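<?php

// Generator for the main router's "/ip firewall nat" rule list.
//
// It collects the NAT rules for every non-blocked member (per-host 1:1 NAT and
// per-subnet NAT towards the internet interface), appends the static rules
// (default masquerade, DNS redirection, chain jumps) and finally pushes the
// whole list to the router through Routerboard::ListUpdate().
//
// The script is meant to be run from the command line only: a request that
// carries REMOTE_ADDR (i.e. an HTTP request) is rejected before anything else
// runs, so nothing below has to deal with request input.
if(isset($_SERVER['REMOTE_ADDR'])) die();
include_once(dirname(__FILE__).'/../../../Application/System.php');
$System = new System();
$System->ShowPage = false;  // bootstrap the application without rendering a page
$System->Run();
$Path = array('ip', 'firewall', 'nat');

// Router connection parameters; $Config is expected to be populated by the
// included System.php (not visible from this file).
$Routerboard = new Routerboard($Config['MainRouter']['HostName']);
$Routerboard->UserName = $Config['MainRouter']['UserName'];
$Routerboard->Timeout = $Config['MainRouter']['ConnectTimeout'];
// NOTE(review): Debug presumably makes the router session verbose on stdout;
// confirm what it prints before scheduling this script unattended.
$Routerboard->Debug = true;

$InetInterface = $Config['MainRouter']['InetInterface'];
$LocalInterface = $Config['MainRouter']['LocalInterface'];
// Central server: target of the blocked-member HTTP redirect and of the DNS
// redirection rules below.
$IPCentrala = '10.145.64.8';

// RouterOS address specification of a network: the bare address for a /32,
// otherwise "address/mask". Mask is compared loosely because it arrives as a
// string from the database.
$AddressSpec = function($Address, $Mask)
{
  if($Mask == 32) return($Address);
  else return($Address.'/'.$Mask);
};

// RouterOS "to-addresses" value of a network: the single address for a /32,
// otherwise the inclusive "first-last" range computed by NetworkAddressIPv4.
$AddressRangeSpec = function($Address, $Mask)
{
  $NewAddress = new NetworkAddressIPv4();
  $NewAddress->AddressFromString($Address);
  $NewAddress->Prefix = $Mask;
  $Range = $NewAddress->GetRange();
  if($Mask != 32) return($Range['From']->AddressToString().'-'.$Range['To']->AddressToString());
  else return($Range['From']->AddressToString());
};

$Items = array();

/*
// NTP redirect
$Items[] = array('chain' => 'srcnat', 'src-address' => '10.145.66.1', 'protocol' => 'udp', 'src-port' => 123, 'action' => 'src-nat', 'to-addresses' => '10.145.64.1', 'comment' => 'NTP_redirect_4');
$Items[] = array('chain' => 'srcnat', 'src-address' => '10.145.66.161', 'protocol' => 'udp', 'src-port' => 123, 'action' => 'src-nat', 'to-addresses' => '10.145.64.1', 'comment' => 'NTP_redirect_5');
$Items[] = array('chain' => 'srcnat', 'src-address' => '10.145.66.193', 'protocol' => 'udp', 'src-port' => 123, 'action' => 'src-nat', 'to-addresses' => '10.145.64.1', 'comment' => 'NTP_redirect_1');
$Items[] = array('chain' => 'srcnat', 'src-address' => '10.145.66.225', 'protocol' => 'udp', 'src-port' => 123, 'action' => 'src-nat', 'to-addresses' => '10.145.64.1', 'comment' => 'NTP_redirect_2');
$Items[] = array('chain' => 'srcnat', 'src-address' => '10.145.66.250', 'protocol' => 'udp', 'src-port' => 123, 'action' => 'src-nat', 'to-addresses' => '10.145.64.1', 'comment' => 'NTP_redirect_3');
$Items[] = array('chain' => 'srcnat', 'src-address' => '10.145.66.253', 'protocol' => 'udp', 'src-port' => 123, 'action' => 'src-nat', 'to-addresses' => '10.145.64.1', 'comment' => 'NTP_redirect_6');
*/

// Chain for inet interface: all traffic leaving/entering through the internet
// interface is handled in the dedicated inet-out / inet-in chains.
$Items[] = array('chain' => 'srcnat', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out', 'comment' => 'inet-out');
$Items[] = array('chain' => 'dstnat', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in', 'comment' => 'inet-in');

// Skip local subnet
//$Items[] = array('chain' => 'inet-out', 'dst-address' => '172.16.1.1/30', 'action' => 'accept', 'comment' => 'Local_subnet');
//$Items[] = array('chain' => 'inet-in', 'dst-address' => '172.16.1.1/30', 'action' => 'accept', 'comment' => 'Local_subnet');

// Per-member rules. Only non-blocked members are selected here, so the
// "blocked" branches further down are currently never taken; they are kept so
// the redirect rules appear as soon as this filter is relaxed.
$DbResult = $System->Database->query('SELECT `Member`.*, `Subject`.`Name` FROM `Member` '.
  'LEFT JOIN `Subject` ON `Subject`.`Id` = `Member`.`Subject` '.
  'WHERE `Member`.`Blocked` = 0');
while($Member = $DbResult->fetch_assoc())
{
  echo($Member['Name'].': ');
  // Hosts: interfaces that have both a local and a distinct external address.
  // $Member['Id'] is taken from the row fetched above, not from request input.
  $DbResult2 = $System->Database->query('SELECT `NetworkInterface`.*, `NetworkDevice`.`Name` AS `DeviceName`, `NetworkDevice`.`InboundNATPriority` FROM `NetworkInterface`'.
    ' LEFT JOIN `NetworkDevice` ON `NetworkDevice`.`Id` = `NetworkInterface`.`Device` WHERE (`NetworkInterface`.`ExternalIP` <> "")'.
    ' AND (`NetworkInterface`.`LocalIP` <> "")'.
    ' AND (`NetworkDevice`.`Member` = '.$Member['Id'].') AND (`NetworkInterface`.`LocalIP` != `NetworkInterface`.`ExternalIP`) ORDER BY `id` DESC');
  while($Interface = $DbResult2->fetch_assoc())
  {
    // Rule comment: "<device>[-<interface>]", normalised to a RouterOS identifier.
    $Name = $Interface['DeviceName'];
    if($Interface['Name'] != '') $Name .= '-'.$Interface['Name'];
    $Name = RouterOSIdent($Name);
    echo($Name.'('.$Interface['LocalIP'].'), ');
    if($Member['Blocked'] == 0)
    {
      // Outbound 1:1 NAT for every host; inbound NAT only for hosts that
      // request it through a positive InboundNATPriority.
      $Items[] = array('chain' => 'inet-out', 'src-address' => $Interface['LocalIP'], 'action' => 'src-nat', 'to-addresses' => $Interface['ExternalIP'], 'comment' => $Name.'-out');
      if($Interface['InboundNATPriority'] > 0)
        $Items[] = array('chain' => 'inet-in', 'dst-address' => $Interface['ExternalIP'], 'action' => 'dst-nat', 'to-addresses' => $Interface['LocalIP'], 'comment' => $Name.'-in');
    } else
    {
      // Blocked member: redirect its HTTP traffic to the central server.
      $Items[] = array('chain' => 'dstnat', 'src-address' => $Interface['LocalIP'], 'protocol' => 'tcp', 'dst-port' => 80, 'action' => 'dst-nat', 'to-addresses' => $IPCentrala, 'to-ports' => 81, 'comment' => $Name.'-out');
    }
  }

  // Subnets: whole local networks mapped onto external networks.
  $DbResult2 = $System->Database->select('NetworkSubnet', '*', '`Member`='.$Member['Id']);
  while($Subnet = $DbResult2->fetch_assoc())
  {
    $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
    echo($Subnet['Name'].'('.$Subnet['AddressRange'].'/'.$Subnet['Mask'].'), ');
    if($Member['Blocked'] == 0)
    {
      // Outbound: local network -> external range; inbound: external network -> local range.
      $Items[] = array('chain' => 'inet-out', 'src-address' => $AddressSpec($Subnet['AddressRange'], $Subnet['Mask']), 'action' => 'src-nat', 'to-addresses' => $AddressRangeSpec($Subnet['ExtAddressRange'], $Subnet['ExtMask']), 'comment' => $Subnet['Name'].'-out');
      $Items[] = array('chain' => 'inet-in', 'dst-address' => $AddressSpec($Subnet['ExtAddressRange'], $Subnet['ExtMask']), 'action' => 'dst-nat', 'to-addresses' => $AddressRangeSpec($Subnet['AddressRange'], $Subnet['Mask']), 'comment' => $Subnet['Name'].'-in');
    } else
    {
      // Blocked member: redirect the subnet's HTTP traffic to the central server.
      $Items[] = array('chain' => 'dstnat', 'src-address' => $AddressSpec($Subnet['AddressRange'], $Subnet['Mask']), 'protocol' => 'tcp', 'dst-port' => 80, 'action' => 'dst-nat', 'to-addresses' => $IPCentrala, 'to-ports' => 81, 'comment' => $Subnet['Name'].'-out');
    }
  }
  echo("\n");
}

// Masquerade hosts without public ip (catch-all at the end of inet-out)
$Items[] = array('chain' => 'inet-out', 'action' => 'src-nat', 'to-addresses' => '77.92.221.188', 'comment' => 'Default_NAT');

// Redirect DNS port: queries arriving from the internet interface for the
// public resolver address are forwarded to the central server.
$Items[] = array('chain' => 'dstnat', 'dst-address' => '212.111.4.174', 'protocol' => 'tcp', 'dst-port' => 53, 'in-interface' => $InetInterface, 'action' => 'dst-nat', 'to-addresses' => $IPCentrala, 'to-ports' => 53, 'comment' => 'DNS_redirection_TCP');
$Items[] = array('chain' => 'dstnat', 'dst-address' => '212.111.4.174', 'protocol' => 'udp', 'dst-port' => 53, 'in-interface' => $InetInterface, 'action' => 'dst-nat', 'to-addresses' => $IPCentrala, 'to-ports' => 53, 'comment' => 'DNS_redirection_UDP');


// Chain for local interface (the chains themselves are currently empty, see
// the commented-out block below).
$Items[] = array('chain' => 'srcnat', 'out-interface' => $LocalInterface, 'action' => 'jump', 'jump-target' => 'local-out', 'comment' => 'local-out');
$Items[] = array('chain' => 'dstnat', 'in-interface' => $LocalInterface, 'action' => 'jump', 'jump-target' => 'local-in', 'comment' => 'local-in');

/*
// Route public addresses localy
$DbResult = $System->Database->query('SELECT Member.*, Subject.Name FROM Member JOIN Subject ON Member.Subject = Subject.Id');
while($Member = $DbResult->fetch_assoc())
{
  echo($Member['Name'].': ');
  // Hosts
  $DbResult2 = $System->Database->query('SELECT NetworkInterface.*, NetworkDevice.Name AS DeviceName FROM NetworkInterface LEFT JOIN NetworkDevice ON NetworkDevice.Id = NetworkInterface.Device WHERE (NetworkInterface.ExternalIP <> "") AND (NetworkDevice.Member = '.$Member['Id'].') AND (NetworkInterface.LocalIP != NetworkInterface.ExternalIP) ORDER BY id DESC');
  while($Interface = $DbResult2->fetch_assoc())
  {
    $Name = $Interface['DeviceName'];
    if($Interface['Name'] != '') $Name .= '-'.$Interface['Name'];
    $Name = RouterOSIdent($Name);
    echo($Name.'('.$Interface['LocalIP'].'), ');
    $Items[] = array('chain' => 'local-in', 'dst-address' => $Interface['ExternalIP'], 'action' => 'dst-nat', 'to-addresses' => $Interface['LocalIP'], 'comment' => $Name.'-in-local');
  }
  echo("\n");
}

// Map returned local traffic to virtual subnet
$Items[] = array('chain' => 'local-out', 'src-address' => '10.145.0.0/16', 'dst-address' => '10.145.0.0/16', 'action' => 'netmap', 'to-addresses' => '10.45.0.0-10.45.255.255', 'comment' => 'map-local');
*/

//print_r($Items);
// Synchronise the router's list with $Items; the second argument names the
// properties that identify/compare a rule.
$Routerboard->ListUpdate($Path, array('chain', 'dst-address', 'in-interface', 'src-address', 'out-interface', 'to-ports', 'dst-port', 'protocol', 'action', 'to-addresses', 'comment', 'jump-target', 'src-port'), $Items);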