debops / ansible-ferm

Manage iptables firewall using ferm
GNU General Public License v3.0

How to in DMZ forward port public_ip:40001 to private_ip:30022 #55

Closed drupaladmin closed 6 years ago

drupaladmin commented 9 years ago

Hi!

Please tell me how to forward port public_ip:40001 to private_ip:30022 in the DMZ?

drybjed commented 9 years ago

I guess at the moment dmz template supports only 1:1 mapping of public/private ports. I'll try to add custom ports soon. Thanks for the heads up. :-)

drupaladmin commented 9 years ago

I can try to help you with this task.

What do you think about adding items to the "ports" array containing: public_port: private_port:

If private_port is not defined we use only public_port.

drybjed commented 9 years ago

I tried to add support with exactly the same parameters you are talking about, but I couldn't get the forwarding working just right and I have to work on some other thing at the moment. If you need this right now, I suggest that you could use custom template and write iptables commands directly as a post hook for some quick setup.

Current dmz template is geared towards forwarding all traffic to another host transparently, perhaps separate template to forward ports around to local or remote host would be better suited for this.

ganto commented 8 years ago

I guess this issue should be resolved with the recent commit, see #85. Now you should be able to define e.g.:

ferm__host_rules:
  - type: 'dmz'
    name: 'my-forward'
    public_ip: <your-public-address>
    private_ip: <your-private-address>
    protocol: 'tcp'
    port: [ 40001 ]
    dport: 30022

stefangweichinger commented 6 years ago

Trying this:

ferm__host_rules:
  - name: 'fwd_https_to_java'
    type: 'dmz'
    private_ip: '127.0.0.1'
    public_ip: '{{ ansible_eth0.ipv4.address }}'
    protocol: 'tcp'
    port: '80'
    dport: '9000'

Generated conf on target host:

domain (ip ip6) {
    @def $PUBLIC_IP  = ( @ipfilter( (192.168.111.218) ) );
    @def $PRIVATE_IP = ( @ipfilter( (127.0.0.1) ) );
    @if @ne($PUBLIC_IP,"") @if @ne($PRIVATE_IP,"") {
        table filter chain FORWARD {
            protocol (tcp) {
                dport (80) {
                    destination $PRIVATE_IP ACCEPT;
                }
            }
        }
        table nat {
            chain PREROUTING {
                protocol (tcp) {
                    dport (80) {
                        destination $PUBLIC_IP DNAT to @cat($PRIVATE_IP, ":9000");
                    }
                }
            }
            chain POSTROUTING {
                source $PRIVATE_IP SNAT to $PUBLIC_IP;
            }
        }
    }
}

ferm fails with:

                         (
                             $ PRIVATE_IP , ":9000"
                         )
                         <--
 String expected
 failed!
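An added pre-deploy check, not part of this thread or of the debops role: a small Python linter for the failure shown above. It flags any @cat() argument that names a @def variable initialised as a parenthesised list, which is assumed here to be what triggers ferm's "String expected" error. The sample stanza is constructed from the generated conf above, trimmed to the relevant lines.

```python
import re

# Constructed sample, cut down from the generated conf posted in this issue.
SAMPLE_CONF = """\
domain (ip ip6) {
    @def $PUBLIC_IP  = ( @ipfilter( (192.168.111.218) ) );
    @def $PRIVATE_IP = ( @ipfilter( (127.0.0.1) ) );
    @def $APP_PORT = "9000";
    table nat {
        chain PREROUTING {
            destination $PUBLIC_IP DNAT to @cat($PRIVATE_IP, ":9000");
        }
    }
}
"""

# "@def $NAME = value;" -> capture NAME and the value up to the first ';'
DEF_RE = re.compile(r'@def\s+\$(\w+)\s*=\s*(.+?);')
# "@cat(args)" -> capture the raw argument text (no nested parentheses expected)
CAT_RE = re.compile(r'@cat\(([^)]*)\)')


def list_valued_vars(conf):
    """Names of @def variables whose value is a parenthesised list, e.g. ( @ipfilter(...) )."""
    return {m.group(1) for m in DEF_RE.finditer(conf)
            if m.group(2).strip().startswith('(')}


def find_cat_on_lists(conf):
    """Return (line_no, var_name) for every @cat() argument that is a list-valued variable.

    Assumption (from the error in this thread): @cat only accepts strings, so
    passing a list-valued $VAR makes ferm abort and the ruleset is never loaded.
    """
    lists = list_valued_vars(conf)
    hits = []
    for line_no, line in enumerate(conf.splitlines(), start=1):
        for m in CAT_RE.finditer(line):
            for arg in m.group(1).split(','):
                arg = arg.strip()
                if arg.startswith('$') and arg[1:] in lists:
                    hits.append((line_no, arg[1:]))
    return hits


if __name__ == '__main__':
    for line_no, var in find_cat_on_lists(SAMPLE_CONF):
        print(f'line {line_no}: @cat() applied to list-valued ${var}')
```

Run it against the rendered /etc/ferm config before the handler reloads ferm, so a broken DMZ stanza is caught instead of leaving the host without its ruleset.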

varac commented 6 years ago

I get the same error as @stefangweichinger

drybjed commented 6 years ago

Hmm, I think I forgot about that issue at the time, sorry - but it was my birthday after all... Anyway, I'll try to debug this soon, thanks for the heads up.

niccolox commented 6 years ago

I am getting the same error: https://github.com/debops/ansible-ifupdown/issues/73