/usr/share/arno-iptables-firewall/plugins/50transparent-proxy.plugin is in arno-iptables-firewall 2.0.1.d-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 | # ------------------------------------------------------------------------------
# -= Arno's iptables firewall - Transparent Proxy plugin =-
#
PLUGIN_NAME="Transparent Proxy plugin"
PLUGIN_VERSION="1.03"
PLUGIN_CONF_FILE="transparent-proxy.conf"
#
# Last changed : September 19, 2010
# Requirements : kernel 2.6 + ip_nat + iptable_nat
# Comments : This plugin enables transparent DNAT for internal hosts for
# certain ports. Meaning you can redirect certain TCP/UDP ports (eg. http)
# which should be redirected from a certain INET address to an
# internal address.
# Updated to be IPv4-only
#
# Author : (C) Copyright 2007-2010 by Arno van Amersfoort
# Credits : Rok Potocnik for his initial idea
# Homepage : http://rocky.eld.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
# (note: you must remove all spaces and substitute the @ and the .
# at the proper locations!)
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------
# Plugin start function
plugin_start()
{
# Some required modules are already loaded by the main script:
modprobe ip_nat
modprobe iptable_nat
# modprobe ip_table
# Setup (transparent) proxy settings:
#####################################
if [ -n "$FTP_PROXY_PORT" ]; then
echo "${INDENT}Redirecting all internal FTP(port 21) traffic to proxy-port $FTP_PROXY_PORT"
IFS=' ,'
for interface in $INT_IF; do
ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 21 -j REDIRECT --to-ports $FTP_PROXY_PORT
done
fi
if [ -n "$SMTP_PROXY_PORT" ]; then
echo "${INDENT}Redirecting all internal SMTP(port 25) traffic to proxy-port $SMTP_PROXY_PORT"
IFS=' ,'
for interface in $INT_IF; do
ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 25 -j REDIRECT --to-ports $SMTP_PROXY_PORT
done
fi
if [ -n "$HTTP_PROXY_PORT" ]; then
echo "${INDENT}Redirecting all internal HTTP(port 80) traffic to proxy-port $HTTP_PROXY_PORT"
IFS=' ,'
for interface in $INT_IF; do
ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PROXY_PORT
done
fi
if [ -n "$POP3_PROXY_PORT" ]; then
echo "${INDENT}Redirecting all internal POP3(port 110) traffic to proxy-port $POP3_PROXY_PORT"
IFS=' ,'
for interface in $INT_IF; do
ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 110 -j REDIRECT --to-ports $POP3_PROXY_PORT
done
fi
if [ -n "$HTTPS_PROXY_PORT" ]; then
echo "${INDENT}Redirecting all internal HTTPs(port 443) traffic to proxy-port $HTTPS_PROXY_PORT"
IFS=' ,'
for interface in $INT_IF; do
ip4tables -t nat -A PREROUTING -i $interface -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PROXY_PORT
done
fi
return 0
}
# Plugin stop function
plugin_stop()
{
return 0
}
# Plugin status function
plugin_status()
{
return 0
}
# Check sanity of eg. environment
plugin_sanity_check()
{
# if [ -z "$FTP_PROXY_PORT" -o -z "$SMTP_PROXY_PORT" ]; then
# printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
# return 1
# fi
return 0
}
############
# Mainline #
############
# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi
# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
PLUGIN_RET_VAL=0
else
# Source the plugin config file
. "$CONF_FILE"
if [ "$ENABLED" = "1" ] ||
[ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
[ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
# Show who we are:
echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"
# Increment indention
INDENT="$INDENT "
# Only proceed if environment ok
if plugin_sanity_check; then
case $PLUGIN_CMD in
start|'') plugin_start; PLUGIN_RET_VAL=$?;;
stop ) plugin_stop; PLUGIN_RET_VAL=$?;;
status ) plugin_status; PLUGIN_RET_VAL=$?;;
* ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
esac
fi
else
PLUGIN_RET_VAL=0
fi
fi
|