Koozali.org: home of the SME Server

Clean Solution for UDP PortForwarding Bug

Nicky

Clean Solution for UDP PortForwarding Bug
« on: May 20, 2006, 12:03:12 AM »
Replace /etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward with this:

# ------------------------ cut here ----------------------------------------
#
# Corrected UDP PortForwarding Bug! (by Néstor D. Díaz - nestorddiaz@matelogic.com.ar)
#

{
    my $pf_chain = "PortForwarding_\$\$";
    $OUT .= "# Create a new PortForwarding chain\n";
    $OUT .= "PFC=\$(/sbin/iptables --table nat ";
    $OUT .= "--numeric --list PortForwarding |\\\n";
    $OUT .= "   sed -n '3s/ .*//p')\n";
    $OUT .= "    /sbin/iptables --table nat --new-chain $pf_chain\n";

    foreach my $protocol (qw(tcp udp))
    {
        my $uproto = uc $protocol;
        my $propname = $uproto . "Forwards";
        # TCPForwards/UDPForwards hold alternating "port,ip:dport" entries.
        my %forwards = split(/,/, $masq{$propname} || '');
        foreach my $port (keys %forwards)
        {
            my ($ip, $dport) = split(/:/, $forwards{$port});
            $port =~ s/-/:/;
            $OUT .= "    /sbin/iptables --table nat --append $pf_chain " .
                "--protocol $protocol \\\n" .
                # Set up local port to forward
                "         --destination-port ${port} -j DNAT " .
                # Set up the remote port to forward to
                "--to-destination $ip";
            # Append the dport if any.
            $OUT .= ":$dport" if $dport;
            $OUT .= "\n";
            # And accept the incoming packets. Use the dport if there is one.
            ($port = $dport) =~ s/-/:/ if $dport;
            # If this rule is forwarding to localhost, ExternalIP or LocalIP,
            # then we must allow it on the INPUT chain instead of the FORWARD
            # chain.
            if (($ip eq '127.0.0.1') ||
                ($ip eq $InternalInterface{IPAddress}))
            {
                # Bad doggie! Bad!
                die "Port-forwarding to localhost or internal interface not permitted.\n";
            }
            elsif ($ip eq $ExternalInterface{IPAddress})
            {
                # Compare the lower-case $protocol here: $uproto is 'TCP'/'UDP'
                # and never equals 'tcp', so the tcp branch would never be taken.
                if ($protocol eq 'tcp')
                {
                    $OUT .= "    adjust_tcp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
                else
                {
                    $OUT .= "    adjust_udp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
            }
            else
            {
                if ($protocol eq 'tcp')
                {
                    $OUT .= "    adjust_tcp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
                else
                {
                    $OUT .= "    adjust_udp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
            }
        }
    }

    # having created a new PortForwarding chain, activate it and destroy
    # the old.
    $OUT .= "    /sbin/iptables --table nat --replace PortForwarding 1 " .
                "--destination \$OUTERNET --jump $pf_chain\n";
    $OUT .= "    /sbin/iptables --table nat --flush \$PFC\n";
    $OUT .= "    /sbin/iptables --table nat --delete-chain \$PFC\n";
}
# ------------------------ cut here ----------------------------------------

Or download this file from:
http://www.matelogic.com.ar/91adjustPortForward

Cheers!

Nicky

Clean Solution for UDP PortForwarding Bug
« Reply #1 on: May 20, 2006, 03:56:06 AM »
Sorry!!!

Where "if ($uproto eq 'tcp')" must say "if ($protocol eq 'tcp')".

Download from here:
http://www.matelogic.com.ar/91adjustPortForward

Nicky

Example of the Bug
« Reply #2 on: May 20, 2006, 04:43:10 PM »
Example of the Bug:
-----------------------

Some IPTables Rules:

Chain ForwardedTCP (1 references)
target              prot opt source      destination
ForwardedTCP_24182  all  --  anywhere    anywhere
denylog             tcp  --  anywhere    anywhere                   tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_24182 (1 references)
target              prot opt source      destination
ACCEPT              tcp  --  anywhere    pc-00007.matelogic.com.ar  tcp dpt:4890
ACCEPT              tcp  --  anywhere    pc-00069.matelogic.com.ar  tcp dpt:4357
ACCEPT              tcp  --  anywhere    pc-00007.matelogic.com.ar  tcp dpt:4500
ACCEPT              tcp  --  anywhere    pc-00069.matelogic.com.ar  tcp dpt:4889

Chain ForwardedUDP (1 references)
target              prot opt source      destination
ForwardedUDP_24182  all  --  anywhere    anywhere
denylog             udp  --  anywhere    anywhere

Chain ForwardedUDP_24182 (1 references)
target              prot opt source      destination
ACCEPT              tcp  --  anywhere    pc-00007.matelogic.com.ar  udp dpt:6430
ACCEPT              tcp  --  anywhere    pc-00009.matelogic.com.ar  udp dpt:27015
ACCEPT              tcp  --  anywhere    pc-00069.matelogic.com.ar  udp dpt:6474

Comment: The last 3 lines must be "udp" protocol.
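As an added example (not part of this thread and not SME Server code), the following Python checker parses an `iptables -L`-style listing and flags ACCEPT rules whose `prot` column disagrees with the protocol named by the Forwarded*/Inbound* chain they sit in, which is exactly the symptom shown in the listing above. It also flags a rule whose port match ("udp dpt:") names a different protocol than its `prot` column. The sample listing is a constructed, re-spaced copy of the output quoted in this post; the chain-name pattern (`ForwardedTCP`, `ForwardedUDP_<pid>`, `InboundTCP`, ...) is assumed from the names that appear there.

```python
import re

CHAIN_RE = re.compile(r'^Chain\s+(\S+)')
# Assumed from the chain names in the post: a per-protocol chain, optionally
# with the "_<pid>" suffix the template gives its working copy.
PROTO_CHAIN_RE = re.compile(r'^(?:Forwarded|Inbound)(TCP|UDP)(?:_\d+)?$')

# Constructed sample: the listing quoted in the post, with the destination
# column and the port match separated by whitespace as iptables prints them.
SAMPLE_LISTING = """\
Chain ForwardedTCP (1 references)
target              prot opt source      destination
ForwardedTCP_24182  all  --  anywhere    anywhere
denylog             tcp  --  anywhere    anywhere                   tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_24182 (1 references)
target              prot opt source      destination
ACCEPT              tcp  --  anywhere    pc-00007.matelogic.com.ar  tcp dpt:4890
ACCEPT              tcp  --  anywhere    pc-00069.matelogic.com.ar  tcp dpt:4357
ACCEPT              tcp  --  anywhere    pc-00007.matelogic.com.ar  tcp dpt:4500
ACCEPT              tcp  --  anywhere    pc-00069.matelogic.com.ar  tcp dpt:4889

Chain ForwardedUDP (1 references)
target              prot opt source      destination
ForwardedUDP_24182  all  --  anywhere    anywhere
denylog             udp  --  anywhere    anywhere

Chain ForwardedUDP_24182 (1 references)
target              prot opt source      destination
ACCEPT              tcp  --  anywhere    pc-00007.matelogic.com.ar  udp dpt:6430
ACCEPT              tcp  --  anywhere    pc-00009.matelogic.com.ar  udp dpt:27015
ACCEPT              tcp  --  anywhere    pc-00069.matelogic.com.ar  udp dpt:6474
"""


def parse_listing(listing):
    """Yield (chain, target, prot, match_text) for every rule line in the listing."""
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if chain is None or line.startswith('target'):
            continue                      # column header or text before any chain
        fields = line.split(None, 5)      # target prot opt source destination [match]
        if len(fields) < 5:
            continue
        match_text = fields[5] if len(fields) == 6 else ''
        yield chain, fields[0], fields[1], match_text


def find_protocol_mismatches(listing):
    """Return (chain, target, expected_proto, actual_proto) tuples for rules in a
    per-protocol chain whose prot column is the wrong protocol, or whose
    "tcp dpt:"/"udp dpt:" match names a different protocol than the prot column."""
    problems = []
    for chain, target, prot, match_text in parse_listing(listing):
        if prot == 'all':                 # the jump into the working chain
            continue
        m = PROTO_CHAIN_RE.match(chain)
        if m is None:
            continue                      # not a per-protocol chain; nothing to check
        expected = m.group(1).lower()
        if prot != expected:
            problems.append((chain, target, expected, prot))
            continue
        dm = re.match(r'(tcp|udp)\s+dpt:', match_text)
        if dm and dm.group(1) != prot:
            problems.append((chain, target, dm.group(1), prot))
    return problems


if __name__ == '__main__':
    # Run against live rules with: iptables -L -n | python3 thisfile.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for chain, target, expected, actual in find_protocol_mismatches(text):
        print(f"{chain}: {target} rule has prot {actual}, expected {expected}")
```

The check is deliberately based on the chain name rather than on the template source, so it catches the symptom regardless of which template produced the rules, and it can be run after `/etc/rc.d/init.d/masq restart` to confirm that the UDPForwards entries really became `udp` rules.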

CharlieBrady
Clean Solution for UDP PortForwarding Bug
« Reply #3 on: May 26, 2006, 08:20:56 PM »
Please post such information only in the Bug Tracker.

Could you please post a reference to a bug in the Bug Tracker so that we know what the bug is, and people who see this thread can see what has been done about it - e.g. release of an update? Thanks.

CharlieBrady
Clean Solution for UDP PortForwarding Bug
« Reply #4 on: June 02, 2006, 04:39:27 AM »
Quote from: "CharlieBrady"

Could you please post a reference to a bug in the Bug Tracker ...

Nicky, could you please post a link into the bug tracker, to the bug you are referring to?