smith/web/common/foot.tmpl">
<!-- page 0 -->
<page
name="First"
pre-event="print_status_message()">
<description>FIRST_PAGE_DESCRIPTION</description>
<subroutine src="show_port_forwards()" />
</page>
<!-- page 1 -->
<page
name="Create"
pre-event="print_status_message()">
<description>CREATE_PAGE_DESCRIPTION</description>
<field
id="protocol"
type="select"
options="'TCP','UDP'">
<label>LABEL_PROTOCOL</label>
</field>
<field
id="source_port"
type="text"
size="11"
validation="validate_source_port()">
<label>LABEL_SOURCE_PORT</label>
</field>
<field
id="destination_host"
type="text"
size="15"
validation="validate_destination_host()">
<label>LABEL_DESTINATION_HOST</label>
</field>
<field
id="destination_port"
type="text"
size="11"
validation="validate_destination_port()">
<label>LABEL_DESTINATION_PORT</label>
</field>
<field
id="rule_comment"
type="text">
<label>LABEL_RULE_COMMENT</label>
</field>
<field
id="allow_hosts"
type="text"
validation="validate_allowed_hosts()">
<label>LABEL_ALLOW_HOSTS</label>
</field>
<subroutine src="print_button('NEXT')" />
</page>
<!-- page 2 -->
<page
name="ShowSummary"
pre-event="turn_off_buttons()"
post-event="create_new()">
<subroutine src="display_summary_create" />
</page>
<!-- page 3
Note: This page is not used. It's a kludge to permit the next page
to work properly from a link on the front page. FormMagick needs
work.
-->
<page
name="Dummy">
</page>
<!-- page 4 -->
<page
name="Remove"
pre-event="turn_off_buttons()"
post-event="remove_rule()">
<subroutine src="display_summary_remove" />
</page>
</form>
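Review bot: The `rule_comment` field is the only text input on the Create page without a `validation=` attribute, whereas `source_port`, `destination_host`, `destination_port` and `allow_hosts` each have one; its value is stored alongside the rule and is presumably rendered back by `show_port_forwards()`, so either the panel module (not part of this view) must escape it on output or the field should get a validation hook restricting it to printable text. The `#!/usr/bin/perl -wT` line is immediately followed by a `vim: ft=xml` modeline, so editors treat the Perl preamble as XML; `ft=perl` would suit the code half of the file, with the `__DATA__` form left to the FormMagick parser.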