Changeset 299 for trunk/system


Ignore:
Timestamp:
Oct 3, 2010, 1:51:44 PM (14 years ago)
Author:
george
Message:
  • Opraveno: Generování nat a filter pravidel firewallu.
Location:
trunk/system/generators
Files:
2 edited

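--- a/trunk/system/generators/firewall_filter.php
+++ b/trunk/system/generators/firewall_filter.php
@@ -13,5 +13,5 @@
 
 $InetInterface = $Config['MainRouter']['InetInterface'];
-$LocalInterface = $Config['MainRouter']['InetInterface'];
+$LocalInterface = $Config['MainRouter']['LocalInterface'];
 
 $Items = array();
@@ -22,22 +22,23 @@
 $Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'passthrough', 'comment' => 'total-in');
 
+// Inet traffic groups
+//$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out', 'comment' => 'inet-out');
+//$Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in', 'comment' => 'inet-in');
+
 // Input to router
-$Items[] = array('chain' => 'input', 'protocol' => 'icmp', 'action' => 'accept', 'comment' => 'local-ping');
-$Items[] = array('chain' => 'input', 'src-address' => '216.66.80.30', 'action' => 'accept', 'comment' => 'ipv6-tunnel');
-$Items[] = array('chain' => 'input', 'action' => 'drop', 'comment' => 'drop-rest-input');
+$Items[] = array('chain' => 'input', 'in-interface' => $InetInterface, 'protocol' => 'icmp', 'action' => 'accept', 'comment' => 'local-ping');
+$Items[] = array('chain' => 'input', 'in-interface' => $InetInterface, 'src-address' => '216.66.80.30', 'action' => 'accept', 'comment' => 'ipv6-tunnel');
+$Items[] = array('chain' => 'input', 'in-interface' => $InetInterface, 'action' => 'drop', 'comment' => 'drop-rest-input');
 
 // Allowed SMTP servers
-$Items[] = array('chain' => 'forward', 'protocol' => 'tcp', 'dst-port' => 25, 'src-address' => '10.145.64.8', 'action' => 'accept', 'comment' => 'smtp.zdechov.net');
-$Items[] = array('chain' => 'forward', 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '212.111.0.12', 'action' => 'accept', 'comment' => 'smtp.inext.cz');
-$Items[] = array('chain' => 'forward', 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '93.89.98.3', 'action' => 'accept', 'comment' => 'smtp.sychrovnet.cz');
-$Items[] = array('chain' => 'forward', 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '77.75.72.43', 'action' => 'accept', 'comment' => 'smtp.seznam.cz');
-$Items[] = array('chain' => 'forward', 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '82.119.226.113', 'action' => 'accept', 'comment' => 'smtp.svarko.cz');
-$Items[] = array('chain' => 'forward', 'protocol' => 'tcp', 'dst-port' => 25, 'action' => 'drop', 'comment' => 'drop-rest-smtp');
+$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'src-address' => '10.145.64.8', 'action' => 'accept', 'comment' => 'smtp.zdechov.net');
+$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '212.111.0.12', 'action' => 'accept', 'comment' => 'smtp.inext.cz');
+$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '93.89.98.3', 'action' => 'accept', 'comment' => 'smtp.sychrovnet.cz');
+$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '77.75.72.43', 'action' => 'accept', 'comment' => 'smtp.seznam.cz');
+$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '82.119.226.113', 'action' => 'accept', 'comment' => 'smtp.svarko.cz');
+$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'action' => 'drop', 'comment' => 'drop-rest-smtp');
 
 
 
-// Inet traffic groups
-$Items[] = array('chain' => 'forward', 'interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out', 'comment' => 'inet-out');
-$Items[] = array('chain' => 'forward', 'interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in', 'comment' => 'inet-out');
 
 // Insert blocked addresses
@@ -54,6 +55,6 @@
     $Name = RouterOSIdent($Name);
     echo($Name.'('.$Interface['LocalIP'].'), ');
-    $Items[] = array('chain' => 'inet-out', 'src-address' => $Interface['LocalIP'], 'action' => 'drop', 'comment' => $Name.'-out-drop');
-    $Items[] = array('chain' => 'inet-in', 'dst-address' => $Interface['LocalIP'], 'action' => 'drop', 'comment' => $Name.'-in-drop');
+    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'src-address' => $Interface['LocalIP'], 'action' => 'drop', 'comment' => $Name.'-out-drop');
+    $Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'dst-address' => $Interface['LocalIP'], 'action' => 'drop', 'comment' => $Name.'-in-drop');
   }
 
@@ -72,5 +73,5 @@
       if($Subnet['Mask'] == 32) $Src = $Subnet['AddressRange'];
         else $Src = $Subnet['AddressRange'].'/'.$Subnet['Mask'];
-      $Items[] = array('chain' => 'inet-out', 'src-address' => $Src, 'action' => 'drop','comment' => $Subnet['Name'].'-out-drop');
+      $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'src-address' => $Src, 'action' => 'drop','comment' => $Subnet['Name'].'-out-drop');
    
       $NewAddress = new NetworkAddressIPv4();
@@ -82,5 +83,5 @@
       if($Subnet['ExtMask'] == 32) $Dest = $Subnet['ExtAddressRange'];
         else $Dest = $Subnet['ExtAddressRange'].'/'.$Subnet['ExtMask'];
-      $Items[] = array('chain' => 'inet-in', 'dst-address' => $Dest, 'action' => 'drop', 'comment' => $Subnet['Name'].'-in-drop');
+      $Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'dst-address' => $Dest, 'action' => 'drop', 'comment' => $Subnet['Name'].'-in-drop');
   }
   echo("\n");
@@ -88,5 +89,5 @@
 
 //print_r($Items);
-$Routerboard->ListUpdate($Path, array('chain', 'dst-address', 'in-interface', 'src-address', 'out-interface', 'to-ports', 'dst-port', 'protocol', 'action', 'to-addresses', 'comment', 'jump-target', 'src-port'), $Items);
+$Routerboard->ListUpdate($Path, array('chain', 'dst-address', 'in-interface', 'src-address', 'out-interface', 'dst-port', 'protocol', 'action', 'comment', 'jump-target', 'src-port'), $Items);
 
 ?>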
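Review bot: The `ipv6-tunnel` accept on new line 30 admits every protocol and port from 216.66.80.30 on the inet interface, and since `drop-rest-input` on line 31 makes it one of only two openings into the router, it should be narrowed to the tunnel protocol by adding `'protocol' => 'ipv6-encap'` (6in4, IP protocol 41) next to the `src-address` match. Unless an established/related accept exists outside this hunk, the same `drop-rest-input` rule also discards replies to connections the router itself opens through the inet interface (DNS, NTP and the like), which is worth confirming before the generated rule set is applied. `$LocalInterface`, corrected in the first hunk, is not read by any line shown on this page, so if nothing else in the file uses it the assignment is dead. The commented-out jump rules added as new lines 24–26 are dead code and should be deleted rather than carried along, and the literal tunnel and SMTP addresses would sit better in `$Config['MainRouter']` alongside the interfaces, so that firewall_filter.php and firewall_nat.php do not each embed site addresses (10.145.64.8 appears in both).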
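--- a/trunk/system/generators/firewall_nat.php
+++ b/trunk/system/generators/firewall_nat.php
@@ -13,5 +13,5 @@
 
 $InetInterface = $Config['MainRouter']['InetInterface'];
-$LocalInterface = $Config['MainRouter']['InetInterface'];
+$LocalInterface = $Config['MainRouter']['LocalInterface'];
 $IPCentrala = '10.145.64.8';
 
@@ -54,5 +54,5 @@
     } else
     {
-      $Items[] = array('chain' => 'dstnat', 'src-address' => $Interface['LocalIP'], 'dst-port' => 80, 'action' => 'dst-nat',  'to-addresses' => $IPCentrala, 'to-ports' => 81, 'comment' => $Name.'-out');
+      $Items[] = array('chain' => 'dstnat', 'src-address' => $Interface['LocalIP'], 'protocol' => 'tcp', 'dst-port' => 80, 'action' => 'dst-nat',  'to-addresses' => $IPCentrala, 'to-ports' => 81, 'comment' => $Name.'-out');
     }
   }
@@ -89,5 +89,5 @@
       if($Subnet['Mask'] == 32) $Src = $Subnet['AddressRange'];
         else $Src = $Subnet['AddressRange'].'/'.$Subnet['Mask'];
-      $Items[] = array('chain' => 'dstnat', 'src-address' => $Src, 'dst-port' => 80, 'action' => 'dst-nat',  'to-addresses' => $IPCentrala, 'to-ports' => 81, 'comment' => $Subnet['Name'].'-out');
+      $Items[] = array('chain' => 'dstnat', 'src-address' => $Src, 'protocol' => 'tcp', 'dst-port' => 80, 'action' => 'dst-nat',  'to-addresses' => $IPCentrala, 'to-ports' => 81, 'comment' => $Subnet['Name'].'-out');
     }
   }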
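Review bot: The dst-nat rules on new lines 56 and 91 gain the `'protocol' => 'tcp'` that `dst-port` requires, but unlike the filter rules in this changeset they carry no interface or destination restriction, so port-80 traffic from a blocked address to any destination, including hosts on the local network, is redirected to `$IPCentrala`:81; `out-interface` cannot be matched in the dstnat chain (it runs before routing), so if only internet-bound traffic should land on the notice page the restriction would have to be a negated `dst-address` match on the local ranges — confirm which behaviour is intended. `$IPCentrala` is a literal on line 16 while the interfaces come from `$Config['MainRouter']`; reading it from the same place keeps the generators consistent (the same 10.145.64.8 is also hard-coded as the SMTP source in firewall_filter.php). `$LocalInterface`, fixed in the first hunk, is not read by any line shown here. Both rule lines sit inside loops whose headers lie outside the hunks.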