projects / people / ms / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 2a81ab0d AM |
1 | #!/usr/bin/perl |
| 2 | ############################################################################### | |
| 3 | # # | |
| 4 | # IPFire.org - A linux based firewall # | |
| 5 | # Copyright (C) 2012 # | |
| 6 | # # | |
| 7 | # This program is free software: you can redistribute it and/or modify # | |
| 8 | # it under the terms of the GNU General Public License as published by # | |
| 9 | # the Free Software Foundation, either version 3 of the License, or # | |
| 10 | # (at your option) any later version. # | |
| 11 | # # | |
| 12 | # This program is distributed in the hope that it will be useful, # | |
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
| 15 | # GNU General Public License for more details. # | |
| 16 | # # | |
| 17 | # You should have received a copy of the GNU General Public License # | |
| 18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
| 19 | # # | |
| 20 | ############################################################################### | |
| 21 | # # | |
| 22 | # Hi folks! I hope this code is useful for all. I needed something to handle # | |
| 23 | # my VPN Connections in a comfortable way. # | |
| 24 | # This script builds firewallrules from the webinterface # | |
| 25 | ############################################################################### | |
| 26 | ||
| 2a81ab0d | 27 | use strict; |
| 472136c9 | 28 | use Time::Local; |
| 2a81ab0d AM |
29 | no warnings 'uninitialized'; |
| 30 | ||
| 31 | # enable only the following on debugging purpose | |
| 32 | #use warnings; | |
| 33 | #use CGI::Carp 'fatalsToBrowser'; | |
| 34 | ||
| 35 | my %fwdfwsettings=(); | |
| 36 | my %defaultNetworks=(); | |
| 37 | my %configfwdfw=(); | |
| 38 | my %color=(); | |
| 39 | my %icmptypes=(); | |
| 40 | my %ovpnSettings=(); | |
| 41 | my %customgrp=(); | |
| 42 | our %sourcehash=(); | |
| 43 | our %targethash=(); | |
| 44 | my @timeframe=(); | |
| 45 | my %configinputfw=(); | |
| 5d7faa45 | 46 | my %configoutgoingfw=(); |
| 31fef6cc | 47 | my %configdmzfw=(); |
| a6edca5a | 48 | my %confignatfw=(); |
| 2a81ab0d AM |
49 | my %aliases=(); |
| 50 | my @DPROT=(); | |
| 36196d0d | 51 | my @p2ps=(); |
| 2a81ab0d AM |
52 | require '/var/ipfire/general-functions.pl'; |
| 53 | require "${General::swroot}/lang.pl"; | |
| 54 | require "${General::swroot}/forward/bin/firewall-lib.pl"; | |
| 55 | ||
| 31fef6cc | 56 | my $configdmz = "${General::swroot}/forward/dmz"; |
| 2a81ab0d AM |
57 | my $configfwdfw = "${General::swroot}/forward/config"; |
| 58 | my $configinput = "${General::swroot}/forward/input"; | |
| 5d7faa45 | 59 | my $configoutgoing = "${General::swroot}/forward/outgoing"; |
| a6edca5a | 60 | my $confignat = "${General::swroot}/forward/nat"; |
| 36196d0d | 61 | my $p2pfile = "${General::swroot}/forward/p2protocols"; |
| 2a81ab0d | 62 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; |
| 210ee67b | 63 | my $netsettings = "${General::swroot}/ethernet/settings"; |
| 2a81ab0d | 64 | my $errormessage=''; |
| 210ee67b AM |
65 | my $orange; |
| 66 | my $green; | |
| 6adcf156 | 67 | my $blue; |
| 2a81ab0d AM |
68 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); |
| 69 | my $CHAIN="FORWARDFW"; | |
| ddcec9d3 | 70 | my $conexists='off'; |
| a6edca5a AM |
71 | my $command = 'iptables -A'; |
| 72 | my $dnat=''; | |
| 73 | my $snat=''; | |
| 2a81ab0d | 74 | &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); |
| 210ee67b | 75 | &General::readhash("$netsettings", \%defaultNetworks); |
| 31fef6cc | 76 | &General::readhasharray($configdmz, \%configdmzfw); |
| 2a81ab0d AM |
77 | &General::readhasharray($configfwdfw, \%configfwdfw); |
| 78 | &General::readhasharray($configinput, \%configinputfw); | |
| 5d7faa45 | 79 | &General::readhasharray($configoutgoing, \%configoutgoingfw); |
| a6edca5a | 80 | &General::readhasharray($confignat, \%confignatfw); |
| 2a81ab0d AM |
81 | &General::readhasharray($configgrp, \%customgrp); |
| 82 | &General::get_aliases(\%aliases); | |
| 83 | ||
| ddcec9d3 AM |
84 | #check if we have an internetconnection |
| 85 | open (CONN,"/var/ipfire/red/iface"); | |
| 86 | my $con = <CONN>; | |
| 87 | close(CONN); | |
| 88 | if (-f "/var/ipfire/red/active"){ | |
| 89 | $conexists='on'; | |
| 90 | } | |
| a6edca5a AM |
91 | open (CONN1,"/var/ipfire/red/local-ipaddress"); |
| 92 | my $redip = <CONN1>; | |
| 93 | close(CONN1); | |
| 2a81ab0d AM |
94 | ################################ |
| 95 | # DEBUG/TEST # | |
| 96 | ################################ | |
| 54cb7ff0 | 97 | my $MODE=1; # 0 - normal operation |
| 2a81ab0d AM |
98 | # 1 - print configline and rules to console |
| 99 | # | |
| 100 | ################################ | |
| 101 | my $param=shift; | |
| 102 | ||
| 103 | if($param eq 'flush'){ | |
| 104 | if ($MODE eq '1'){ | |
| 105 | print " Flushing chains...\n"; | |
| 106 | } | |
| 107 | &flush; | |
| 108 | }else{ | |
| 109 | if ($MODE eq '1'){ | |
| 110 | print " Flushing chains...\n"; | |
| 111 | } | |
| 112 | &flush; | |
| 113 | if ($MODE eq '1'){ | |
| 114 | print " Preparing rules...\n"; | |
| 115 | } | |
| 116 | &preparerules; | |
| 117 | if($MODE eq '0'){ | |
| 118 | if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ | |
| af49e367 | 119 | &p2pblock; |
| 5d7faa45 | 120 | system ("/usr/sbin/firewall-policy"); |
| 2a81ab0d | 121 | }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ |
| 6adcf156 AM |
122 | $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); |
| 123 | $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; | |
| 6adcf156 AM |
124 | if ($defaultNetworks{'BLUE_DEV'}){ |
| 125 | $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'}); | |
| 126 | $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}"; | |
| 127 | #set default rules for BLUE | |
| 128 | system ("iptables -A $CHAIN -s $blue -d $green -j RETURN"); | |
| 129 | } | |
| 5b7ed8bb AM |
130 | if ($defaultNetworks{'ORANGE_DEV'}){ |
| 131 | $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); | |
| 132 | $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; | |
| 133 | #set default rules for DMZ | |
| 134 | system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); | |
| 135 | if ($defaultNetworks{'BLUE_DEV'}){ | |
| 136 | system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); | |
| 137 | } | |
| 138 | } | |
| 6adcf156 | 139 | &p2pblock; |
| fd10a52c | 140 | system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); |
| 5d7faa45 | 141 | system ("/usr/sbin/firewall-policy"); |
| 2a81ab0d AM |
142 | } |
| 143 | } | |
| 144 | } | |
| 2a81ab0d AM |
145 | sub flush |
| 146 | { | |
| 147 | system ("iptables -F FORWARDFW"); | |
| 148 | system ("iptables -F INPUTFW"); | |
| 5d7faa45 | 149 | system ("iptables -F OUTGOINGFW"); |
| 28640b73 AM |
150 | system ("iptables -F PORTFWACCESS"); |
| 151 | system ("iptables -t nat -F NAT_DESTINATION"); | |
| 152 | system ("iptables -t nat -F NAT_SOURCE"); | |
| 2a81ab0d AM |
153 | } |
| 154 | sub preparerules | |
| 155 | { | |
| 31fef6cc AM |
156 | if (! -z "${General::swroot}/forward/dmz"){ |
| 157 | &buildrules(\%configdmzfw); | |
| 158 | } | |
| 2a81ab0d AM |
159 | if (! -z "${General::swroot}/forward/config"){ |
| 160 | &buildrules(\%configfwdfw); | |
| 161 | } | |
| 162 | if (! -z "${General::swroot}/forward/input"){ | |
| 163 | &buildrules(\%configinputfw); | |
| 164 | } | |
| 5d7faa45 AM |
165 | if (! -z "${General::swroot}/forward/outgoing"){ |
| 166 | &buildrules(\%configoutgoingfw); | |
| 167 | } | |
| a6edca5a AM |
168 | if (! -z "${General::swroot}/forward/nat"){ |
| 169 | &buildrules(\%confignatfw); | |
| 170 | } | |
| 2a81ab0d AM |
171 | } |
| 172 | sub buildrules | |
| 173 | { | |
| 174 | my $hash=shift; | |
| b5269091 | 175 | my $STAG; |
| a6edca5a AM |
176 | my $natip; |
| 177 | my $snatport; | |
| 178 | my $fireport; | |
| bc912c6e | 179 | my $nat; |
| 98cee89f | 180 | my $fwaccessdport; |
| 992394d5 | 181 | foreach my $key (sort {$a <=> $b} keys %$hash){ |
| ddcec9d3 | 182 | next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); |
| a6edca5a AM |
183 | if ($$hash{$key}[28] eq 'ON'){ |
| 184 | $command='iptables -t nat -A'; | |
| 185 | $natip=&get_nat_ip($$hash{$key}[29]); | |
| 186 | if($$hash{$key}[31] eq 'dnat'){ | |
| bc912c6e | 187 | $nat='DNAT'; |
| 98cee89f AM |
188 | if ($$hash{$key}[30] =~ /\|/){ |
| 189 | $$hash{$key}[30]=~ tr/|/,/; | |
| 190 | $fireport='-m multiport --dport '.$$hash{$key}[30]; | |
| 191 | }else{ | |
| 192 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); | |
| 193 | } | |
| a6edca5a | 194 | }else{ |
| bc912c6e | 195 | $nat='SNAT'; |
| a6edca5a AM |
196 | } |
| 197 | } | |
| b5269091 | 198 | $STAG=''; |
| 2a81ab0d AM |
199 | if($$hash{$key}[2] eq 'ON'){ |
| 200 | #get source ip's | |
| 201 | if ($$hash{$key}[3] eq 'cust_grp_src'){ | |
| 992394d5 | 202 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| 2a81ab0d AM |
203 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ |
| 204 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); | |
| 205 | } | |
| 206 | } | |
| 207 | }else{ | |
| 208 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); | |
| 209 | } | |
| 210 | #get target ip's | |
| 211 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ | |
| 992394d5 | 212 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| 2a81ab0d AM |
213 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ |
| 214 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); | |
| 215 | } | |
| 216 | } | |
| 217 | }elsif($$hash{$key}[5] eq 'ipfire'){ | |
| 2a81ab0d AM |
218 | if($$hash{$key}[6] eq 'Default IP'){ |
| 219 | open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; | |
| 220 | $targethash{$key}[0]= <FILE>; | |
| 221 | close(FILE); | |
| 222 | }else{ | |
| 223 | foreach my $alias (sort keys %aliases){ | |
| 224 | if ($$hash{$key}[6] eq $alias){ | |
| 225 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; | |
| 226 | } | |
| 227 | } | |
| 228 | } | |
| 229 | }else{ | |
| 230 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); | |
| 231 | } | |
| 2a81ab0d AM |
232 | ##get source prot and port |
| 233 | $SRC_TGT='SRC'; | |
| 234 | $SPROT = &get_prot($hash,$key); | |
| 235 | $SPORT = &get_port($hash,$key); | |
| 236 | $SRC_TGT=''; | |
| 14f7cb87 | 237 | |
| 2a81ab0d AM |
238 | ##get target prot and port |
| 239 | $DPROT=&get_prot($hash,$key); | |
| 14f7cb87 | 240 | |
| 2a81ab0d AM |
241 | if ($DPROT eq ''){$DPROT=' ';} |
| 242 | @DPROT=split(",",$DPROT); | |
| 14f7cb87 | 243 | |
| 2a81ab0d AM |
244 | #get time if defined |
| 245 | if($$hash{$key}[18] eq 'ON'){ | |
| 472136c9 AM |
246 | my ($time1,$time2,$daylight); |
| 247 | my $daylight=$$hash{$key}[28]; | |
| 248 | $time1=&get_time($$hash{$key}[26],$daylight); | |
| 249 | $time2=&get_time($$hash{$key}[27],$daylight); | |
| 2a81ab0d AM |
250 | if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} |
| 251 | if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} | |
| 252 | if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} | |
| 253 | if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} | |
| 254 | if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} | |
| 255 | if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} | |
| 256 | if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} | |
| 257 | $TIME=join(",",@timeframe); | |
| 472136c9 AM |
258 | |
| 259 | $TIMEFROM="--timestart $time1 "; | |
| 260 | $TIMETILL="--timestop $time2 "; | |
| a0f267b9 | 261 | $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; |
| 2a81ab0d | 262 | } |
| 2a81ab0d AM |
263 | if ($MODE eq '1'){ |
| 264 | print "NR:$key "; | |
| 265 | foreach my $i (0 .. $#{$$hash{$key}}){ | |
| 266 | print "$i: $$hash{$key}[$i] "; | |
| 267 | } | |
| 268 | print "\n"; | |
| 269 | print"##################################\n"; | |
| 270 | #print rules to console | |
| 2a81ab0d AM |
271 | foreach my $DPROT (@DPROT){ |
| 272 | $DPORT = &get_port($hash,$key,$DPROT); | |
| 273 | if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} | |
| 274 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
| 275 | foreach my $a (sort keys %sourcehash){ | |
| 276 | foreach my $b (sort keys %targethash){ | |
| d7dc9718 | 277 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
| 2a81ab0d | 278 | if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ |
| 5d7faa45 | 279 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
| 8cb1afc8 AM |
280 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
| 281 | my @icmprule= split(",",substr($DPORT, 12,)); | |
| 282 | foreach (@icmprule){ | |
| 283 | if ($$hash{$key}[17] eq 'ON'){ | |
| a6edca5a | 284 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; |
| 8cb1afc8 | 285 | } |
| a6edca5a | 286 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; |
| 8cb1afc8 | 287 | } |
| a6edca5a | 288 | }elsif($$hash{$key}[28] ne 'ON'){ |
| 8cb1afc8 | 289 | if ($$hash{$key}[17] eq 'ON'){ |
| a6edca5a | 290 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; |
| 8cb1afc8 | 291 | } |
| a6edca5a | 292 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| 28640b73 AM |
293 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
| 294 | if ($$hash{$key}[17] eq 'ON'){ | |
| 295 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; | |
| 296 | } | |
| 28640b73 | 297 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| bc912c6e | 298 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; |
| 829697d0 | 299 | $DPORT =~ s/\-/:/g; |
| 98cee89f AM |
300 | if ($DPORT){ |
| 301 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
| 302 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
| 303 | if ($$hash{$key}[30]=~m/|/i){ | |
| 304 | $$hash{$key}[30] =~ s/\|/,/g; | |
| 305 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
| 306 | }else{ | |
| 307 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
| 308 | } | |
| 309 | } | |
| bc912c6e | 310 | print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
| a6edca5a | 311 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ |
| bc912c6e | 312 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; |
| 2a81ab0d | 313 | } |
| 2a81ab0d AM |
314 | } |
| 315 | } | |
| 316 | } | |
| 317 | } | |
| 318 | print"\n"; | |
| 319 | } | |
| 2a81ab0d AM |
320 | }elsif($MODE eq '0'){ |
| 321 | foreach my $DPROT (@DPROT){ | |
| 322 | $DPORT = &get_port($hash,$key,$DPROT); | |
| 323 | if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} | |
| 324 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
| 325 | foreach my $a (sort keys %sourcehash){ | |
| 326 | foreach my $b (sort keys %targethash){ | |
| d7dc9718 | 327 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
| 2a81ab0d | 328 | if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ |
| 5d7faa45 | 329 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
| 8cb1afc8 AM |
330 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
| 331 | my @icmprule= split(",",substr($DPORT, 12,)); | |
| 332 | foreach (@icmprule){ | |
| 333 | if ($$hash{$key}[17] eq 'ON'){ | |
| a6edca5a | 334 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); |
| 8cb1afc8 | 335 | } |
| a6edca5a AM |
336 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); |
| 337 | } | |
| 338 | }elsif($$hash{$key}[28] ne 'ON'){ | |
| 339 | if ($$hash{$key}[17] eq 'ON'){ | |
| 340 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
| 341 | } | |
| 342 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; | |
| 343 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ | |
| 344 | if ($$hash{$key}[17] eq 'ON'){ | |
| 345 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; | |
| 8cb1afc8 | 346 | } |
| a6edca5a | 347 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| bc912c6e | 348 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; |
| 829697d0 | 349 | $DPORT =~ s/\-/:/g; |
| 98cee89f AM |
350 | if ($DPORT){ |
| 351 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
| 352 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
| 353 | if ($$hash{$key}[30]=~m/|/i){ | |
| 354 | $$hash{$key}[30] =~ s/\|/,/g; | |
| 355 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
| 356 | }else{ | |
| 357 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
| 358 | } | |
| 359 | } | |
| bc912c6e | 360 | system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
| a6edca5a | 361 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
| 8cb1afc8 | 362 | if ($$hash{$key}[17] eq 'ON'){ |
| a6edca5a | 363 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; |
| 8cb1afc8 | 364 | } |
| bc912c6e | 365 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; |
| 2a81ab0d | 366 | } |
| 2a81ab0d AM |
367 | } |
| 368 | } | |
| 369 | } | |
| 370 | } | |
| 2a81ab0d AM |
371 | } |
| 372 | } | |
| 373 | } | |
| 374 | %sourcehash=(); | |
| 375 | %targethash=(); | |
| 376 | undef $TIME; | |
| 377 | undef $TIMEFROM; | |
| 378 | undef $TIMETILL; | |
| a6edca5a | 379 | undef $fireport; |
| 2a81ab0d AM |
380 | } |
| 381 | } | |
| a6edca5a AM |
382 | sub get_nat_ip |
| 383 | { | |
| 384 | my $val=shift; | |
| 385 | my $result; | |
| 386 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ | |
| 387 | $result=$defaultNetworks{$val.'_ADDRESS'}; | |
| 388 | }elsif($val eq 'ALL'){ | |
| 389 | $result='-i '.$con; | |
| 390 | }elsif($val eq 'Default IP'){ | |
| 391 | $result='-d '.$redip; | |
| 392 | }else{ | |
| 393 | foreach my $al (sort keys %aliases){ | |
| 394 | if($val eq $al){ | |
| 395 | $result='-d '.$aliases{$al}{'IPT'}; | |
| 396 | } | |
| 397 | } | |
| 398 | } | |
| 399 | return $result; | |
| 400 | } | |
| 472136c9 AM |
401 | sub get_time |
| 402 | { | |
| 403 | my $val=shift; | |
| 404 | my $val1=shift; | |
| 405 | my $time; | |
| 406 | my $minutes; | |
| 407 | my $ruletime; | |
| 408 | $minutes = &utcmin($val); | |
| 409 | $ruletime = $minutes + &time_get_utc($val); | |
| 410 | if ($ruletime < 0){$ruletime +=1440;} | |
| 411 | if ($ruletime > 1440){$ruletime -=1440;} | |
| 412 | $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; | |
| 413 | return $time; | |
| 414 | } | |
| 415 | sub time_get_utc | |
| 416 | { | |
| 417 | # Calculates the UTCtime from a given time | |
| 418 | my $val=shift; | |
| 419 | my @localtime=localtime(time); | |
| 420 | my @gmtime=gmtime(time); | |
| 421 | my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); | |
| 422 | return $diff; | |
| 423 | } | |
| 424 | sub utcmin | |
| 425 | { | |
| 426 | my $ruletime=shift; | |
| 427 | my ($hrs,$min) = split(":",$ruletime); | |
| 428 | my $newtime = $hrs*60+$min; | |
| 429 | return $newtime; | |
| 430 | } | |
| 36196d0d AM |
431 | sub p2pblock |
| 432 | { | |
| 433 | my $P2PSTRING; | |
| 434 | my $DO; | |
| 435 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; | |
| 436 | @p2ps = <FILE>; | |
| 437 | close FILE; | |
| 438 | my $CMD = "-m ipp2p"; | |
| 439 | foreach my $p2pentry (sort @p2ps) { | |
| 440 | my @p2pline = split( /\;/, $p2pentry ); | |
| 8d1beadc AM |
441 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { |
| 442 | $DO = "ACCEPT"; | |
| 5238a871 | 443 | if ("$p2pline[2]" eq "on") { |
| 36196d0d AM |
444 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| 445 | } | |
| 8d1beadc | 446 | }else { |
| 36196d0d | 447 | $DO = "RETURN"; |
| 5238a871 | 448 | if ("$p2pline[2]" eq "off") { |
| 36196d0d AM |
449 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| 450 | } | |
| 451 | } | |
| 452 | } | |
| 453 | if ($MODE eq 1){ | |
| 454 | if($P2PSTRING){ | |
| 455 | print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; | |
| 456 | } | |
| 457 | }else{ | |
| 458 | if($P2PSTRING){ | |
| 459 | system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); | |
| 460 | } | |
| 461 | } | |
| 462 | } | |
| 2a81ab0d AM |
463 | sub get_address |
| 464 | { | |
| 465 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey | |
| 466 | my $base2=shift; | |
| 467 | my $type=shift; #src or tgt | |
| 468 | my $hash; | |
| 469 | if ($type eq 'src'){ | |
| 470 | $hash=\%sourcehash; | |
| 471 | }else{ | |
| 472 | $hash=\%targethash; | |
| 473 | } | |
| 474 | my $key = &General::findhasharraykey($hash); | |
| 475 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ | |
| b5269091 AM |
476 | if (&General::validmac($base2)){ |
| 477 | $$hash{$key}[0] = "-m mac --mac-source $base2"; | |
| 478 | }else{ | |
| 479 | $$hash{$key}[0] = $base2; | |
| 480 | } | |
| 2a81ab0d | 481 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ |
| ddcec9d3 | 482 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); |
| 2a81ab0d AM |
483 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ |
| 484 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); | |
| 485 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ | |
| 486 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); | |
| 487 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ | |
| 488 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); | |
| 489 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ | |
| 490 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); | |
| 491 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ | |
| 492 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27); | |
| 493 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ | |
| 494 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); | |
| 495 | } | |
| 496 | } | |
| 497 | sub get_prot | |
| 498 | { | |
| 499 | my $hash=shift; | |
| 500 | my $key=shift; | |
| 501 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ | |
| 502 | if ($$hash{$key}[10] ne ''){ | |
| 503 | return"$$hash{$key}[8]"; | |
| 504 | }elsif($$hash{$key}[9] ne ''){ | |
| 505 | return"$$hash{$key}[8]"; | |
| 506 | }else{ | |
| 507 | return "$$hash{$key}[8]"; | |
| 508 | } | |
| 509 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ | |
| 510 | if ($$hash{$key}[14] eq 'TGT_PORT'){ | |
| 511 | if ($$hash{$key}[15] ne ''){ | |
| 512 | return "$$hash{$key}[12]"; | |
| 513 | }elsif($$hash{$key}[13] ne ''){ | |
| 514 | return "$$hash{$key}[12]"; | |
| 515 | }else{ | |
| 516 | return "$$hash{$key}[12]"; | |
| 517 | } | |
| 518 | }elsif($$hash{$key}[14] eq 'cust_srv'){ | |
| 519 | return &fwlib::get_srv_prot($$hash{$key}[15]); | |
| 520 | ||
| 521 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ | |
| 522 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); | |
| 523 | } | |
| 524 | } | |
| 98cee89f AM |
525 | #DNAT |
| 526 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ | |
| 527 | return "$$hash{$key}[12]"; | |
| 528 | } | |
| 2a81ab0d AM |
529 | } |
| 530 | sub get_port | |
| 531 | { | |
| 532 | my $hash=shift; | |
| 533 | my $key=shift; | |
| 534 | my $prot=shift; | |
| 535 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ | |
| 536 | if ($$hash{$key}[10] ne ''){ | |
| 8f0b047b | 537 | $$hash{$key}[10] =~ s/\|/,/g; |
| 93a5f4a5 AM |
538 | if(index($$hash{$key}[10],",") > 0){ |
| 539 | return "-m multiport --sport $$hash{$key}[10] "; | |
| 540 | }else{ | |
| a6edca5a AM |
541 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ |
| 542 | return "--sport $$hash{$key}[10] "; | |
| 543 | }else{ | |
| 544 | return ":$$hash{$key}[10]"; | |
| 545 | } | |
| 93a5f4a5 | 546 | } |
| 62fc8511 | 547 | }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ |
| 2a81ab0d | 548 | return "--icmp-type $$hash{$key}[9] "; |
| 62fc8511 AM |
549 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ |
| 550 | return; | |
| 2a81ab0d AM |
551 | } |
| 552 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ | |
| 2a81ab0d AM |
553 | if($$hash{$key}[14] eq 'TGT_PORT'){ |
| 554 | if ($$hash{$key}[15] ne ''){ | |
| 8f0b047b | 555 | $$hash{$key}[15] =~ s/\|/,/g; |
| 93a5f4a5 AM |
556 | if(index($$hash{$key}[15],",") > 0){ |
| 557 | return "-m multiport --dport $$hash{$key}[15] "; | |
| 558 | }else{ | |
| a6edca5a AM |
559 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ |
| 560 | return "--dport $$hash{$key}[15] "; | |
| 561 | }else{ | |
| 829697d0 | 562 | $$hash{$key}[15] =~ s/\:/-/g; |
| a6edca5a AM |
563 | return ":$$hash{$key}[15]"; |
| 564 | } | |
| 93a5f4a5 | 565 | } |
| 2a81ab0d AM |
566 | }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ |
| 567 | return "--icmp-type $$hash{$key}[13] "; | |
| 568 | }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ | |
| 569 | return; | |
| 570 | } | |
| 571 | }elsif($$hash{$key}[14] eq 'cust_srv'){ | |
| 572 | if ($prot ne 'ICMP'){ | |
| 6be32fe5 AM |
573 | if($$hash{$key}[31] eq 'dnat'){ |
| 574 | return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
| 575 | }else{ | |
| 576 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
| 577 | } | |
| 2a81ab0d AM |
578 | }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ |
| 579 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); | |
| 580 | }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ | |
| 581 | return; | |
| 582 | } | |
| 583 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ | |
| 584 | if ($prot ne 'ICMP'){ | |
| 585 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
| 586 | } | |
| 587 | elsif($prot eq 'ICMP'){ | |
| 588 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
| 589 | } | |
| 2a81ab0d AM |
590 | } |
| 591 | } | |
| 592 | } |