]>
Commit | Line | Data |
---|---|---|
6178953b | 1 | #!/usr/bin/perl -w |
2a81ab0d AM |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5bee9a9d | 5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # |
2a81ab0d AM |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
2a81ab0d | 21 | |
2a81ab0d | 22 | use strict; |
472136c9 | 23 | use Time::Local; |
2a81ab0d | 24 | |
97ab0569 MT |
25 | require '/var/ipfire/general-functions.pl'; |
26 | require "${General::swroot}/lang.pl"; | |
27 | require "/usr/lib/firewall/firewall-lib.pl"; | |
2a81ab0d | 28 | |
68d1eb10 MT |
29 | # Set to one to enable debugging mode. |
30 | my $DEBUG = 0; | |
31 | ||
1f9e7b53 MT |
32 | my $IPTABLES = "iptables --wait"; |
33 | ||
6178953b MT |
34 | # iptables chains |
35 | my $CHAIN = "FORWARDFW"; | |
36 | my $CHAIN_NAT_SOURCE = "NAT_SOURCE"; | |
37 | my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION"; | |
38 | ||
2a81ab0d AM |
39 | my %fwdfwsettings=(); |
40 | my %defaultNetworks=(); | |
41 | my %configfwdfw=(); | |
42 | my %color=(); | |
43 | my %icmptypes=(); | |
44 | my %ovpnSettings=(); | |
45 | my %customgrp=(); | |
46 | our %sourcehash=(); | |
47 | our %targethash=(); | |
48 | my @timeframe=(); | |
49 | my %configinputfw=(); | |
5d7faa45 | 50 | my %configoutgoingfw=(); |
a6edca5a | 51 | my %confignatfw=(); |
2a81ab0d AM |
52 | my %aliases=(); |
53 | my @DPROT=(); | |
36196d0d | 54 | my @p2ps=(); |
2a81ab0d | 55 | |
6d8eb5de AM |
56 | my $configfwdfw = "${General::swroot}/firewall/config"; |
57 | my $configinput = "${General::swroot}/firewall/input"; | |
58 | my $configoutgoing = "${General::swroot}/firewall/outgoing"; | |
59 | my $p2pfile = "${General::swroot}/firewall/p2protocols"; | |
2a81ab0d | 60 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; |
210ee67b | 61 | my $netsettings = "${General::swroot}/ethernet/settings"; |
86a921ee AM |
62 | my $errormessage = ''; |
63 | my $orange = ''; | |
64 | my $green = ''; | |
65 | my $blue = ''; | |
6178953b | 66 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$SRC_TGT); |
86a921ee | 67 | my $conexists = 'off'; |
86a921ee AM |
68 | my $dnat =''; |
69 | my $snat =''; | |
70 | ||
6d8eb5de | 71 | &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); |
210ee67b | 72 | &General::readhash("$netsettings", \%defaultNetworks); |
2a81ab0d AM |
73 | &General::readhasharray($configfwdfw, \%configfwdfw); |
74 | &General::readhasharray($configinput, \%configinputfw); | |
5d7faa45 | 75 | &General::readhasharray($configoutgoing, \%configoutgoingfw); |
2a81ab0d AM |
76 | &General::readhasharray($configgrp, \%customgrp); |
77 | &General::get_aliases(\%aliases); | |
78 | ||
ddcec9d3 AM |
79 | #check if we have an internetconnection |
80 | open (CONN,"/var/ipfire/red/iface"); | |
81 | my $con = <CONN>; | |
82 | close(CONN); | |
97ab0569 | 83 | |
ddcec9d3 AM |
84 | if (-f "/var/ipfire/red/active"){ |
85 | $conexists='on'; | |
86 | } | |
97ab0569 | 87 | |
a6edca5a AM |
88 | open (CONN1,"/var/ipfire/red/local-ipaddress"); |
89 | my $redip = <CONN1>; | |
90 | close(CONN1); | |
97ab0569 | 91 | |
8531b94a MT |
92 | # MAIN |
93 | &main(); | |
94 | ||
95 | sub main { | |
96 | # Flush all chains. | |
97 | &flush(); | |
98 | ||
99 | # Reload firewall rules. | |
100 | &preparerules(); | |
101 | ||
102 | # Load P2P block rules. | |
103 | &p2pblock(); | |
104 | ||
105 | # Reload firewall policy. | |
106 | run("/usr/sbin/firewall-policy"); | |
2a81ab0d | 107 | } |
97ab0569 | 108 | |
68d1eb10 MT |
109 | sub run { |
110 | # Executes or prints the given shell command. | |
111 | my $command = shift; | |
112 | ||
113 | if ($DEBUG) { | |
114 | print "$command\n"; | |
115 | } else { | |
116 | system "$command"; | |
117 | } | |
118 | } | |
119 | ||
6178953b MT |
120 | sub print_error { |
121 | my $message = shift; | |
122 | ||
123 | print STDERR "$message\n"; | |
124 | } | |
125 | ||
97ab0569 | 126 | sub flush { |
1f9e7b53 MT |
127 | run("$IPTABLES -F FORWARDFW"); |
128 | run("$IPTABLES -F INPUTFW"); | |
129 | run("$IPTABLES -F OUTGOINGFW"); | |
130 | run("$IPTABLES -t nat -F NAT_DESTINATION"); | |
131 | run("$IPTABLES -t nat -F NAT_SOURCE"); | |
86a921ee | 132 | } |
97ab0569 MT |
133 | |
134 | sub preparerules { | |
6d8eb5de | 135 | if (! -z "${General::swroot}/firewall/config"){ |
2a81ab0d AM |
136 | &buildrules(\%configfwdfw); |
137 | } | |
6d8eb5de | 138 | if (! -z "${General::swroot}/firewall/input"){ |
2a81ab0d AM |
139 | &buildrules(\%configinputfw); |
140 | } | |
6d8eb5de | 141 | if (! -z "${General::swroot}/firewall/outgoing"){ |
5d7faa45 AM |
142 | &buildrules(\%configoutgoingfw); |
143 | } | |
2a81ab0d | 144 | } |
97ab0569 MT |
145 | |
146 | sub buildrules { | |
2a81ab0d | 147 | my $hash=shift; |
b5269091 | 148 | my $STAG; |
a6edca5a AM |
149 | my $snatport; |
150 | my $fireport; | |
98cee89f | 151 | my $fwaccessdport; |
c12392c0 | 152 | my $natchain; |
2aeb4b25 | 153 | my $icmptype; |
992394d5 | 154 | foreach my $key (sort {$a <=> $b} keys %$hash){ |
ff4770c7 | 155 | next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); |
6178953b MT |
156 | |
157 | my $TIME = ""; | |
158 | my $TIMEFROM; | |
159 | my $TIMETILL; | |
160 | my $natip = ""; | |
161 | ||
162 | # Check if logging should be enabled. | |
163 | my $LOG = 0; | |
164 | if ($$hash{$key}[17] eq 'ON') { | |
165 | $LOG = 1; | |
166 | } | |
167 | ||
168 | my $NAT = 0; | |
169 | my $NAT_MODE; | |
170 | ||
171 | # Check if NAT is enabled and initialize variables, that we use for that. | |
172 | if ($$hash{$key}[28] eq 'ON') { | |
173 | $NAT = 1; | |
174 | ||
175 | # Destination NAT | |
176 | if ($$hash{$key}[31] eq 'dnat') { | |
177 | $NAT_MODE = "DNAT"; | |
178 | ||
179 | if ($$hash{$key}[30] =~ /\|/) { | |
98cee89f AM |
180 | $$hash{$key}[30]=~ tr/|/,/; |
181 | $fireport='-m multiport --dport '.$$hash{$key}[30]; | |
6178953b | 182 | } else { |
98cee89f AM |
183 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); |
184 | } | |
6178953b MT |
185 | |
186 | # Source NAT | |
187 | } elsif ($$hash{$key}[31] eq 'snat') { | |
188 | $NAT_MODE = "SNAT"; | |
189 | ||
190 | } else { | |
191 | print_error("Invalid NAT mode: $$hash{$key}[31]"); | |
192 | next; | |
a6edca5a | 193 | } |
6178953b MT |
194 | |
195 | $natip = &get_nat_ip($$hash{$key}[29], $NAT_MODE); | |
a6edca5a | 196 | } |
6178953b | 197 | |
b5269091 | 198 | $STAG=''; |
2a81ab0d AM |
199 | if($$hash{$key}[2] eq 'ON'){ |
200 | #get source ip's | |
201 | if ($$hash{$key}[3] eq 'cust_grp_src'){ | |
992394d5 | 202 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
2a81ab0d AM |
203 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ |
204 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); | |
205 | } | |
206 | } | |
207 | }else{ | |
208 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); | |
209 | } | |
210 | #get target ip's | |
211 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ | |
992394d5 | 212 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
2a81ab0d AM |
213 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ |
214 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); | |
215 | } | |
216 | } | |
a0fb1099 | 217 | }elsif($$hash{$key}[5] eq 'ipfire' ){ |
05d4f131 AM |
218 | if($$hash{$key}[6] eq 'GREEN'){ |
219 | $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
220 | } | |
221 | if($$hash{$key}[6] eq 'BLUE'){ | |
222 | $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
223 | } | |
224 | if($$hash{$key}[6] eq 'ORANGE'){ | |
225 | $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
226 | } | |
8762442c AM |
227 | if($$hash{$key}[6] eq 'ALL'){ |
228 | $targethash{$key}[0]='0.0.0.0/0'; | |
229 | } | |
690b0bd7 | 230 | if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ |
ff4770c7 | 231 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; |
2a81ab0d AM |
232 | $targethash{$key}[0]= <FILE>; |
233 | close(FILE); | |
234 | }else{ | |
235 | foreach my $alias (sort keys %aliases){ | |
236 | if ($$hash{$key}[6] eq $alias){ | |
237 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; | |
238 | } | |
239 | } | |
240 | } | |
241 | }else{ | |
242 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); | |
243 | } | |
2a81ab0d AM |
244 | ##get source prot and port |
245 | $SRC_TGT='SRC'; | |
2a81ab0d AM |
246 | $SPORT = &get_port($hash,$key); |
247 | $SRC_TGT=''; | |
14f7cb87 | 248 | |
2a81ab0d AM |
249 | ##get target prot and port |
250 | $DPROT=&get_prot($hash,$key); | |
14f7cb87 | 251 | |
a4c7bf6b | 252 | if ($DPROT eq ''){$DPROT=' ';} |
2a81ab0d | 253 | @DPROT=split(",",$DPROT); |
14f7cb87 | 254 | |
2a81ab0d AM |
255 | #get time if defined |
256 | if($$hash{$key}[18] eq 'ON'){ | |
472136c9 | 257 | my ($time1,$time2,$daylight); |
6178953b | 258 | $daylight=$$hash{$key}[28]; |
472136c9 AM |
259 | $time1=&get_time($$hash{$key}[26],$daylight); |
260 | $time2=&get_time($$hash{$key}[27],$daylight); | |
2a81ab0d AM |
261 | if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} |
262 | if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} | |
263 | if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} | |
264 | if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} | |
265 | if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} | |
266 | if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} | |
267 | if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} | |
268 | $TIME=join(",",@timeframe); | |
86a921ee | 269 | |
472136c9 AM |
270 | $TIMEFROM="--timestart $time1 "; |
271 | $TIMETILL="--timestop $time2 "; | |
a0f267b9 | 272 | $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; |
2a81ab0d | 273 | } |
b57edbd8 MT |
274 | foreach my $DPROT (@DPROT){ |
275 | $DPORT = &get_port($hash,$key,$DPROT); | |
276 | $PROT=$DPROT; | |
277 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
278 | if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){ | |
279 | $DPORT=''; | |
2a81ab0d | 280 | } |
b57edbd8 MT |
281 | foreach my $a (sort keys %sourcehash){ |
282 | foreach my $b (sort keys %targethash){ | |
6178953b | 283 | if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $NAT) || (!$natip && $NAT)){ |
b57edbd8 MT |
284 | #Skip rules when no RED IP is set (DHCP,DSL) |
285 | next; | |
286 | } | |
287 | next if ($targethash{$b}[0] eq 'none'); | |
288 | $STAG=''; | |
289 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ | |
290 | if($DPROT ne ''){ | |
291 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} | |
292 | #Process ICMP RULE | |
293 | if(substr($DPORT, 2, 4) eq 'icmp'){ | |
294 | my @icmprule= split(",",substr($DPORT, 12,)); | |
295 | foreach (@icmprule){ | |
296 | $icmptype="--icmp-type "; | |
297 | if ($_ eq "BLANK") { | |
298 | $icmptype=""; | |
299 | $_=""; | |
8cb1afc8 | 300 | } |
6178953b | 301 | if ($LOG) { |
1f9e7b53 | 302 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); |
cdb3536b | 303 | } |
6178953b | 304 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); |
2a81ab0d | 305 | } |
b57edbd8 | 306 | #PROCESS DNAT RULE (Portforward) |
6178953b MT |
307 | } elsif ($NAT && $NAT_MODE eq "DNAT") { |
308 | if ($LOG) { | |
309 | run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'"); | |
86a921ee | 310 | } |
b57edbd8 MT |
311 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
312 | #Process NAT with servicegroup used | |
6178953b MT |
313 | if ($$hash{$key}[14] eq 'cust_srvgrp') { |
314 | run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j DNAT --to-destination $ip $DPORT"); | |
b57edbd8 | 315 | $fwaccessdport=$DPORT; |
6178953b MT |
316 | } else { |
317 | run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j DNAT --to-destination $ip$DPORT"); | |
b57edbd8 MT |
318 | $DPORT =~ s/\-/:/g; |
319 | if ($DPORT){ | |
320 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
321 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
322 | if ($$hash{$key}[30]=~m/|/i){ | |
323 | $$hash{$key}[30] =~ s/\|/,/g; | |
324 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
325 | }else{ | |
326 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
98cee89f AM |
327 | } |
328 | } | |
c12392c0 | 329 | } |
1f9e7b53 | 330 | run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]"); |
b57edbd8 MT |
331 | next; |
332 | #PROCESS SNAT RULE | |
6178953b MT |
333 | } elsif ($NAT && $NAT_MODE eq "SNAT") { |
334 | if ($LOG) { | |
335 | run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'"); | |
93c2de1c | 336 | } |
6178953b | 337 | run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j SNAT --to-source $natip"); |
b57edbd8 MT |
338 | } |
339 | #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) | |
340 | if ($PROT ne '-p ICMP'){ | |
6178953b | 341 | if ($LOG && !$NAT) { |
1f9e7b53 | 342 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); |
b57edbd8 | 343 | } |
1f9e7b53 | 344 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); |
b57edbd8 MT |
345 | } |
346 | #PROCESS Prot ICMP and type = All ICMP-Types | |
347 | if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ | |
6178953b | 348 | if ($LOG && !$NAT) { |
1f9e7b53 | 349 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); |
86a921ee | 350 | } |
1f9e7b53 | 351 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); |
86a921ee | 352 | } |
2a81ab0d AM |
353 | } |
354 | } | |
355 | } | |
2a81ab0d AM |
356 | } |
357 | } | |
358 | } | |
359 | %sourcehash=(); | |
360 | %targethash=(); | |
a6edca5a | 361 | undef $fireport; |
2a81ab0d AM |
362 | } |
363 | } | |
97ab0569 MT |
364 | |
365 | sub get_nat_ip { | |
a6edca5a | 366 | my $val=shift; |
08e1c65d | 367 | my $type=shift; |
a6edca5a AM |
368 | my $result; |
369 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ | |
370 | $result=$defaultNetworks{$val.'_ADDRESS'}; | |
371 | }elsif($val eq 'ALL'){ | |
372 | $result='-i '.$con; | |
6178953b | 373 | }elsif($val eq 'Default IP' && $type eq "DNAT"){ |
a6edca5a | 374 | $result='-d '.$redip; |
6178953b | 375 | }elsif($val eq 'Default IP' && $type eq "SNAT"){ |
08e1c65d | 376 | $result=$redip; |
a6edca5a AM |
377 | }else{ |
378 | foreach my $al (sort keys %aliases){ | |
6178953b | 379 | if($val eq $al && $type eq "DNAT"){ |
a6edca5a | 380 | $result='-d '.$aliases{$al}{'IPT'}; |
6178953b | 381 | }elsif($val eq $al && $type eq "SNAT"){ |
08e1c65d | 382 | $result=$aliases{$al}{'IPT'}; |
a6edca5a AM |
383 | } |
384 | } | |
385 | } | |
386 | return $result; | |
387 | } | |
97ab0569 MT |
388 | |
389 | sub get_time { | |
472136c9 AM |
390 | my $val=shift; |
391 | my $val1=shift; | |
392 | my $time; | |
393 | my $minutes; | |
394 | my $ruletime; | |
395 | $minutes = &utcmin($val); | |
396 | $ruletime = $minutes + &time_get_utc($val); | |
397 | if ($ruletime < 0){$ruletime +=1440;} | |
398 | if ($ruletime > 1440){$ruletime -=1440;} | |
399 | $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; | |
400 | return $time; | |
401 | } | |
97ab0569 MT |
402 | |
403 | sub time_get_utc { | |
472136c9 AM |
404 | # Calculates the UTCtime from a given time |
405 | my $val=shift; | |
406 | my @localtime=localtime(time); | |
407 | my @gmtime=gmtime(time); | |
408 | my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); | |
409 | return $diff; | |
410 | } | |
97ab0569 MT |
411 | |
412 | sub utcmin { | |
472136c9 AM |
413 | my $ruletime=shift; |
414 | my ($hrs,$min) = split(":",$ruletime); | |
415 | my $newtime = $hrs*60+$min; | |
416 | return $newtime; | |
417 | } | |
97ab0569 MT |
418 | |
419 | sub p2pblock { | |
6178953b | 420 | my $P2PSTRING = ""; |
36196d0d AM |
421 | my $DO; |
422 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; | |
423 | @p2ps = <FILE>; | |
424 | close FILE; | |
425 | my $CMD = "-m ipp2p"; | |
426 | foreach my $p2pentry (sort @p2ps) { | |
427 | my @p2pline = split( /\;/, $p2pentry ); | |
8d1beadc AM |
428 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { |
429 | $DO = "ACCEPT"; | |
5238a871 | 430 | if ("$p2pline[2]" eq "on") { |
36196d0d AM |
431 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
432 | } | |
8d1beadc | 433 | }else { |
36196d0d | 434 | $DO = "RETURN"; |
5238a871 | 435 | if ("$p2pline[2]" eq "off") { |
36196d0d AM |
436 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
437 | } | |
438 | } | |
439 | } | |
68d1eb10 MT |
440 | |
441 | if($P2PSTRING) { | |
1f9e7b53 | 442 | run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO"); |
36196d0d AM |
443 | } |
444 | } | |
97ab0569 MT |
445 | |
446 | sub get_address { | |
2a81ab0d AM |
447 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey |
448 | my $base2=shift; | |
449 | my $type=shift; #src or tgt | |
450 | my $hash; | |
451 | if ($type eq 'src'){ | |
86a921ee | 452 | $hash=\%sourcehash; |
2a81ab0d AM |
453 | }else{ |
454 | $hash=\%targethash; | |
455 | } | |
456 | my $key = &General::findhasharraykey($hash); | |
457 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ | |
b5269091 AM |
458 | if (&General::validmac($base2)){ |
459 | $$hash{$key}[0] = "-m mac --mac-source $base2"; | |
460 | }else{ | |
461 | $$hash{$key}[0] = $base2; | |
462 | } | |
2a81ab0d | 463 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ |
ddcec9d3 | 464 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); |
2a81ab0d AM |
465 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ |
466 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); | |
467 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ | |
468 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); | |
469 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ | |
470 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); | |
471 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ | |
472 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); | |
473 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ | |
6fab5bca | 474 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); |
2a81ab0d AM |
475 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ |
476 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); | |
a0fb1099 AM |
477 | }elsif($base eq 'ipfire_src' ){ |
478 | if($base2 eq 'GREEN'){ | |
479 | $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
480 | } | |
481 | if($base2 eq 'BLUE'){ | |
482 | $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
483 | } | |
484 | if($base2 eq 'ORANGE'){ | |
485 | $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
486 | } | |
487 | if($base2 eq 'ALL'){ | |
488 | $$hash{$key}[0]='0.0.0.0/0'; | |
489 | } | |
490 | if($base2 eq 'RED' || $base2 eq 'RED1'){ | |
800077a6 | 491 | open(FILE, "/var/ipfire/red/local-ipaddress"); |
a0fb1099 AM |
492 | $$hash{$key}[0]= <FILE>; |
493 | close(FILE); | |
494 | }else{ | |
495 | foreach my $alias (sort keys %aliases){ | |
496 | if ($base2 eq $alias){ | |
497 | $$hash{$key}[0]=$aliases{$alias}{'IPT'}; | |
498 | } | |
499 | } | |
500 | } | |
2a81ab0d AM |
501 | } |
502 | } | |
97ab0569 MT |
503 | |
504 | sub get_prot { | |
2a81ab0d AM |
505 | my $hash=shift; |
506 | my $key=shift; | |
a4c7bf6b AM |
507 | #check AH,GRE,ESP or ICMP |
508 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ | |
509 | return "$$hash{$key}[8]"; | |
510 | } | |
511 | if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ | |
512 | #check if servicegroup or service | |
513 | if($$hash{$key}[14] eq 'cust_srv'){ | |
2a81ab0d | 514 | return &fwlib::get_srv_prot($$hash{$key}[15]); |
2a81ab0d AM |
515 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
516 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); | |
a4c7bf6b AM |
517 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" |
518 | return "TCP,UDP"; | |
519 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" | |
520 | return "$$hash{$key}[8]"; | |
521 | }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" | |
522 | return "$$hash{$key}[8]"; | |
523 | }else{ | |
524 | return "$$hash{$key}[8]"; | |
2a81ab0d AM |
525 | } |
526 | } | |
98cee89f AM |
527 | #DNAT |
528 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ | |
fadcfb73 | 529 | return "$$hash{$key}[8]"; |
98cee89f | 530 | } |
2a81ab0d | 531 | } |
97ab0569 MT |
532 | |
533 | sub get_port { | |
2a81ab0d AM |
534 | my $hash=shift; |
535 | my $key=shift; | |
536 | my $prot=shift; | |
14bcb9a2 | 537 | #Get manual defined Ports from SOURCE |
2a81ab0d AM |
538 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ |
539 | if ($$hash{$key}[10] ne ''){ | |
8f0b047b | 540 | $$hash{$key}[10] =~ s/\|/,/g; |
93a5f4a5 AM |
541 | if(index($$hash{$key}[10],",") > 0){ |
542 | return "-m multiport --sport $$hash{$key}[10] "; | |
543 | }else{ | |
a6edca5a AM |
544 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ |
545 | return "--sport $$hash{$key}[10] "; | |
546 | }else{ | |
547 | return ":$$hash{$key}[10]"; | |
548 | } | |
93a5f4a5 | 549 | } |
2a81ab0d | 550 | } |
14bcb9a2 | 551 | #Get manual ports from TARGET |
2a81ab0d | 552 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ |
2a81ab0d AM |
553 | if($$hash{$key}[14] eq 'TGT_PORT'){ |
554 | if ($$hash{$key}[15] ne ''){ | |
8f0b047b | 555 | $$hash{$key}[15] =~ s/\|/,/g; |
93a5f4a5 AM |
556 | if(index($$hash{$key}[15],",") > 0){ |
557 | return "-m multiport --dport $$hash{$key}[15] "; | |
558 | }else{ | |
a6edca5a AM |
559 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ |
560 | return "--dport $$hash{$key}[15] "; | |
561 | }else{ | |
829697d0 | 562 | $$hash{$key}[15] =~ s/\:/-/g; |
653a71b9 | 563 | return ":$$hash{$key}[15]"; |
a6edca5a | 564 | } |
93a5f4a5 | 565 | } |
2a81ab0d | 566 | } |
14bcb9a2 | 567 | #Get ports defined in custom Service (firewall-groups) |
2a81ab0d AM |
568 | }elsif($$hash{$key}[14] eq 'cust_srv'){ |
569 | if ($prot ne 'ICMP'){ | |
653a71b9 | 570 | if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ |
14bcb9a2 AM |
571 | my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot); |
572 | $ports =~ s/\:/-/g; | |
573 | return ":".$ports | |
6be32fe5 AM |
574 | }else{ |
575 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
576 | } | |
e6e9a811 AM |
577 | }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service |
578 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); | |
2a81ab0d | 579 | } |
14bcb9a2 | 580 | #Get ports from services which are used in custom servicegroups (firewall-groups) |
2a81ab0d AM |
581 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
582 | if ($prot ne 'ICMP'){ | |
583 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
584 | } | |
585 | elsif($prot eq 'ICMP'){ | |
586 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
587 | } | |
2a81ab0d AM |
588 | } |
589 | } | |
a4c7bf6b AM |
590 | #CHECK ICMP |
591 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ | |
592 | if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ | |
593 | return "--icmp-type $$hash{$key}[9] "; | |
594 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ | |
595 | return; | |
596 | } | |
597 | } | |
2a81ab0d | 598 | } |