[people/pmueller/ipfire-2.x.git] / config / forwardfw / rules.pl

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012														  #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
#																			  #
# Hi folks! I hope this code is useful for all. I needed something to handle  #
# my VPN Connections in a comfortable way. 				      				  #
# This script builds firewallrules from the webinterface                      #
###############################################################################

use strict;
use Time::Local;
no warnings 'uninitialized';

# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';

my %fwdfwsettings=();
my %defaultNetworks=();
my %configfwdfw=();
my %color=();
my %icmptypes=();
my %ovpnSettings=();
my %customgrp=();
our %sourcehash=();
our %targethash=();
my @timeframe=();
my %configinputfw=();
my %configoutgoingfw=();
my %configdmzfw=();
my %aliases=();
my @DPROT=();
my @p2ps=();
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";

my $configdmz		= "${General::swroot}/forward/dmz";
my $configfwdfw		= "${General::swroot}/forward/config";
my $configinput	    = "${General::swroot}/forward/input";
my $configoutgoing  = "${General::swroot}/forward/outgoing";
my $p2pfile			= "${General::swroot}/forward/p2protocols";
my $configgrp		= "${General::swroot}/fwhosts/customgroups";
my $netsettings		= "${General::swroot}/ethernet/settings";
my $errormessage='';
my $orange;
my $green;
my $blue;
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN="FORWARDFW";
my $conexists='off';

&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configdmz, \%configdmzfw);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);

#check if we have an internetconnection
open (CONN,"/var/ipfire/red/iface");
my $con = <CONN>;
close(CONN);
if (-f "/var/ipfire/red/active"){
	$conexists='on';
}

################################
#    DEBUG/TEST                #
################################
my $MODE=1;     # 0 - normal operation
				# 1 - print configline and rules to console	
				# 
################################		
my $param=shift;

if($param eq 'flush'){
	if ($MODE eq '1'){
		print " Flushing chains...\n";
	}
	&flush;
}else{
	if ($MODE eq '1'){
		print " Flushing chains...\n";
	}
	&flush;
	if ($MODE eq '1'){
		print " Preparing rules...\n";
	}
	&preparerules;
	if($MODE eq '0'){
		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
			&p2pblock;
			system ("/usr/sbin/firewall-policy"); 
		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
			$defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
			$green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
			if ($defaultNetworks{'BLUE_DEV'}){
				$defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
				$blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
				#set default rules for BLUE
				system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
			}
			if ($defaultNetworks{'ORANGE_DEV'}){
				$defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
				$orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
				#set default rules for DMZ
				system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
				if ($defaultNetworks{'BLUE_DEV'}){
					system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
				}
			}
			&p2pblock;
			system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
			system ("/usr/sbin/firewall-policy");
		}
	}
}
sub flush
{
	system ("iptables -F FORWARDFW");
	system ("iptables -F INPUTFW");
	system ("iptables -F OUTGOINGFW");
}			
sub preparerules
{
	if (! -z  "${General::swroot}/forward/dmz"){
		&buildrules(\%configdmzfw);
	}
	if (! -z  "${General::swroot}/forward/config"){
		&buildrules(\%configfwdfw);
	}
	if (! -z  "${General::swroot}/forward/input"){
		&buildrules(\%configinputfw);
	}
	if (! -z  "${General::swroot}/forward/outgoing"){
		&buildrules(\%configoutgoingfw);
	}
}
sub buildrules
{
	my $hash=shift;
	my $STAG;
	foreach my $key (sort {$a <=> $b} keys %$hash){
		next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
		$STAG='';
		if($$hash{$key}[2] eq 'ON'){
			#get source ip's
			if ($$hash{$key}[3] eq 'cust_grp_src'){
				foreach my $grp (sort {$a <=> $b} keys %customgrp){
						if($customgrp{$grp}[0] eq $$hash{$key}[4]){
						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
					}
				}
			}else{
				&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
			}
			#get target ip's
			if ($$hash{$key}[5] eq 'cust_grp_tgt'){
				foreach my $grp (sort {$a <=> $b} keys %customgrp){
					if($customgrp{$grp}[0] eq $$hash{$key}[6]){
						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
					}
				}
			}elsif($$hash{$key}[5] eq 'ipfire'){
				if($$hash{$key}[6] eq 'Default IP'){
					open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
					$targethash{$key}[0]= <FILE>;
					close(FILE);
				}else{
					foreach my $alias (sort keys %aliases){
						if ($$hash{$key}[6] eq $alias){
							$targethash{$key}[0]=$aliases{$alias}{'IPT'};
						}
					}
				}
			}else{
				&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
			}
			##get source prot and port
			$SRC_TGT='SRC';
			$SPROT = &get_prot($hash,$key);
			$SPORT = &get_port($hash,$key);
			$SRC_TGT='';

			##get target prot and port
			$DPROT=&get_prot($hash,$key);

			if ($DPROT eq ''){$DPROT=' ';}				
			@DPROT=split(",",$DPROT);

			#get time if defined
			if($$hash{$key}[18] eq 'ON'){
				my ($time1,$time2,$daylight);
				my $daylight=$$hash{$key}[28];
				$time1=&get_time($$hash{$key}[26],$daylight);
				$time2=&get_time($$hash{$key}[27],$daylight);
				if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
				if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
				if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
				if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
				if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
				if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
				if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
				$TIME=join(",",@timeframe);
				
				$TIMEFROM="--timestart $time1 ";
				$TIMETILL="--timestop $time2 ";
				$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
			}
			if ($MODE eq '1'){	
				print "NR:$key ";
				foreach my $i (0 .. $#{$$hash{$key}}){
					print "$i: $$hash{$key}[$i]  ";
				}
				print "\n";
				print"##################################\n";
				#print rules to console
				foreach my $DPROT (@DPROT){
					$DPORT = &get_port($hash,$key,$DPROT);
					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
					foreach my $a (sort keys %sourcehash){
						foreach my $b (sort keys %targethash){
							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
									if(substr($DPORT, 2, 4) eq 'icmp'){
										my @icmprule= split(",",substr($DPORT, 12,));
										foreach (@icmprule){
											if ($$hash{$key}[17] eq 'ON'){
												print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
											}
											print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; 
										}
									}else{
										if ($$hash{$key}[17] eq 'ON'){
											print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
										}
										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
									}
								}				
							}
						}
					}
					print"\n";
				}
			}elsif($MODE eq '0'){
				foreach my $DPROT (@DPROT){
					$DPORT = &get_port($hash,$key,$DPROT);
					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
					foreach my $a (sort keys %sourcehash){
						foreach my $b (sort keys %targethash){
							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
									if(substr($DPORT, 2, 4) eq 'icmp'){
										my @icmprule= split(",",substr($DPORT, 12,));
										foreach (@icmprule){
											if ($$hash{$key}[17] eq 'ON'){
												system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
											}
											system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); 
										}
									}else{
										if ($$hash{$key}[17] eq 'ON'){
											system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
										}
										system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
									}
								}				
							}
						}
					}
				}
			}
		}
		%sourcehash=();
		%targethash=();
		undef $TIME;
		undef $TIMEFROM;
		undef $TIMETILL;
	}
}
sub get_time
{
	my $val=shift;
	my $val1=shift;
	my $time;
	my $minutes;
	my $ruletime;
	$minutes = &utcmin($val);
	$ruletime = $minutes + &time_get_utc($val);
	if ($ruletime < 0){$ruletime +=1440;}
	if ($ruletime > 1440){$ruletime -=1440;}
	$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
	return $time;
}
sub time_get_utc
{
	# Calculates the UTCtime from a given time
	my $val=shift;
	my @localtime=localtime(time);
	my @gmtime=gmtime(time);
	my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
	return $diff;
}
sub utcmin
{
	my $ruletime=shift;
	my ($hrs,$min) = split(":",$ruletime);
	my $newtime = $hrs*60+$min;
	return $newtime;
}
sub p2pblock
{
	my $P2PSTRING;
	my $DO;
	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
	@p2ps = <FILE>;
	close FILE;
	my $CMD = "-m ipp2p";
	foreach my $p2pentry (sort @p2ps) {
		my @p2pline = split( /\;/, $p2pentry );
		if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
			$DO = "ACCEPT";
			if ("$p2pline[2]" eq "on") {
				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
			}
		}else {
			$DO = "RETURN";
			if ("$p2pline[2]" eq "off") {
				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
			}
		}
	}
	if ($MODE eq 1){
		if($P2PSTRING){
			print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
		}
	}else{
		if($P2PSTRING){
			system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
		}
	}
}

sub get_address
{
	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
	my $base2=shift;
	my $type=shift; #src or tgt
	my $hash;
	if ($type eq 'src'){
		$hash=\%sourcehash;	
	}else{
		$hash=\%targethash;
	}
	my $key = &General::findhasharraykey($hash);
	if($base eq 'src_addr' || $base eq 'tgt_addr' ){
		if (&General::validmac($base2)){
			$$hash{$key}[0] = "-m mac --mac-source $base2";
		}else{
			$$hash{$key}[0] = $base2;
		}
	}elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
		$$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
	}elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
		$$hash{$key}[0]=&fwlib::get_net_ip($base2);
	}elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
		$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
	}elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
		$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
	}elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
		$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
	}elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
		$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
	}elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
		$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
	}
}
sub get_prot
{
	my $hash=shift;
	my $key=shift;
	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
		if ($$hash{$key}[10] ne ''){
			return"$$hash{$key}[8]";
		}elsif($$hash{$key}[9] ne ''){
			return"$$hash{$key}[8]";
		}else{
			return "$$hash{$key}[8]";
		}
	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
		if ($$hash{$key}[14] eq 'TGT_PORT'){
			if ($$hash{$key}[15] ne ''){
				return "$$hash{$key}[12]";
			}elsif($$hash{$key}[13] ne ''){
				return "$$hash{$key}[12]";
			}else{
				return "$$hash{$key}[12]";
			}
		}elsif($$hash{$key}[14] eq 'cust_srv'){
			return &fwlib::get_srv_prot($$hash{$key}[15]);
			
		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
			return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
		}
	}
}
sub get_port
{
	my $hash=shift;
	my $key=shift;
	my $prot=shift;
	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
		if ($$hash{$key}[10] ne ''){
			$$hash{$key}[10] =~ s/\|/,/g;
			if(index($$hash{$key}[10],",") > 0){
				return "-m multiport --sport $$hash{$key}[10] ";
			}else{
				return "--sport $$hash{$key}[10] ";
			}
		}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
			return "--icmp-type $$hash{$key}[9] ";
		}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
			return;
		}
	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
		
		if($$hash{$key}[14] eq 'TGT_PORT'){
			if ($$hash{$key}[15] ne ''){
				$$hash{$key}[15] =~ s/\|/,/g;
				if(index($$hash{$key}[15],",") > 0){
					return "-m multiport --dport $$hash{$key}[15] ";
				}else{
					return "--dport $$hash{$key}[15] ";
				}
			}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
				return "--icmp-type $$hash{$key}[13] ";
			}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
				return;
			}
		}elsif($$hash{$key}[14] eq 'cust_srv'){
			if ($prot ne 'ICMP'){
				return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
			}elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
				return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
			}elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
				return;
			}
		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
			if 	($prot ne 'ICMP'){
				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
			}
			elsif($prot eq 'ICMP'){
				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
			}
		}
	}
}
Commit	Line	Data
2a81ab0d AM	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21	# #
	22	# Hi folks! I hope this code is useful for all. I needed something to handle #
	23	# my VPN Connections in a comfortable way. #
	24	# This script builds firewallrules from the webinterface #
	25	###############################################################################
	26
2a81ab0d	27	use strict;
472136c9	28	use Time::Local;
2a81ab0d AM	29	no warnings 'uninitialized';
	30
	31	# enable only the following on debugging purpose
	32	#use warnings;
	33	#use CGI::Carp 'fatalsToBrowser';
	34
	35	my %fwdfwsettings=();
	36	my %defaultNetworks=();
	37	my %configfwdfw=();
	38	my %color=();
	39	my %icmptypes=();
	40	my %ovpnSettings=();
	41	my %customgrp=();
	42	our %sourcehash=();
	43	our %targethash=();
	44	my @timeframe=();
	45	my %configinputfw=();
5d7faa45	46	my %configoutgoingfw=();
31fef6cc	47	my %configdmzfw=();
2a81ab0d AM	48	my %aliases=();
2a81ab0d AM	49	my @DPROT=();
36196d0d	50	my @p2ps=();
2a81ab0d AM	51	require '/var/ipfire/general-functions.pl';
	52	require "${General::swroot}/lang.pl";
	53	require "${General::swroot}/forward/bin/firewall-lib.pl";
	54
31fef6cc	55	my $configdmz = "${General::swroot}/forward/dmz";
2a81ab0d AM	56	my $configfwdfw = "${General::swroot}/forward/config";
2a81ab0d AM	57	my $configinput = "${General::swroot}/forward/input";
5d7faa45	58	my $configoutgoing = "${General::swroot}/forward/outgoing";
36196d0d	59	my $p2pfile = "${General::swroot}/forward/p2protocols";
2a81ab0d	60	my $configgrp = "${General::swroot}/fwhosts/customgroups";
210ee67b	61	my $netsettings = "${General::swroot}/ethernet/settings";
2a81ab0d	62	my $errormessage='';
210ee67b AM	63	my $orange;
210ee67b AM	64	my $green;
6adcf156	65	my $blue;
2a81ab0d AM	66	my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
2a81ab0d AM	67	my $CHAIN="FORWARDFW";
ddcec9d3	68	my $conexists='off';
2a81ab0d AM	69
2a81ab0d AM	70	&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
210ee67b	71	&General::readhash("$netsettings", \%defaultNetworks);
31fef6cc	72	&General::readhasharray($configdmz, \%configdmzfw);
2a81ab0d AM	73	&General::readhasharray($configfwdfw, \%configfwdfw);
2a81ab0d AM	74	&General::readhasharray($configinput, \%configinputfw);
5d7faa45	75	&General::readhasharray($configoutgoing, \%configoutgoingfw);
2a81ab0d AM	76	&General::readhasharray($configgrp, \%customgrp);
	77	&General::get_aliases(\%aliases);
	78
ddcec9d3 AM	79	#check if we have an internetconnection
	80	open (CONN,"/var/ipfire/red/iface");
	81	my $con = <CONN>;
	82	close(CONN);
	83	if (-f "/var/ipfire/red/active"){
	84	$conexists='on';
	85	}
	86
2a81ab0d AM	87	################################
	88	# DEBUG/TEST #
	89	################################
54cb7ff0	90	my $MODE=1; # 0 - normal operation
2a81ab0d AM	91	# 1 - print configline and rules to console
	92	#
	93	################################
	94	my $param=shift;
	95
	96	if($param eq 'flush'){
	97	if ($MODE eq '1'){
	98	print " Flushing chains...\n";
	99	}
	100	&flush;
	101	}else{
	102	if ($MODE eq '1'){
	103	print " Flushing chains...\n";
	104	}
	105	&flush;
	106	if ($MODE eq '1'){
	107	print " Preparing rules...\n";
	108	}
	109	&preparerules;
	110	if($MODE eq '0'){
	111	if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
af49e367	112	&p2pblock;
5d7faa45	113	system ("/usr/sbin/firewall-policy");
2a81ab0d	114	}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
6adcf156 AM	115	$defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
6adcf156 AM	116	$green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
6adcf156 AM	117	if ($defaultNetworks{'BLUE_DEV'}){
	118	$defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
	119	$blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
	120	#set default rules for BLUE
	121	system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
	122	}
5b7ed8bb AM	123	if ($defaultNetworks{'ORANGE_DEV'}){
	124	$defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
	125	$orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
	126	#set default rules for DMZ
	127	system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
	128	if ($defaultNetworks{'BLUE_DEV'}){
	129	system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
	130	}
	131	}
6adcf156	132	&p2pblock;
fd10a52c	133	system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
5d7faa45	134	system ("/usr/sbin/firewall-policy");
2a81ab0d AM	135	}
	136	}
	137	}
2a81ab0d AM	138	sub flush
	139	{
	140	system ("iptables -F FORWARDFW");
	141	system ("iptables -F INPUTFW");
5d7faa45	142	system ("iptables -F OUTGOINGFW");
2a81ab0d AM	143	}
	144	sub preparerules
	145	{
31fef6cc AM	146	if (! -z "${General::swroot}/forward/dmz"){
	147	&buildrules(\%configdmzfw);
	148	}
2a81ab0d AM	149	if (! -z "${General::swroot}/forward/config"){
	150	&buildrules(\%configfwdfw);
	151	}
	152	if (! -z "${General::swroot}/forward/input"){
	153	&buildrules(\%configinputfw);
	154	}
5d7faa45 AM	155	if (! -z "${General::swroot}/forward/outgoing"){
	156	&buildrules(\%configoutgoingfw);
	157	}
2a81ab0d AM	158	}
	159	sub buildrules
	160	{
	161	my $hash=shift;
b5269091	162	my $STAG;
992394d5	163	foreach my $key (sort {$a <=> $b} keys %$hash){
ddcec9d3	164	next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
b5269091	165	$STAG='';
2a81ab0d AM	166	if($$hash{$key}[2] eq 'ON'){
	167	#get source ip's
	168	if ($$hash{$key}[3] eq 'cust_grp_src'){
992394d5	169	foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d AM	170	if($customgrp{$grp}[0] eq $$hash{$key}[4]){
	171	&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
	172	}
	173	}
	174	}else{
	175	&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
	176	}
	177	#get target ip's
	178	if ($$hash{$key}[5] eq 'cust_grp_tgt'){
992394d5	179	foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d AM	180	if($customgrp{$grp}[0] eq $$hash{$key}[6]){
	181	&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
	182	}
	183	}
	184	}elsif($$hash{$key}[5] eq 'ipfire'){
2a81ab0d AM	185	if($$hash{$key}[6] eq 'Default IP'){
	186	open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
	187	$targethash{$key}[0]= <FILE>;
	188	close(FILE);
	189	}else{
	190	foreach my $alias (sort keys %aliases){
	191	if ($$hash{$key}[6] eq $alias){
	192	$targethash{$key}[0]=$aliases{$alias}{'IPT'};
	193	}
	194	}
	195	}
	196	}else{
	197	&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
	198	}
2a81ab0d AM	199	##get source prot and port
	200	$SRC_TGT='SRC';
	201	$SPROT = &get_prot($hash,$key);
	202	$SPORT = &get_port($hash,$key);
	203	$SRC_TGT='';
14f7cb87	204
2a81ab0d AM	205	##get target prot and port
2a81ab0d AM	206	$DPROT=&get_prot($hash,$key);
14f7cb87	207
2a81ab0d AM	208	if ($DPROT eq ''){$DPROT=' ';}
2a81ab0d AM	209	@DPROT=split(",",$DPROT);
14f7cb87	210
2a81ab0d AM	211	#get time if defined
2a81ab0d AM	212	if($$hash{$key}[18] eq 'ON'){
472136c9 AM	213	my ($time1,$time2,$daylight);
	214	my $daylight=$$hash{$key}[28];
	215	$time1=&get_time($$hash{$key}[26],$daylight);
	216	$time2=&get_time($$hash{$key}[27],$daylight);
2a81ab0d AM	217	if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
	218	if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
	219	if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
	220	if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
	221	if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
	222	if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
	223	if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
	224	$TIME=join(",",@timeframe);
472136c9 AM	225
	226	$TIMEFROM="--timestart $time1 ";
	227	$TIMETILL="--timestop $time2 ";
a0f267b9	228	$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
2a81ab0d	229	}
2a81ab0d AM	230	if ($MODE eq '1'){
	231	print "NR:$key ";
	232	foreach my $i (0 .. $#{$$hash{$key}}){
	233	print "$i: $$hash{$key}[$i] ";
	234	}
	235	print "\n";
	236	print"##################################\n";
	237	#print rules to console
2a81ab0d AM	238	foreach my $DPROT (@DPROT){
	239	$DPORT = &get_port($hash,$key,$DPROT);
	240	if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
	241	$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
	242	foreach my $a (sort keys %sourcehash){
	243	foreach my $b (sort keys %targethash){
d7dc9718	244	if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \|\| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d	245	if($SPROT eq '' \|\| $SPROT eq $DPROT \|\| $DPROT eq ' '){
5d7faa45	246	if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8 AM	247	if(substr($DPORT, 2, 4) eq 'icmp'){
	248	my @icmprule= split(",",substr($DPORT, 12,));
	249	foreach (@icmprule){
	250	if ($$hash{$key}[17] eq 'ON'){
	251	print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
	252	}
	253	print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
	254	}
	255	}else{
	256	if ($$hash{$key}[17] eq 'ON'){
	257	print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
	258	}
	259	print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
2a81ab0d	260	}
2a81ab0d AM	261	}
	262	}
	263	}
	264	}
	265	print"\n";
	266	}
2a81ab0d AM	267	}elsif($MODE eq '0'){
	268	foreach my $DPROT (@DPROT){
	269	$DPORT = &get_port($hash,$key,$DPROT);
	270	if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
	271	$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
	272	foreach my $a (sort keys %sourcehash){
	273	foreach my $b (sort keys %targethash){
d7dc9718	274	if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \|\| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d	275	if($SPROT eq '' \|\| $SPROT eq $DPROT \|\| $DPROT eq ' '){
5d7faa45	276	if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8 AM	277	if(substr($DPORT, 2, 4) eq 'icmp'){
	278	my @icmprule= split(",",substr($DPORT, 12,));
	279	foreach (@icmprule){
	280	if ($$hash{$key}[17] eq 'ON'){
	281	system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
	282	}
	283	system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
	284	}
	285	}else{
	286	if ($$hash{$key}[17] eq 'ON'){
	287	system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
	288	}
	289	system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
2a81ab0d	290	}
2a81ab0d AM	291	}
	292	}
	293	}
	294	}
2a81ab0d AM	295	}
	296	}
	297	}
	298	%sourcehash=();
	299	%targethash=();
	300	undef $TIME;
	301	undef $TIMEFROM;
	302	undef $TIMETILL;
	303	}
	304	}
472136c9 AM	305	sub get_time
	306	{
	307	my $val=shift;
	308	my $val1=shift;
	309	my $time;
	310	my $minutes;
	311	my $ruletime;
	312	$minutes = &utcmin($val);
	313	$ruletime = $minutes + &time_get_utc($val);
	314	if ($ruletime < 0){$ruletime +=1440;}
	315	if ($ruletime > 1440){$ruletime -=1440;}
	316	$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
	317	return $time;
	318	}
	319	sub time_get_utc
	320	{
	321	# Calculates the UTCtime from a given time
	322	my $val=shift;
	323	my @localtime=localtime(time);
	324	my @gmtime=gmtime(time);
	325	my $diff = ($gmtime[2]60+$gmtime[1]%60)-($localtime[2]60+$localtime[1]%60);
	326	return $diff;
	327	}
	328	sub utcmin
	329	{
	330	my $ruletime=shift;
	331	my ($hrs,$min) = split(":",$ruletime);
	332	my $newtime = $hrs*60+$min;
	333	return $newtime;
	334	}
36196d0d AM	335	sub p2pblock
	336	{
	337	my $P2PSTRING;
	338	my $DO;
	339	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
	340	@p2ps = <FILE>;
	341	close FILE;
	342	my $CMD = "-m ipp2p";
	343	foreach my $p2pentry (sort @p2ps) {
	344	my @p2pline = split( /\;/, $p2pentry );
8d1beadc AM	345	if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
8d1beadc AM	346	$DO = "ACCEPT";
5238a871	347	if ("$p2pline[2]" eq "on") {
36196d0d AM	348	$P2PSTRING = "$P2PSTRING --$p2pline[1]";
36196d0d AM	349	}
8d1beadc	350	}else {
36196d0d	351	$DO = "RETURN";
5238a871	352	if ("$p2pline[2]" eq "off") {
36196d0d AM	353	$P2PSTRING = "$P2PSTRING --$p2pline[1]";
	354	}
	355	}
	356	}
	357	if ($MODE eq 1){
	358	if($P2PSTRING){
	359	print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
	360	}
	361	}else{
	362	if($P2PSTRING){
	363	system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
	364	}
	365	}
	366	}
	367
2a81ab0d AM	368	sub get_address
	369	{
	370	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
	371	my $base2=shift;
	372	my $type=shift; #src or tgt
	373	my $hash;
	374	if ($type eq 'src'){
	375	$hash=\%sourcehash;
	376	}else{
	377	$hash=\%targethash;
	378	}
	379	my $key = &General::findhasharraykey($hash);
	380	if($base eq 'src_addr' \|\| $base eq 'tgt_addr' ){
b5269091 AM	381	if (&General::validmac($base2)){
	382	$$hash{$key}[0] = "-m mac --mac-source $base2";
	383	}else{
	384	$$hash{$key}[0] = $base2;
	385	}
2a81ab0d	386	}elsif($base eq 'std_net_src' \|\| $base eq 'std_net_tgt' \|\| $base eq 'Standard Network'){
ddcec9d3	387	$$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
2a81ab0d AM	388	}elsif($base eq 'cust_net_src' \|\| $base eq 'cust_net_tgt' \|\| $base eq 'Custom Network'){
	389	$$hash{$key}[0]=&fwlib::get_net_ip($base2);
	390	}elsif($base eq 'cust_host_src' \|\| $base eq 'cust_host_tgt' \|\| $base eq 'Custom Host'){
	391	$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
	392	}elsif($base eq 'ovpn_net_src' \|\| $base eq 'ovpn_net_tgt' \|\| $base eq 'OpenVPN static network'){
	393	$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
	394	}elsif($base eq 'ovpn_host_src' \|\|$base eq 'ovpn_host_tgt' \|\| $base eq 'OpenVPN static host'){
	395	$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
	396	}elsif($base eq 'ovpn_n2n_src' \|\|$base eq 'ovpn_n2n_tgt' \|\| $base eq 'OpenVPN N-2-N'){
	397	$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
	398	}elsif($base eq 'ipsec_net_src' \|\| $base eq 'ipsec_net_tgt' \|\| $base eq 'IpSec Network'){
	399	$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
	400	}
	401	}
	402	sub get_prot
	403	{
	404	my $hash=shift;
	405	my $key=shift;
	406	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
	407	if ($$hash{$key}[10] ne ''){
	408	return"$$hash{$key}[8]";
	409	}elsif($$hash{$key}[9] ne ''){
	410	return"$$hash{$key}[8]";
	411	}else{
	412	return "$$hash{$key}[8]";
	413	}
	414	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
	415	if ($$hash{$key}[14] eq 'TGT_PORT'){
	416	if ($$hash{$key}[15] ne ''){
	417	return "$$hash{$key}[12]";
	418	}elsif($$hash{$key}[13] ne ''){
	419	return "$$hash{$key}[12]";
	420	}else{
	421	return "$$hash{$key}[12]";
	422	}
	423	}elsif($$hash{$key}[14] eq 'cust_srv'){
	424	return &fwlib::get_srv_prot($$hash{$key}[15]);
	425
	426	}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
	427	return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
	428	}
	429	}
	430	}
	431	sub get_port
	432	{
	433	my $hash=shift;
	434	my $key=shift;
	435	my $prot=shift;
	436	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
	437	if ($$hash{$key}[10] ne ''){
8f0b047b	438	$$hash{$key}[10] =~ s/\\|/,/g;
93a5f4a5 AM	439	if(index($$hash{$key}[10],",") > 0){
	440	return "-m multiport --sport $$hash{$key}[10] ";
	441	}else{
	442	return "--sport $$hash{$key}[10] ";
	443	}
62fc8511	444	}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
2a81ab0d	445	return "--icmp-type $$hash{$key}[9] ";
62fc8511 AM	446	}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
62fc8511 AM	447	return;
2a81ab0d AM	448	}
2a81ab0d AM	449	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
b5269091	450
2a81ab0d AM	451	if($$hash{$key}[14] eq 'TGT_PORT'){
2a81ab0d AM	452	if ($$hash{$key}[15] ne ''){
8f0b047b	453	$$hash{$key}[15] =~ s/\\|/,/g;
93a5f4a5 AM	454	if(index($$hash{$key}[15],",") > 0){
	455	return "-m multiport --dport $$hash{$key}[15] ";
	456	}else{
	457	return "--dport $$hash{$key}[15] ";
	458	}
2a81ab0d AM	459	}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
	460	return "--icmp-type $$hash{$key}[13] ";
	461	}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
	462	return;
	463	}
	464	}elsif($$hash{$key}[14] eq 'cust_srv'){
	465	if ($prot ne 'ICMP'){
	466	return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
	467	}elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
	468	return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
	469	}elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
	470	return;
	471	}
	472	}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
	473	if ($prot ne 'ICMP'){
	474	return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
	475	}
	476	elsif($prot eq 'ICMP'){
	477	return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
	478	}
2a81ab0d AM	479	}
	480	}
	481	}