#
# Adds some firewall magic to the stunnel.
#
# Using DNAT, this firewall rule allows a locally running program
# to connect to the normal remote IP and remote port of the
# service on another machine, while the connection is transparently
# routed through the locally running stunnel client instead.
#
# The network looks like this:
#
# From the client's perspective:
#
# |------- stunnel client --------------| |---------- stunnel server -----------------------|
# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port
#
# From the server's perspective:
#
# |------- stunnel client --------------| |---------- stunnel server -----------------------|
# ?? -> *:accept_port -> localhost:connect_port -> service
#
# Redirect the firewall host's own outbound TCP connections destined for
# $connect:$original_port into the local stunnel client listening on
# 127.0.0.1:$accept_port. The rule's source is '$FW', so only connections
# originating on the host running the firewall are rewritten; traffic from
# other hosts is not matched by this rule.
#
# $accept_port   - local port the stunnel client accepts on
# $connect       - remote address the consumer app dials (matched via originaldest)
# $connect_port  - accepted by this define but not referenced by the rule below
# $original_port - remote service port the consumer app dials (matched via destinationport)
define site_shorewall::stunnel::client(
  $accept_port,
  $connect,
  $connect_port,
  $original_port
) {
  include site_shorewall::defaults

  # '$FW' is single-quoted on purpose: Shorewall, not Puppet, interprets it.
  # The destination string escapes its leading '$' for the same reason while
  # still interpolating ${accept_port}.
  shorewall::rule { "stunnel_dnat_${name}":
    action          => 'DNAT',
    source          => '$FW',
    destination     => "\$FW:127.0.0.1:${accept_port}",
    proto           => 'tcp',
    destinationport => $original_port,
    originaldest    => $connect,
    order           => 200,
  }
}