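#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2009  Michael Tremer & Christian Schmidt                      #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
#
# Rebuilds the OUTGOINGFW iptables chain from the outgoing firewall settings:
#
#   /var/ipfire/outgoing/settings      POLICY (MODE0|MODE1|MODE2), MODE1LOG
#   /var/ipfire/outgoing/rules         one ';'-separated rule per line
#   /var/ipfire/outgoing/p2protocols   one ';'-separated ipp2p protocol per line
#
# MODE0: the chain is emptied and nothing else is installed.
# MODE1: ALLOW rules are installed; everything else leaving through RED is
#        dropped by a final rule (optionally logged when MODE1LOG is 'on').
# MODE2: DENY rules are installed; everything else is left alone.
#
# Every rule is installed through run_iptables(), which uses the list form of
# system(): values read from the rules files are handed to iptables as single
# arguments and never pass through a shell.

use strict;
# enable only the following on debugging purpose
#use warnings;

require '/var/ipfire/general-functions.pl';

my %outfwsettings = ();
my %netsettings   = ();

# When set, every iptables command is printed instead of executed.
my $DEBUG = 0;

my $iptables   = "/sbin/iptables";
my $configfile = "/var/ipfire/outgoing/rules";
my $p2pfile    = "/var/ipfire/outgoing/p2protocols";

# Rule fields 10..16 hold the weekday flags, in this order.
my @WEEKDAYS = qw(Mon Tue Wed Thu Fri Sat Sun);

### Values that have to be initialized
$outfwsettings{'ACTION'}        = '';
$outfwsettings{'VALID'}         = 'yes';
$outfwsettings{'EDIT'}          = 'no';
$outfwsettings{'NAME'}          = '';
$outfwsettings{'SNET'}          = '';
$outfwsettings{'SIP'}           = '';
$outfwsettings{'SPORT'}         = '';
$outfwsettings{'SMAC'}          = '';
$outfwsettings{'DIP'}           = '';
$outfwsettings{'DPORT'}         = '';
$outfwsettings{'PROT'}          = '';
$outfwsettings{'STATE'}         = '';
$outfwsettings{'DISPLAY_DIP'}   = '';
$outfwsettings{'DISPLAY_DPORT'} = '';
$outfwsettings{'DISPLAY_SMAC'}  = '';
$outfwsettings{'DISPLAY_SIP'}   = '';
$outfwsettings{'POLICY'}        = 'MODE0';

# Target (plus its extra match options) appended to every installed rule;
# set per POLICY below.
my @DO = ();

# read files
General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

# These files hold a single token each; the trailing newline is stripped so
# it cannot end up inside an iptables argument.
$netsettings{'RED_DEV'} = read_first_line("/var/ipfire/red/iface");
$netsettings{'RED_IP'}  = read_first_line("/var/ipfire/red/local-ipaddress");

my @configs = read_lines($configfile);

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    $outfwsettings{'STATE'} = "ALLOW";
    @DO = ("ACCEPT");
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
    $outfwsettings{'STATE'} = "DENY";
    @DO = ( "DROP", "-m", "comment", "--comment", "DROP_OUTGOINGFW" );
}

### Initialize IPTables
# Fixed command strings without interpolated values; output is discarded
# because the chain may not exist yet on the first run.
system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");

if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
    exit 0;
}

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    # Replies to allowed connections and ICMP are always let through.
    run_iptables( "-A", "OUTGOINGFW", "-m", "state", "--state",
        "ESTABLISHED,RELATED", "-j", "ACCEPT" );
    run_iptables( "-A", "OUTGOINGFW", "-p", "icmp", "-j", "ACCEPT" );
}

# Fields of a line in $configfile as used below (';'-separated, 0-based):
#    0  ALLOW|DENY            only rules matching the active STATE are installed
#    2  source zone           green|red|blue|orange|ip|<anything else = any>
#    3  protocol              tcp|udp|esp|gre|<anything else = tcp and udp>
#    5  source IP             used when field 2 is 'ip'
#    6  source MAC            optional
#    7  destination           optional, defaults to 0/0
#    8  destination port      optional, ignored for esp and gre
#    9  "aktiv"               log matches before applying the target
#   10..16 Mon..Sun           weekday flags for the time restriction
#   17, 18 timestart/timestop both required for the time restriction
# Fields 1 and 4 are not used by this script.
RULE: foreach my $configentry ( sort @configs ) {
    my @configline = split( /\;/, $configentry );

    # Only rules of the active kind are installed: ALLOW in MODE1, DENY in
    # MODE2.  Blank lines have no field 0 and are skipped here as well.
    next RULE unless defined $configline[0]
        and $outfwsettings{'STATE'} eq $configline[0];

    my ( $SOURCE, $DEV ) = source_of( $configline[2], $configline[5] );
    my $DESTINATION = $configline[7] ? $configline[7] : "0/0";
    my @proto = protocols_of( $configline[3] );

    foreach my $PROTO (@proto) {
        my @rule = ( "-A", "OUTGOINGFW", "-s", $SOURCE, "-d", $DESTINATION,
            "-p", $PROTO );

        # esp and gre carry no ports, so a port given for them is ignored.
        if ( $configline[8] && $configline[3] ne 'esp' && $configline[3] ne 'gre' ) {
            push @rule, "--dport", $configline[8];
        }

        if ($DEV) {
            push @rule, "-i", $DEV;
        }

        if ( $configline[6] ) {
            push @rule, "-m", "mac", "--mac-source", $configline[6];
        }

        if ( $configline[17] && $configline[18] ) {
            # The weekday list is rebuilt for every rule; it used to carry
            # over from the previous rule whenever Monday was not selected.
            my @days = map { $configline[ 10 + $_ ] ? $WEEKDAYS[$_] : () }
                0 .. $#WEEKDAYS;
            push @rule, "-m", "time", "--timestart", $configline[17],
                "--timestop", $configline[18], "--weekdays", join( ",", @days );
        }

        push @rule, "-o", $netsettings{'RED_DEV'};

        if ( $configline[9] eq "aktiv" ) {
            run_iptables( @rule, "-m", "limit", "--limit", "10/minute",
                "-j", "LOG", "--log-prefix", "DROP_OUTGOINGFW" );
        }

        run_iptables( @rule, "-j", @DO );
    }
}

### Do the P2P-Stuff here
# In MODE2 every protocol switched "off" (field 2) is dropped; in any other
# mode every protocol switched "on" is accepted.  Field 1 is the ipp2p option
# name, installed as "--<name>".
my @p2ps = read_lines($p2pfile);

my $wanted_state = $outfwsettings{'POLICY'} eq 'MODE2' ? "off"  : "on";
my @p2p_target   = $outfwsettings{'POLICY'} eq 'MODE2' ? ("DROP") : ("ACCEPT");
my @p2p_opts     = ();

foreach my $p2pentry ( sort @p2ps ) {
    my @p2pline = split( /\;/, $p2pentry );
    next unless defined $p2pline[2] and $p2pline[2] eq $wanted_state;
    push @p2p_opts, "--$p2pline[1]";
}

if (@p2p_opts) {
    run_iptables( "-A", "OUTGOINGFW", "-m", "ipp2p", @p2p_opts, "-j", @p2p_target );
}

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
        run_iptables( "-A", "OUTGOINGFW", "-o", $netsettings{'RED_DEV'},
            "-m", "limit", "--limit", "10/minute",
            "-j", "LOG", "--log-prefix", "DROP_OUTGOINGFW" );
    }

    # Final catch-all: whatever no ALLOW rule matched is dropped.
    run_iptables( "-A", "OUTGOINGFW", "-o", $netsettings{'RED_DEV'},
        "-j", "DROP", "-m", "comment", "--comment", "DROP_OUTGOINGFW" );
}

# Returns (source address, input interface) for a rule's source zone.
# $zone is field 2 of the rule, $ip is field 5 and is only used for 'ip'.
# The interface is empty when the rule is not bound to one (red, ip, any).
sub source_of {
    my ( $zone, $ip ) = @_;
    $zone = "" unless defined $zone;

    if ( $zone eq 'green' ) {
        return ( "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}",
            $netsettings{'GREEN_DEV'} );
    }
    if ( $zone eq 'red' ) {
        return ( $netsettings{'RED_IP'}, "" );
    }
    if ( $zone eq 'blue' ) {
        return ( "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}",
            $netsettings{'BLUE_DEV'} );
    }
    if ( $zone eq 'orange' ) {
        return ( "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}",
            $netsettings{'ORANGE_DEV'} );
    }
    if ( $zone eq 'ip' ) {
        return ( defined $ip ? $ip : "", "" );
    }
    return ( "0/0", "" );
}

# Returns the list of protocols a rule expands to (field 3 of the rule).
# tcp, udp, esp and gre stand for themselves; anything else means tcp and udp,
# which yields one iptables rule per protocol.
sub protocols_of {
    my ($protocol) = @_;
    $protocol = "" unless defined $protocol;

    foreach my $known (qw(tcp udp esp gre)) {
        return ($known) if $protocol eq $known;
    }
    return ( "tcp", "udp" );
}

# Returns all lines of $path with line endings removed; dies if the file
# cannot be opened.
sub read_lines {
    my ($path) = @_;

    open( my $fh, '<', $path ) or die "Unable to read $path: $!";
    my @lines = <$fh>;
    close $fh;

    chomp @lines;
    return @lines;
}

# Returns the first line of $path without its line ending, or "" when the
# file cannot be opened or is empty (the previous `cat` produced "" too).
sub read_first_line {
    my ($path) = @_;

    open( my $fh, '<', $path ) or return "";
    my $line = <$fh>;
    close $fh;

    $line = "" unless defined $line;
    chomp $line;
    return $line;
}

# Runs iptables with @args, or only prints the command when $DEBUG is set.
# system() is called in list form, so no shell is involved and every
# argument reaches iptables exactly as given.  A failed call is reported
# because the chain is rebuilt from scratch and a rule that does not install
# would otherwise be missing without any trace.
sub run_iptables {
    my @args = @_;

    if ($DEBUG) {
        print join( " ", $iptables, @args ), "\n";
        return;
    }

    my $rc = system( $iptables, @args );
    if ( $rc != 0 ) {
        warn "$iptables @args failed ($rc)\n";
    }
    return;
}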