#!/usr/bin/perl -w
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################
use strict;
use Time::Local qw(timegm);

require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "/usr/lib/firewall/firewall-lib.pl";
# Set to one to enable debugging mode: run() then prints the iptables
# commands instead of executing them.
my $DEBUG = 0;

my $IPTABLES = "iptables --wait";

# iptables chains this script populates. The mangle-table chain used for
# DNAT marking carries the same name as the nat-table destination chain.
my $CHAIN_INPUT   = "INPUTFW";
my $CHAIN_FORWARD = "FORWARDFW";
my $CHAIN_OUTPUT  = "OUTGOINGFW";
my $CHAIN         = $CHAIN_FORWARD;
my $CHAIN_NAT_SOURCE      = "NAT_SOURCE";
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
my @VALID_CHAINS  = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);

# Spellings of "any address"; buildrules() omits -s/-d for these.
my @ANY_ADDRESSES = qw(0.0.0.0/0.0.0.0 0.0.0.0/0 0/0);

# Protocols a rule may use; only the first two carry port numbers.
my @PROTOCOLS = qw(tcp udp icmp igmp ah esp gre ipv6 ipip);
my @PROTOCOLS_WITH_PORTS = qw(tcp udp);

my @VALID_TARGETS = qw(ACCEPT DROP REJECT);

# Settings and rule tables, filled in below.
my (%fwdfwsettings, %fwoptions, %defaultNetworks);
my (%configfwdfw, %customgrp, %configinputfw, %configoutgoingfw, %confignatfw);
my @p2ps;

my $configfwdfw    = "${General::swroot}/firewall/config";
my $configinput    = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile        = "${General::swroot}/firewall/p2protocols";
my $geoipfile      = "${General::swroot}/firewall/geoipblock";
my $configgrp      = "${General::swroot}/fwhosts/customgroups";
my $netsettings    = "${General::swroot}/ethernet/settings";

&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
&General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
&General::readhash($netsettings, \%defaultNetworks);

# Rule files are "hash arrays": one numbered line per rule.
foreach my $table ([$configfwdfw, \%configfwdfw],
                   [$configinput, \%configinputfw],
                   [$configoutgoing, \%configoutgoingfw],
                   [$configgrp, \%customgrp]) {
    &General::readhasharray(@$table);
}

my @log_limit_options = &make_log_limit_options();

# Default policies; buildrules() uses them to decide which companion rules
# are added to the INPUT/OUTPUT chains for forwarding rules.
my $POLICY_INPUT_ALLOWED   = 0;
my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"} eq "MODE2");
my $POLICY_OUTPUT_ALLOWED  = ($fwdfwsettings{"POLICY1"} eq "MODE2");

my $POLICY_INPUT_ACTION   = $fwoptions{"FWPOLICY2"};
my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
my $POLICY_OUTPUT_ACTION  = $fwoptions{"FWPOLICY1"};

# MAIN
&main();

sub main {
    # Rebuilds the complete ruleset: flush, rule files, P2P and GeoIP
    # blocking, then the policy and the optional local hook script.
    &flush();

    # Prepare firewall rules from every rule file that is not empty.
    my @rule_tables = (
        [$configinput,    \%configinputfw],
        [$configoutgoing, \%configoutgoingfw],
        [$configfwdfw,    \%configfwdfw],
    );
    foreach my $table (@rule_tables) {
        my ($file, $rules) = @$table;
        next if -z $file;
        &buildrules($rules);
    }

    # Load P2P block rules.
    &p2pblock();

    # Load GeoIP block rules.
    &geoipblock();

    # Reload firewall policy.
    run("/usr/sbin/firewall-policy");

    # Reload firewall.local if present.
    run("/etc/sysconfig/firewall.local reload") if -f '/etc/sysconfig/firewall.local';
}

sub run {
    # Executes the given shell command, or only prints it in debugging mode.
    # A non-zero exit status is reported on STDERR; the script carries on.
    my ($command) = @_;

    if ($DEBUG) {
        print "$command\n";
        return;
    }

    # The command is passed to system() as a single string, so the shell is
    # involved whenever it contains metacharacters; callers rely on that for
    # quoted arguments such as --log-prefix '... '. Every value interpolated
    # into a command therefore has to come from already validated settings.
    system($command);
    print_error("ERROR: $command") if $?;
    return;
}

sub print_error {
    # Writes one diagnostic line to STDERR. It never dies, so one bad rule
    # does not prevent the remaining rules from being installed.
    my ($message) = @_;
    print STDERR $message, "\n";
}

sub print_rule {
    # Dumps one rule line (an array reference) as "RULE:" followed by every
    # element prefixed with its index. Used in debugging mode only.
    my ($rule) = @_;

    my @columns = map { sprintf(" %2d: %s", $_, $rule->[$_]) } 0 .. $#{$rule};
    print "\nRULE:", @columns, "\n";
}

sub count_elements {
    # Number of columns in one rule line (an array reference).
    my ($list) = @_;
    return scalar(@{ $list });
}

sub flush {
    # Empties every chain this script owns so the ruleset is rebuilt from
    # scratch. Each entry is [table arguments, chain name].
    my @chains = (
        [[],                  $CHAIN_INPUT],
        [[],                  $CHAIN_FORWARD],
        [[],                  $CHAIN_OUTPUT],
        [["-t", "nat"],       $CHAIN_NAT_SOURCE],
        [["-t", "nat"],       $CHAIN_NAT_DESTINATION],
        [["-t", "mangle"],    $CHAIN_MANGLE_NAT_DESTINATION_FIX],
    );

    foreach my $entry (@chains) {
        my ($table_args, $chain) = @$entry;
        run(join(" ", $IPTABLES, @$table_args, "-F", $chain));
    }
}

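sub buildrules {
    # Translates one rule table into iptables commands.
    #
    # $hash is a reference to the hash produced by &General::readhasharray()
    # for one rule file (input, outgoing or forward): rule number => array
    # reference. The numeric indices used below are the column positions of
    # that file format ([0] target, [1] chain, [2] ON/OFF, [5] "ipfire" when
    # the destination is the firewall itself, [17] logging, [18]-[27] time
    # constraints, [28]/[29]/[31] NAT switch, NAT address and NAT mode,
    # [32]/[33] connection limit, [34]-[36] rate limit).
    #
    # Every enabled rule is expanded into one iptables command per
    # protocol x source x destination combination, plus NAT, mangle and
    # INPUT/OUTPUT companion rules where applicable. Rules with an invalid
    # target, chain or protocol are reported via print_error() and skipped.
    #
    # All values end up interpolated into a shell command string (see run()),
    # so they must already have been validated by the interface that writes
    # the rule files.
    my $hash = shift;

    # Search for targets that need to be specially handled when adding
    # forwarding rules. Additional rules will automatically get inserted
    # into the INPUT/OUTPUT chains for these targets.
    my @special_input_targets = ();
    if (!$POLICY_FORWARD_ALLOWED) {
        push(@special_input_targets, "ACCEPT");
    }

    if ($POLICY_INPUT_ACTION eq "DROP") {
        push(@special_input_targets, "REJECT");
    } elsif ($POLICY_INPUT_ACTION eq "REJECT") {
        push(@special_input_targets, "DROP");
    }

    my @special_output_targets = ();
    if ($POLICY_OUTPUT_ALLOWED) {
        push(@special_output_targets, ("DROP", "REJECT"));
    } else {
        push(@special_output_targets, "ACCEPT");

        if ($POLICY_OUTPUT_ACTION eq "DROP") {
            push(@special_output_targets, "REJECT");
        } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
            push(@special_output_targets, "DROP");
        }
    }

    foreach my $key (sort {$a <=> $b} keys %$hash) {
        # Skip disabled rules.
        next unless ($$hash{$key}[2] eq 'ON');

        # Count number of elements in this line; the optional connection and
        # rate limit columns are only read when the line is long enough.
        my $elements = &count_elements($$hash{$key});

        if ($DEBUG) {
            print_rule($$hash{$key});
        }

        # Check if the target is valid. The smartmatch has to be parenthesised:
        # "!" binds tighter than "~~", so "!$target ~~ @list" would compare
        # "!$target" (1 or "") with the list and never reject anything.
        my $target = $$hash{$key}[0];
        if (!($target ~~ @VALID_TARGETS)) {
            print_error("Invalid target '$target' for rule $key");
            next;
        }

        # Check if the chain is valid (same precedence note as for the target).
        my $chain = $$hash{$key}[1];
        if (!($chain ~~ @VALID_CHAINS)) {
            print_error("Invalid chain '$chain' in rule $key");
            next;
        }

        # Collect all sources and destinations. Element 0 of each entry is
        # used as the address, element 1 as the interface.
        my @sources = &fwlib::get_addresses($hash, $key, "src");
        my @destinations = &fwlib::get_addresses($hash, $key, "tgt");

        # True if the destination is the firewall itself.
        my $destination_is_firewall = ($$hash{$key}[5] eq "ipfire");

        # Check if logging should be enabled.
        my $LOG = ($$hash{$key}[17] eq 'ON');

        # Check if NAT is enabled and initialize variables, that we use for that.
        my $NAT = ($$hash{$key}[28] eq 'ON');
        my $NAT_MODE;
        if ($NAT) {
            $NAT_MODE = uc($$hash{$key}[31]);
        }

        # Set up time constraints.
        my @time_options = ();
        if ($$hash{$key}[18] eq 'ON') {
            push(@time_options, ("-m", "time"));

            # Select all days of the week this match is active; columns
            # 19 to 25 hold Monday to Sunday.
            my @weekday_names = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun");
            my @weekdays = ();
            foreach my $i (0 .. $#weekday_names) {
                if ($$hash{$key}[19 + $i] ne '') {
                    push(@weekdays, $weekday_names[$i]);
                }
            }
            if (@weekdays) {
                push(@time_options, ("--weekdays", join(",", @weekdays)));
            }

            # Convert start time.
            my $time_start = &format_time($$hash{$key}[26]);
            if ($time_start) {
                push(@time_options, ("--timestart", $time_start));
            }

            # Convert end time.
            my $time_stop = &format_time($$hash{$key}[27]);
            if ($time_stop) {
                push(@time_options, ("--timestop", $time_stop));
            }
        }

        # Concurrent connection limit
        my @ratelimit_options = ();

        # Numeric comparison on purpose: count_elements() returns a number,
        # and a string "ge" would sort "5" after "34".
        if (($elements >= 34) && ($$hash{$key}[32] eq 'ON')) {
            my $conn_limit = $$hash{$key}[33];

            if ($conn_limit ge 1) {
                push(@ratelimit_options, ("-m", "connlimit"));

                # Use the entire source IP address
                push(@ratelimit_options, "--connlimit-saddr");
                push(@ratelimit_options, ("--connlimit-mask", "32"));

                # Apply the limit
                push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
            }
        }

        # Ratelimit
        if (($elements >= 37) && ($$hash{$key}[34] eq 'ON')) {
            my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";

            # Always true because of the separator; an empty rate or unit is
            # left for iptables to reject.
            if ($rate_limit) {
                push(@ratelimit_options, ("-m", "limit"));
                push(@ratelimit_options, ("--limit", $rate_limit));
            }
        }

        # Check which protocols are used in this rule and so that we can
        # later group rules by protocols.
        my @protocols = &get_protocols($hash, $key);
        if (!@protocols) {
            print_error("Invalid protocol configuration for rule $key");
            next;
        }

        foreach my $protocol (@protocols) {
            # Check if the given protocol is supported (parenthesised for
            # the same precedence reason as the target check above).
            if (($protocol ne "all") && !($protocol ~~ @PROTOCOLS)) {
                print_error("Protocol $protocol is not supported (rule $key)");
                next;
            }

            # Prepare protocol options (like ICMP types, ports, etc...).
            my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);

            # Check if this protocol knows ports.
            my $protocol_has_ports = ($protocol ~~ @PROTOCOLS_WITH_PORTS);

            foreach my $src (@sources) {
                # Skip invalid source.
                next unless (defined $src);
                next unless ($src);

                # Sanitize source: "any" becomes an empty string so that no
                # -s argument is emitted.
                my $source = $$src[0];
                if ($source ~~ @ANY_ADDRESSES) {
                    $source = "";
                }

                my $source_intf = $$src[1];

                foreach my $dst (@destinations) {
                    # Skip invalid rules.
                    next unless (defined $dst);
                    next if (!$dst || ($dst eq "none"));

                    # Sanitize destination.
                    my $destination = $$dst[0];
                    if ($destination ~~ @ANY_ADDRESSES) {
                        $destination = "";
                    }

                    my $destination_intf = $$dst[1];

                    # Array with iptables arguments.
                    my @options = ();

                    # Append protocol.
                    if ($protocol ne "all") {
                        push(@options, @protocol_options);
                    }

                    # Prepare source options. MAC and geoip sources are
                    # already complete match expressions.
                    my @source_options = ();
                    if ($source =~ /mac/) {
                        push(@source_options, $source);
                    } elsif ($source =~ /-m geoip/) {
                        push(@source_options, $source);
                    } elsif ($source) {
                        push(@source_options, ("-s", $source));
                    }

                    # Prepare destination options.
                    my @destination_options = ();
                    if ($destination =~ /-m geoip/) {
                        push(@destination_options, $destination);
                    } elsif ($destination) {
                        push(@destination_options, ("-d", $destination));
                    }

                    # Add time constraint options.
                    push(@options, @time_options);

                    # Add ratelimiting option
                    push(@options, @ratelimit_options);

                    # An empty ("any") address always contains the firewall.
                    my $firewall_is_in_source_subnet = 1;
                    if ($source) {
                        $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
                    }

                    my $firewall_is_in_destination_subnet = 1;
                    if ($destination) {
                        $firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
                    }

                    # Process NAT rules.
                    if ($NAT) {
                        my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);

                        # Skip NAT rules if the NAT address is unknown
                        # (i.e. no internet connection has been established, yet).
                        next unless ($nat_address);

                        # Destination NAT
                        if ($NAT_MODE eq "DNAT") {
                            my @nat_options = ();
                            if ($protocol ne "all") {
                                my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
                                push(@nat_options, @nat_protocol_options);
                            }
                            push(@nat_options, @time_options);

                            # Make port-forwardings useable from the internal networks.
                            my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
                            unless ($nat_address ~~ @internal_addresses) {
                                &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
                            }

                            push(@nat_options, @source_options);
                            push(@nat_options, ("-d", $nat_address));

                            my $dnat_port;
                            if ($protocol_has_ports) {
                                $dnat_port = &get_dnat_target_port($hash, $key);
                            }

                            my @nat_action_options = ();

                            # Use iptables REDIRECT
                            my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports && $dnat_port);
                            if ($use_redirect) {
                                push(@nat_action_options, ("-j", "REDIRECT", "--to-ports", $dnat_port));

                            # Use iptables DNAT
                            } else {
                                if ($destination_is_firewall && !$destination) {
                                    $destination = &fwlib::get_external_address();
                                }
                                next unless ($destination);

                                # Only the address part of "address/mask" can be a DNAT target.
                                my ($dnat_address) = split("/", $destination);
                                @destination_options = ("-d", $dnat_address);

                                # $dnat_port was looked up above for protocols with ports.
                                if ($protocol_has_ports && $dnat_port) {
                                    $dnat_address .= ":$dnat_port";
                                }

                                push(@nat_action_options, ("-j", "DNAT", "--to-destination", $dnat_address));
                            }

                            if ($LOG) {
                                run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
                            }
                            run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @nat_action_options");

                        # Source NAT
                        } elsif ($NAT_MODE eq "SNAT") {
                            my @nat_options = @options;

                            if ($destination_intf) {
                                push(@nat_options, ("-o", $destination_intf));
                            }

                            push(@nat_options, @source_options);
                            push(@nat_options, @destination_options);

                            if ($LOG) {
                                run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
                            }
                            run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
                        }
                    }

                    # Add source and destination interface to the filter rules.
                    # These are supposed to help filtering forged packets that originate
                    # from BLUE with an IP address from GREEN for instance.
                    if ($source_intf) {
                        push(@source_options, ("-i", $source_intf));
                    }

                    if ($destination_intf) {
                        push(@destination_options, ("-o", $destination_intf));
                    }

                    push(@options, @source_options);
                    push(@options, @destination_options);

                    # Insert firewall rule. NAT rules were already logged above.
                    if ($LOG && !$NAT) {
                        run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
                    }
                    run("$IPTABLES -A $chain @options -j $target");

                    # Handle forwarding rules and add corresponding rules for firewall access.
                    if ($chain eq $CHAIN_FORWARD) {
                        # If the firewall is part of the destination subnet and access to the destination network
                        # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
                        # for the firewall, too.
                        if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
                            if ($LOG && !$NAT) {
                                run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
                            }
                            run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
                        }

                        # Likewise for traffic leaving the firewall itself.
                        if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
                            if ($LOG && !$NAT) {
                                run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
                            }
                            run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
                        }
                    }
                }
            }
        }
    }
}
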
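# Formats the given timestamp into the iptables format which is "hh:mm" UTC.
sub format_time {
    # $val is a local wall-clock time such as "14:00". The same moment is
    # returned as "hh:mm" in UTC, wrapped into the 00:00-23:59 range.
    my $val = shift;

    # Convert the given time into minutes.
    my $minutes = &time_convert_to_minutes($val);

    # Move the timestamp into UTC.
    $minutes += &time_utc_offset();

    # Normalise into [0, 1440). Perl's "%" with a positive right operand
    # always yields a non-negative result, so this covers negative values
    # as well. A plain "> 1440" test would let exactly 1440 through as
    # "24:00", which iptables does not accept.
    $minutes %= 1440;

    # Format as hh:mm.
    return sprintf("%02d:%02d", $minutes / 60, $minutes % 60);
}
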
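# Calculates the offset in minutes from the local timezone to UTC, i.e. the
# number of minutes to add to a local time to obtain the UTC time.
sub time_utc_offset {
    my $now = time;

    # timegm() reinterprets the local broken-down time as if it were UTC, so
    # its difference to $now is the local zone's offset from UTC in seconds.
    # Comparing only the hour/minute fields of localtime() and gmtime() would
    # give a day-wrapped value whenever the two calendar dates differ.
    return int(($now - timegm(localtime($now))) / 60);
}
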
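# Takes a timestamp like "14:00" and converts it into minutes since midnight.
sub time_convert_to_minutes {
    # A missing part (or a missing/empty argument) counts as zero instead of
    # triggering "uninitialized value" warnings under -w.
    my ($timestamp) = @_;
    $timestamp = '' unless defined $timestamp;

    my ($hrs, $min) = split(/:/, $timestamp);
    $hrs = 0 unless defined $hrs;
    $min = 0 unless defined $min;

    return ($hrs * 60) + $min;
}
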
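sub p2pblock {
    # Rebuilds the P2PBLOCK chain from the p2protocols file. Each line is
    # split on ";"; the second field is used as the ipp2p option name and a
    # protocol is blocked when its third field is "off".
    #
    # Three-argument open with a lexical handle: a two-argument open would
    # let leading characters of the file name be interpreted as a mode.
    open(my $fh, '<', $p2pfile) or die "Unable to read $p2pfile";

    my @protocols = ();
    while (my $p2pentry = <$fh>) {
        my @p2pline = split(/\;/, $p2pentry);
        next unless ($p2pline[2] eq "off");

        push(@protocols, "--$p2pline[1]");
    }
    close($fh);

    run("$IPTABLES -F P2PBLOCK");
    if (@protocols) {
        run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
    }
}
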
sub geoipblock {
    # Rebuilds the GEOIPBLOCK chain from the geoip settings file.
    my %geoipsettings = ('GEOIPBLOCK_ENABLED' => "off");

    # Flush iptables chain.
    run("$IPTABLES -F GEOIPBLOCK");

    # The settings file is optional; without it blocking stays disabled.
    if (-e $geoipfile) {
        &General::readhash($geoipfile, \%geoipsettings);
    }

    # If geoip blocking is not enabled, we are finished here.
    return unless ($geoipsettings{'GEOIPBLOCK_ENABLED'} eq "on");

    # One DROP rule for every supported location that is switched on.
    foreach my $location (&fwlib::get_geoip_locations()) {
        next unless (exists $geoipsettings{$location} && $geoipsettings{$location} eq "on");
        run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
    }
}

sub get_protocols {
    # Returns the lowercase protocol names a rule applies to, or ("all") when
    # none is configured. Returns an empty list (after print_error()) when
    # ports are configured for a protocol that has none.
    my ($hash, $key) = @_;

    my $uses_source_ports = ($hash->{$key}[7] eq "ON");
    my $uses_services = ($hash->{$key}[11] eq "ON");

    my @protocols;

    if (!$uses_source_ports && !$uses_services) {
        # Rules without ports or services (like ICMP, ESP, ...): the protocol
        # column is taken as is.
        @protocols = ($hash->{$key}[8]);

    } elsif ($hash->{$key}[14] eq 'cust_srv') {
        # A single custom service defines the protocol.
        @protocols = (&fwlib::get_srv_prot($hash->{$key}[15]));

    } elsif ($hash->{$key}[14] eq 'cust_srvgrp') {
        # A service group yields a comma separated protocol list.
        @protocols = split(",", &fwlib::get_srvgrp_prot($hash->{$key}[15]));

    } else {
        my $protocol = lc($hash->{$key}[8]);
        my $source_ports = $hash->{$key}[10];
        my $destination_ports = $hash->{$key}[15];

        # Ports for a protocol that does not support them are an error.
        if (!($protocol ~~ @PROTOCOLS_WITH_PORTS) && ($source_ports || $destination_ports)) {
            print_error("$protocol does not support ports");
            return ();
        }

        @protocols = ($protocol);
    }

    # Drop empty entries; default to "all" when nothing is left.
    @protocols = grep { $_ } @protocols;
    @protocols = ("all") unless (@protocols);

    # Make all protocol names lowercase.
    return map { lc } @protocols;
}

sub get_protocol_options {
    # Builds the "-p <protocol>" argument plus the port or ICMP type matches
    # for one rule and protocol. With $nat_options_wanted set, DNAT rules use
    # the external port (column 30) in place of the target port.
    my ($hash, $key, $protocol, $nat_options_wanted) = @_;
    my @options = ();

    # Nothing to do if no protocol is specified.
    return @options if ($protocol eq "all");
    push(@options, ("-p", $protocol));

    if ($protocol ~~ @PROTOCOLS_WITH_PORTS) {
        # Process source ports.
        my $use_src_ports = ($hash->{$key}[7] eq "ON");
        my $src_ports = $hash->{$key}[10];
        if ($use_src_ports && $src_ports) {
            push(@options, &format_ports($src_ports, "src"));
        }

        # Process destination ports.
        if ($hash->{$key}[11] eq "ON") {
            my $use_dnat = (($hash->{$key}[28] eq "ON") && ($hash->{$key}[31] eq "dnat"));
            my $dst_ports_mode = $hash->{$key}[14];
            my $dst_ports = $hash->{$key}[15];

            if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
                # For the NAT rule the externally visible port replaces the target port.
                if ($nat_options_wanted && $use_dnat && $hash->{$key}[30]) {
                    $dst_ports = $hash->{$key}[30];
                }
                push(@options, &format_ports($dst_ports, "dst"));

            } elsif ($dst_ports_mode eq "cust_srv") {
                # NOTE(review): $protocol arrives lowercased from get_protocols()
                # and this branch is only reached for tcp/udp, so the "ICMP"
                # comparison looks unreachable; kept as-is.
                if ($protocol eq "ICMP") {
                    push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
                } else {
                    $dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
                    push(@options, &format_ports($dst_ports, "dst"));
                }

            } elsif ($dst_ports_mode eq "cust_srvgrp") {
                push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
            }
        }
    }

    # Check if a single ICMP type is selected.
    if ($protocol eq "icmp") {
        my $icmp_type = $hash->{$key}[9];
        if ($icmp_type && ($icmp_type ne "All ICMP-Types")) {
            push(@options, ("--icmp-type", $icmp_type));
        }
    }

    return @options;
}

sub format_ports {
    # Turns a port specification ("80", "1000:2000" or "80|443") into
    # iptables arguments. $type selects "--sport" ("src") or "--dport"
    # ("dst"); several "|"-separated ports become a multiport match.
    my ($ports, $type) = @_;

    my %arg_for = (src => "--sport", dst => "--dport");
    my $arg = $arg_for{$type};

    my @options = ();

    # tr/// both counts the separators and replaces them with commas.
    if ($ports =~ tr/|/,/) {
        push(@options, ("-m", "multiport"));
    }

    push(@options, ($arg, $ports)) if ($ports);

    return @options;
}

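sub get_dnat_target_port {
    # Returns the port a DNAT rule forwards to, or nothing.
    #
    # Only rules whose destination port mode (column 14) is "TGT_PORT" carry
    # a target port (column 15). It is returned only when an external port
    # (column 30) is set and differs from it; otherwise no port mapping is
    # needed and an explicit empty return (undef in scalar context) is given
    # instead of whatever the last evaluated expression happened to be.
    my ($hash, $key) = @_;

    return unless ($$hash{$key}[14] eq "TGT_PORT");

    my $port = $$hash{$key}[15];
    my $external_port = $$hash{$key}[30];

    if ($external_port && ($port ne $external_port)) {
        return $port;
    }

    return;
}
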
sub add_dnat_mangle_rules {
    # Marks packets from the internal zones towards $nat_address in the
    # mangle table so port forwardings also work from inside. When
    # $interface is given, only the zone on that device gets a rule.
    my ($nat_address, $interface, @options) = @_;

    # Marks are fixed per zone, whether or not the zone gets a rule.
    my %mark_of = (GREEN => 1, BLUE => 2, ORANGE => 3);

    foreach my $zone (qw(GREEN BLUE ORANGE)) {
        # Skip rule if not all required information exists.
        next unless (exists $defaultNetworks{"${zone}_NETADDRESS"});
        next unless (exists $defaultNetworks{"${zone}_NETMASK"});
        next if ($interface && $interface ne $defaultNetworks{"${zone}_DEV"});

        my $netaddress = join("/", @defaultNetworks{"${zone}_NETADDRESS", "${zone}_NETMASK"});

        my @mangle_options = (
            @options,
            "-s", $netaddress, "-d", $nat_address,
            "-j", "MARK", "--set-mark", $mark_of{$zone},
        );

        run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
    }
}

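sub make_log_limit_options {
    # Returns the iptables "limit" match arguments put on every LOG rule so
    # that a flood of matching packets cannot fill the log.
    #
    # $limit: log messages per minute; defaults to 10 when omitted, which is
    # what the previous hard-coded version used. Bursts of twice that many
    # are allowed.
    my ($limit) = @_;
    $limit = 10 unless defined $limit;

    return (
        "-m", "limit",
        "--limit", "$limit/min",
        "--limit-burst", $limit * 2,
    );
}
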
sub firewall_is_in_subnet {
    # Returns 1 when the firewall has an internal address inside $subnet,
    # otherwise 0.
    my ($subnet) = @_;

    # ORANGE is missing here, because nothing may ever access
    # the firewall from this network.
    my $address = &fwlib::get_internal_firewall_ip_address($subnet, 0);

    return $address ? 1 : 0;
}