wstunnel/restrictions.yaml
Jasper Siepkes c09c349610
Add option to map (force) port use on the server for reverse tunnels. (#274)
This change adds a `port_mapping` option to the `ReverseTunnel` definition in the (YAML) restriction file.

It maps ports on the server side from X to Y (X:Y). Where X is the originally requested port by the client and Y is the port which will be used to listen on server-side.

For example with `10001:8080` configured and a client which connects using `-R tcp://10001:localhost:80` the server will listen on port 8080 instead of 10001. The originally requested ports (NOT the mapped ports) still needs to be allowed via the `ports` directive.

This is for example useful when dealing with lots of clients and you don't want to coordinate port use on all the clients but centrally on the server.
2024-05-22 16:13:58 +02:00

115 lines
3.5 KiB
YAML

# Restrictions are whitelist rules for the tunnels
# By default, all requests are denied and only if a restriction match, the request is allowed
restrictions:
- name: "Allow all"
description: "This restriction allows all requests"
# This restriction apply only and only if all matchers match/are evaluated to true
# It is a logical AND
match:
# This match apply only if it succeeds to match the path prefix with the given regex
# The regex does a match, so if you want to match exactly you need to bound the pattern with ^ $
# I.e: "tesotron" is going to match "XXXtesotronXXX", but "^tesotron$" is going to match only "tesotron"
- !PathPrefix "^.*$"
# The only other possible match type for now is !Any, that match everything/any request
# - !Any
# This is the list of tunnels your restriction is going to allow
# The list is checked in order, the first match is going to allow the request
allow:
# !Tunnel allows forward tunnels
- !Tunnel
# Protocol that are allowed. Empty list means all protocols are allowed
# Logical OR
protocol:
- Tcp
- Udp
# Port that are allowed. Can be a single port or an inclusive range (i.e. 80..90)
# Logical OR
port:
- 80
- 443
- 8080..8089
# if the tunnel wants to connect to a specific host, this regex must match
host: ^.*$
# if the tunnel wants to connect to a specific IP, it must be included in one of the network cidr
# Logical OR
cidr:
- 0.0.0.0/0
- ::/0
# !ReverseTunnel allows reverse tunnels
# Not specifying anything means all reverse tunnels are allowed
- !ReverseTunnel
protocol:
- Tcp
- Udp
- Socks5
- Unix
port:
- 1..65535
# Maps ports on the server side from X to Y (X:Y). For example with 10001:8080 configured and a client
# which connects using '-R tcp://10001:localhost:80' the server will listen on port 8080 instead of 10001.
# The originally requested ports (NOT the mapped ports) need to be allowed via the 'ports' directive.
port_mapping:
- 10001:8080
cidr:
- 0.0.0.0/0
- ::/0
---
# Examples
restrictions:
- name: "example 1"
description: "Only allow forward tunnels to port 443 and forbid reverse tunnels"
match:
- !PathPrefix "^.*$"
allow:
- !Tunnel
port:
- 443
---
restrictions:
- name: "example 2"
description: "Only allow forward tunnels to local ssh and forbid reverse tunnels"
match:
- !PathPrefix "^.*$"
allow:
- !Tunnel
protocol:
- Tcp
port:
- 22
host: ^localhost$
cidr:
- 127.0.0.1/32
---
restrictions:
- name: "example 3"
description: "Only allow socks5 reverse tunnels listening on port between 1080..1443 on lan network"
match:
- !PathPrefix "^.*$"
allow:
- !ReverseTunnel
protocol:
- Socks5
port:
- 1080..1443
cidr:
- 192.168.0.0/16
---
restrictions:
- name: "example 4"
description: "Allow everything for client using path prefix my-super-secret-path"
match:
- !PathPrefix "^my-super-secret-path$"
allow:
- !Tunnel
- !ReverseTunnel
---
restrictions:
- name: "example 5"
description: "Forbid everything ..."
match:
- !Any
allow: []