6178953b | 1 | #!/usr/bin/perl -w |
2a81ab0d AM |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5bee9a9d | 5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # |
2a81ab0d AM |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
2a81ab0d | 21 | |
use strict;

# Project helpers: General::readhash/readhasharray/get_aliases and the
# fwlib::* address/service lookups used below come from these files.
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "/usr/lib/firewall/firewall-lib.pl";

# Set to one to enable debugging mode.
# When set, run() prints every iptables command instead of executing it
# and buildrules() dumps each rule it processes.
my $DEBUG = 0;

# All commands are built as "$IPTABLES <args>" strings and handed to the
# shell by run(); --wait makes iptables block on the xtables lock instead
# of failing while another process holds it.
my $IPTABLES = "iptables --wait";

# iptables chains
my $CHAIN_INPUT = "INPUTFW";
my $CHAIN_FORWARD = "FORWARDFW";
my $CHAIN_OUTPUT = "OUTGOINGFW";
# NOTE(review): $CHAIN is not referenced anywhere else in this file.
my $CHAIN = $CHAIN_FORWARD;
my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
# Same chain name as $CHAIN_NAT_DESTINATION, but this one lives in the
# mangle table (see flush() and add_dnat_mangle_rules()).
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
# Chain names a rule (field 1) may name; anything else is rejected by buildrules().
my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
# Spellings of "any address"; such a source/destination is dropped from the
# command line so no -s/-d match is generated.
my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");

# Protocol names accepted in rules (compared lowercase).
my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");

# Targets a rule (field 0) may name; used verbatim as "-j $target".
my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");

# Parsed configuration. The rule hashes map a numeric key to an array of
# fields that buildrules() and friends address by position.
my %fwdfwsettings=();
my %defaultNetworks=();
my %configfwdfw=();;
my %customgrp=();
my %configinputfw=();
my %configoutgoingfw=();
# NOTE(review): %confignatfw is neither filled nor read in this file.
my %confignatfw=();
my %aliases=();
# Raw lines of $p2pfile, filled by p2pblock().
my @p2ps=();

my $configfwdfw = "${General::swroot}/firewall/config";
my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile = "${General::swroot}/firewall/p2protocols";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";

# Read everything up front; the rule builders below only look at these hashes.
&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);

# "-m limit ..." arguments appended to every LOG rule.
my @log_limit_options = &make_log_limit_options();

# MAIN
# The subs are defined further down; the &-call is resolved at run time,
# after the whole file has been compiled, so this works.
&main();
78 | ||
sub main {
	# Rebuilds the whole rule set. The steps depend on their order: the
	# chains are emptied first, refilled from the configuration files, the
	# peer-to-peer block rule is appended, and the policy script runs last.

	# Flush all chains.
	&flush();

	# Reload firewall rules.
	&preparerules();

	# Load P2P block rules.
	&p2pblock();

	# Reload firewall policy.
	run("/usr/sbin/firewall-policy");
}
97ab0569 | 92 | |
68d1eb10 MT |
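sub run {
	# Executes the given shell command, or only prints it when $DEBUG is set.
	#
	# The command is a single string that is handed to the shell, so the
	# caller is responsible for quoting (the LOG prefixes, for example, are
	# single-quoted by the callers). Failures are reported on STDERR but do
	# not abort the script, so one rejected rule does not prevent the
	# remaining rules from being loaded.
	my $command = shift;

	if ($DEBUG) {
		print "$command\n";
		return;
	}

	system($command);

	# $? is -1 when the command could not be started at all (the reason is
	# then in $!); otherwise it is the wait status: exit code in the high
	# byte, terminating signal in the low seven bits. Reporting these makes
	# a failed command diagnosable from the log instead of just "ERROR".
	if ($?) {
		my $reason;
		if ($? == -1) {
			$reason = "could not execute: $!";
		} elsif ($? & 127) {
			$reason = "killed by signal " . ($? & 127);
		} else {
			$reason = "exit code " . ($? >> 8);
		}
		print_error("ERROR: $command ($reason)");
	}
}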
107 | ||
6178953b MT |
sub print_error {
	# Writes one diagnostic line to STDERR. Used by run() and by the rule
	# validation in buildrules()/get_protocols() so that a broken rule is
	# reported without stopping the script.
	my $message = shift;

	print STDERR $message, "\n";
}
113 | ||
8f4f4634 MT |
sub print_rule {
	# Debug helper: dumps one rule (an array ref of fields) on a single line,
	# each field prefixed with its index so the positional fields used by
	# buildrules() can be checked by eye.
	my $fields = shift;

	my @parts = ();
	my $index = 0;
	foreach my $field (@$fields) {
		push(@parts, sprintf(" %2d: %s", $index, $field));
		$index++;
	}

	print "\nRULE:", @parts, "\n";
}
125 | ||
sub flush {
	# Empties every chain this script fills, so the rule set is rebuilt from
	# scratch. Each entry is the argument tail handed to iptables (table
	# selection, if any, plus "-F chain"), in the order the chains are flushed.
	my @flush_args = (
		"-F $CHAIN_INPUT",
		"-F $CHAIN_FORWARD",
		"-F $CHAIN_OUTPUT",
		"-t nat -F $CHAIN_NAT_SOURCE",
		"-t nat -F $CHAIN_NAT_DESTINATION",
		"-t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX",
	);

	foreach my $args (@flush_args) {
		run("$IPTABLES $args");
	}
}
97ab0569 MT |
134 | |
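sub preparerules {
	# Builds the rules of every configuration file that is not empty.
	#
	# The file paths are taken from the same scalars that were used to read
	# the files at the top of the script, instead of spelling the paths out a
	# second time, so the check and the data cannot drift apart.
	my @rule_sets = (
		[$configfwdfw, \%configfwdfw],
		[$configinput, \%configinputfw],
		[$configoutgoing, \%configoutgoingfw],
	);

	foreach my $set (@rule_sets) {
		my ($file, $rules) = @$set;

		# -z is true only for an existing, zero-length file; a missing file
		# yields undef here and the (empty) hash is still passed on, exactly
		# as before.
		next if (-z $file);

		&buildrules($rules);
	}
}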
97ab0569 MT |
146 | |
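sub buildrules {
	# Translates every enabled rule of the given configuration hash into
	# iptables commands (filter rules, plus NAT and mangle rules when the
	# rule has NAT enabled). Each value of %$hash is an array of rule fields
	# addressed by position; the indices used here are noted inline.
	#
	# Two fixes over the previous version of this sub:
	#  - The target/chain/protocol validity checks were written as
	#    "!$x ~~ @list". "!" binds tighter than "~~", so they tested whether
	#    "" or 1 was in the list and never rejected anything; an unknown
	#    target or chain went straight into the iptables command line. The
	#    checks now use grep, which also avoids the experimental smartmatch.
	#  - foreach aliases its variable to the array element, so assigning ""
	#    to $source/$destination rewrote @sources/@destinations; on the next
	#    protocol pass such an "any" entry was then skipped as empty. The
	#    loops now work on copies.
	my $hash = shift;

	foreach my $key (sort {$a <=> $b} keys %$hash) {
		# Skip disabled rules (field 2).
		next unless ($$hash{$key}[2] eq 'ON');

		if ($DEBUG) {
			print_rule($$hash{$key});
		}

		# Check if the target (field 0) is valid.
		my $target = $$hash{$key}[0] // "";
		unless (grep { $_ eq $target } @VALID_TARGETS) {
			print_error("Invalid target '$target' for rule $key");
			next;
		}

		# Check if the chain (field 1) is valid.
		my $chain = $$hash{$key}[1] // "";
		unless (grep { $_ eq $chain } @VALID_CHAINS) {
			print_error("Invalid chain '$chain' in rule $key");
			next;
		}

		# Collect all sources.
		my @sources = &fwlib::get_addresses($hash, $key, "src");

		# Collect all destinations.
		my @destinations = &fwlib::get_addresses($hash, $key, "tgt");

		# True if the destination is the firewall itself (field 5).
		my $destination_is_firewall = ($$hash{$key}[5] eq "ipfire");

		# Check if logging should be enabled (field 17).
		my $LOG = ($$hash{$key}[17] eq 'ON');

		# Check if NAT is enabled (field 28) and which mode (field 31) is used.
		my $NAT = ($$hash{$key}[28] eq 'ON');
		my $NAT_MODE;
		if ($NAT) {
			$NAT_MODE = uc($$hash{$key}[31]);
		}

		# Set up time constraints.
		my @time_options = &_make_time_options($$hash{$key});

		# Check which protocols are used in this rule and so that we can
		# later group rules by protocols.
		my @protocols = &get_protocols($hash, $key);
		if (!@protocols) {
			print_error("Invalid protocol configuration for rule $key");
			next;
		}

		foreach my $protocol (@protocols) {
			# Check if the given protocol is supported.
			if (($protocol ne "all") && !(grep { $_ eq $protocol } @PROTOCOLS)) {
				print_error("Protocol $protocol is not supported (rule $key)");
				next;
			}

			# Prepare protocol options (like ICMP types, ports, etc...).
			my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);

			# Check if this protocol knows ports.
			my $protocol_has_ports = (grep { $_ eq $protocol } @PROTOCOLS_WITH_PORTS) ? 1 : 0;

			foreach my $src (@sources) {
				foreach my $dst (@destinations) {
					# Skip invalid rules.
					next if (!$src || !$dst || ($dst eq "none"));

					# Work on copies so the sanitizing below does not write
					# back into @sources/@destinations (see the header comment).
					my $source = $src;
					my $destination = $dst;

					# Sanitize source.
					if (grep { $_ eq $source } @ANY_ADDRESSES) {
						$source = "";
					}

					# Sanitize destination.
					if (grep { $_ eq $destination } @ANY_ADDRESSES) {
						$destination = "";
					}

					# Array with iptables arguments.
					my @options = ();

					# Append protocol.
					if ($protocol ne "all") {
						push(@options, @protocol_options);
					}

					# Prepare source options. A MAC source already carries
					# its complete match expression.
					my @source_options = ();
					if ($source =~ /mac/) {
						push(@source_options, $source);
					} elsif ($source) {
						push(@source_options, ("-s", $source));
					}

					# Prepare destination options.
					my @destination_options = ();
					if ($destination) {
						push(@destination_options, ("-d", $destination));
					}

					# Add time constraint options.
					push(@options, @time_options);

					my $firewall_is_in_source_subnet = 0;
					if ($source) {
						$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
					}

					# Process NAT rules.
					if ($NAT) {
						my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);

						# Skip NAT rules if the NAT address is unknown
						# (i.e. no internet connection has been established, yet).
						next unless ($nat_address);

						# Destination NAT
						if ($NAT_MODE eq "DNAT") {
							# Make port-forwardings useable from the internal networks.
							my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
							unless (grep { $_ eq $nat_address } @internal_addresses) {
								&add_dnat_mangle_rules($nat_address, @options);
							}

							my @nat_options = ();
							if ($protocol ne "all") {
								my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
								push(@nat_options, @nat_protocol_options);
							}
							push(@nat_options, @source_options);
							push(@nat_options, ("-d", $nat_address));

							# Target port of the forwarding, only meaningful for
							# protocols with ports; undef when it is unchanged.
							my $dnat_port;
							if ($protocol_has_ports) {
								$dnat_port = &get_dnat_target_port($hash, $key);
							}

							my @nat_action_options = ();

							# Use iptables REDIRECT
							my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports && $dnat_port);
							if ($use_redirect) {
								push(@nat_action_options, ("-j", "REDIRECT", "--to-ports", $dnat_port));

							# Use iptables DNAT
							} else {
								if ($destination_is_firewall && !$destination) {
									$destination = &fwlib::get_external_address();
								}
								next unless ($destination);

								# The filter rule below must match the rewritten
								# address, so @destination_options is replaced here.
								my ($dnat_address) = split("/", $destination);
								@destination_options = ("-d", $dnat_address);

								# $dnat_port was already looked up above for this rule.
								if ($protocol_has_ports && $dnat_port) {
									$dnat_address .= ":$dnat_port";
								}

								push(@nat_action_options, ("-j", "DNAT", "--to-destination", $dnat_address));
							}

							if ($LOG) {
								run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
							}
							run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @nat_action_options");

						# Source NAT
						} elsif ($NAT_MODE eq "SNAT") {
							my @nat_options = @options;

							push(@nat_options, @source_options);
							push(@nat_options, @destination_options);

							if ($LOG) {
								run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
							}
							run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
						}
					}

					push(@options, @source_options);

					# In MODE1 a forward rule whose source network contains
					# the firewall itself is mirrored into the input chain.
					if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
						if ($LOG && !$NAT) {
							run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
						}
						run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
					}

					push(@options, @destination_options);

					# Insert firewall rule.
					if ($LOG && !$NAT) {
						run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
					}
					run("$IPTABLES -A $chain @options -j $target");
				}
			}
		}
	}
}

# Builds the "-m time" options of one rule (array ref of fields), or returns
# the empty list when the rule has no time constraint (field 18). Fields
# 19..25 are the Mon..Sun flags (any non-empty value selects the day),
# fields 26/27 the start and stop times, which format_time() converts.
sub _make_time_options {
	my $rule = shift;

	return () unless ($$rule[18] eq 'ON');

	my @time_options = ("-m", "time");

	# Select all days of the week this match is active.
	my @weekday_names = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun");
	my @weekdays = ();
	foreach my $i (0 .. $#weekday_names) {
		if ($$rule[19 + $i] ne '') {
			push(@weekdays, $weekday_names[$i]);
		}
	}
	if (@weekdays) {
		push(@time_options, ("--weekdays", join(",", @weekdays)));
	}

	# Convert start time.
	my $time_start = &format_time($$rule[26]);
	if ($time_start) {
		push(@time_options, ("--timestart", $time_start));
	}

	# Convert end time.
	my $time_stop = &format_time($$rule[27]);
	if ($time_stop) {
		push(@time_options, ("--timestop", $time_stop));
	}

	return @time_options;
}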
97ab0569 | 399 | |
b05ec50a MT |
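# Formats the given timestamp into the iptables format which is "hh:mm" UTC.
sub format_time {
	# Takes a local "hh:mm" string, shifts it into UTC and returns it as
	# zero-padded "hh:mm". NOTE(review): an empty or undefined value is
	# treated as 00:00 local time - confirm the UI never stores an empty
	# time while time constraints are switched on.
	my $val = shift;

	# Convert the given time into minutes.
	my $minutes = &time_convert_to_minutes($val);

	# Move the timestamp into UTC.
	$minutes += &time_utc_offset();

	# Wrap into [0, 1440). Perl's % takes the sign of the right operand, so
	# negative sums wrap correctly too. The previous one-step adjustment only
	# wrapped sums strictly greater than 1440, so a sum of exactly 1440
	# produced "24:00", which the iptables time match does not accept.
	$minutes %= 1440;

	# Format as hh:mm.
	return sprintf("%02d:%02d", $minutes / 60, $minutes % 60);
}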
97ab0569 | 422 | |
b05ec50a MT |
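# Calculates the offset in minutes from the local timezone to UTC.
sub time_utc_offset {
	# Returns (UTC minutes of the day) - (local minutes of the day).
	#
	# Both clocks are derived from one timestamp: reading time() twice could
	# straddle a second and then a minute boundary, making the difference off
	# by one minute. When the two clocks fall on different calendar days the
	# raw difference is off by a whole day (e.g. -1140 instead of +300); the
	# only caller, format_time(), normalizes its sum back into one day, so
	# the value is meaningful modulo 1440.
	my $now = time;
	my @localtime = localtime($now);
	my @gmtime = gmtime($now);

	my $local_minutes = $localtime[2] * 60 + $localtime[1];
	my $utc_minutes = $gmtime[2] * 60 + $gmtime[1];

	return $utc_minutes - $local_minutes;
}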
97ab0569 | 430 | |
b05ec50a MT |
# Takes a timestamp like "14:00" and converts it into minutes since midnight.
sub time_convert_to_minutes {
	my $timestamp = shift;

	my ($hours, $minutes) = split(":", $timestamp);

	return $hours * 60 + $minutes;
}
97ab0569 MT |
437 | |
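sub p2pblock {
	# Appends one rule to the FORWARD chain for the peer-to-peer protocols
	# listed in $p2pfile. Each line is split on ";": field 1 is the ipp2p
	# option name, field 2 the "on"/"off" switch (as far as the parsing here
	# shows). With POLICY MODE1 the entries switched "on" are ACCEPTed,
	# otherwise the entries switched "off" RETURN from the chain. The raw
	# lines are also kept in the file-level @p2ps.
	#
	# Three-argument open with a lexical handle replaces the bareword,
	# two-argument form.
	open(my $fh, "<", $p2pfile) or die "Unable to read $p2pfile";
	@p2ps = <$fh>;
	close($fh);

	# The policy does not change per entry, so decide the target once.
	my $policy_is_mode1 = ($fwdfwsettings{'POLICY'} eq 'MODE1');
	my $DO = $policy_is_mode1 ? "ACCEPT" : "RETURN";
	my $wanted_state = $policy_is_mode1 ? "on" : "off";

	my @p2p_options = ();
	foreach my $p2pentry (sort @p2ps) {
		# Lines still carry their newline; without chomp a final "on"/"off"
		# field would compare as "on\n" and never match.
		chomp(my $line = $p2pentry);
		my @p2pline = split(/\;/, $line);

		next unless (defined $p2pline[2] && $p2pline[2] eq $wanted_state);

		# Each selected protocol becomes one "--<option>" ipp2p argument,
		# which goes straight onto the command line built for run().
		push(@p2p_options, "--$p2pline[1]");
	}

	if (@p2p_options) {
		run("$IPTABLES -A $CHAIN_FORWARD -m ipp2p @p2p_options -j $DO");
	}
}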
97ab0569 | 464 | |
8f4f4634 MT |
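sub get_protocols {
	# Returns the list of lowercase protocol names a rule applies to, or
	# ("all") when the rule does not restrict the protocol. Returns the empty
	# list - which the caller reports as an invalid rule - when ports are
	# configured for a protocol that has none.
	#
	# Fields: 7 = use source ports, 11 = use destination ports/services,
	# 8 = protocol, 10 = source ports, 14 = destination mode, 15 = destination
	# ports or service (group) name.
	#
	# The experimental smartmatch operator is replaced by grep.
	my $hash = shift;
	my $key = shift;

	my $uses_source_ports = ($$hash{$key}[7] eq "ON");
	my $uses_services = ($$hash{$key}[11] eq "ON");

	my @protocols = ();

	if (!$uses_source_ports && !$uses_services) {
		# Rules which don't have source ports or services (like ICMP, ESP, ...).
		push(@protocols, $$hash{$key}[8]);

	} else {
		# Rules which either use ports or services. (The former elsif
		# condition was the exact complement of the if, so this is else.)
		if ($$hash{$key}[14] eq 'cust_srv') {
			# A single custom service carries its own protocol.
			push(@protocols, &fwlib::get_srv_prot($$hash{$key}[15]));

		} elsif ($$hash{$key}[14] eq 'cust_srvgrp') {
			# A service group yields a comma-separated protocol list.
			my $protos = &fwlib::get_srvgrp_prot($$hash{$key}[15]);
			push(@protocols, split(",", $protos));

		} else {
			# Fetch the protocol for this rule.
			my $protocol = lc($$hash{$key}[8]);

			# Fetch source and destination ports for this rule.
			my $source_ports = $$hash{$key}[10];
			my $destination_ports = $$hash{$key}[15];

			# Check if ports are set for protocols which do not support ports.
			if (!(grep { $_ eq $protocol } @PROTOCOLS_WITH_PORTS) && ($source_ports || $destination_ports)) {
				print_error("$protocol does not support ports");
				return ();
			}

			push(@protocols, $protocol);
		}
	}

	# Remove all empty elements.
	@protocols = grep { $_ } @protocols;

	# If no protocol has been defined, we assume "all".
	if (!@protocols) {
		push(@protocols, "all");
	}

	# Make all protocol names lowercase.
	return map { lc } @protocols;
}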
97ab0569 | 519 | |
8f4f4634 MT |
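sub get_protocol_options {
	# Returns the iptables match arguments for one protocol of a rule:
	# "-p <protocol>" followed by the source/destination port or ICMP type
	# matches the rule configures. With $nat_options_wanted set, the
	# destination port of a DNAT rule is taken from the external port
	# (field 30) instead of the internal one, for use in the NAT rule.
	#
	# Fields: 7 = use source ports, 10 = source ports, 11 = use destination
	# ports, 14 = destination mode, 15 = destination ports or service name,
	# 9 = single ICMP type, 28/31 = NAT enabled/mode.
	#
	# Fix: get_protocols() lowercases every protocol name, but the custom
	# service branch compared against "ICMP" and could therefore never take
	# the --icmp-type path. Protocol comparisons are now case-insensitive.
	my $hash = shift;
	my $key = shift;
	my $protocol = shift;
	my $nat_options_wanted = shift;
	my @options = ();

	# Nothing to do if no protocol is specified.
	return @options if ($protocol eq "all");

	push(@options, ("-p", $protocol));

	# Process source ports.
	my $use_src_ports = ($$hash{$key}[7] eq "ON");
	my $src_ports = $$hash{$key}[10];

	if ($use_src_ports && $src_ports) {
		push(@options, &format_ports($src_ports, "src"));
	}

	# Process destination ports.
	my $use_dst_ports = ($$hash{$key}[11] eq "ON");
	my $use_dnat = (($$hash{$key}[28] eq "ON") && (lc($$hash{$key}[31]) eq "dnat"));

	if ($use_dst_ports) {
		my $dst_ports_mode = $$hash{$key}[14];
		my $dst_ports = $$hash{$key}[15];

		if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
			# The NAT rule has to match the externally visible port.
			if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
				$dst_ports = $$hash{$key}[30];
			}
			push(@options, &format_ports($dst_ports, "dst"));

		} elsif ($dst_ports_mode eq "cust_srv") {
			# Here field 15 names a custom service; its port (or ICMP type)
			# is looked up in fwlib.
			if (lc($protocol) eq "icmp") {
				push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
			} else {
				$dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
				push(@options, &format_ports($dst_ports, "dst"));
			}

		} elsif ($dst_ports_mode eq "cust_srvgrp") {
			push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
		}
	}

	# Check if a single ICMP type is selected.
	if (!$use_src_ports && !$use_dst_ports && lc($protocol) eq "icmp") {
		my $icmp_type = $$hash{$key}[9];

		if (($icmp_type ne "All ICMP-Types") && $icmp_type) {
			push(@options, ("--icmp-type", $icmp_type));
		}
	}

	return @options;
}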
580 | ||
sub format_ports {
	# Builds the port match for $ports, a single port or several separated
	# by "|". $type selects "--sport" ("src") or "--dport" ("dst"). Several
	# ports are turned into a comma list and matched with "-m multiport".
	# Returns the empty list when $ports is empty.
	my ($ports, $type) = @_;

	my %flag_for = (
		src => "--sport",
		dst => "--dport",
	);
	my $arg = $flag_for{$type};

	my @options = ();

	if ($ports =~ /\|/) {
		$ports =~ tr/|/,/;
		push(@options, "-m", "multiport");
	}

	push(@options, $arg, $ports) if ($ports);

	return @options;
}
605 | ||
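sub get_dnat_target_port {
	# Returns the internal target port (field 15) of a DNAT rule when an
	# external port (field 30) is set and differs from it, i.e. when the
	# forwarded port has to be rewritten. Returns nothing otherwise; only
	# rules whose destination mode (field 14) is "TGT_PORT" carry a single
	# target port.
	#
	# The previous version fell off the end of the sub and returned the
	# value of whichever condition failed last; callers only test the result
	# for truth, so an explicit empty return is equivalent and clearer.
	my ($hash, $key) = @_;

	return unless ($$hash{$key}[14] eq "TGT_PORT");

	my $port = $$hash{$key}[15];
	my $external_port = $$hash{$key}[30];

	if ($external_port && ($port ne $external_port)) {
		return $port;
	}

	return;
}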
6e87f0aa MT |
619 | |
sub add_dnat_mangle_rules {
	# Adds one mangle rule per internal zone that marks packets from that
	# zone's network towards $nat_address (GREEN=1, BLUE=2, ORANGE=3). The
	# mark is presumably consumed by rules outside this file. @options are
	# the match arguments of the rule being processed and are prepended.
	my ($nat_address, @options) = @_;

	# The mark is the zone's position in this list; a zone without network
	# settings is skipped but keeps its number.
	my @zones = ("GREEN", "BLUE", "ORANGE");

	foreach my $index (0 .. $#zones) {
		my $zone = $zones[$index];
		my $mark = $index + 1;

		my $address_key = "${zone}_NETADDRESS";
		my $mask_key = "${zone}_NETMASK";

		# Skip rule if not all required information exists.
		next unless (exists $defaultNetworks{$address_key} && exists $defaultNetworks{$mask_key});

		my $netaddress = join("/", $defaultNetworks{$address_key}, $defaultNetworks{$mask_key});

		my @mangle_options = (
			@options,
			"-s", $netaddress, "-d", $nat_address,
			"-j", "MARK", "--set-mark", $mark,
		);

		run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
	}
}
3bb4bb3f MT |
643 | |
sub make_log_limit_options {
	# Returns the "-m limit" arguments appended to every LOG rule, so that a
	# flood of matching packets cannot swamp the log.

	# Maybe we should get this from the configuration.
	my $limit = 10;

	return (
		"-m", "limit",
		# We limit log messages to $limit messages per minute ...
		"--limit", "$limit/min",
		# ... and we allow bursts of 2x $limit.
		"--limit-burst", $limit * 2,
	);
}
e9b5ba41 | 658 | |
da7a2208 MT |
sub firewall_is_in_subnet {
	# Returns 1 when the firewall has an internal address inside $subnet
	# according to fwlib, 0 otherwise.
	my $subnet = shift;

	# ORANGE is missing here, because nothing may ever access
	# the firewall from this network.
	my $address = &fwlib::get_internal_firewall_ip_address($subnet, 0);

	return $address ? 1 : 0;
}