authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2021-06-18 14:53:18 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2021-06-18 14:54:14 +0300
commit7a97c0a67132ecec496a9f1c161321f0bc519fd1 (patch)
tree2e1fea1d036d9d94942d41b1a5ac06e31942fab0
parentd34e447b684a3f29ea81a1304272c6837d11cffb (diff)
Filter: disallow bypassing DNAT
ref #9647
-rw-r--r--awall/modules/filter.lua10
-rw-r--r--test/output/filter-dnat/dump24
-rw-r--r--test/output/filter-dnat/rules-save12
3 files changed, 28 insertions, 18 deletions
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index c76fbf4..a761585 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -361,6 +361,16 @@ function Filter:target()
end
function Filter:mangleoptfrags(ofrags)
+ if self.dnat then
+ ofrags = combinations(
+ ofrags,
+ {
+ {family='inet', match='-m conntrack --ctstate DNAT'},
+ {family='inet6'}
+ }
+ )
+ end
+
local limit = self:limit()
local ul = self:updatelimit()
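Review bot: The new `if self.dnat then` block at the top of `Filter:mangleoptfrags` gives no rationale for attaching `-m conntrack --ctstate DNAT` to the `inet` fragments only, which a later maintainer may "fix" by symmetrising the `inet6` entry; a comment such as `-- Accept only connections whose destination the DNAT rule actually rewrote, so the internal address cannot be reached directly (ref #9647); inet6 fragments are left as they are since no inet6 NAT rules are generated` would pin that intent (the test output shows no inet6 nat rules, so this looks deliberate, but it is inferred). Note also that `--ctstate DNAT` only asserts that some DNAT was applied to the connection, not that it was this filter's own rule; the `-d`/`--dport` match narrows that, but two filters mapped onto the same internal address and port would still accept each other's traffic, which is worth stating in the comment if it is accepted. `combinations` and any handling of a pre-existing `match` key on the incoming fragments are outside the hunk, so I cannot confirm the new match is merged rather than overwriting one, and `Filter:mangleoptfrags` continues past the hunk.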
diff --git a/test/output/filter-dnat/dump b/test/output/filter-dnat/dump
index 0d59c48..54b5da8 100644
--- a/test/output/filter-dnat/dump
+++ b/test/output/filter-dnat/dump
@@ -14,20 +14,20 @@ Dnat 2 {"in":"B"}
Filter 1 {"dest":"192.168.0.1","dnat":"10.0.0.1","in":"A","service":"smtp"}
(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
inet/nat/PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
Filter 2 {"dest":"192.168.0.2","dnat":{"addr":"10.0.0.2","port":8080},"in":"A","service":"http"}
(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
inet/nat/PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
Filter 3 {"dnat":{"addr":"10.0.0.3","port":"8022-8033"},"in":"A","service":"ssh"}
(filter-dnat)
- inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
- inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
+ inet/filter/INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
inet/nat/PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.3:8022-8033
inet6/filter/FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
inet6/filter/INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
@@ -473,9 +473,9 @@ hash:net family inet
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
--A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
--A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
--A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -534,9 +534,9 @@ hash:net family inet
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
diff --git a/test/output/filter-dnat/rules-save b/test/output/filter-dnat/rules-save
index 6760e5e..3fa869f 100644
--- a/test/output/filter-dnat/rules-save
+++ b/test/output/filter-dnat/rules-save
@@ -6,9 +6,9 @@
:icmp-routing - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m conntrack --ctstate RELATED -j icmp-routing
--A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
--A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
--A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+-A FORWARD -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -67,9 +67,9 @@
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j icmp-routing
-A INPUT -i lo -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
--A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -m conntrack --ctstate DNAT -j ACCEPT
+-A INPUT -i eth0 -p tcp --dport 8022:8033 -d 10.0.0.3 -m conntrack --ctstate DNAT -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing