ac1cfefa | 1 | #!/usr/bin/perl |
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2012 IPFire Team <info@ipfire.org>                       #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################
ac1cfefa | 21 | |
75bc929e | 22 | use strict; |
ac1cfefa MT |
23 | |
24 | use Net::IPv4Addr qw( :all ); | |
75bc929e | 25 | use Switch; |
ac1cfefa MT |
26 | |
27 | # enable only the following on debugging purpose | |
1465b127 | 28 | #use warnings; |
cb5e9c6c | 29 | #use CGI::Carp 'fatalsToBrowser'; |
ac1cfefa | 30 | |
986e08d9 | 31 | require '/var/ipfire/general-functions.pl'; |
ac1cfefa MT |
32 | require "${General::swroot}/lang.pl"; |
33 | require "${General::swroot}/header.pl"; | |

# Grey used for the multicast entry in the legend and in the table.
my $colour_multicast = "#A0A0A0";

&Header::showhttpheaders();

# Three parallel lists: entry $i describes the network
# $network[$i]/$masklen[$i] and the colour its addresses are drawn in.
# They are filled in below and searched by ipcolour().
my (@network, @masklen, @colour);

my %netsettings = ();
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

# Touch ${Header::table1colour} once so perl does not complain that the
# variable is used only once.
my @dummy = ( ${Header::table1colour} );
undef(@dummy);

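# Read the connection tracking table, ordered by the 5th whitespace
# separated field (the entry's remaining lifetime) in descending order,
# which is what `getconntracktable | sort -k 5,5 --numeric-sort
# --reverse` produced before.  The helper is now started directly with a
# lexical handle (no shell, no bareword global handle) and the numeric
# sort is done here; entries with equal lifetimes keep the helper's order.
my @conntrack = ();
open(my $conntrack_fh, '-|', '/usr/local/bin/getconntracktable')
    or die "Unable to read conntrack table: $!";
@conntrack = map  { $_->[1] }
             sort { $b->[0] <=> $a->[0] }
             map  { [ (split(' ', $_))[4], $_ ] } <$conntrack_fh>;
close($conntrack_fh);
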
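# Collect data for the @network array: the firewall's own addresses
# come first, all drawn in the firewall colour.

# The firewall itself (localhost).
push(@network, '127.0.0.1');
push(@masklen, '255.255.255.255');
push(@colour, ${Header::colourfw});

# The current RED address, when the file is present.  The file is
# optional, so a failed open or an empty file simply adds nothing
# (previously an empty file pushed an undefined network entry).
if (open(my $redip_fh, '<', "${General::swroot}/red/local-ipaddress")) {
    my $redip = <$redip_fh>;
    close($redip_fh);

    if (defined $redip) {
        chomp($redip);
        push(@network, $redip);
        push(@masklen, '255.255.255.255');
        push(@colour, ${Header::colourfw});
    }
}

# Add STATIC RED aliases.  The alias file is only used (and now only
# opened) when RED is a STATIC ethernet interface; the open is 3-arg
# with a lexical handle and reports errno on failure.
if ($netsettings{'RED_DEV'} && $netsettings{'RED_TYPE'} eq 'STATIC') {
    my $aliasfile = "${General::swroot}/ethernet/aliases";
    open(my $alias_fh, '<', $aliasfile)
        or die "Unable to open aliases file $aliasfile: $!";
    my @aliases = <$alias_fh>;
    close($alias_fh);

    foreach my $line (@aliases) {
        chomp($line);
        # Lines are comma separated; only the first field, the alias
        # address, is needed here.
        my ($alias_ip) = split(/\,/, $line);
        if ($alias_ip) {
            push(@network, $alias_ip);
            push(@masklen, $netsettings{'RED_NETMASK'});
            push(@colour, ${Header::colourfw});
        }
    }
}
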
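# Push every kernel route on interface $dev onto the network tables,
# coloured $zone_colour.  route(1) is started directly and the interface
# match is a fixed-string comparison done here, so the device name read
# from the settings file never becomes part of a shell command line
# (previously `/sbin/route -n | /bin/grep $dev` in backticks).
sub _push_device_routes {
    my ($dev, $zone_colour) = @_;

    # grep(1) with no pattern fails and prints nothing; keep that
    # outcome for an unset device instead of matching every line.
    return unless defined $dev && $dev ne '';

    open(my $route_fh, '-|', '/sbin/route', '-n') or return;
    while (my $route = <$route_fh>) {
        chomp($route);
        next if index($route, $dev) < 0;

        # route -n columns:
        # Destination Gateway Genmask Flags Metric Ref Use Iface
        my @field = split(/[\t ]+/, $route);
        push(@network, $field[0]);
        push(@masklen, $field[2]);
        push(@colour, $zone_colour);
    }
    close($route_fh);
    return;
}

# Add Green Firewall Interface
push(@network, $netsettings{'GREEN_ADDRESS'});
push(@masklen, "255.255.255.255");
push(@colour, ${Header::colourfw});

# Add Green Network to Array
push(@network, $netsettings{'GREEN_NETADDRESS'});
push(@masklen, $netsettings{'GREEN_NETMASK'});
push(@colour, ${Header::colourgreen});

# Add Green Routes to Array
_push_device_routes($netsettings{'GREEN_DEV'}, ${Header::colourgreen});

# Add Blue Firewall Interface.  Pushed even without a BLUE device, as
# before; an empty address is skipped when the tables are searched.
push(@network, $netsettings{'BLUE_ADDRESS'});
push(@masklen, "255.255.255.255");
push(@colour, ${Header::colourfw});

# Add Blue Network and its routes
if ($netsettings{'BLUE_DEV'}) {
    push(@network, $netsettings{'BLUE_NETADDRESS'});
    push(@masklen, $netsettings{'BLUE_NETMASK'});
    push(@colour, ${Header::colourblue});

    _push_device_routes($netsettings{'BLUE_DEV'}, ${Header::colourblue});
}

# Add Orange Network and its routes
if ($netsettings{'ORANGE_DEV'}) {
    push(@network, $netsettings{'ORANGE_NETADDRESS'});
    push(@masklen, $netsettings{'ORANGE_NETMASK'});
    push(@colour, ${Header::colourorange});

    _push_device_routes($netsettings{'ORANGE_DEV'}, ${Header::colourorange});
}
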
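# Highlight multicast connections: 224.0.0.0/4, i.e. netmask 240.0.0.0.
# The previous mask 239.0.0.0 is not a contiguous netmask and did not
# cover the whole 224.0.0.0 - 239.255.255.255 range.
push(@network, "224.0.0.0");
push(@masklen, "240.0.0.0");
push(@colour, $colour_multicast);
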
# Add the OpenVPN net and, where OpenVPN is enabled on BLUE/ORANGE and
# that zone exists, the zone's interface address in the OpenVPN colour.
my $ovpn_settings_file = "${General::swroot}/ovpn/settings";
if (-e $ovpn_settings_file) {
    my %ovpnsettings = ();
    &General::readhash($ovpn_settings_file, \%ovpnsettings);

    # DOVPN_SUBNET is "network/mask".
    my ($ovpn_net, $ovpn_mask) = split("\/", $ovpnsettings{'DOVPN_SUBNET'});
    push(@network, $ovpn_net);
    push(@masklen, $ovpn_mask);
    push(@colour, ${Header::colourovpn});

    # BLUE first, then ORANGE, each as a single host entry.
    foreach my $zone (qw(BLUE ORANGE)) {
        next unless $ovpnsettings{"ENABLED_$zone"} eq 'on';
        next unless $netsettings{"${zone}_DEV"};

        push(@network, $netsettings{"${zone}_ADDRESS"});
        push(@masklen, '255.255.255.255');
        push(@colour, ${Header::colourovpn});
    }
}

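# Add IPsec networks.  The config file is optional, so it is opened
# 3-arg with a lexical handle inside a guard: a missing file adds
# nothing instead of reading from an unopened bareword handle.
if (open(my $ipsec_fh, '<', "${General::swroot}/vpn/config")) {
    my @ipsec = <$ipsec_fh>;
    close($ipsec_fh);

    foreach my $line (@ipsec) {
        my @vpn = split(',', $line);
        # Field 12 holds "network/mask"; skip short or empty lines
        # rather than converting an undefined mask.
        next unless defined $vpn[12];

        my ($network, $mask) = split("/", $vpn[12]);

        # The mask is either a dotted quad or a CIDR prefix length.
        if (!&General::validip($mask)) {
            $mask = ipv4_cidr2msk($mask);
        }

        push(@network, $network);
        push(@masklen, $mask);
        push(@colour, ${Header::colourvpn});
    }
}
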
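# Add OpenVPN net-to-net networks.  Both the marker file and the
# configuration are optional; a configuration that cannot be opened
# adds nothing instead of reading from an unopened bareword handle.
if (-e "${General::swroot}/ovpn/n2nconf") {
    if (open(my $n2n_fh, '<', "${General::swroot}/ovpn/ovpnconfig")) {
        my @ovpnn2n = <$n2n_fh>;
        close($n2n_fh);

        foreach my $line (@ovpnn2n) {
            my @ovpn = split(',', $line);
            # Field 4 marks net-to-net entries ('net'); skip the rest,
            # and skip lines without a field 12 ("network/mask").
            next if ($ovpn[4] ne 'net');
            next unless defined $ovpn[12];

            my ($network, $mask) = split("/", $ovpn[12]);

            # The mask is either a dotted quad or a CIDR prefix length.
            if (!&General::validip($mask)) {
                $mask = ipv4_cidr2msk($mask);
            }

            push(@network, $network);
            push(@masklen, $mask);
            push(@colour, ${Header::colourovpn});
        }
    }
}
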
# Show the page.
&Header::openpage($Lang::tr{'connections'}, 1, '');
&Header::openbigbox('100%', 'left');
&Header::openbox('100%', 'left', $Lang::tr{'connection tracking'});

# Colour legend followed by the header row of the connection table;
# both are emitted in one go.
print <<"END";
<table width='100%'>
<tr>
<td align='center'>
<b>$Lang::tr{'legend'} : </b>
</td>
<td align='center' bgcolor='${Header::colourgreen}'>
<b><font color='#FFFFFF'>$Lang::tr{'lan'}</font></b>
</td>
<td align='center' bgcolor='${Header::colourred}'>
<b><font color='#FFFFFF'>$Lang::tr{'internet'}</font></b>
</td>
<td align='center' bgcolor='${Header::colourorange}'>
<b><font color='#FFFFFF'>$Lang::tr{'dmz'}</font></b>
</td>
<td align='center' bgcolor='${Header::colourblue}'>
<b><font color='#FFFFFF'>$Lang::tr{'wireless'}</font></b>
</td>
<td align='center' bgcolor='${Header::colourfw}'>
<b><font color='#FFFFFF'>IPFire</font></b>
</td>
<td align='center' bgcolor='${Header::colourvpn}'>
<b><font color='#FFFFFF'>$Lang::tr{'vpn'}</font></b>
</td>
<td align='center' bgcolor='${Header::colourovpn}'>
<b><font color='#FFFFFF'>$Lang::tr{'OpenVPN'}</font></b>
</td>
<td align='center' bgcolor='$colour_multicast'>
<b><font color='#FFFFFF'>Multicast</font></b>
</td>
</tr>
</table>
<br>
<table width='100%'>
<tr>
<th align='center'>
$Lang::tr{'protocol'}
</th>
<th align='center'>
$Lang::tr{'source ip and port'}
</th>
<th> </th>
<th align='center'>
$Lang::tr{'dest ip and port'}
</th>
<th> </th>
<th align='center'>
$Lang::tr{'download'} /
<br>$Lang::tr{'upload'}
</th>
<th align='center'>
$Lang::tr{'connection'}<br>$Lang::tr{'status'}
</th>
<th align='center'>
$Lang::tr{'expires'}<br>($Lang::tr{'seconds'})
</th>
</tr>
END

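# Names for protocol numbers that conntrack reports as "unknown"; any
# other unknown protocol is shown by its number.  Built once, outside
# the per-connection loop.
my %l4proto_name_of = (
    '2'   => 'IGMP',
    '4'   => 'IPv4 Encap',
    '33'  => 'DCCP',
    '41'  => 'IPv6 Encap',
    '50'  => 'ESP',
    '51'  => 'AH',
    '132' => 'SCTP',
);

foreach my $line (@conntrack) {
    my @conn = split(' ', $line);

    # The first field is the l3 protocol; only IPv4 entries are shown.
    my $l3proto = $conn[0];
    next if ($l3proto ne 'ipv4');

    # L4 protocol name (3rd field) and number (4th field).
    my $l4proto = $conn[2];
    if ($l4proto eq 'unknown') {
        my $l4protonum = $conn[3];
        $l4proto = exists $l4proto_name_of{$l4protonum}
                 ? $l4proto_name_of{$l4protonum}
                 : $l4protonum;
    } else {
        $l4proto = uc($l4proto);
    }

    # Remaining lifetime (5th field).  A connection state (6th field) is
    # only taken for TCP; every other protocol gets an empty cell.
    my $ttl   = format_time($conn[4]);
    my $state = ($l4proto eq 'TCP') ? $conn[5] : '';

    # Pick the key=value fields out of the entry.  packets= and bytes=
    # are collected in order of appearance ($bytes[0]/$bytes[1] are shown
    # as in/out); for any other key the last occurrence wins, which is
    # what the previous code did as well.
    my %value_of = ();
    my (@packets, @bytes);
    foreach my $item (@conn) {
        my ($key, $val) = split('=', $item, 2);
        next unless defined $val;

        if ($key eq 'packets') {
            push(@packets, $val);
        } elsif ($key eq 'bytes') {
            push(@bytes, $val);
        } else {
            $value_of{$key} = $val;
        }
    }
    my ($sip, $dip, $sport, $dport) = @value_of{qw(src dst sport dport)};

    my $sip_colour = ipcolour($sip);
    my $dip_colour = ipcolour($dip);

    # " (HTTP)"-style service name for well-known ports, else ''.
    my $sserv = _service_suffix($sport, $l4proto);
    my $dserv = _service_suffix($dport, $l4proto);

    my $bytes_in  = format_bytes($bytes[0]);
    my $bytes_out = format_bytes($bytes[1]);

    # The address, port, protocol and state values come from the
    # kernel's conntrack table and are printed unescaped, as before.
    print <<END;
<tr>
<td align='center'>$l4proto</td>
<td align='center' bgcolor='$sip_colour'>
<a href='/cgi-bin/ipinfo.cgi?ip=$sip'>
<font color='#FFFFFF'>$sip</font>
</a>
</td>
<td align='center' bgcolor='$sip_colour'>
<a href='http://isc.sans.org/port_details.php?port=$sport' target='top'>
<font color='#FFFFFF'>$sport$sserv</font>
</a>
</td>
<td align='center' bgcolor='$dip_colour'>
<a href='/cgi-bin/ipinfo.cgi?ip=$dip'>
<font color='#FFFFFF'>$dip</font>
</a>
</td>
<td align='center' bgcolor='$dip_colour'>
<a href='http://isc.sans.org/port_details.php?port=$dport' target='top'>
<font color='#FFFFFF'>$dport$dserv</font>
</a>
</td>
<td align='center'>
$bytes_in / $bytes_out
</td>
<td align='center'>$state</td>
<td align='center'>$ttl</td>
</tr>
END
}

# Return " (NAME)" when $port is a privileged port (< 1024) that has a
# service name for $proto in the services database, otherwise ''.  An
# undefined port (e.g. ICMP entries) yields ''.
sub _service_suffix {
    my ($port, $proto) = @_;
    return '' unless defined $port && $port < 1024;

    my $name = uc(getservbyport($port, lc($proto)));
    return ($name ne '') ? " ($name)" : '';
}
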
# Close the main table, then the box and the page.
print "</table>";

Header::closebox();
Header::closebigbox();
Header::closepage();

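# Format a byte count as a short human readable string, e.g. "512B",
# "3k", "12M".  The value is divided by 1024 until it drops below 1024
# and printed with the matching unit; the fraction is dropped by %d, and
# anything beyond the last unit is still printed in that unit.  An
# undefined count (conntrack entry without accounting data) is shown as
# "0B" without triggering warnings.  The inert ($) prototype was dropped.
sub format_bytes {
    my ($bytes) = @_;
    $bytes = 0 unless defined $bytes;

    my @units = ("B", "k", "M", "G", "T");
    foreach my $unit (@units) {
        return sprintf("%d%s", $bytes, $unit) if $bytes < 1024;
        $bytes /= 1024;
    }

    return sprintf("%d%s", $bytes, $units[-1]);
}
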
# Render a lifetime in seconds as "HHH:MM:SS": hours right aligned in
# three columns, minutes and seconds zero padded.  The divisions below
# leave fractions that %d truncates.
sub format_time($) {
    my ($total) = @_;

    my $secs = $total % 60;
    my ($hrs, $mins) = (0, $total / 60);

    # Only split off hours once a whole hour has accumulated.
    ($hrs, $mins) = ($mins / 60, $mins % 60) if $mins >= 60;

    return sprintf("%3d:%02d:%02d", $hrs, $mins, $secs);
}

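# Return the colour for address $ip: the colour of the first entry in
# the network tables (in fill order) whose network contains it, or
# ${Header::colourred} when none does.  Empty table entries (zones that
# are not configured) are skipped, and the scan stops at the first
# match instead of walking the rest of the table.  An undefined address
# gets the default colour rather than being handed to
# ipv4_in_network().  The inert ($) prototype was dropped.
sub ipcolour {
    my ($ip) = @_;
    my $colour = ${Header::colourred};

    return $colour unless defined $ip;

    for my $i (0 .. $#network) {
        next if $network[$i] eq '';

        if (ipv4_in_network($network[$i], $masklen[$i], $ip)) {
            $colour = $colour[$i];
            last;    # first match wins
        }
    }

    return $colour;
}
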
1;   # end the script with a true value, as a require'd file must