6178953b | 1 | #!/usr/bin/perl -w |
2a81ab0d AM |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
2293e1de | 5 | # Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # |
2a81ab0d AM |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
2a81ab0d | 21 | |
2a81ab0d | 22 | use strict; |
5653e551 | 23 | use experimental 'smartmatch'; |
2a81ab0d | 24 | |
97ab0569 MT |
25 | require '/var/ipfire/general-functions.pl'; |
26 | require "${General::swroot}/lang.pl"; | |
27 | require "/usr/lib/firewall/firewall-lib.pl"; | |
5730a5bc | 28 | require "${General::swroot}/location-functions.pl"; |
2a81ab0d | 29 | |
68d1eb10 MT |
# Set to one to enable debugging mode: run() then only prints the iptables
# command lines instead of executing them, and buildrules() dumps every rule.
my $DEBUG = 0;

# "--wait" makes iptables block on the xtables lock instead of failing when
# another process holds it.
my $IPTABLES = "iptables --wait";
my $IPSET = "ipset";

# iptables chains owned by this script; flush() empties them on every run
# before they are refilled.
my $CHAIN_INPUT = "INPUTFW";
my $CHAIN_FORWARD = "FORWARDFW";
my $CHAIN_OUTPUT = "OUTGOINGFW";
my $CHAIN = $CHAIN_FORWARD;
my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
# Same chain name as $CHAIN_NAT_DESTINATION, but it lives in the mangle table.
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
# Spellings of "any address"; such a source/destination produces no -s/-d match.
my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");

# Protocols a rule may use (always compared in lower case).
my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");

# Only these targets are accepted for a rule; the target is interpolated
# into the iptables command line unchanged.
my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");

# RFC 1918 ranges plus the shared CGNAT range (100.64.0.0/10); traffic from
# these is exempted from location blocking in locationblock().
my @PRIVATE_NETWORKS = (
	"10.0.0.0/8",
	"172.16.0.0/12",
	"192.168.0.0/16",
	"100.64.0.0/10",
);

# MARK masks (not referenced in the parts of the file shown here).
my $NAT_MASK = 0x0f000000;

my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
my %configfwdfw=();;
my %customgrp=();
my %configinputfw=();
my %configoutgoingfw=();
my %confignatfw=();
my %locationsettings = (
	"LOCATIONBLOCK_ENABLED" => "off"
);
# Country codes whose ipset has already been restored during this run.
my %loaded_ipset_lists=();

# Rule and settings files. Their field values are interpolated into shell
# command lines by run() without further escaping, so this script trusts
# whoever writes these files (presumably the web interface) to store only
# canonical addresses, ports, names and keywords.
my $configfwdfw = "${General::swroot}/firewall/config";
my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $locationfile = "${General::swroot}/firewall/locationblock";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";

&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
&General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);

# Check if the location settings file exists; without it location blocking
# stays at the default "off" set above.
if (-e "$locationfile") {
	# Read settings file
	&General::readhash("$locationfile", \%locationsettings);
}

# Get all available locations.
my @locations = &Location::Functions::get_locations();

# Options appended to every "-j LOG" rule (make_log_limit_options is
# defined elsewhere in this file).
my @log_limit_options = &make_log_limit_options();

# Default policies. "MODE2" presumably means "allowed by default"; buildrules()
# uses these to decide which FORWARD rule targets have to be mirrored into
# the INPUT/OUTPUT chains.
my $POLICY_INPUT_ALLOWED = 0;
my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"} eq "MODE2");
my $POLICY_OUTPUT_ALLOWED = ($fwdfwsettings{"POLICY1"} eq "MODE2");

my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};

#workaround to suppress a warning when a variable is used only once
my @dummy = ( $Location::Functions::ipset_db_directory );
undef (@dummy);

# MAIN
&main();
115 | ||
# Entry point: rebuilds the complete rule set from the configuration files.
# Order matters: the chains are flushed first so that no rule still refers
# to an ipset when all sets are destroyed, then the three rule tables are
# loaded, then location blocking, the policy script and firewall.local.
sub main {
	&flush();

	# Remove every ipset; the ones still needed are restored on demand.
	run("$IPSET destroy");

	# Rule tables and the files they were read from. A table is only built
	# when its file is not empty ("-z" is false for a missing file too, so
	# a missing file is processed like a non-empty one).
	my @rule_tables = (
		[ "${General::swroot}/firewall/input",    \%configinputfw ],
		[ "${General::swroot}/firewall/outgoing", \%configoutgoingfw ],
		[ "${General::swroot}/firewall/config",   \%configfwdfw ],
	);
	for my $table (@rule_tables) {
		my ($file, $rules) = @$table;
		&buildrules($rules) unless (-z $file);
	}

	# Load Location block rules.
	&locationblock();

	# Reload firewall policy.
	run("/usr/sbin/firewall-policy");

	# Reload firewall.local if present.
	run("/etc/sysconfig/firewall.local reload") if (-f '/etc/sysconfig/firewall.local');
}
97ab0569 | 145 | |
68d1eb10 MT |
# Executes the given shell command, or only prints it in debug mode.
#
# $command: one complete command line. It is passed to the shell through the
#           one-argument form of system(), so callers rely on shell quoting
#           (e.g. "--log-prefix 'DNAT '") and everything interpolated into
#           the line (addresses, ports, chain names, targets, interface
#           names, ...) must already be safe for the shell; nothing is
#           escaped here. Switching to the list form of system() is not a
#           drop-in replacement for that reason.
# Returns nothing. A non-zero exit status, or a failed exec ($? == -1), is
# reported on STDERR via print_error() but does not abort the script, so one
# rejected rule leaves all other rules in place.
sub run {
	# Executes or prints the given shell command.
	my $command = shift;

	if ($DEBUG) {
		print "$command\n";
	} else {
		system "$command";

		# $? holds the child's wait status; anything but 0 is a failure.
		if ($?) {
			print_error("ERROR: $command");
		}
	}
}
160 | ||
6178953b MT |
# Writes one message line to STDERR. Used for rejected rules and failed
# iptables invocations; it never aborts the script.
sub print_error {
	my ($message) = @_;

	print STDERR $message, "\n";
}
166 | ||
8f4f4634 MT |
# Debug helper: prints one rule (an array reference of rule fields) on a
# single line as "RULE:  0: field  1: field ..." so that field indices can be
# matched against the positions used in buildrules().
sub print_rule {
	my ($rule) = @_;
	my @fields = @$rule;

	print "\nRULE:";
	for my $index (0 .. $#fields) {
		printf(" %2d: %s", $index, $fields[$index]);
	}
	print "\n";
}
178 | ||
791c2b45 MT |
# Returns the number of fields in a rule (an array reference). Rule files
# written by older versions have fewer fields, so callers use this before
# reading the higher indices.
sub count_elements {
	my ($rule) = @_;

	return scalar(@{$rule});
}
184 | ||
# Empties every chain this script fills: the three filter chains, the two
# NAT chains, the mangle-table counterpart of the DNAT chain (same chain
# name, different table) and LOCATIONBLOCK. Each command is the same
# "iptables [-t TABLE] -F CHAIN" line as before.
sub flush {
	# (table, chain) pairs; an empty table means the default filter table.
	my @chains = (
		[ "",       $CHAIN_INPUT ],
		[ "",       $CHAIN_FORWARD ],
		[ "",       $CHAIN_OUTPUT ],
		[ "nat",    $CHAIN_NAT_SOURCE ],
		[ "nat",    $CHAIN_NAT_DESTINATION ],
		[ "mangle", $CHAIN_MANGLE_NAT_DESTINATION_FIX ],
		[ "",       "LOCATIONBLOCK" ],
	);

	for my $entry (@chains) {
		my ($table, $chain) = @$entry;
		my $table_option = $table ? "-t $table " : "";
		run("$IPTABLES ${table_option}-F $chain");
	}
}
97ab0569 | 196 | |
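# Turns one rule table into iptables rules and loads them through run().
#
# $hash: reference to a rule hash as read by General::readhasharray; every
#        value is an array of rule fields. Indices used here:
#          0 target, 1 chain, 2 enabled, 4/6 source/destination location
#          code, 5 destination kind ("ipfire" = the firewall itself),
#          7/10/11/14/15 port settings (see get_protocols), 17 logging,
#          18-27 time constraint, 28-31 NAT settings, 32-36 connection and
#          rate limits.
# Returns nothing; every effect is an iptables invocation via run(), which
# hands the assembled line to a shell. All fields that end up in a rule
# (addresses, ports, time windows, limits, the target) must therefore be in
# canonical form when they reach this function.
#
# FORWARD rules that would also apply to the firewall itself are mirrored
# into the INPUT/OUTPUT chains depending on the default policies (see
# @special_input_targets / @special_output_targets).
#
# Fix: the validity checks for target, chain and protocol were written as
# "!$x ~~ @LIST". Because "!" binds tighter than "~~", that smart-matched
# the negated value ("" or 1) against the list, never matched, and so never
# rejected anything; they are now "!($x ~~ @LIST)". The field and limit
# counts are compared numerically ("ge" compared them as strings).
sub buildrules {
	my $hash = shift;

	# Targets of FORWARD rules that also get an INPUT rule when the firewall
	# is part of the destination subnet.
	my @special_input_targets = ();
	if (!$POLICY_FORWARD_ALLOWED) {
		push(@special_input_targets, "ACCEPT");
	}

	if ($POLICY_INPUT_ACTION eq "DROP") {
		push(@special_input_targets, ("ACCEPT", "REJECT"));
	} elsif ($POLICY_INPUT_ACTION eq "REJECT") {
		push(@special_input_targets, ("ACCEPT", "DROP"));
	}

	# Likewise for OUTPUT rules when the firewall is part of the source subnet.
	my @special_output_targets = ();
	if ($POLICY_OUTPUT_ALLOWED) {
		push(@special_output_targets, ("DROP", "REJECT"));
	} else {
		push(@special_output_targets, "ACCEPT");

		if ($POLICY_OUTPUT_ACTION eq "DROP") {
			push(@special_output_targets, ("ACCEPT", "REJECT"));
		} elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
			push(@special_output_targets, ("ACCEPT", "DROP"));
		}
	}

	foreach my $key (sort {$a <=> $b} keys %$hash) {
		# Skip disabled rules.
		next unless ($$hash{$key}[2] eq 'ON');

		# Number of fields in this rule; older rule files have fewer fields,
		# so the limit fields (32 and up) are only read when present.
		my $elements = &count_elements($$hash{$key});

		if ($DEBUG) {
			print_rule($$hash{$key});
		}

		# Reject anything but ACCEPT/DROP/REJECT; the target is interpolated
		# into the iptables command line unchanged.
		my $target = $$hash{$key}[0];
		if (!($target ~~ @VALID_TARGETS)) {
			print_error("Invalid target '$target' for rule $key");
			next;
		}

		# Likewise for the chain.
		my $chain = $$hash{$key}[1];
		if (!($chain ~~ @VALID_CHAINS)) {
			print_error("Invalid chain '$chain' in rule $key");
			next;
		}

		# Collect all sources and destinations. Each element is a pair
		# [address-or-match, interface] (see fwlib::get_addresses).
		my @sources = &fwlib::get_addresses($hash, $key, "src");
		my @destinations = &fwlib::get_addresses($hash, $key, "tgt");

		# True if the destination is the firewall itself.
		my $destination_is_firewall = ($$hash{$key}[5] eq "ipfire");

		# Check if logging should be enabled.
		my $LOG = ($$hash{$key}[17] eq 'ON');

		# NAT settings: mode is "DNAT" or "SNAT" after upper-casing.
		my $NAT = ($$hash{$key}[28] eq 'ON');
		my $NAT_MODE;
		if ($NAT) {
			$NAT_MODE = uc($$hash{$key}[31]);
		}

		# Time constraints.
		my @time_options = ();
		if ($$hash{$key}[18] eq 'ON') {
			push(@time_options, ("-m", "time"));

			# Fields 19..25 hold Mon..Sun; a non-empty field selects that day.
			my @weekday_names = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun");
			my @weekdays = ();
			for my $day (0 .. $#weekday_names) {
				if ($$hash{$key}[19 + $day] ne '') {
					push(@weekdays, $weekday_names[$day]);
				}
			}
			if (@weekdays) {
				push(@time_options, ("--weekdays", join(",", @weekdays)));
			}

			# Start and end time; format_time() converts them to UTC.
			my $time_start = &format_time($$hash{$key}[26]);
			if ($time_start) {
				push(@time_options, ("--timestart", $time_start));
			}

			my $time_stop = &format_time($$hash{$key}[27]);
			if ($time_stop) {
				push(@time_options, ("--timestop", $time_stop));
			}
		}

		# Concurrent connection limit, counted per source address (/32).
		my @ratelimit_options = ();
		if (($elements >= 34) && ($$hash{$key}[32] eq 'ON')) {
			my $conn_limit = $$hash{$key}[33];

			if ($conn_limit >= 1) {
				push(@ratelimit_options, ("-m", "connlimit"));
				push(@ratelimit_options, "--connlimit-saddr");
				push(@ratelimit_options, ("--connlimit-mask", "32"));
				push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
			}
		}

		# Rate limit: "<count>/<unit>" built from fields 35 and 36.
		if (($elements >= 37) && ($$hash{$key}[34] eq 'ON')) {
			my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";

			if ($rate_limit) {
				push(@ratelimit_options, ("-m", "limit"));
				push(@ratelimit_options, ("--limit", $rate_limit));
			}
		}

		# Protocols of this rule (lower-cased by get_protocols); one set of
		# iptables rules is created per protocol.
		my @protocols = &get_protocols($hash, $key);
		if (!@protocols) {
			print_error("Invalid protocol configuration for rule $key");
			next;
		}

		foreach my $protocol (@protocols) {
			# Check if the given protocol is supported.
			if (($protocol ne "all") && !($protocol ~~ @PROTOCOLS)) {
				print_error("Protocol $protocol is not supported (rule $key)");
				next;
			}

			# Protocol options (ICMP types, ports, ...).
			my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);

			# Only TCP and UDP carry ports.
			my $protocol_has_ports = ($protocol ~~ @PROTOCOLS_WITH_PORTS);

			foreach my $src (@sources) {
				# Skip invalid source.
				next unless (defined $src);
				next unless ($src);

				# An "any" source produces no -s match at all.
				my $source = @$src[0];
				if ($source ~~ @ANY_ADDRESSES) {
					$source = "";
				}

				my $source_intf = @$src[1];

				foreach my $dst (@destinations) {
					# Skip invalid rules.
					next unless (defined $dst);
					next if (!$dst || ($dst eq "none"));

					# An "any" destination produces no -d match at all.
					my $destination = @$dst[0];
					if ($destination ~~ @ANY_ADDRESSES) {
						$destination = "";
					}

					my $destination_intf = @$dst[1];

					# iptables arguments for the filter rule.
					my @options = ();

					if ($protocol ne "all") {
						push(@options, @protocol_options);
					}

					# Source: a ready-made MAC match, an ipset match ("-m set ...")
					# for a location, or a plain address/network.
					my @source_options = ();
					if ($source =~ /mac/) {
						push(@source_options, $source);
					} elsif ($source =~ /-m set/) {
						# Location code of the source.
						my $loc_src = $$hash{$key}[4];

						# Restore the country's network list once per run.
						unless ($loaded_ipset_lists{$loc_src}) {
							&ipset_restore($loc_src);
							$loaded_ipset_lists{$loc_src} = "1";
						}

						push(@source_options, $source);
					} elsif ($source) {
						push(@source_options, ("-s", $source));
					}

					# Destination: ipset match for a location, or a plain address.
					my @destination_options = ();
					if ($destination =~ /-m set/) {
						# Location code of the destination.
						my $loc_dst = $$hash{$key}[6];

						unless ($loaded_ipset_lists{$loc_dst}) {
							&ipset_restore($loc_dst);
							$loaded_ipset_lists{$loc_dst} = "1";
						}

						push(@destination_options, $destination);
					} elsif ($destination) {
						push(@destination_options, ("-d", $destination));
					}

					# Interface matches. They help filtering forged packets that
					# arrive on BLUE with a GREEN address, for instance.
					my @source_intf_options = ();
					if ($source_intf) {
						push(@source_intf_options, ("-i", $source_intf));
					}

					my @destination_intf_options = ();
					if ($destination_intf) {
						push(@destination_intf_options, ("-o", $destination_intf));
					}

					push(@options, @time_options);
					push(@options, @ratelimit_options);

					# An empty ("any") address always contains the firewall.
					my $firewall_is_in_source_subnet = 1;
					if ($source) {
						$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
					}

					my $firewall_is_in_destination_subnet = 1;
					if ($destination) {
						$firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
					}

					# NAT rules.
					if ($NAT) {
						my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);

						# Without a NAT address (e.g. no internet connection yet)
						# this source/destination pair is skipped entirely, i.e.
						# the filter rule below is not created either.
						next unless ($nat_address);

						# Destination NAT
						if ($NAT_MODE eq "DNAT") {
							my @nat_options = ();
							if ($protocol ne "all") {
								# In the nat table the external port is matched.
								my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
								push(@nat_options, @nat_protocol_options);
							}

							push(@nat_options, @time_options);

							# REDIRECT is used when the firewall itself is the
							# target and the protocol has ports.
							my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports);

							# Make port-forwardings usable from the internal networks.
							if (!$use_redirect) {
								my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
								unless ($nat_address ~~ @internal_addresses) {
									&add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
								}
							}

							push(@nat_options, @source_options);

							# The NAT address is the matched destination.
							if (!$use_redirect) {
								push(@nat_options, ("-d", $nat_address));
							}

							# Target port, only when it differs from the external port.
							my $dnat_port;
							if ($protocol_has_ports) {
								$dnat_port = &get_dnat_target_port($hash, $key);
							}

							my @nat_action_options = ();

							if ($use_redirect) {
								push(@nat_action_options, ("-j", "REDIRECT"));

								if ($dnat_port) {
									push(@nat_action_options, ("--to-ports", $dnat_port));
								}
							} else {
								# Without an explicit destination, forward to the
								# external address of the firewall.
								if ($destination_is_firewall && !$destination) {
									$destination = &fwlib::get_external_address();
								}
								next unless ($destination);

								# Only the address part is used; the mask is dropped.
								my ($dnat_address) = split("/", $destination);
								@destination_options = ("-d", $dnat_address);

								if ($dnat_port) {
									$dnat_address .= ":$dnat_port";
								}

								push(@nat_action_options, ("-j", "DNAT", "--to-destination", $dnat_address));
							}

							if ($LOG) {
								run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
							}
							run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @nat_action_options");

						# Source NAT
						} elsif ($NAT_MODE eq "SNAT") {
							# Only packets without an (IPsec) policy are SNATed,
							# unless the NAT address is one of the firewall's own
							# internal addresses.
							my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
							my @nat_options = @options;

							my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
							foreach my $local_address (@local_addresses) {
								if ($nat_address eq $local_address) {
									@snat_options = ();
									last;
								}
							}

							push(@nat_options, @destination_intf_options);
							push(@nat_options, @source_options);
							push(@nat_options, @destination_options);

							if ($LOG) {
								run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
							}
							run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
						}
					}

					push(@options, @source_options);
					push(@options, @destination_options);

					# Insert the filter rule (after a matching LOG rule, if enabled).
					if ($LOG) {
						run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
					}
					run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");

					# Forwarding rules get mirrored into the INPUT/OUTPUT chains
					# when they would also apply to the firewall itself.
					if ($chain eq $CHAIN_FORWARD) {
						# If the firewall is part of the destination subnet and access to the
						# destination network is granted/forbidden for any network that the
						# firewall itself is part of, we grant/forbid access for the firewall, too.
						if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
							if ($LOG) {
								run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
							}
							run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
						}

						# Likewise for the source side.
						if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
							if ($LOG) {
								run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
							}
							run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
						}
					}
				}
			}
		}
	}
}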
97ab0569 | 614 | |
b05ec50a MT |
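# Formats the given local timestamp ("hh:mm") into the iptables format,
# which is "hh:mm" in UTC.
#
# $val: time of day as "hh:mm" (local time).
# Returns the UTC time of day as "hh:mm", wrapped into 00:00 .. 23:59.
#
# Fix: the previous wrap-around only subtracted a day for values above
# 1440 minutes, so a local time that lands exactly on 1440 (e.g. 23:00
# with a +60 minute offset) was returned as "24:00", which iptables rejects.
sub format_time {
	my ($val) = @_;

	# Minutes since midnight, moved into UTC.
	my $minutes = &time_convert_to_minutes($val) + &time_utc_offset();

	# Wrap into [0, 1440). Perl's % yields a non-negative result for a
	# positive right operand, so this covers negative values as well.
	$minutes %= 1440;

	# Format as hh:mm.
	return sprintf("%02d:%02d", int($minutes / 60), $minutes % 60);
}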
97ab0569 | 637 | |
b05ec50a MT |
# Calculates the offset in minutes from the local timezone to UTC, i.e. the
# value to add to a local time of day to get the UTC time of day.
# Only hours and minutes are compared; around midnight, when the local and
# UTC dates differ, the result is off by a full day, which format_time()
# cancels out by wrapping modulo one day.
sub time_utc_offset {
	my ($local_min, $local_hour) = (localtime(time))[1, 2];
	my ($utc_min, $utc_hour) = (gmtime(time))[1, 2];

	my $local_minutes = $local_hour * 60 + $local_min;
	my $utc_minutes = $utc_hour * 60 + $utc_min;

	return $utc_minutes - $local_minutes;
}
97ab0569 | 645 | |
b05ec50a MT |
# Takes a timestamp like "14:00" and converts it into minutes since midnight.
# No validation is done; a missing minutes part counts as 0.
sub time_convert_to_minutes {
	my ($hours, $mins) = split(":", shift);

	return 60 * $hours + $mins;
}
97ab0569 | 652 | |
# Fills the LOCATIONBLOCK chain (already emptied by flush()): traffic that
# does not arrive on RED or comes from private address space is returned to
# the caller, everything else is checked against the ipset of each blocked
# country and dropped on a match.
sub locationblock {
	# Nothing to do unless location blocking is switched on.
	return unless ($locationsettings{'LOCATIONBLOCK_ENABLED'} eq "on");

	# Only traffic from the RED interface is checked: ppp0 when RED_TYPE is
	# "PPPOE", otherwise RED_DEV if it is set.
	my $red_type = $defaultNetworks{'RED_TYPE'};
	my $red_dev = $defaultNetworks{'RED_DEV'};
	if ($red_type eq "PPPOE") {
		run("$IPTABLES -A LOCATIONBLOCK ! -i ppp0 -j RETURN");
	} elsif ($red_dev ne "") {
		run("$IPTABLES -A LOCATIONBLOCK ! -i $red_dev -j RETURN");
	}

	# Private address space is never location-blocked.
	for my $network (@PRIVATE_NETWORKS) {
		run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
	}

	# One DROP rule per blocked country, matching the source address against
	# the country's ipset (restored once per run).
	for my $location (@locations) {
		next unless (exists $locationsettings{$location});
		next unless ($locationsettings{$location} eq "on");

		unless ($loaded_ipset_lists{$location}) {
			&ipset_restore($location);
			$loaded_ipset_lists{$location} = "1";
		}

		run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
	}
}
694 | ||
8f4f4634 MT |
# Determines the protocols a rule applies to.
#
# $hash, $key: rule table and rule key. Fields read: 7 (source ports in
#              use), 11 (services/destination ports in use), 8 (protocol),
#              10 (source ports), 14 (destination mode), 15 (ports or
#              service name).
# Returns the list of protocols in lower case, "all" when none is
# configured, or an empty list when ports are given for a protocol that
# has none (an error is printed in that case).
sub get_protocols {
	my ($hash, $key) = @_;
	my $rule = $$hash{$key};

	my $has_source_ports = ($$rule[7] eq "ON");
	my $has_services = ($$rule[11] eq "ON");

	my @protocols = ();

	if ($has_source_ports || $has_services) {
		# Ports or services are in use: the protocol may come from a
		# service, a service group, or the rule itself.
		my $mode = $$rule[14];

		if ($mode eq 'cust_srv') {
			push(@protocols, &fwlib::get_srv_prot($$rule[15]));
		} elsif ($mode eq 'cust_srvgrp') {
			push(@protocols, split(",", &fwlib::get_srvgrp_prot($$rule[15])));
		} else {
			my $protocol = lc($$rule[8]);
			my $source_ports = $$rule[10];
			my $destination_ports = $$rule[15];

			# Ports only make sense for TCP and UDP.
			if (($source_ports || $destination_ports) && !($protocol ~~ @PROTOCOLS_WITH_PORTS)) {
				print_error("$protocol does not support ports");
				return ();
			}

			push(@protocols, $protocol);
		}
	} else {
		# Rules without ports or services (ICMP, ESP, ...).
		push(@protocols, $$rule[8]);
	}

	# Drop empty entries; fall back to "all" when nothing is left.
	@protocols = grep { $_ } @protocols;
	return ("all") unless (@protocols);

	return map { lc } @protocols;
}
97ab0569 | 749 | |
8f4f4634 MT |
# Builds the protocol part of an iptables rule: "-p PROTO" plus port or
# ICMP type matches.
#
# $hash, $key:         rule table and rule key.
# $protocol:           lower-cased protocol name or "all".
# $nat_options_wanted: true when the options are for the nat table; then
#                      the external port (field 30) of a DNAT rule is
#                      matched instead of the target port.
# Returns the list of iptables arguments (empty for "all").
#
# NOTE(review): the "ICMP" comparison inside the ports block is unreachable:
# the block is only entered for the protocols in @PROTOCOLS_WITH_PORTS
# (tcp/udp) and protocol names are lower case. ICMP types therefore come
# solely from field 9 of the rule.
sub get_protocol_options {
	my ($hash, $key, $protocol, $nat_options_wanted) = @_;
	my $rule = $$hash{$key};

	# "all" means no protocol match at all.
	return () if ($protocol eq "all");

	my @options = ("-p", $protocol);

	if ($protocol ~~ @PROTOCOLS_WITH_PORTS) {
		# Source ports.
		my $src_ports = $$rule[10];
		if (($$rule[7] eq "ON") && $src_ports) {
			push(@options, &format_ports($src_ports, "src"));
		}

		# Destination ports.
		if ($$rule[11] eq "ON") {
			my $mode = $$rule[14];
			my $dst_ports = $$rule[15];
			my $use_dnat = (($$rule[28] eq "ON") && ($$rule[31] eq "dnat"));

			if (($mode eq "TGT_PORT") && $dst_ports) {
				if ($nat_options_wanted && $use_dnat && $$rule[30]) {
					$dst_ports = $$rule[30];
				}
				push(@options, &format_ports($dst_ports, "dst"));

			} elsif ($mode eq "cust_srv") {
				if ($protocol eq "ICMP") {
					push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
				} else {
					my $service_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
					push(@options, &format_ports($service_ports, "dst"));
				}

			} elsif ($mode eq "cust_srvgrp") {
				push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
			}
		}
	}

	# A single ICMP type selected in the rule.
	if ($protocol eq "icmp") {
		my $icmp_type = $$rule[9];

		if ($icmp_type && ($icmp_type ne "All ICMP-Types")) {
			push(@options, ("--icmp-type", $icmp_type));
		}
	}

	return @options;
}
812 | ||
# Turn a port specification into iptables port-match arguments.
#
# $ports - port specification as stored in the rule; several ports may
#          be separated by "|"
# $type  - "src" for --sport, "dst" for --dport
#
# Returns ("--dport", "80") for a single port, ("-m", "multiport",
# "--dport", "80,443") for several ports, and an empty list when $ports
# is empty or false. The caller's string is not modified.
#
# Nothing here validates $ports; callers in this file interpolate the
# result into a command string handed to run(), so they must only pass
# values that are genuinely port specifications. An unknown $type
# leaves the flag undefined.
sub format_ports {
	my ($ports, $type) = @_;

	my %flag_for = (
		src => "--sport",
		dst => "--dport",
	);
	my $flag = $flag_for{$type};

	my @options = ();

	# Several ports need the multiport match, which expects them
	# comma-separated.
	if ($ports =~ /\|/) {
		$ports =~ tr/|/,/;
		push(@options, "-m", "multiport");
	}

	push(@options, $flag, $ports) if ($ports);

	return @options;
}
837 | ||
# Return the DNAT target port (field 15) of the rule at $hash->{$key},
# but only when the rule uses a fixed target port (field 14 is
# "TGT_PORT") and an external port (field 30) is set that differs from
# it.
#
# NOTE(review): there is no explicit return for the other cases; the
# sub then falls off the end and yields the value of the last condition
# evaluated, which is a false value. Callers are not visible here -
# confirm they only test the result for truth.
sub get_dnat_target_port {
	my ($hash, $key) = @_;

	if ($hash->{$key}[14] eq "TGT_PORT") {
		my $target_port = $hash->{$key}[15];
		my $external_port = $hash->{$key}[30];

		# Only worth reporting when the port actually changes.
		if ($external_port && ($target_port ne $external_port)) {
			return $target_port;
		}
	}
}
851 | |
# Append one mangle rule per configured internal zone (GREEN, BLUE,
# ORANGE) that MARKs packets from that zone's network to $nat_address.
#
# $nat_address - destination address to match
# $interface   - optional; when set, only the zone whose _DEV entry
#                equals it gets a rule
# @options     - extra iptables arguments placed in front of the
#                generated ones
#
# Uses %defaultNetworks, $NAT_MASK, $CHAIN_MANGLE_NAT_DESTINATION_FIX,
# $IPTABLES and run() from the enclosing file. All arguments are
# interpolated verbatim into the command string handed to run().
#
# The mark starts at 0x01000000 and is shifted left once per rule
# actually emitted (skipped zones do not consume a bit), masked with
# $NAT_MASK. NOTE(review): whether the bit is meant to be tied to the
# zone or to the emitted rule is not visible here - confirm.
sub add_dnat_mangle_rules {
	my ($nat_address, $interface, @options) = @_;

	my $mark = 0x01000000;

	ZONE: for my $zone (qw(GREEN BLUE ORANGE)) {
		my $netaddress_key = $zone . "_NETADDRESS";
		my $netmask_key = $zone . "_NETMASK";

		# Zones without network information get no rule.
		next ZONE unless (exists $defaultNetworks{$netaddress_key});
		next ZONE unless (exists $defaultNetworks{$netmask_key});

		# Restrict to the requested interface, if any.
		next ZONE if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});

		my $network = $defaultNetworks{$netaddress_key} . "/" . $defaultNetworks{$netmask_key};

		my @mangle_options = (
			@options,
			"-s", $network, "-d", $nat_address,
			"-j", "MARK", "--set-xmark", "$mark/$NAT_MASK",
		);

		run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");

		$mark <<= 1;
	}
}
878 | |
# Build the "-m limit" arguments used to rate-limit LOG rules.
#
# Returns ("-m", "limit", "--limit", "10/second", "--limit-burst", 20):
# ten log messages per second, with bursts of up to twice that.
sub make_log_limit_options {
	# Messages per second. TODO: this could be read from the configuration.
	my $per_second = 10;

	my @options = (
		"-m", "limit",
		"--limit", "$per_second/second",
		"--limit-burst", $per_second * 2,
	);

	return @options;
}
e9b5ba41 | 893 | |
# Return 1 when the firewall itself has an address inside $subnet,
# 0 otherwise.
#
# Delegates to fwlib::get_internal_firewall_ip_address(); ORANGE is
# deliberately not covered, because nothing may ever access the
# firewall from that network.
sub firewall_is_in_subnet {
	my ($subnet) = @_;

	my $address = &fwlib::get_internal_firewall_ip_address($subnet, 0);

	return ($address ? 1 : 0);
}
907 | |
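# Load the ipset for country code $ccode from its pre-generated
# database file, if that file exists.
#
# The file is "<ccode>.ipset4" below
# $Location::Functions::ipset_db_directory and is fed to
# "ipset restore" through a shell redirection in the command string
# handed to run().
#
# $ccode is used both in the file path and on the command line, so it
# must be plain alphanumeric; anything else (including an empty or
# undefined value) is rejected with a warning and nothing is run. Real
# country codes are letters and digits only, so valid input is not
# affected.
sub ipset_restore ($) {
	my ($ccode) = @_;

	# Allow-list the code before it reaches a path or a command line.
	unless (defined $ccode && $ccode =~ /\A[A-Za-z0-9]+\z/) {
		warn "ipset_restore: refusing invalid country code\n";
		return;
	}

	my $file_suffix = "ipset4";
	my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_suffix";

	# The database may not have been generated for this code yet.
	if (-f $db_file) {
		run("$IPSET restore < $db_file");
	}
}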