ljwobker
just joined
Topic Author
Posts: 6
Joined: Fri Jul 30, 2021 9:33 pm

python script for building firewall pinholes and hairpin rules ("port forwarding")

Mon Mar 20, 2023 11:06 pm

I spent part of the weekend figuring out how to get pinhole firewall NAT ("port mapping") rules built, and I had a bunch of existing rules from another system that I didn't want to manually convert. So I put together this little python script to generate the rules which can then be pasted in via the terminal. Hopefully it's useful to someone else along the way.

The only configuration is whether you want the interior "hairpin" NAT rules built or not.
Comments welcome...

https://gist.github.com/ljwobker/7104a9 ... b2fb581cb2
 
rextended
Forum Guru
Posts: 12313
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: python script for building firewall pinholes and hairpin rules ("port forwarding")

Tue Mar 21, 2023 1:00 am

missing / in front of "ip"

Why not use a RouterOS script directly instead of installing python just to repeat 2 lines???
# "pinhole name/comment"= "outside_port", "protocol", "inside_host", "inside_port"
{ :local rules { "Joe web server"=     "80",   "tcp", "192.168.1.35", "80" \
               ; "trusted inside SSH"= "1999", "tcp", "192.168.1.40", "22" }
:local "inside_subnet"  "192.168.15.0/24"
:local "build_hairpins" true ; # set this if you want the inside hairpin rules built as well
:put "\1Bc\r\n/ip firewall nat"
foreach comment,map in=$rules do={
    :put "add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=$($map->0) protocol=$($map->1) \
              to-addresses=$($map->2) to-ports=$($map->3) comment=\"$comment\""
    :if ($"build_hairpins") do={
        :put "add action=dst-nat chain=dstnat dst-address-list=WAN dst-port=$($map->0) protocol=$($map->1) \
                  to-addresses=$($map->2) to-ports=$($map->3) src-address=$"inside_subnet" comment=\"$comment hairpin\""}}}
Ignoring comments and whitespace, it is also fewer lines of code ;)
I prefer to put each hairpin under the related rule, instead of separating the rules and the hairpins.
I also prefer to put "/ip firewall nat" only once instead of repeating it continuously.
But the behaviour of your python script can be exactly copied.

The same behaviour as yours, except for the added fix for "ip":
# "pinhole name/comment"= "outside_port", "protocol", "inside_host", "inside_port"
{ :local rules { "Joe web server"=     "80",   "tcp", "192.168.1.35", "80" \
               ; "trusted inside SSH"= "1999", "tcp", "192.168.1.40", "22" }
:local "inside_subnet"  "192.168.15.0/24"
:local "build_hairpins" true ; # set this if you want the inside hairpin rules built as well
foreach comment,map in=$rules do={
    :put "/ip firewall nat add comment=\"$comment\" action=dst-nat chain=dstnat protocol=$($map->1) \
                               dst-port=$($map->0) in-interface-list=WAN to-addresses=$($map->2) to-ports=$($map->3)"}
:if ($"build_hairpins") do={foreach comment,map in=$rules do={
        :put "/ip firewall nat add action=dst-nat chain=dstnat dst-address-list=WAN protocol=$($map->1) dst-port=$($map->0) \
                                   src-address=$"inside_subnet" to-addresses=$($map->2) to-ports=$($map->3) comment=\"$comment hairpin\""}}}
 
Amm0
Forum Guru
Posts: 3840
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: python script for building firewall pinholes and hairpin rules ("port forwarding")

Tue Mar 21, 2023 2:15 am

Adding firewall rules for pinholes/NAT seems like one-time cut-and-paste thing, so not sure what Python adds here. And now you have an external script that isn't safe to run more than once - so you can't just add to that list at the top and have it work...

You can use SSH from python to just run the same code @rextended provides. For this particular small task I'd think that would be cleaner.

Just my two cents however.
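A Python version of what the thread describes, for the two posts above: the table-to-rules generator the topic author's gist does (the gist itself is not reproduced on this page), plus the point Amm0 raises that a plain list of "add" commands is not safe to run twice. This is an added example, not the OP's gist and not rextended's script. Like rextended's script it assumes an interface list and an address list both named WAN already exist on the router. The closing srcnat masquerade rule appears in neither script on this page; it is included because RouterOS hairpin NAT does not work without it. The sample table is constructed.

```python
"""Generate MikroTik RouterOS dst-nat "pinhole" rules (plus optional hairpin
rules) from a table, and make the output safe to paste more than once.

Added example, not the OP's script and not MikroTik code. Assumed: an
interface list and an address list both named "WAN" already exist on the
router (the same assumption rextended's script makes)."""
import ipaddress
import re
from dataclasses import dataclass

TAG = "pinhole"            # every generated rule's comment starts with "pinhole: "
PROTOCOLS = {"tcp", "udp"}
# comments are interpolated into a double-quoted RouterOS string; allow only
# characters that need no escaping, so a row imported from another system
# cannot splice extra commands into the generated script
_SAFE_COMMENT = re.compile(r"^[A-Za-z0-9 ._-]+$")


@dataclass(frozen=True)
class Pinhole:
    comment: str       # rule name, shown in the NAT table
    outside_port: int  # port exposed on the WAN address
    protocol: str      # "tcp" or "udp"
    inside_host: str   # server on the LAN
    inside_port: int   # port the server listens on


# constructed sample table, same shape as the thread's example
PINHOLES = [
    Pinhole("Joe web server", 80, "tcp", "192.168.15.35", 80),
    Pinhole("trusted inside SSH", 1999, "tcp", "192.168.15.40", 22),
]


def problems(pinholes, inside_subnet):
    """Return the reasons a table cannot be rendered safely (empty list = OK)."""
    net = ipaddress.ip_network(inside_subnet)
    errs, seen = [], {}
    for p in pinholes:
        if not _SAFE_COMMENT.match(p.comment):
            errs.append(f"unsafe comment {p.comment!r}")
        if p.protocol not in PROTOCOLS:
            errs.append(f"{p.comment}: unsupported protocol {p.protocol!r}")
        for port in (p.outside_port, p.inside_port):
            if not 1 <= port <= 65535:
                errs.append(f"{p.comment}: port {port} out of range")
        try:
            if ipaddress.ip_address(p.inside_host) not in net:
                errs.append(f"{p.comment}: {p.inside_host} is not in {net}")
        except ValueError:
            errs.append(f"{p.comment}: bad inside_host {p.inside_host!r}")
        # two rows on the same outside port: only the first rule would ever match
        key = (p.protocol, p.outside_port)
        if key in seen:
            errs.append(f"{p.comment}: {p.protocol}/{p.outside_port} already used by {seen[key]}")
        seen.setdefault(key, p.comment)
    return errs


def render(pinholes, inside_subnet, build_hairpins=True):
    """Return the RouterOS commands, one per line, ready to paste into a terminal."""
    errs = problems(pinholes, inside_subnet)
    if errs:
        raise ValueError("; ".join(errs))
    net = str(ipaddress.ip_network(inside_subnet))
    # first drop whatever a previous run added, so the script is safe to re-run
    out = [f'/ip firewall nat remove [find comment~"^{TAG}: "]']
    for p in pinholes:
        common = (f"action=dst-nat chain=dstnat protocol={p.protocol} "
                  f"dst-port={p.outside_port} to-addresses={p.inside_host} "
                  f"to-ports={p.inside_port}")
        # pinhole: traffic arriving on the WAN interface
        out.append(f'/ip firewall nat add {common} in-interface-list=WAN '
                   f'comment="{TAG}: {p.comment}"')
        if build_hairpins:
            # hairpin: LAN clients that reach the server via the public address
            out.append(f'/ip firewall nat add {common} dst-address-list=WAN '
                       f'src-address={net} comment="{TAG}: {p.comment} hairpin"')
    if build_hairpins:
        # hairpinned replies must come back through the router, so LAN-to-LAN
        # traffic toward the forwarded hosts is masqueraded (assumed here; this
        # rule is not in either script posted in the thread)
        out.append(f"/ip firewall nat add action=masquerade chain=srcnat "
                   f"src-address={net} dst-address={net} "
                   f'comment="{TAG}: hairpin masquerade"')
    return out


if __name__ == "__main__":
    print("\n".join(render(PINHOLES, "192.168.15.0/24")))
```

Two things worth knowing before pasting the output. "add" appends to the end of the dstnat chain, so if an earlier rule already matches the same traffic the new ones never fire; check with /ip firewall nat print where they landed. And the comment whitelist is deliberate: the rows come from another system and are spliced straight into a quoted RouterOS string, so a stray double quote in a name would otherwise end the string and turn the rest of the line into commands.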
 
ljwobker
just joined
Topic Author
Posts: 6
Joined: Fri Jul 30, 2021 9:33 pm

Re: python script for building firewall pinholes and hairpin rules ("port forwarding")

Tue Mar 21, 2023 10:09 pm

Why python? -- Because I already know it! I didn't even know there WAS a RouterOS scripting language, but that's a very useful tip.
Apologies for the typo.
And while *I* don't expect to use this regularly, maybe it helps someone else.
Certainly just one of many ways to solve this particular task.
