# portforward.sh
#
# designed for bastille-firewall
# Copyright (c) 2002 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# place in /etc/Bastille/firewall.d/pre-chain-split.d
# as portforward.sh (directory name and .sh suffix are critical)
#
#
# Settings:
#
# 1) IP_FORWARDS (all OSes/kernel versions)
#
# List your port forwarding info here. This should be a whitespace
# separated list. Each item in the list should be a hyphen-separated
# list including the following, in this order
# - interface name, e.g. "eth0" (blank for all)
# - destination address, e.g. "192.168.1.1" for the single
# address 192.168.1.1, "0.0.0.0" for any address, etc.
# (this address may contain a netmask, e.g. 192.168.1.1/24)
# - the destination port number, e.g. "80" for standard HTTP
# - the protocol type or number, e.g. "tcp"
# - the forwarding service address, e.g. "172.19.1.2"
# - the forwarding service port, e.g. "8000"
#
# Example:
# IP_FORWARDS="eth0-0.0.0.0-80-tcp-172.19.1.2-8000"
# This says we only have one forwarding rule to establish. Any TCP
# traffic destined for any address bound to the "eth0" interface's port
# 80 will be forwarded to TCP port 8000 of 172.19.1.2. This is a typical
# rule for a site that wants to run its Web server on an internal
# machine, using a high port so the Web server can be started by a
# non-root user. Whether the forwarding or running on a high port are
# a *good* idea is a question we won't address here.
#
# xxx.xxx.xxx.xxx is a placeholder: put the real destination address (or
# 0.0.0.0 for any address) here before enabling this hook, otherwise the
# rule below cannot be installed.
IP_FORWARDS="eth0-xxx.xxx.xxx.xxx-8888-tcp-192.168.0.2-80"
#
#
# 2) IPFWADM (Linux 2.2/ipchains only)
#
#
# For 2.2-based kernels, where is ipfwadm?
# Only consulted when IPCHAINS is set; the ipchains path refuses to run
# unless this file exists and is executable (see the -x check below).
IPFWADM="/sbin/ipfwadm"
#
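#######################################
# Split one IP_FORWARDS entry into the fw_* variables.
# Arguments: $1 - entry in iface-inaddr-inport-proto-outaddr-outport form
# Outputs:   sets fw_iface fw_inaddr fw_inport fw_inproto fw_outaddr fw_outport
#            (fw_iface may legitimately be empty: "all interfaces")
# Returns:   0 when the five mandatory fields are present and there is no
#            seventh field, 1 otherwise
#######################################
portforward_parse_rule() {
  # read splits on "-" without spawning awk six times; a leading "-"
  # (blank interface) yields an empty fw_iface. The here-document
  # terminator must stay at column 0.
  IFS=- read -r fw_iface fw_inaddr fw_inport fw_inproto fw_outaddr fw_outport <<EOF
$1
EOF
  # Everything past the sixth "-" lands in fw_outport, so a "-" there
  # means the entry has too many fields.
  case "$fw_outport" in
    *-*) return 1 ;;
  esac
  [ -n "$fw_inaddr" ] && [ -n "$fw_inport" ] && [ -n "$fw_inproto" ] \
    && [ -n "$fw_outaddr" ] && [ -n "$fw_outport" ]
}

#######################################
# Install the port-forwarding rules described by IP_FORWARDS.
# Globals:   IPTABLES, IPCHAINS, IPFWADM, IP_FORWARDS (read);
#            fw_* and pf_status (written, scratch)
# Outputs:   diagnostics on stderr
# Returns:   0 when every entry was applied, or when neither tool is usable
#            (message only, as before, so the rest of the firewall setup
#            keeps going); 1 when at least one entry was malformed or
#            rejected by the tool
#######################################
portforward_apply() {
  if [ -z "${IPCHAINS}" ] && [ -z "${IPTABLES}" ]; then
    echo "Error: only good for iptables or ipchains/ipfwadm" >&2
    return 0
  fi
  if [ -n "${IPCHAINS}" ] && [ ! -x "${IPFWADM}" ]; then
    echo "Please install $IPFWADM for forwarding with 2.2/ipchains systems" >&2
    return 0
  fi
  if [ -n "${IPCHAINS}" ]; then
    # flush ipfwadm rules (IPFWADM is known to be executable at this point)
    "${IPFWADM}" portfw -f
  fi
  pf_status=0
  # IP_FORWARDS is whitespace-separated by design; splitting is intended.
  # shellcheck disable=SC2086
  for fw_rule in ${IP_FORWARDS}; do
    if ! portforward_parse_rule "$fw_rule"; then
      printf 'portforward.sh: skipping malformed IP_FORWARDS entry "%s"\n' "$fw_rule" >&2
      pf_status=1
      continue
    fi
    if [ -n "${IPTABLES}" ]; then
      # iptables treats a bare address as a /32 host match, so the documented
      # "0.0.0.0 = any address" form needs an explicit /0 mask to be useful.
      case "$fw_inaddr" in
        0.0.0.0) fw_inaddr="0.0.0.0/0" ;;
      esac
      # Optional interface match; positional parameters are local to this
      # function, so they serve as the argument list.
      set -- -p "$fw_inproto"
      if [ -n "${fw_iface}" ]; then
        set -- "$@" -i "$fw_iface"
      fi
      "${IPTABLES}" -t nat -A PREROUTING "$@" -d "$fw_inaddr" --dport "$fw_inport" \
        -j DNAT --to "$fw_outaddr:$fw_outport" || pf_status=1
      # Let the rewritten packets through FORWARD; the match is on the
      # post-DNAT destination.
      "${IPTABLES}" -A FORWARD "$@" -d "$fw_outaddr" --dport "$fw_outport" -j ACCEPT \
        || pf_status=1
    else
      # ipfwadm takes no interface argument, so fw_iface is not used here.
      # The protocol is fw_inproto (the original passed an undefined variable).
      "${IPFWADM}" portfw -P "$fw_inproto" -L "$fw_inaddr" "$fw_inport" \
        -R "$fw_outaddr" "$fw_outport" || pf_status=1
    fi
  done
  return $pf_status
}

portforward_apply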