# Copyright (C) 2006 OpenWrt.org
# Every input record is one firewall rule in colon-separated form
# (type:interface:options[:dest_ip[:dest_port]]), so split on ":".
# Consequence: no field value may itself contain a colon.
BEGIN {
	FS = ":"
}
# Shared preamble for every rule type. Parses the space-separated key=value
# options in $3 into the global array _l (str2data is defined outside this
# file and is assumed to reset and fill _l) and records in _opt which
# protocol variants each generated iptables line has to be emitted for.
#
# NOTE(review): field values ($2, $4, $5 and the _l[] options) are later
# written unquoted into a shell script of iptables commands and are not
# validated anywhere in this file. The rule source must be trusted; a value
# carrying shell metacharacters would alter the generated script.
$1 ~ /^(accept|drop|forward)$/ {
	delete _opt    # whole-array delete: common awk extension, not strict POSIX
	str2data($3)
	# iptables only accepts --sport/--dport together with -p tcp or -p udp.
	# A port match without an explicit proto= therefore has to be rendered
	# twice; everything else gets a single, unqualified variant.
	if (_l["proto"] != "" || (_l["sport"] _l["dport"]) == "") {
		_opt[0] = ""
	} else {
		_opt[0] = " -p tcp"
		_opt[1] = " -p udp"
	}
}
# accept:<iface>:<match options>
# Emit ACCEPT rules for traffic to a node service arriving on interface $2.
# Relies on _opt (protocol variants) and _l (parsed options) having been
# filled by the shared preamble rule; str2ipt() is defined outside this file
# and is assumed to turn $3 into iptables match arguments.
($1 == "accept") {
	# $_ is $0 (the never-assigned variable _ evaluates to 0): the raw
	# config line is copied into the generated script as a comment.
	print "#\n# rules for " $_
	target = " -j ACCEPT"
	for (o in _opt) {
		# ACCEPT is terminating in the nat table: matching packets skip the
		# remaining nat rules and so are not DNATed by later forward rules.
		# prerouting_<iface> is presumably reached from nat PREROUTING —
		# that wiring is not visible here.
		print "iptables -t nat -A prerouting_" $2 _opt[o] str2ipt($3) target
		# this one is to allow LAN access to node services when a DMZ server is in use
		# NOTE(review): appended to the global PREROUTING chain with no -i
		# restriction, so it exempts matching traffic from DNAT on every
		# interface, not only wifi. Traffic from other interfaces then still
		# has to pass its own input_<iface> chain — confirm this is intended.
		if ($2 == "wifi") print "iptables -t nat -A PREROUTING " _opt[o] str2ipt($3) target
		# The filter-table rule that actually admits the traffic.
		print "iptables -A input_" $2 " " _opt[o] str2ipt($3) target
	}
}
# drop:<iface>:<match options>
# Emit a DROP for matching traffic arriving on interface $2. As with accept,
# _opt/_l come from the shared preamble and str2ipt() is defined elsewhere.
#
# NOTE(review): the drop is placed only in nat/prerouting_<iface>; unlike
# accept, no filter-table input_<iface> rule is generated. The nat table is
# consulted only for packets opening a new connection and is not meant for
# filtering — verify this blocks what is intended, or add a matching
# `iptables -A input_<iface> ... -j DROP`.
($1 == "drop") {
	# $_ is $0: echo the config line into the generated script as a comment.
	print "#\n# rules for " $_
	for (i in _opt)
		print "iptables -t nat -A prerouting_" $2 _opt[i] str2ipt($3) " -j DROP"
}
# Config line layout (fields split on ":"; $3 holds space-separated key=value
# match options, $4 the DNAT target address, $5 the optional target port):
#
# forward:wifi:dport=80 proto=tcp dest=10.122.140.13:172.27.0.5:80
# $1      $2   $3                                    $4         $5
# forward:<iface>:<match options>:<dest_ip>[:<dest_port>]
# Emit DNAT (port forwarding) rules for traffic arriving on interface $2,
# redirecting it to $4 (and port $5 when given). Uses _opt/_l from the
# shared preamble; str2ipt() and portstr() are defined outside this file and
# are assumed to render match options / a port spec as iptables arguments.
# LAN_NET is not set in this file and is assumed to be supplied by the
# caller; if unset it expands to "" and the wifi rules below become
# malformed (`-s  -d ...`).
($1 == "forward") {
	# $_ is $0: echo the config line into the generated script as a comment.
	print "#\n# rules for " $_
	target = " -j DNAT --to " $4
	fwopts = ""
	if ($5 != "") {
		# A target port only makes sense for tcp/udp (or an unspecified
		# proto, which the preamble expands to both); otherwise $5 is ignored.
		if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
			if (_l["proto"] != "") fwopts = " -p " _l["proto"]
			fwopts = fwopts " --dport " $5
			target = target ":" $5
		}
		else fwopts = ""
	}
	# NOTE(review): the fwopts computed above appears to be dead — its only
	# consumer is the commented-out forwarding rule, and both per-interface
	# branches below reassign it before use.
	for (o in _opt) {
		print "iptables -t nat -A prerouting_" $2 _opt[o] str2ipt($3) target
		# everything seems to work without this rule
		#print "iptables -A forwarding_" $2 _opt[o] " -d " $4 fwopts " -j ACCEPT"

		# the wan is more restricted so it needs extra rules
		if($2 == "wan") {
			# The second condition is always true when proto is set (the
			# preamble only fills _opt[0] with "-p ..." when proto is empty).
			fwopts = _opt[o]
			if ((_l["proto"] != "") && (_opt[0] == "")) fwopts = " -p " _l["proto"]
			# NOTE(review): a port range is matched on the original dport
			# while a single port is matched on the post-DNAT port $5 — these
			# only agree when the two port specs coincide; confirm.
			if(_l["dport"] ~ /-/) {
				dport = portstr("dst", _l["dport"])
				print "iptables -A input_" $2 fwopts " -d " $4 dport " -j ACCEPT"
			} else {
				# NOTE(review): with $5 empty this emits a bare `--dport`, and
				# with a non-tcp/udp proto `--dport` is rejected; either way
				# iptables fails and the ACCEPT is silently not installed
				# (fail-closed, but the forward is then unreachable from wan).
				print "iptables -A input_" $2 fwopts " -d " $4 " --dport " $5 " -j ACCEPT"
			}
		}

		# rules to give lan hosts access to port forwarded services
		# Hairpin NAT: LAN hosts addressing the node's own dest= address get
		# DNATed to $4:$5 just like external clients would.
		if ($2 == "wifi") {
			fwopts = _opt[o]
			dport = ""
			if ((_l["proto"] != "") && (_opt[0] == "")) fwopts = " -p " _l["proto"]
			if (_l["dport"] != "") dport = portstr("dst", _l["dport"])
			print "iptables -t nat -A PREROUTING " fwopts " -s " LAN_NET " -d " _l["dest"] dport target
		}
	}

	# nat the packet source for requests that came from the lan
	# this doesn't work for the wan yet
	# Without this SNAT the forwarded LAN host would answer the LAN client
	# directly and the reply would bypass the DNAT state on the node.
	if ($2 == "wifi") {
		print "iptables -t nat -A POSTROUTING -s " LAN_NET " -d " $4 " -j SNAT --to " _l["dest"]
	}
}