Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Nicky on May 20, 2006, 12:03:12 AM
-
Replace /etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward with this:
# ------------------------ cut here ----------------------------------------
#
# Corrected UDP PortForwarding Bug! (by Néstor D. Díaz - nestorddiaz@matelogic.com.ar)
#
{
    # The new chain is named after the PID of the generated shell script ($$)
    my $pf_chain = "PortForwarding_\$\$";

    $OUT .= "# Create a new PortForwarding chain\n";
    # Remember the chain currently referenced by rule 1 of PortForwarding (3rd listing line)
    $OUT .= "PFC=\$(/sbin/iptables --table nat ";
    $OUT .= "--numeric --list PortForwarding |\\\n";
    $OUT .= " sed -n '3s/ .*//p')\n";
    $OUT .= " /sbin/iptables --table nat --new-chain $pf_chain\n";

    foreach my $protocol (qw(tcp udp))
    {
        my $uproto   = uc $protocol;
        my $propname = $uproto . "Forwards";
        my %forwards = split(/,/, $masq{$propname} || '');

        foreach my $port (keys %forwards)
        {
            my ($ip, $dport) = split(/:/, $forwards{$port});
            $port =~ s/-/:/;

            $OUT .= " /sbin/iptables --table nat --append $pf_chain " .
                    "--protocol $protocol \\\n" .
                    # Set up local port to forward
                    " --destination-port ${port} -j DNAT " .
                    # Set up the remote port to forward to
                    "--to-destination $ip";
            # Append the dport if any.
            $OUT .= ":$dport" if $dport;
            $OUT .= "\n";

            # And accept the incoming packets. Use the dport if there is one.
            ($port = $dport) =~ s/-/:/ if $dport;

            # If this rule is forwarding to localhost, ExternalIP or LocalIP,
            # then we must allow it on the INPUT chain instead of the FORWARD
            # chain.
            if (($ip eq '127.0.0.1') ||
                ($ip eq $InternalInterface{IPAddress}))
            {
                # Bad doggie! Bad!
                die "Port-forwarding to localhost or internal interface not permitted.\n";
            }
            elsif ($ip eq $ExternalInterface{IPAddress})
            {
                # $uproto is upper case ("TCP"), so the lower-case $protocol is compared here
                if ($protocol eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Inbound${uproto}_\$\$\n";
                }
            }
            else
            {
                if ($protocol eq 'tcp')
                {
                    $OUT .= " adjust_tcp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
                else
                {
                    $OUT .= " adjust_udp_in $port ACCEPT Forwarded${uproto}_\$\$ $ip/32\n";
                }
            }
        }
    }

    # having created a new PortForwarding chain, activate it and destroy
    # the old.
    $OUT .= " /sbin/iptables --table nat --replace PortForwarding 1 " .
            "--destination \$OUTERNET --jump $pf_chain\n";
    $OUT .= " /sbin/iptables --table nat --flush \$PFC\n";
    $OUT .= " /sbin/iptables --table nat --delete-chain \$PFC\n";
}
# ------------------------ cut here ----------------------------------------
Or Download this file from:
http://www.matelogic.com.ar/91adjustPortForward
Cheers!
-
Sorry!!!
Where "if ($uproto eq 'tcp')" must say "if ($protocol eq 'tcp')".
Download from here:
http://www.matelogic.com.ar/91adjustPortForward
-
Example of the Bug:
-----------------------
Some IPTables Rules:
Chain ForwardedTCP (1 references)
target              prot opt source     destination
ForwardedTCP_24182  all  --  anywhere   anywhere
denylog             tcp  --  anywhere   anywhere                    tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_24182 (1 references)
target              prot opt source     destination
ACCEPT              tcp  --  anywhere   pc-00007.matelogic.com.ar   tcp dpt:4890
ACCEPT              tcp  --  anywhere   pc-00069.matelogic.com.ar   tcp dpt:4357
ACCEPT              tcp  --  anywhere   pc-00007.matelogic.com.ar   tcp dpt:4500
ACCEPT              tcp  --  anywhere   pc-00069.matelogic.com.ar   tcp dpt:4889

Chain ForwardedUDP (1 references)
target              prot opt source     destination
ForwardedUDP_24182  all  --  anywhere   anywhere
denylog             udp  --  anywhere   anywhere

Chain ForwardedUDP_24182 (1 references)
target              prot opt source     destination
ACCEPT              tcp  --  anywhere   pc-00007.matelogic.com.ar   udp dpt:6430
ACCEPT              tcp  --  anywhere   pc-00009.matelogic.com.ar   udp dpt:27015
ACCEPT              tcp  --  anywhere   pc-00069.matelogic.com.ar   udp dpt:6474
Comment: The last 3 lines must be "udp" protocol.
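Added example (not from this thread or from SME Server): a small Python check that parses the text form of `iptables --list` and flags any rule whose `prot` column disagrees with the protocol named in its Forwarded<TCP|UDP>_<pid> chain, which is exactly the symptom shown above. The listing it runs on is constructed from the output in this post.

```python
import re

# Constructed sample, modelled on the `iptables -L` output quoted in this thread
# (same hostnames and ports; column spacing is illustrative).
SAMPLE_LISTING = """\
Chain ForwardedTCP (1 references)
target             prot opt source    destination
ForwardedTCP_24182 all  --  anywhere  anywhere
denylog            tcp  --  anywhere  anywhere   tcp flags:SYN,RST,ACK/SYN

Chain ForwardedTCP_24182 (1 references)
target  prot opt source    destination
ACCEPT  tcp  --  anywhere  pc-00007.matelogic.com.ar  tcp dpt:4890
ACCEPT  tcp  --  anywhere  pc-00069.matelogic.com.ar  tcp dpt:4357

Chain ForwardedUDP_24182 (1 references)
target  prot opt source    destination
ACCEPT  tcp  --  anywhere  pc-00007.matelogic.com.ar  udp dpt:6430
ACCEPT  tcp  --  anywhere  pc-00009.matelogic.com.ar  udp dpt:27015
ACCEPT  udp  --  anywhere  pc-00069.matelogic.com.ar  udp dpt:6474
"""

# Per-protocol chains the template creates: Forwarded<PROTO>_<pid>
CHAIN_RE = re.compile(r"^Chain (Forwarded(TCP|UDP)_\d+) ")


def find_protocol_mismatches(listing):
    """Return (chain, destination, prot, expected) for every rule whose
    'prot' column differs from the protocol encoded in the chain name."""
    mismatches = []
    chain = expected = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, expected = m.group(1), m.group(2).lower()
            continue
        if line.startswith("Chain "):
            chain = expected = None  # parent or unrelated chain: not checked
            continue
        fields = line.split()
        if expected is None or len(fields) < 5 or fields[0] == "target":
            continue  # blank line, column header, or outside a forward chain
        prot, dest = fields[1], fields[4]
        if prot != expected:
            mismatches.append((chain, dest, prot, expected))
    return mismatches


if __name__ == "__main__":
    for chain, dest, prot, expected in find_protocol_mismatches(SAMPLE_LISTING):
        print(f"{chain}: rule to {dest} uses {prot}, chain expects {expected}")
```

To check a live box, replace SAMPLE_LISTING with the output of `/sbin/iptables --list`; the ForwardedUDP chain should produce no lines once the corrected template is in place.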
-
Please post such information only in the Bug Tracker.
Could you please post a reference to a bug in the Bug Tracker so that we know what the bug is, and people who see this thread can see what has been done about it - e.g. release of an update? Thanks.
-
Could you please post a reference to a bug in the Bug Tracker ...
Nicky, could you please post a link into the bug tracker, to the bug you are referring to?