From 0560d125b105fdfd88722adc50f0cf6f75a85af6 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 3 Jun 2020 15:11:46 +0200
Subject: [PATCH] Update firewall - Add support for posrtforwarding using socat.

---
 roles/firewall/tasks/main.yml | 130 +++++++++++++++++++++++++++++++++-
 1 file changed, 129 insertions(+), 1 deletion(-)

diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 2259338..5ebbe55 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -940,7 +940,7 @@
 - name: Check if String 'mumble_ports=..' is present
   shell: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
   register: mumble_ports_ipv6_present
-  when: main_ipv4_exists.stat.exists
+  when: main_ipv6_exists.stat.exists
   failed_when: "mumble_ports_ipv6_present.rc > 1"
   changed_when: "mumble_ports_ipv6_present.rc > 0"
@@ -962,6 +962,134 @@
   notify:
     - Restart IPv6 Firewall
 
+
+# ---
+# Portforwarding
+# ---
+
+- name: Check if String 'portforward_tcp=..' (IPv4) is present
+  shell: grep -q -E "^portforward_tcp=" /etc/ipt-firewall/main_ipv4.conf
+  register: portforward_tcp_ipv4_present
+  when: main_ipv4_exists.stat.exists
+  failed_when: "portforward_tcp_ipv4_present.rc > 1"
+  changed_when: "portforward_tcp_ipv4_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (portforward_tcp)
+  blockinfile:
+    path: /etc/ipt-firewall/main_ipv4.conf
+    insertafter: '^#?\s*forward_udp_out_ports'
+    block: |
+
+      # =============
+      # --- Portforwarding
+      # =============
+
+      # - Portforwarding TCP
+      # -
+      # - portforward_tcp="::::"
+      # -
+      # - Multiple declarations (blank separated list) are possible
+      # -
+      # - Example:
+      # - portforward_tcp="${ext_if_1}:83.223.86.95:9997:192.168.52.25:22
+      # - ${ext_if_1}:${ext_1_ip}:80:83.223.86.98:80
+      # - ${ext_if_1}:${ext_1_ip}:443:83.223.86.98:443
+      # - "
+      # -
+      # - Note!
+      # - be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES.
+      # -
+      # - Blank separated list
+      # -
+      portforward_tcp=""
+
+
+      # - Portforwarding UDP
+      # -
+      # - portforward_udp="::::"
+      # -
+      # - Multiple declarations (blank separated list) are possible
+      # -
+      # - Example:
+      # - portforward_udp="
+      # - ${ext_if_1}:${ext_1_ip}:1194:192.168.52.25:1194
+      # - ${ext_if_1}:${ext_1_ip}:1195:192.168.53.24:1195
+      # - "
+      # -
+      # - Blank separated list
+      # -
+      portforward_udp=""
+
+    marker: "# Marker set by modify-ipt-server.yml (portforward_tcp)"
+  when:
+    - main_ipv4_exists.stat.exists
+    - portforward_tcp_ipv4_present is changed
+  notify:
+    - Restart IPv4 Firewall
+
+
+- name: Check if String 'portforward_tcp=..' (IPv6) is present
+  shell: grep -q -E "^portforward_tcp=" /etc/ipt-firewall/main_ipv6.conf
+  register: portforward_tcp_ipv6_present
+  when: main_ipv6_exists.stat.exists
+  failed_when: "portforward_tcp_ipv6_present.rc > 1"
+  changed_when: "portforward_tcp_ipv6_present.rc > 0"
+
+- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
+  blockinfile:
+    path: /etc/ipt-firewall/main_ipv6.conf
+    insertafter: '^#?\s*forward_udp_out_ports'
+    block: |
+
+      # =============
+      # --- Portforwarding
+      # =============
+
+      # - Portforwarding TCP
+      # -
+      # - portforward_tcp=",,,,"
+      # -
+      # - Multiple declarations (blank separated list) are possible
+      # -
+      # - Example:
+      # - portforward_tcp="${ext_if_1},${ext_1_ip},9997,2a01:30:0:13:5054:ff:fe83:dbda,c22
+      # - ${ext_if_1},${ext_1_ip},80,2a01:30:0:13:211:84ff:feb7:7f9c,80
+      # - ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,80,2a01:30:0:13:211:84ff:feb7:7f9c,80
+      # - ${ext_if_1},2a01:30:0:13:2d1:2bff:fec1:aed0,443,2a01:30:0:13:211:84ff:feb7:7f9c,443
+      # - "
+      # -
+      # - Note!
+      # - be careful if you use a variable (e.g. ext_1_ip) that it contains NO SPACES.
+      # -
+      # - Blank separated list
+      # -
+      portforward_tcp=""
+
+
+      # - Portforwarding UDP
+      # -
+      # - portforward_udp=",,,,"
+      # -
+      # - Multiple declarations (blank separated list) are possible
+      # -
+      # - Example:
+      # - portforward_udp="
+      # - ${ext_if_1},${ext_1_ip},1094,,1094
+      # - ${ext_if_1},${ext_1_ip},1095,,1095
+      # - "
+      # -
+      # - Blank separated list
+      # -
+      portforward_udp=""
+
+    marker: "# Marker set by modify-ipt-server.yml (portforward_tcp)"
+  when:
+    - main_ipv6_exists.stat.exists
+    - portforward_tcp_ipv6_present is changed
+  notify:
+    - Restart IPv6 Firewall
+
+
 # ---
 # Remove Marker set by blockinfile
 # ---
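Review bot: The second `blockinfile` task in this hunk is still named `Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)` although it writes the portforward block; rename it to `- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (portforward_tcp)` so task output matches the marker text and the IPv4 twin. In the IPv6 TCP example the last field of the first entry reads `c22`, which looks like a typo for port `22` and would be copied verbatim by anyone following the comment. The example addresses (`83.223.86.95`, `83.223.86.98`, the `2a01:30:0:13:...` hosts) appear to be real rather than documentation addresses, and this block lands in the config of every managed host, so prefer RFC 5737/RFC 3849 ranges such as `192.0.2.10` and `2001:db8::10` in examples. Both `marker:` values omit `{mark}`, so the begin and end marker lines are identical; the grep guard keeps each task from re-running, but including `{mark}` makes the block safe to re-apply. Nothing in this hunk adds the socat handling named in the subject line, so presumably that lives in the firewall script itself rather than in this role.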