SOCKS Proxy Allowed Client IP Range


Post by astingen » Mar 17 21 3:49 am

Hello,

I'm trying to set up a SOCKS proxy on WinGate, and I'd like to restrict the clients allowed to certain IP ranges, ideally expressed in CIDR notation.

Looking around, I don't see an easy way to do this - am I missing something?

My current approach:
I'm trying to set up a policy that uses a JavaScript script to compare the IP address of the client to a global data list, which would contain the list of address ranges in CIDR notation (192.168.1.0/24). I've got a script that should work (and works when testing outside WinGate), but when it tries to run I get "Error parsing script". This is just using a list hard-coded into the script, before I tried to get a global data list working (it wasn't clear if that would work the way I was expecting).

Here's my script:
```javascript
//return true or false depending on whether you wish the
//'Yes' or 'No' path to be taken
function filter(User, Binding, Session, Event)
{
   function IsIpInCidr(ip, cidr)
   {
      var cidrIp = cidr.split('/')[0];
      var cidrSm = cidr.split('/')[1];

      return (IPnumber(ip) & IPmask(cidrSm)) == (IPnumber(cidrIp) & IPmask(cidrSm));
   }

   function IPnumber(IPaddress) {
      var ip = IPaddress.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);

      if(ip) {
         return (+ip[1]<<24) + (+ip[2]<<16) + (+ip[3]<<8) + (+ip[4]);
      }

      return null;
   }

   function IPmask(maskSize) {
      return -1<<(32-maskSize);
   }

   var i;
   var list = ["192.168.1.0/24", "192.168.2.0/24"]

   for (i in list) {
      if (IsIpInCidr(Session.ClientIP, list[i])) {
         return true
      }
   }

   return false;
}
```


Anyone have any insights? A better way to do this, or a way to make my script work?

Thanks,
Drew
astingen
 
Posts: 2
Joined: Mar 16 21 8:48 am

Re: SOCKS Proxy Allowed Client IP Range

Post by adrien » Mar 17 21 5:54 pm

Hi Drew

The jscript module in WinGate is not exactly standard, and there are a few functions that are non-standard. I spent a bit of time on your function and got it working. Couple of things.

1. You can't define a function inside a function
2. arrays are 0-based (first item is index 0)
3. Looks like you can't initialise an array with a set of entries, or I couldn't figure out how

```javascript
// converts string form of IP address in dotted notation to an integer.
function IPnumber(IPaddress)
{
   var str = String(IPaddress);
   var ip = Strings.Tokenize(str, ".");
   var ipnum = Number(ip[0]);
   ipnum *= 256;
   ipnum += Number(ip[1]);
   ipnum *= 256;
   ipnum += Number(ip[2]);
   ipnum *= 256;
   ipnum += Number(ip[3]);
   return ipnum;
}

// returns masked value of IP using mask size.  IP in string form.
function IPMasked(ipStr, maskSize)
{
   var bitsToClear = (32-maskSize);
   var ipMasked = IPnumber(ipStr);
   ipMasked = ipMasked >> bitsToClear;
   ipMasked = ipMasked << bitsToClear;
   return ipMasked;
}

// returns true if ip is in network defined by cidr
function IsIpInCidr(ip, cidr)
{
   var tokens = Strings.Tokenize(cidr, "/");
   return(IPMasked(ip, tokens[1]) == IPMasked(tokens[0], tokens[1]));
}

//return true or false depending on whether you wish the
//'Yes' or 'No' path to be taken
function filter(User, Binding, Session, Event)
{
   var i = 0;
   var list;

   // assign values to list
   list[0]="192.168.3.0/24";
   list[1]="192.168.2.0/24";
   list[2]="192.168.4.0/24";
   list[3]="0.0.0.0/0";

   // convert ClientIp to a string for the functions
   var ip = String(Session.ClientIp);

   // loop over list of CIDR network descriptors
   for (i = 0 ; i < lengthOf(list); i++)
   {
      if(IsIpInCidr(ip, list[i]))
      {
         return true
      }
   }
   return false;
}
```
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
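
As an added example (not code from either poster, and written in standard JavaScript for Node.js rather than WinGate's script dialect), this is one way to do the CIDR allow-list check discussed above so that it fails closed: malformed addresses, octets above 255 and prefixes above 32 never match, and plain arithmetic replaces 32-bit shifts so that /0 and addresses above 127.255.255.255 compare correctly. The function names are hypothetical; the two ranges are the ones from the first post.

```javascript
// Standard JavaScript (Node.js). Function names are hypothetical and the
// sample client address at the bottom is constructed for illustration.

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(text));
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;   // e.g. 192.168.1.999 is not an address
    n = n * 256 + octet;            // arithmetic: no signed 32-bit overflow
  }
  return n;
}

// "a.b.c.d/len" -> { base, size } of the address block, or null if malformed.
function parseCidr(text) {
  const parts = String(text).split("/");
  if (parts.length !== 2 || !/^\d{1,2}$/.test(parts[1])) return null;
  const prefix = Number(parts[1]);
  const addr = parseIPv4(parts[0]);
  if (addr === null || prefix > 32) return null;
  const size = Math.pow(2, 32 - prefix);        // number of addresses in block
  return { base: addr - (addr % size), size };  // host bits cleared
}

// True only when both inputs parse and the address lies inside the block.
function isIpInCidr(ip, cidr) {
  const addr = parseIPv4(ip);
  const net = parseCidr(cidr);
  if (addr === null || net === null) return false; // fail closed
  return addr >= net.base && addr < net.base + net.size;
}

// True when the client matches at least one allow-list entry.
function isClientAllowed(clientIp, allowList) {
  return allowList.some(function (cidr) { return isIpInCidr(clientIp, cidr); });
}

const ALLOWED = ["192.168.1.0/24", "192.168.2.0/24"]; // ranges from the first post

console.log(isClientAllowed("192.168.2.77", ALLOWED));
```

An allow-list entry of 0.0.0.0/0 matches every IPv4 client, so a list meant to restrict access should not contain it.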

Re: SOCKS Proxy Allowed Client IP Range

Post by astingen » Mar 17 21 6:26 pm

Ah, thanks Adrien!

So, my next question - instead of using my array in code, could I replace it with a `Data.GetList("My CidrList")`? It says that returns type "DataList", but doesn't provide much more on the structure there.
astingen
 
Posts: 2
Joined: Mar 16 21 8:48 am

Re: SOCKS Proxy Allowed Client IP Range

Post by adrien » Mar 17 21 9:23 pm

Hi

Yeah, there's no way in code there to iterate the members of the list, and they can be nested lists or files as well.

What's your main goal with all of this, are you trying to build a system that automatically builds a list of allowed or blocked CIDR subnets?

If you use Lua instead of Jscript you can do file access. The Data lists also have a function to dump to file, so there could be a way you could access list content there - via the file system.

Might be a new feature requirement, we've played with the idea of having more specialised lists, that know what kind of data they contain (e.g. domain names, IP addresses, CIDR routes etc) and can be queried specially for that.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

