1 | #!/usr/bin/perl -w | |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
23 | use experimental 'smartmatch'; | |
24 | ||
25 | require '/var/ipfire/general-functions.pl'; | |
26 | require "${General::swroot}/lang.pl"; | |
27 | require "/usr/lib/firewall/firewall-lib.pl"; | |
28 | require "${General::swroot}/location-functions.pl"; | |
29 | ||
# Set to one to enable debugging mode: run() then prints each command
# instead of executing it, and buildrules() dumps every rule it processes.
my $DEBUG = 0;

# Command prefixes for everything this script executes.
my $IPTABLES = "iptables --wait";
my $IPSET = "ipset";

# iptables chains
my $CHAIN_INPUT = "INPUTFW";
my $CHAIN_FORWARD = "FORWARDFW";
my $CHAIN_OUTPUT = "OUTGOINGFW";
# Not referenced by any subroutine in this file.
my $CHAIN = $CHAIN_FORWARD;
my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
# Same chain name as $CHAIN_NAT_DESTINATION, but used in the mangle table.
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
# Chains a rule may name in field [1]; anything else is rejected by buildrules().
my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
# Spellings of "any address"; such a source/destination is left out of the rule.
my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");

# Protocols a rule may use, and the subset that carries port numbers.
my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");

# Targets a rule may name in field [0]; anything else is rejected by buildrules().
my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");

# Address space the LOCATIONBLOCK chain never inspects.
my @PRIVATE_NETWORKS = (
	"10.0.0.0/8",
	"172.16.0.0/12",
	"192.168.0.0/16",
	"100.64.0.0/10",
);

# MARK masks
my $NAT_MASK = 0x0f000000;

# Country code, which is used to mark hostile networks.
my $HOSTILE_CCODE = "XD";

# Settings and rule tables, filled from the files listed below.
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
my %configfwdfw=();;
my %customgrp=();
my %configinputfw=();
my %configoutgoingfw=();
my %confignatfw=();
my %locationsettings = (
	"LOCATIONBLOCK_ENABLED" => "off"
);
# Sets loaded (or claimed) by ipset_restore() during this run, and the
# sets that existed before it; ipset_cleanup() destroys the difference.
my %ipset_loaded_sets = ();
my @ipset_used_sets = ();

# Configuration files. Values read from them are interpolated into the
# iptables/ipset command lines that run() passes to the shell.
my $configfwdfw = "${General::swroot}/firewall/config";
my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $locationfile = "${General::swroot}/firewall/locationblock";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";

&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
&General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);

# Check if the location settings file exists; the defaults above apply otherwise.
if (-e "$locationfile") {
	# Read settings file
	&General::readhash("$locationfile", \%locationsettings);
}

# Get all available locations (country codes known to libloc).
my @locations = &Location::Functions::get_locations();

# Name of the RED interface.
my $RED_DEV = &General::get_red_interface();

# Shared "-m limit" arguments appended to every LOG rule.
my @log_limit_options = &make_log_limit_options();

# Whether forward/output traffic is allowed by default (policy "MODE2").
# $POLICY_INPUT_ALLOWED is not referenced by any subroutine in this file.
my $POLICY_INPUT_ALLOWED = 0;
my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"} eq "MODE2");
my $POLICY_OUTPUT_ALLOWED = ($fwdfwsettings{"POLICY1"} eq "MODE2");

# Default actions of the chains; buildrules() derives from them which
# forwarding rules also need a copy in the INPUT/OUTPUT chains.
my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};

#workaround to suppress a warning when a variable is used only once
my @dummy = ( $Location::Functions::ipset_db_directory );
undef (@dummy);

# MAIN
&main();
122 | ||
sub main {
	# Entry point: rebuild every firewall chain from the configuration
	# read at startup, then reload the policy and the local rule file.

	# Remember which ipset sets exist now; unused ones are removed at the end.
	&ipset_get_sets();

	# Start from empty chains.
	&flush();

	# Rule files in the order they are applied: input, outgoing, forward.
	# A file is skipped only when it exists and is empty; a missing file
	# does not skip (-z is false for it), the empty table is simply built.
	my @rule_tables = (
		[ "${General::swroot}/firewall/input",    \%configinputfw ],
		[ "${General::swroot}/firewall/outgoing", \%configoutgoingfw ],
		[ "${General::swroot}/firewall/config",   \%configfwdfw ],
	);
	foreach my $entry (@rule_tables) {
		my ($file, $table) = @$entry;
		next if (-z $file);
		&buildrules($table);
	}

	# Location block rules, then the rules dropping hostile networks.
	&locationblock();
	&drop_hostile_networks();

	# Reload firewall policy.
	run("/usr/sbin/firewall-policy");

	# Destroy the ipset sets that are no longer referenced by any rule.
	&ipset_cleanup();

	# Reload firewall.local if present.
	run("/etc/sysconfig/firewall.local reload") if (-f '/etc/sysconfig/firewall.local');
}
158 | ||
sub run {
	# Runs one command line, or only prints it when $DEBUG is set.
	#
	# The command is a single string given to system(), so it is parsed
	# by the shell. Everything callers interpolate into it (addresses,
	# interface and set names, ports, limits) reaches the shell verbatim;
	# those values come from the configuration files read at startup.
	# A non-zero exit status is reported on STDERR but does not abort the
	# script, so the remaining rules are still installed.
	my ($command) = @_;

	if ($DEBUG) {
		print "$command\n";
	} else {
		system "$command";
		print_error("ERROR: $command") if ($?);
	}
}
173 | ||
sub print_error {
	# Writes one diagnostic line to STDERR; never aborts the script.
	my ($message) = @_;

	print STDERR $message, "\n";
}
179 | ||
sub print_rule {
	# Debug helper: prints every field of one rule line (an array
	# reference) prefixed with its index, all on a single line.
	my ($rule) = @_;

	print "\nRULE:";

	my @fields = @$rule;
	for my $index (0 .. $#fields) {
		printf(" %2d: %s", $index, $fields[$index]);
	}
	print "\n";
}
191 | ||
sub count_elements {
	# Number of fields in one rule line (an array reference).
	my ($rule) = @_;

	my $count = @$rule;
	return $count;
}
197 | ||
sub flush {
	# Empties every chain this script owns: the three filter chains,
	# both NAT chains and the mangle chain, in that order.
	foreach my $chain ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT) {
		run("$IPTABLES -F $chain");
	}
	foreach my $chain ($CHAIN_NAT_SOURCE, $CHAIN_NAT_DESTINATION) {
		run("$IPTABLES -t nat -F $chain");
	}
	run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
}
206 | ||
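sub buildrules {
	# Turns one rule table (as filled by General::readhasharray) into
	# iptables commands. Each value is an array reference whose fields are
	# addressed by position:
	#   [0] target, [1] chain, [2] "ON" when the rule is enabled
	#   [4] source location code, [5] "ipfire" when the firewall is the
	#   destination, [6] destination location code, [17] "ON" to log matches
	#   [18] time match on, [19]..[25] weekdays Mon..Sun, [26]/[27] start/stop
	#   [28] NAT on, [29] NAT address selector, [31] NAT mode (dnat/snat)
	#   [32]/[33] connection limit on/value, [34]..[36] rate limit on/count/unit
	# Every field is interpolated into a command line that run() hands to
	# the shell, so target, chain and protocol are checked against the
	# fixed lists above and the limits against a numeric format first.
	my $hash = shift;

	# Search for targets that need to be specially handled when adding
	# forwarding rules. Additional rules will automatically get inserted
	# into the INPUT/OUTPUT chains for these targets.
	my @special_input_targets = ();
	if (!$POLICY_FORWARD_ALLOWED) {
		push(@special_input_targets, "ACCEPT");
	}

	if ($POLICY_INPUT_ACTION eq "DROP") {
		push(@special_input_targets, ("ACCEPT", "REJECT"));
	} elsif ($POLICY_INPUT_ACTION eq "REJECT") {
		push(@special_input_targets, ("ACCEPT", "DROP"));
	}

	my @special_output_targets = ();
	if ($POLICY_OUTPUT_ALLOWED) {
		push(@special_output_targets, ("DROP", "REJECT"));
	} else {
		push(@special_output_targets, "ACCEPT");

		if ($POLICY_OUTPUT_ACTION eq "DROP") {
			push(@special_output_targets, ("ACCEPT", "REJECT"));
		} elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
			push(@special_output_targets, ("ACCEPT", "DROP"));
		}
	}

	foreach my $key (sort {$a <=> $b} keys %$hash) {
		# Skip disabled rules.
		next unless ($$hash{$key}[2] eq 'ON');

		# Count number of elements in this line
		my $elements = &count_elements($$hash{$key});

		if ($DEBUG) {
			print_rule($$hash{$key});
		}

		# Check if the target is valid. The smartmatch has to be
		# parenthesised: "!" binds tighter than "~~", so "!$target ~~ @list"
		# would ask whether the empty string is in the list and never reject.
		my $target = $$hash{$key}[0];
		if (!($target ~~ @VALID_TARGETS)) {
			print_error("Invalid target '$target' for rule $key");
			next;
		}

		# Check if the chain is valid (same precedence note as above).
		my $chain = $$hash{$key}[1];
		if (!($chain ~~ @VALID_CHAINS)) {
			print_error("Invalid chain '$chain' in rule $key");
			next;
		}

		# Collect all sources.
		my @sources = &fwlib::get_addresses($hash, $key, "src");

		# Collect all destinations.
		my @destinations = &fwlib::get_addresses($hash, $key, "tgt");

		# True if the destination is the firewall itself.
		my $destination_is_firewall = ($$hash{$key}[5] eq "ipfire");

		# Check if logging should be enabled.
		my $LOG = ($$hash{$key}[17] eq 'ON');

		# Check if NAT is enabled and initialize variables, that we use for that.
		my $NAT = ($$hash{$key}[28] eq 'ON');
		my $NAT_MODE;
		if ($NAT) {
			$NAT_MODE = uc($$hash{$key}[31]);
		}

		# Set up time constraints.
		my @time_options = ();
		if ($$hash{$key}[18] eq 'ON') {
			push(@time_options, ("-m", "time"));

			# Select all days of the week this match is active.
			my @weekdays = ();
			if ($$hash{$key}[19] ne '') {
				push (@weekdays, "Mon");
			}
			if ($$hash{$key}[20] ne '') {
				push (@weekdays, "Tue");
			}
			if ($$hash{$key}[21] ne '') {
				push (@weekdays, "Wed");
			}
			if ($$hash{$key}[22] ne '') {
				push (@weekdays, "Thu");
			}
			if ($$hash{$key}[23] ne '') {
				push (@weekdays, "Fri");
			}
			if ($$hash{$key}[24] ne '') {
				push (@weekdays, "Sat");
			}
			if ($$hash{$key}[25] ne '') {
				push (@weekdays, "Sun");
			}
			if (@weekdays) {
				push(@time_options, ("--weekdays", join(",", @weekdays)));
			}

			# Convert start time.
			my $time_start = &format_time($$hash{$key}[26]);
			if ($time_start) {
				push(@time_options, ("--timestart", $time_start));
			}

			# Convert end time.
			my $time_stop = &format_time($$hash{$key}[27]);
			if ($time_stop) {
				push(@time_options, ("--timestop", $time_stop));
			}
		}

		# Concurrent connection limit. $elements is a count, so it is
		# compared numerically; the string operator "ge" would accept "4"
		# as greater than "34".
		my @ratelimit_options = ();

		if (($elements >= 34) && ($$hash{$key}[32] eq 'ON')) {
			my $conn_limit = $$hash{$key}[33];

			# Only a positive integer is usable as --connlimit-upto.
			if (($conn_limit =~ /\A\d+\z/) && ($conn_limit >= 1)) {
				push(@ratelimit_options, ("-m", "connlimit"));

				# Use the the entire source IP address
				push(@ratelimit_options, "--connlimit-saddr");
				push(@ratelimit_options, ("--connlimit-mask", "32"));

				# Apply the limit
				push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
			}
		}

		# Ratelimit
		if (($elements >= 37) && ($$hash{$key}[34] eq 'ON')) {
			my $rate_count = $$hash{$key}[35];
			my $rate_unit = $$hash{$key}[36];

			# Both halves of "<count>/<unit>" must be present; testing the
			# joined string alone is always true because of the slash.
			if ((defined $rate_count) && ($rate_count ne "") && (defined $rate_unit) && ($rate_unit ne "")) {
				my $rate_limit = "$rate_count/$rate_unit";

				push(@ratelimit_options, ("-m", "limit"));
				push(@ratelimit_options, ("--limit", $rate_limit));
			}
		}

		# Check which protocols are used in this rule and so that we can
		# later group rules by protocols.
		my @protocols = &get_protocols($hash, $key);
		if (!@protocols) {
			print_error("Invalid protocol configuration for rule $key");
			next;
		}

		foreach my $protocol (@protocols) {
			# Check if the given protocol is supported (parenthesised for
			# the same "!" / "~~" precedence reason as the target check).
			if (($protocol ne "all") && !($protocol ~~ @PROTOCOLS)) {
				print_error("Protocol $protocol is not supported (rule $key)");
				next;
			}

			# Prepare protocol options (like ICMP types, ports, etc...).
			my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);

			# Check if this protocol knows ports.
			my $protocol_has_ports = ($protocol ~~ @PROTOCOLS_WITH_PORTS);

			foreach my $src (@sources) {
				# Skip invalid source.
				next unless (defined $src);
				next unless ($src);

				# Sanitize source: "any" becomes no -s option at all.
				my $source = @$src[0];
				if ($source ~~ @ANY_ADDRESSES) {
					$source = "";
				}

				my $source_intf = @$src[1];

				foreach my $dst (@destinations) {
					# Skip invalid rules.
					next unless (defined $dst);
					next if (!$dst || ($dst eq "none"));

					# Sanitize destination: "any" becomes no -d option at all.
					my $destination = @$dst[0];
					if ($destination ~~ @ANY_ADDRESSES) {
						$destination = "";
					}

					my $destination_intf = @$dst[1];

					# Array with iptables arguments.
					my @options = ();

					# Append protocol.
					if ($protocol ne "all") {
						push(@options, @protocol_options);
					}

					# Prepare source options. A source that already is a
					# "-m mac" or "-m set" match is passed through as is.
					my @source_options = ();
					if ($source =~ /mac/) {
						push(@source_options, $source);
					} elsif ($source =~ /-m set/) {
						# Grab location code from hash.
						my $loc_src = $$hash{$key}[4];

						# Call function to load the networks list for this country.
						&ipset_restore($loc_src);

						push(@source_options, $source);
					} elsif($source) {
						push(@source_options, ("-s", $source));
					}

					# Prepare destination options.
					my @destination_options = ();
					if ($destination =~ /-m set/) {
						# Grab location code from hash.
						my $loc_dst = $$hash{$key}[6];

						# Call function to load the networks list for this country.
						&ipset_restore($loc_dst);

						push(@destination_options, $destination);
					} elsif ($destination) {
						push(@destination_options, ("-d", $destination));
					}

					# Add source and destination interface to the filter rules.
					# These are supposed to help filtering forged packets that originate
					# from BLUE with an IP address from GREEN for instance.
					my @source_intf_options = ();
					if ($source_intf) {
						push(@source_intf_options, ("-i", $source_intf));
					}

					my @destination_intf_options = ();
					if ($destination_intf) {
						push(@destination_intf_options, ("-o", $destination_intf));
					}

					# Add time constraint options.
					push(@options, @time_options);

					# Add ratelimiting option
					push(@options, @ratelimit_options);

					# An empty (= any) address counts as containing the firewall.
					my $firewall_is_in_source_subnet = 1;
					if ($source) {
						$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
					}

					my $firewall_is_in_destination_subnet = 1;
					if ($destination) {
						$firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
					}

					# Process NAT rules.
					if ($NAT) {
						my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);

						# Skip NAT rules if the NAT address is unknown
						# (i.e. no internet connection has been established, yet).
						next unless ($nat_address);

						# Destination NAT
						if ($NAT_MODE eq "DNAT") {
							my @nat_options = ();
							if ($protocol ne "all") {
								my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
								push(@nat_options, @nat_protocol_options);
							}

							# Add time options.
							push(@nat_options, @time_options);

							# Determine if a REDIRECT rule should be created.
							my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports);

							# Make port-forwardings useable from the internal networks.
							if (!$use_redirect) {
								my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
								unless ($nat_address ~~ @internal_addresses) {
									&add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
								}
							}

							# Add source options.
							push(@nat_options, @source_options);

							# Add NAT address.
							if (!$use_redirect) {
								push(@nat_options, ("-d", $nat_address));
							}

							my $dnat_port;
							if ($protocol_has_ports) {
								$dnat_port = &get_dnat_target_port($hash, $key);
							}

							my @nat_action_options = ();

							# Use iptables REDIRECT
							if ($use_redirect) {
								push(@nat_action_options, ("-j", "REDIRECT"));

								# Redirect to specified port if one has given.
								if ($dnat_port) {
									push(@nat_action_options, ("--to-ports", $dnat_port));
								}

							# Use iptables DNAT
							} else {
								if ($destination_is_firewall && !$destination) {
									$destination = &fwlib::get_external_address();
								}
								next unless ($destination);

								# The DNAT target takes a bare address; the mask is dropped.
								my ($dnat_address, $dnat_mask) = split("/", $destination);
								@destination_options = ("-d", $dnat_address);

								if ($protocol_has_ports) {
									my $dnat_port = &get_dnat_target_port($hash, $key);

									if ($dnat_port) {
										$dnat_address .= ":$dnat_port";
									}
								}

								push(@nat_action_options, ("-j", "DNAT", "--to-destination", $dnat_address));
							}

							if ($LOG) {
								run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
							}
							run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @nat_action_options");

						# Source NAT
						} elsif ($NAT_MODE eq "SNAT") {
							# Do not SNAT traffic that is about to be handled by an IPsec policy.
							my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
							my @nat_options = @options;

							# Get addresses for the configured firewall interfaces.
							my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);

							# Check if the nat_address is one of the local addresses.
							foreach my $local_address (@local_addresses) {
								if ($nat_address eq $local_address) {
									# Clear SNAT options.
									@snat_options = ();

									# Finish loop.
									last;
								}
							}

							push(@nat_options, @destination_intf_options);
							push(@nat_options, @source_options);
							push(@nat_options, @destination_options);

							if ($LOG) {
								run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
							}
							run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
						}
					}

					push(@options, @source_options);
					push(@options, @destination_options);

					# Insert firewall rule.
					if ($LOG) {
						run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
					}
					run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");

					# Handle forwarding rules and add corresponding rules for firewall access.
					if ($chain eq $CHAIN_FORWARD) {
						# If the firewall is part of the destination subnet and access to the destination network
						# is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
						# for the firewall, too.
						if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
							if ($LOG) {
								run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
							}
							run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
						}

						# Likewise.
						if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
							if ($LOG) {
								run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
							}
							run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
						}
					}
				}
			}
		}
	}
}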
612 | ||
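# Formats the given timestamp ("hh:mm", local time) into the iptables
# format, which is "hh:mm" in UTC.
sub format_time {
	my ($val) = @_;

	# Convert the given time into minutes since midnight.
	my $minutes = &time_convert_to_minutes($val);

	# Move the timestamp into UTC.
	$minutes += &time_utc_offset();

	# Make sure $minutes is between 00:00 and 23:59. The upper bound is
	# inclusive of 1440 (exactly one day), which otherwise printed "24:00".
	if ($minutes < 0) {
		$minutes += 1440;
	}

	if ($minutes >= 1440) {
		$minutes -= 1440;
	}

	# Format as hh:mm.
	return sprintf("%02d:%02d", $minutes / 60, $minutes % 60);
}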
635 | ||
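# Calculates the offset in minutes from the local timezone to UTC, i.e. the
# value to add to a local time-of-day to obtain UTC.
#
# Only hours and minutes are compared, so when local time and UTC fall on
# different days the result is off by a multiple of 1440; format_time()
# wraps its result into one day, which cancels that out. The current time
# is sampled once so that both conversions see the same instant.
sub time_utc_offset {
	my $now = time;
	my @localtime = localtime($now);
	my @gmtime = gmtime($now);

	return ($gmtime[2] * 60 + $gmtime[1] % 60) - ($localtime[2] * 60 + $localtime[1] % 60);
}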
643 | ||
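# Takes a timestamp like "14:00" and converts it into minutes since midnight.
# A missing or empty timestamp, or one without a minute part, is treated as
# 0 for the missing component instead of raising "uninitialized" warnings.
sub time_convert_to_minutes {
	my ($timestamp) = @_;

	my ($hrs, $min) = split(":", $timestamp // "");
	$hrs //= 0;
	$min //= 0;

	return ($hrs * 60) + $min;
}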
650 | ||
sub locationblock {
	# Rebuilds the LOCATIONBLOCK chain: packets arriving on RED whose
	# source is in the set of a country switched "on" in %locationsettings
	# are dropped; everything else returns to the calling chain.
	run("$IPTABLES -F LOCATIONBLOCK");

	# Nothing more to do when the feature is switched off.
	return if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on");

	# Only check the RED interface: ppp0 when RED_TYPE is "PPPOE",
	# otherwise the configured RED_DEV when one is set.
	my $red_type = $defaultNetworks{'RED_TYPE'};
	my $red_dev = $defaultNetworks{'RED_DEV'};
	if ($red_type eq "PPPOE") {
		run("$IPTABLES -A LOCATIONBLOCK ! -i ppp0 -j RETURN");
	} elsif ($red_dev ne "") {
		run("$IPTABLES -A LOCATIONBLOCK ! -i $red_dev -j RETURN");
	}

	# Do not check any private address space.
	run("$IPTABLES -A LOCATIONBLOCK -s $_ -j RETURN") for @PRIVATE_NETWORKS;

	# Countries flagged "on" get their set loaded and a DROP rule, in the
	# order libloc lists them.
	my @blocked = grep { exists $locationsettings{$_} && $locationsettings{$_} eq "on" } @locations;
	foreach my $location (@blocked) {
		&ipset_restore($location);
		run("$IPTABLES -A LOCATIONBLOCK -m set --match-set $location src -j DROP");
	}
}
687 | ||
sub drop_hostile_networks () {
	# Rebuilds the HOSTILE chain: traffic to or from the networks in the
	# $HOSTILE_CCODE set that crosses the RED interface is sent to
	# HOSTILE_DROP. Requires DROPHOSTILE to be "on" and a RED interface.
	run("$IPTABLES -F HOSTILE");

	return if ($fwoptions{'DROPHOSTILE'} ne "on");
	return unless ($RED_DEV);

	# Load the set of hostile networks.
	&ipset_restore($HOSTILE_CCODE);

	# One rule per direction: incoming matches the source, outgoing the destination.
	foreach my $direction ([ "-i", "src" ], [ "-o", "dst" ]) {
		my ($intf_option, $match_side) = @$direction;
		run("$IPTABLES -A HOSTILE $intf_option $RED_DEV -m set --match-set $HOSTILE_CCODE $match_side -j HOSTILE_DROP");
	}
}
708 | ||
sub get_protocols {
	# Returns the lowercase protocol names one rule applies to, or ("all")
	# when none is configured. Returns an empty list when ports are set for
	# a protocol without ports, so the caller can reject the rule.
	my ($hash, $key) = @_;
	my $rule = $$hash{$key};

	my $uses_source_ports = ($rule->[7] eq "ON");
	my $uses_services = ($rule->[11] eq "ON");

	my @protocols = ();

	if (!$uses_source_ports && !$uses_services) {
		# Rules which don't have source ports or services (like ICMP, ESP, ...).
		push(@protocols, $rule->[8]);
	} elsif ($rule->[14] eq 'cust_srv') {
		# A single custom service defines the protocol.
		push(@protocols, &fwlib::get_srv_prot($rule->[15]));
	} elsif ($rule->[14] eq 'cust_srvgrp') {
		# A service group may span several protocols.
		my $protos = &fwlib::get_srvgrp_prot($rule->[15]);
		push(@protocols, split(",", $protos));
	} else {
		# Plain protocol with ports given directly in the rule.
		my $protocol = lc($rule->[8]);
		my $source_ports = $rule->[10];
		my $destination_ports = $rule->[15];

		# Ports are only meaningful for the protocols that have them.
		if (!($protocol ~~ @PROTOCOLS_WITH_PORTS) && ($source_ports || $destination_ports)) {
			print_error("$protocol does not support ports");
			return ();
		}

		push(@protocols, $protocol);
	}

	# Drop empty entries, fall back to "all" and normalise the case.
	@protocols = grep { $_ } @protocols;
	@protocols = ("all") unless (@protocols);

	return map { lc($_) } @protocols;
}
763 | ||
sub get_protocol_options {
	# Builds the protocol part of an iptables rule: "-p <protocol>", the
	# source/destination port matches for the protocols in
	# @PROTOCOLS_WITH_PORTS (via format_ports() and the fwlib service
	# lookups) and "--icmp-type" for icmp.
	#
	# Parameters:
	#   $hash, $key         - rule table and the key of the rule to read
	#   $protocol           - protocol name as returned by get_protocols()
	#                         (lowercase), or "all"
	#   $nat_options_wanted - true when the options are for the DNAT rule;
	#                         then a configured external port ([30])
	#                         replaces the target port ([15]) in the match
	# Returns the argument list; empty for protocol "all".
	my $hash = shift;
	my $key = shift;
	my $protocol = shift;
	my $nat_options_wanted = shift;
	my @options = ();

	# Nothing to do if no protocol is specified.
	if ($protocol eq "all") {
		return @options;
	} else {
		push(@options, ("-p", $protocol));
	}

	if ($protocol ~~ @PROTOCOLS_WITH_PORTS) {
		# Process source ports.
		my $use_src_ports = ($$hash{$key}[7] eq "ON");
		my $src_ports = $$hash{$key}[10];

		if ($use_src_ports && $src_ports) {
			push(@options, &format_ports($src_ports, "src"));
		}

		# Process destination ports.
		my $use_dst_ports = ($$hash{$key}[11] eq "ON");
		# NOTE(review): [31] is compared case-sensitively with "dnat" here,
		# while buildrules() uppercases the same field - confirm the stored
		# spelling before relying on $use_dnat.
		my $use_dnat = (($$hash{$key}[28] eq "ON") && ($$hash{$key}[31] eq "dnat"));

		if ($use_dst_ports) {
			my $dst_ports_mode = $$hash{$key}[14];
			my $dst_ports = $$hash{$key}[15];

			if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
				# For the DNAT match the external port is the one packets arrive on.
				if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
					$dst_ports = $$hash{$key}[30];
				}
				push(@options, &format_ports($dst_ports, "dst"));

			} elsif ($dst_ports_mode eq "cust_srv") {
				# NOTE(review): this branch is only reached for protocols in
				# @PROTOCOLS_WITH_PORTS (tcp, udp) and get_protocols() returns
				# lowercase names, so the "ICMP" comparison below looks
				# unreachable - confirm before relying on it.
				if ($protocol eq "ICMP") {
					push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
				} else {
					$dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
					push(@options, &format_ports($dst_ports, "dst"));
				}

			} elsif ($dst_ports_mode eq "cust_srvgrp") {
				# fwlib returns the complete port arguments for the group.
				push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
			}
		}
	}

	# Check if a single ICMP type is selected.
	if ($protocol eq "icmp") {
		my $icmp_type = $$hash{$key}[9];

		if (($icmp_type ne "All ICMP-Types") && $icmp_type) {
			push(@options, ("--icmp-type", $icmp_type));
		}
	}

	return @options;
}
826 | ||
sub format_ports {
	# Turns a port list into iptables arguments: "--sport"/"--dport" for
	# $type "src"/"dst", preceded by "-m multiport" when several ports are
	# given separated by "|" (which is rewritten to ","). Returns an empty
	# list for an empty port string.
	my ($ports, $type) = @_;

	my %option_for = (
		src => "--sport",
		dst => "--dport",
	);
	my $arg = $option_for{$type};

	my @options = ();

	if ($ports =~ /\|/) {
		$ports =~ tr/|/,/;
		push(@options, "-m", "multiport");
	}

	push(@options, $arg, $ports) if ($ports);

	return @options;
}
851 | ||
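sub get_dnat_target_port {
	# Returns the port a DNAT rule forwards to (field [15]) when the rule
	# uses a single target port and a different external port ([30]) is
	# configured; returns nothing otherwise. The explicit "return;" keeps
	# the result undef/empty in every context instead of leaking the
	# value of the last evaluated condition.
	my ($hash, $key) = @_;
	my $rule = $$hash{$key};

	# Only rules with one target port can have their port rewritten.
	return unless ($rule->[14] eq "TGT_PORT");

	my $port = $rule->[15];
	my $external_port = $rule->[30];

	if ($external_port && ($port ne $external_port)) {
		return $port;
	}

	return;
}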
865 | ||
sub add_dnat_mangle_rules {
	# Marks traffic from the internal zones towards $nat_address so that
	# port-forwardings are usable from the internal networks: one MARK rule
	# per zone that has a network configured, each zone with its own bit of
	# $NAT_MASK. When $interface is given only the zone on that device gets
	# a rule; @options are prepended to every rule.
	my ($nat_address, $interface, @options) = @_;

	my $mark = 0x01000000;
	ZONE: foreach my $zone ("GREEN", "BLUE", "ORANGE") {
		# Skip rule if not all required information exists.
		next ZONE unless (exists $defaultNetworks{"${zone}_NETADDRESS"});
		next ZONE unless (exists $defaultNetworks{"${zone}_NETMASK"});

		next ZONE if ($interface && $interface ne $defaultNetworks{"${zone}_DEV"});

		my $network = join("/", $defaultNetworks{"${zone}_NETADDRESS"}, $defaultNetworks{"${zone}_NETMASK"});

		my @mangle_options = (
			@options,
			"-s", $network, "-d", $nat_address,
			"-j", "MARK", "--set-xmark", "$mark/$NAT_MASK",
		);

		run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");

		# Next zone gets the next bit.
		$mark <<= 1;
	}
}
892 | ||
sub make_log_limit_options {
	# "-m limit" arguments shared by all LOG rules: at most $limit log
	# messages per second with bursts of twice that. The value is fixed
	# here; it could be taken from the configuration instead.
	my $limit = 10;

	return (
		"-m", "limit",
		"--limit", "$limit/second",
		"--limit-burst", $limit * 2,
	);
}
907 | ||
sub firewall_is_in_subnet {
	# 1 when fwlib reports an internal firewall address inside $subnet,
	# 0 otherwise. ORANGE is deliberately not considered, because nothing
	# may ever access the firewall from that network.
	my ($subnet) = @_;

	my $address = &fwlib::get_internal_firewall_ip_address($subnet, 0);

	return $address ? 1 : 0;
}
921 | ||
sub ipset_get_sets () {
	# Records the names of all sets ipset currently knows ("ipset -n list")
	# in @ipset_used_sets, so ipset_cleanup() can destroy those this run
	# does not load again.
	my @names = `$IPSET -n list`;
	chomp(@names);
	push(@ipset_used_sets, @names);

	# Display used sets in debug mode.
	if ($DEBUG) {
		print "Used ipset sets:\n";
		print "@ipset_used_sets\n\n";
	}
}
941 | ||
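sub ipset_restore ($) {
	# Loads the ipset for $set from the libloc database directory, unless
	# it was already loaded earlier in this run. Only names found in
	# @locations (country codes) are loaded; any other name is merely
	# recorded in %ipset_loaded_sets, which keeps ipset_cleanup() from
	# destroying it. Callers use "&ipset_restore(...)", which bypasses the
	# prototype.
	my ($set) = @_;

	# Check if the set already has been loaded.
	if ($ipset_loaded_sets{$set}) {
		# It already has been loaded - so there is nothing to do.
		return;
	}

	# Check if the given set name is a country code.
	if ($set ~~ @locations) {
		# Libloc adds the IP type (v4 or v6) as part of the set and file name.
		my $loc_set = "$set" . "v4";

		# The bare filename equals the set name and libloc uses "ipset"
		# as the file extension. (A single declaration; the previous
		# unused outer $db_file was shadowed by this one.)
		my $db_file = "$Location::Functions::ipset_db_directory/$loc_set.ipset";

		# Call function to restore/load the set.
		&ipset_call_restore($db_file);

		# Check if the set is already loaded (has been used before).
		if ($set ~~ @ipset_used_sets) {
			# The sets contains the IP type (v4 or v6) as part of the name.
			# The firewall rules matches against sets without that extension. So we safely
			# can swap or rename the sets to use the new ones.
			run("$IPSET swap $loc_set $set");
		} else {
			# If the set is not loaded, we have to rename it to proper use it.
			run("$IPSET rename $loc_set $set");
		}
	}

	# Store the restored set to the hash to prevent from loading it again.
	$ipset_loaded_sets{$set} = "1";
}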
987 | ||
sub ipset_call_restore ($) {
	# Feeds $file to "ipset restore"; a missing file is silently skipped.
	my ($file) = @_;

	run("$IPSET restore -f $file") if (-f $file);
}
997 | ||
sub ipset_cleanup () {
	# Destroys every set that existed before this run (@ipset_used_sets)
	# but was not loaded or claimed by ipset_restore() during it.
	foreach my $set (@ipset_used_sets) {
		next if ($ipset_loaded_sets{$set});
		run("$IPSET destroy $set");
	}
}