mirror of
https://framagit.org/tom79/fediplan.git
synced 2025-04-05 21:51:50 +02:00
85 lines
2.4 KiB
Bash
Executable file
85 lines
2.4 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
#
|
|
# Adds TCP/UDP port forwarding rules to the pf firewall (MacOS/BSD).
|
|
#
|
|
# Adds rules for both TCP and UDP in addition to those from /etc/pf.conf.
|
|
# Requires an existing rdr-anchor entry in /etc/pf.conf.
|
|
# Only adds rules temporarily, without changing any files.
|
|
#
|
|
# Usage: ./forward-ports.sh [[nic:]port=[ip:]port [...]]
|
|
#
|
|
# If no network interface is given, forwards from all interfaces.
|
|
# If no IP is given, forwards to 127.0.0.1.
|
|
# If no port forwarding rule is given, resets to the rules from /etc/pf.conf.
|
|
#
|
|
# e.g. forwarding ports 80 and 443 on network interface en0 to ports 8080 and
|
|
# 8443 on localhost respectively:
|
|
# ./forward-ports.sh en0:80=8080 en0:443=8443
|
|
#
|
|
# Copyright 2019, Sebastian Tschan
|
|
# https://blueimp.net
|
|
#
|
|
# Licensed under the MIT license:
|
|
# https://opensource.org/licenses/MIT
|
|
#
|
|
|
|
set -e
|
|
|
|
RULES=
|
|
NEWLINE='
|
|
'
|
|
|
|
print_usage_exit() {
|
|
if [ -n "$RULES" ]; then
|
|
printf '\nError in custom rules:\n%s\n' "$RULES" >&2
|
|
fi
|
|
echo "Usage: $0 [[nic:]port=[ip:]port [...]]" >&2
|
|
exit 1
|
|
}
|
|
|
|
print_nat_rules() {
|
|
echo
|
|
echo 'Loaded NAT rules:'
|
|
sudo pfctl -s nat 2>/dev/null
|
|
echo
|
|
}
|
|
|
|
# Print usage and exit if option arguments like "-h" are used:
|
|
if [ "${1#-}" != "$1" ]; then print_usage_exit; fi
|
|
|
|
while test $# -gt 0; do
|
|
# Separate the from=to parts:
|
|
from=${1%=*}
|
|
to=${1#*=}
|
|
# If from part has a nic defined, extract it, else forward from all:
|
|
case "$from" in
|
|
*:*) nic="on ${from%:*}";;
|
|
*) nic=;;
|
|
esac
|
|
# Extract the port to forward from:
|
|
from_port=${from##*:}
|
|
# If to part has an IP defined, extract it, else forward to 127.0.0.1:
|
|
case "$to" in
|
|
*:*) to_ip=${to%:*};;
|
|
*) to_ip=127.0.0.1;;
|
|
esac
|
|
# Extract the port to forward to:
|
|
to_port=${to##*:}
|
|
# Create the packet filter (pf) forwarding rule for both TCP and UDP:
|
|
rule=$(
|
|
printf \
|
|
'rdr pass %s inet proto %s from any to any port %s -> %s port %s' \
|
|
"$nic" '{tcp udp}' "$from_port" "$to_ip" "$to_port"
|
|
)
|
|
# Add it to the list of rules:
|
|
RULES="$RULES$rule$NEWLINE"
|
|
shift
|
|
done
|
|
|
|
# Add the rules after the line matching "rdr-anchor" in /etc/pf.conf, print the
|
|
# combined rules to STDOUT and load the rules into pf from STDIN.
|
|
# Finally, display the loaded NAT rules or print the script usage on failure:
|
|
# shellcheck disable=SC2015
|
|
printf %s "$RULES" | sed -e '/rdr-anchor/r /dev/stdin' /etc/pf.conf |
|
|
sudo pfctl -Ef - 2>/dev/null && print_nat_rules || print_usage_exit
|