1 | #!/usr/bin/perl -w | |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
23 | ||
24 | require '/var/ipfire/general-functions.pl'; | |
25 | require "${General::swroot}/lang.pl"; | |
26 | require "/usr/lib/firewall/firewall-lib.pl"; | |
27 | ||
# Set to one to enable debugging mode: run() then prints every iptables
# command line instead of executing it.
my $DEBUG = 0;

# Resolved through PATH; "--wait" blocks while another process holds the xtables lock.
my $IPTABLES = "iptables --wait";

# iptables chains managed by this script (filter table unless noted).
my $CHAIN_INPUT   = "INPUTFW";
my $CHAIN_FORWARD = "FORWARDFW";
my $CHAIN_OUTPUT  = "OUTGOINGFW";
my $CHAIN = $CHAIN_FORWARD;
my $CHAIN_NAT_SOURCE      = "NAT_SOURCE";          # nat table
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";     # nat table
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";   # mangle table
my @VALID_CHAINS  = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);

# Spellings of "any address"; such a source/destination produces no -s/-d option.
my @ANY_ADDRESSES = qw(0.0.0.0/0.0.0.0 0.0.0.0/0 0/0);

# Protocol names a rule may use (lowercase), and the subset that has ports.
my @PROTOCOLS = qw(tcp udp icmp igmp ah esp gre ipv6 ipip);
my @PROTOCOLS_WITH_PORTS = qw(tcp udp);

# The only values accepted for a rule's "-j" target.
my @VALID_TARGETS = qw(ACCEPT DROP REJECT);

# Settings (key=value files) and rule sets (numbered array-of-fields files).
my %fwdfwsettings    = ();
my %fwoptions        = ();
my %defaultNetworks  = ();
my %configfwdfw      = ();
my %customgrp        = ();
my %configinputfw    = ();
my %configoutgoingfw = ();
my %confignatfw      = ();
my @p2ps = ();

my $configfwdfw    = "${General::swroot}/firewall/config";
my $configinput    = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile        = "${General::swroot}/firewall/p2protocols";
my $configgrp      = "${General::swroot}/fwhosts/customgroups";
my $netsettings    = "${General::swroot}/ethernet/settings";

&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
&General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
&General::readhash($netsettings, \%defaultNetworks);

# Rule files are read in the same order as before: forward, input, outgoing, groups.
for my $rule_file (
    [$configfwdfw,    \%configfwdfw],
    [$configinput,    \%configinputfw],
    [$configoutgoing, \%configoutgoingfw],
    [$configgrp,      \%customgrp],
) {
    my ($path, $into) = @$rule_file;
    &General::readhasharray($path, $into);
}

# Rate-limit options shared by every LOG rule.
my @log_limit_options = &make_log_limit_options();

# Whether the default policy of a chain already allows traffic (MODE2).
my $POLICY_INPUT_ALLOWED   = 0;
my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"}  eq "MODE2");
my $POLICY_OUTPUT_ALLOWED  = ($fwdfwsettings{"POLICY1"} eq "MODE2");

# Action the default policy of a chain takes (DROP or REJECT).
my $POLICY_INPUT_ACTION   = $fwoptions{"FWPOLICY2"};
my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
my $POLICY_OUTPUT_ACTION  = $fwoptions{"FWPOLICY1"};

# MAIN
&main();
86 | ||
sub main {
    # Entry point: rebuilds every managed chain from the configuration files.
    &flush();                           # empty all managed chains first
    &preparerules();                    # rules from the input/outgoing/forward files
    &p2pblock();                        # ipp2p rules for P2P protocols
    run("/usr/sbin/firewall-policy");   # re-apply the chain policies
    return;
}
100 | ||
sub run {
    # Executes the given command line, or only prints it when $DEBUG is set.
    # The command is handed to system() as one string, so the shell parses it
    # whenever it contains metacharacters; callers interpolate values taken
    # from the configuration files (addresses, ports, targets) into that
    # string unquoted, which is why buildrules() validates them first.
    # A non-zero exit status is reported on STDERR but not fatal.
    my ($command) = @_;

    if ($DEBUG) {
        print "$command\n";
        return;
    }

    # system() returns the wait status (-1 when the command could not be started).
    my $status = system($command);
    print_error("ERROR: $command") if $status != 0;
    return;
}
115 | ||
sub print_error {
    # Writes the given message plus a newline to STDERR.
    my ($message) = @_;

    printf STDERR "%s\n", $message;
    return;
}
121 | ||
sub print_rule {
    # Debug helper: dumps one rule (an array of fields) on one line as
    # "RULE:  0: field0  1: field1 ..." so field indices can be looked up.
    my ($fields) = @_;

    my @columns = map { sprintf(" %2d: %s", $_, $fields->[$_]) } 0 .. $#{$fields};
    print "\nRULE:", @columns, "\n";
    return;
}
133 | ||
sub flush {
    # Empties every chain this script manages (filter, nat and mangle tables).
    my @flush_arguments = (
        ["-F", $CHAIN_INPUT],
        ["-F", $CHAIN_FORWARD],
        ["-F", $CHAIN_OUTPUT],
        ["-t", "nat",    "-F", $CHAIN_NAT_SOURCE],
        ["-t", "nat",    "-F", $CHAIN_NAT_DESTINATION],
        ["-t", "mangle", "-F", $CHAIN_MANGLE_NAT_DESTINATION_FIX],
    );

    for my $arguments (@flush_arguments) {
        run(join(" ", $IPTABLES, @$arguments));
    }
    return;
}
142 | ||
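sub preparerules {
    # Builds the rules of the input, outgoing and forward rule files, in that
    # order, skipping a file that is missing or empty. The paths are the same
    # variables the hashes were read from at the top of this file, so the
    # size check and the rules it guards always refer to the same file.
    my @rule_sets = (
        [$configinput,    \%configinputfw],
        [$configoutgoing, \%configoutgoingfw],
        [$configfwdfw,    \%configfwdfw],
    );

    for my $rule_set (@rule_sets) {
        my ($file, $rules) = @$rule_set;
        # -s is true only for an existing file of non-zero size; the previous
        # "! -z" test was also true for a missing file.
        next unless -s $file;
        &buildrules($rules);
    }
    return;
}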
154 | ||
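sub buildrules {
    # Translates one rule hash (as read by General::readhasharray) into
    # iptables commands. Each rule is an array of fields; the indices read
    # here are:
    #   [0] target (ACCEPT/DROP/REJECT)   [1] chain   [2] "ON" when enabled
    #   [5] "ipfire" when the destination is the firewall itself
    #   [17] logging "ON"   [18] time constraint "ON"
    #   [19]..[25] Mon..Sun (non-empty = selected)   [26]/[27] start/stop time
    #   [28] NAT "ON"   [29] NAT address selector (see fwlib::get_nat_address)
    #   [31] NAT mode, uppercased to DNAT/SNAT
    # Rules with an unknown target, chain or protocol are reported through
    # print_error() and skipped. Nothing is returned.
    my $hash = shift;

    # Search for targets that need to be specially handled when adding
    # forwarding rules. Additional rules will automatically get inserted
    # into the INPUT/OUTPUT chains for these targets.
    my @special_input_targets = ();
    if (!$POLICY_FORWARD_ALLOWED) {
        push(@special_input_targets, "ACCEPT");
    }

    if ($POLICY_INPUT_ACTION eq "DROP") {
        push(@special_input_targets, "REJECT");
    } elsif ($POLICY_INPUT_ACTION eq "REJECT") {
        push(@special_input_targets, "DROP");
    }

    my @special_output_targets = ();
    if ($POLICY_OUTPUT_ALLOWED) {
        push(@special_output_targets, ("DROP", "REJECT"));
    } else {
        push(@special_output_targets, "ACCEPT");

        if ($POLICY_OUTPUT_ACTION eq "DROP") {
            push(@special_output_targets, "REJECT");
        } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
            push(@special_output_targets, "DROP");
        }
    }

    foreach my $key (sort {$a <=> $b} keys %$hash) {
        # Skip disabled rules.
        next unless ($$hash{$key}[2] eq 'ON');

        if ($DEBUG) {
            print_rule($$hash{$key});
        }

        # Check if the target is valid. The value is interpolated verbatim
        # into the "-j" argument of a shell command line (see run()), so only
        # the known targets may pass. The parentheses matter: "!$target ~~
        # @list" parses as "(!$target) ~~ @list", which never rejects anything.
        my $target = $$hash{$key}[0];
        if (!($target ~~ @VALID_TARGETS)) {
            print_error("Invalid target '$target' for rule $key");
            next;
        }

        # Check if the chain is valid (same precedence note as above).
        my $chain = $$hash{$key}[1];
        if (!($chain ~~ @VALID_CHAINS)) {
            print_error("Invalid chain '$chain' in rule $key");
            next;
        }

        # Collect all sources.
        my @sources = &fwlib::get_addresses($hash, $key, "src");

        # Collect all destinations.
        my @destinations = &fwlib::get_addresses($hash, $key, "tgt");

        # True if the destination is the firewall itself.
        my $destination_is_firewall = ($$hash{$key}[5] eq "ipfire");

        # Check if logging should be enabled.
        my $LOG = ($$hash{$key}[17] eq 'ON');

        # Check if NAT is enabled and initialize variables, that we use for that.
        my $NAT = ($$hash{$key}[28] eq 'ON');
        my $NAT_MODE;
        if ($NAT) {
            $NAT_MODE = uc($$hash{$key}[31]);
        }

        # Set up time constraints.
        my @time_options = ();
        if ($$hash{$key}[18] eq 'ON') {
            push(@time_options, ("-m", "time"));

            # Select all days of the week this match is active: fields
            # [19]..[25] hold Mon..Sun and are non-empty when selected.
            my @weekday_names = qw(Mon Tue Wed Thu Fri Sat Sun);
            my @weekdays = ();
            for my $day (0 .. $#weekday_names) {
                if ($$hash{$key}[19 + $day] ne '') {
                    push(@weekdays, $weekday_names[$day]);
                }
            }
            if (@weekdays) {
                push(@time_options, ("--weekdays", join(",", @weekdays)));
            }

            # Convert start time.
            my $time_start = &format_time($$hash{$key}[26]);
            if ($time_start) {
                push(@time_options, ("--timestart", $time_start));
            }

            # Convert end time.
            my $time_stop = &format_time($$hash{$key}[27]);
            if ($time_stop) {
                push(@time_options, ("--timestop", $time_stop));
            }
        }

        # Check which protocols are used in this rule and so that we can
        # later group rules by protocols.
        my @protocols = &get_protocols($hash, $key);
        if (!@protocols) {
            print_error("Invalid protocol configuration for rule $key");
            next;
        }

        foreach my $protocol (@protocols) {
            # Check if the given protocol is supported (parenthesized for the
            # same precedence reason as the target check above).
            if (($protocol ne "all") && !($protocol ~~ @PROTOCOLS)) {
                print_error("Protocol $protocol is not supported (rule $key)");
                next;
            }

            # Prepare protocol options (like ICMP types, ports, etc...).
            my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);

            # Check if this protocol knows ports.
            my $protocol_has_ports = ($protocol ~~ @PROTOCOLS_WITH_PORTS);

            foreach my $src (@sources) {
                # Skip invalid source.
                next unless ($src);

                # Sanitize source: "any" becomes the empty string, which
                # produces no -s option at all.
                my $source = $src;
                if ($source ~~ @ANY_ADDRESSES) {
                    $source = "";
                }

                foreach my $dst (@destinations) {
                    # Skip invalid rules.
                    next if (!$dst || ($dst eq "none"));

                    # Sanitize destination.
                    my $destination = $dst;
                    if ($destination ~~ @ANY_ADDRESSES) {
                        $destination = "";
                    }

                    # Array with iptables arguments.
                    my @options = ();

                    # Append protocol.
                    if ($protocol ne "all") {
                        push(@options, @protocol_options);
                    }

                    # Prepare source options. A source containing "mac" is
                    # taken to be a complete match expression as returned by
                    # fwlib::get_addresses and is passed through unchanged
                    # (NOTE(review): confirm the exact form in firewall-lib.pl).
                    my @source_options = ();
                    if ($source =~ /mac/) {
                        push(@source_options, $source);
                    } elsif ($source) {
                        push(@source_options, ("-s", $source));
                    }

                    # Prepare destination options.
                    my @destination_options = ();
                    if ($destination) {
                        push(@destination_options, ("-d", $destination));
                    }

                    # Add time constraint options.
                    push(@options, @time_options);

                    # An empty ("any") source or destination counts as containing the firewall.
                    my $firewall_is_in_source_subnet = 1;
                    if ($source) {
                        $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
                    }

                    my $firewall_is_in_destination_subnet = 1;
                    if ($destination) {
                        $firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
                    }

                    # Process NAT rules.
                    if ($NAT) {
                        my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);

                        # Skip NAT rules if the NAT address is unknown
                        # (i.e. no internet connection has been established, yet).
                        next unless ($nat_address);

                        # Destination NAT
                        if ($NAT_MODE eq "DNAT") {
                            my @nat_options = ();
                            if ($protocol ne "all") {
                                # With the last argument set, get_protocol_options()
                                # matches on the external port (field [30]) instead.
                                my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
                                push(@nat_options, @nat_protocol_options);
                            }
                            push(@nat_options, @time_options);

                            # Make port-forwardings useable from the internal networks.
                            my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
                            unless ($nat_address ~~ @internal_addresses) {
                                &add_dnat_mangle_rules($nat_address, @nat_options);
                            }

                            push(@nat_options, @source_options);
                            push(@nat_options, ("-d", $nat_address));

                            # Internal port, only when it differs from the external one.
                            my $dnat_port;
                            if ($protocol_has_ports) {
                                $dnat_port = &get_dnat_target_port($hash, $key);
                            }

                            my @nat_action_options = ();

                            # Use iptables REDIRECT when the firewall itself is the
                            # target and only the port changes.
                            my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports && $dnat_port);
                            if ($use_redirect) {
                                push(@nat_action_options, ("-j", "REDIRECT", "--to-ports", $dnat_port));

                            # Use iptables DNAT
                            } else {
                                if ($destination_is_firewall && !$destination) {
                                    $destination = &fwlib::get_external_address();
                                }
                                next unless ($destination);

                                # The filter rule below then matches the translated
                                # address (without its mask).
                                my ($dnat_address, $dnat_mask) = split("/", $destination);
                                @destination_options = ("-d", $dnat_address);

                                # $dnat_port was looked up above under the same condition.
                                if ($protocol_has_ports && $dnat_port) {
                                    $dnat_address .= ":$dnat_port";
                                }

                                push(@nat_action_options, ("-j", "DNAT", "--to-destination", $dnat_address));
                            }

                            if ($LOG) {
                                run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
                            }
                            run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @nat_action_options");

                        # Source NAT
                        } elsif ($NAT_MODE eq "SNAT") {
                            my @nat_options = @options;

                            push(@nat_options, @source_options);
                            push(@nat_options, @destination_options);

                            if ($LOG) {
                                run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
                            }
                            run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
                        }
                    }

                    push(@options, @source_options);
                    push(@options, @destination_options);

                    # Insert firewall rule. NAT rules log in the nat table only.
                    if ($LOG && !$NAT) {
                        run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
                    }
                    run("$IPTABLES -A $chain @options -j $target");

                    # Handle forwarding rules and add corresponding rules for firewall access.
                    if ($chain eq $CHAIN_FORWARD) {
                        # If the firewall is part of the destination subnet and access to the destination network
                        # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
                        # for the firewall, too.
                        if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
                            if ($LOG && !$NAT) {
                                run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
                            }
                            run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
                        }

                        # Likewise.
                        if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
                            if ($LOG && !$NAT) {
                                run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
                            }
                            run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
                        }
                    }
                }
            }
        }
    }
    return;
}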
459 | ||
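# Formats the given timestamp ("hh:mm", local time) into the iptables time
# match format, which is "hh:mm" in UTC. The result always lies between
# "00:00" and "23:59"; a time that crosses midnight wraps around.
sub format_time {
    my $val = shift;

    # Convert the given time into minutes since midnight.
    my $minutes = &time_convert_to_minutes($val);

    # Move the timestamp into UTC.
    $minutes += &time_utc_offset();

    # Make sure $minutes is between 00:00 and 23:59. The offset is less than
    # one day in either direction, so a modulo is enough; Perl's % yields a
    # non-negative result here. Exactly 1440 must wrap to 0 as well, otherwise
    # "24:00" would be produced, which is outside the promised range.
    $minutes %= 1440;

    # Format as hh:mm ("%d" truncates the fractional hours).
    return sprintf("%02d:%02d", $minutes / 60, $minutes % 60);
}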
482 | ||
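# Calculates the offset in minutes from the local timezone to UTC, i.e. the
# amount to add to a local wall-clock time (in minutes) to obtain UTC.
# Only the hour and minute fields are compared, so when the local and UTC
# dates differ the result is off by one day; format_time() wraps its sum
# into a single day, which absorbs that.
sub time_utc_offset {
    # Read the clock once so both conversions describe the same instant.
    my $now = time;
    my @localtime = localtime($now);
    my @gmtime    = gmtime($now);

    my $utc_minutes   = $gmtime[2] * 60 + $gmtime[1];
    my $local_minutes = $localtime[2] * 60 + $localtime[1];

    return $utc_minutes - $local_minutes;
}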
490 | ||
# Takes a timestamp like "14:00" and converts it into minutes since midnight.
sub time_convert_to_minutes {
    my $timestamp = shift;

    my ($hours, $minutes) = split(/:/, $timestamp);

    return $hours * 60 + $minutes;
}
497 | ||
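sub p2pblock {
    # Adds one ipp2p rule to the forward chain for the P2P protocols listed
    # in $p2pfile. Each line of that file is ";"-separated: field 1 is the
    # ipp2p option name (without the leading "--"), field 2 is "on" or "off".
    # In MODE1 the protocols switched "on" are ACCEPTed, otherwise the ones
    # switched "off" are DROPped.
    my ($search_action, $target);
    if ($fwdfwsettings{"POLICY"} eq "MODE1") {
        ($search_action, $target) = ("on", "ACCEPT");
    } else {
        ($search_action, $target) = ("off", "DROP");
    }

    # Three-argument open with a lexical handle: the two-argument form lets
    # the file name itself select the open mode.
    open(my $fh, '<', $p2pfile) or die "Unable to read $p2pfile: $!";
    my @protocols = ();
    while (my $p2pentry = <$fh>) {
        # The switch may be the last field on the line, so strip the newline
        # before comparing it.
        chomp($p2pentry);
        my @p2pline = split(/;/, $p2pentry);
        next unless (defined $p2pline[2] && $p2pline[2] eq $search_action);

        push(@protocols, "--$p2pline[1]");
    }
    close($fh);

    if (@protocols) {
        run("$IPTABLES -A $CHAIN_FORWARD -m ipp2p @protocols -j $target");
    }
    return;
}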
524 | ||
sub get_protocols {
    # Returns the lowercase protocol names a rule applies to, or ("all") when
    # none is configured. Returns the empty list (after reporting the error)
    # when ports are configured for a protocol that has none.
    my ($hash, $key) = @_;
    my $rule = $$hash{$key};

    my $uses_source_ports = ($rule->[7] eq "ON");
    my $uses_services     = ($rule->[11] eq "ON");

    my @protocols;

    if (!$uses_source_ports && !$uses_services) {
        # Rules which don't have source ports or services (like ICMP, ESP, ...).
        push(@protocols, $rule->[8]);

    } elsif ($rule->[14] eq 'cust_srv') {
        # A single custom service.
        push(@protocols, &fwlib::get_srv_prot($rule->[15]));

    } elsif ($rule->[14] eq 'cust_srvgrp') {
        # A service group, which may span several protocols.
        push(@protocols, split(",", &fwlib::get_srvgrp_prot($rule->[15])));

    } else {
        # Plain protocol with the ports given in the rule itself.
        my $protocol = lc($rule->[8]);
        my ($source_ports, $destination_ports) = ($rule->[10], $rule->[15]);

        # Check if ports are set for protocols which do not support ports.
        if (($source_ports || $destination_ports) && !($protocol ~~ @PROTOCOLS_WITH_PORTS)) {
            print_error("$protocol does not support ports");
            return ();
        }

        push(@protocols, $protocol);
    }

    # Remove all empty elements; if nothing is left, assume "all".
    @protocols = grep { $_ } @protocols;
    @protocols = ("all") unless @protocols;

    # Make all protocol names lowercase.
    return map { lc } @protocols;
}
579 | ||
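sub get_protocol_options {
    # Returns the iptables match options for one protocol of a rule: "-p
    # <proto>" followed by port matches (tcp/udp) or an ICMP type (icmp).
    # When $nat_options_wanted is true and the rule is a DNAT rule with an
    # external port (field [30]), that port replaces the destination port;
    # buildrules() uses this for the nat-table rule, which matches the
    # external port before translating to field [15].
    # Returns the empty list for protocol "all".
    my $hash = shift;
    my $key = shift;
    my $protocol = shift;
    my $nat_options_wanted = shift;
    my @options = ();

    # Nothing to do if no protocol is specified.
    if ($protocol eq "all") {
        return @options;
    }
    push(@options, ("-p", $protocol));

    if ($protocol ~~ @PROTOCOLS_WITH_PORTS) {
        # Process source ports.
        my $use_src_ports = ($$hash{$key}[7] eq "ON");
        my $src_ports = $$hash{$key}[10];

        if ($use_src_ports && $src_ports) {
            push(@options, &format_ports($src_ports, "src"));
        }

        # Process destination ports. The NAT mode is compared
        # case-insensitively, consistent with buildrules(), which uppercases it.
        my $use_dst_ports = ($$hash{$key}[11] eq "ON");
        my $use_dnat = (($$hash{$key}[28] eq "ON") && (lc($$hash{$key}[31]) eq "dnat"));

        if ($use_dst_ports) {
            my $dst_ports_mode = $$hash{$key}[14];
            my $dst_ports = $$hash{$key}[15];

            if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
                if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
                    $dst_ports = $$hash{$key}[30];
                }
                push(@options, &format_ports($dst_ports, "dst"));

            } elsif ($dst_ports_mode eq "cust_srv") {
                # Only tcp/udp reach this block (see @PROTOCOLS_WITH_PORTS),
                # so the former "ICMP" branch here could never run; ICMP
                # types are handled below.
                $dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
                push(@options, &format_ports($dst_ports, "dst"));

            } elsif ($dst_ports_mode eq "cust_srvgrp") {
                push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
            }
        }
    }

    # Check if a single ICMP type is selected.
    if ($protocol eq "icmp") {
        my $icmp_type = $$hash{$key}[9];

        if (($icmp_type ne "All ICMP-Types") && $icmp_type) {
            push(@options, ("--icmp-type", $icmp_type));
        }
    }

    return @options;
}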
642 | ||
sub format_ports {
    # Turns a port list ("80", "80|443") into a "--sport"/"--dport" option,
    # adding the multiport match when several ports are given. Returns the
    # empty list for an empty port string.
    my ($ports, $type) = @_;

    my %argument_for = (src => "--sport", dst => "--dport");
    my $argument = $argument_for{$type};

    my @options;

    # "|" separates ports in the configuration; multiport wants ",".
    my $separator_count = ($ports =~ tr/|/,/);
    push(@options, ("-m", "multiport")) if $separator_count;

    push(@options, ($argument, $ports)) if $ports;

    return @options;
}
667 | ||
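sub get_dnat_target_port {
    # Returns the internal port (field [15]) a DNAT rule forwards to when it
    # differs from the external port (field [30]). Returns nothing (undef in
    # scalar context) when the rule has no explicit target port or both ports
    # are the same, so callers fall back to plain address translation.
    my ($hash, $key) = @_;

    # Only rules with an explicit target port can have a distinct external port.
    return unless ($$hash{$key}[14] eq "TGT_PORT");

    my $port = $$hash{$key}[15];
    my $external_port = $$hash{$key}[30];

    if ($external_port && ($port ne $external_port)) {
        return $port;
    }

    # Explicit return instead of falling off the end, which would hand the
    # caller the value of the last evaluated condition.
    return;
}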
681 | ||
sub add_dnat_mangle_rules {
    # Marks packets from each internal network (GREEN=1, BLUE=2, ORANGE=3)
    # that are addressed to the NAT address, so port-forwardings are usable
    # from the internal networks as well. @options are the match options
    # shared with the DNAT rule. A zone without address and mask is skipped.
    my ($nat_address, @options) = @_;

    my @zones = ("GREEN", "BLUE", "ORANGE");
    for my $index (0 .. $#zones) {
        my $zone = $zones[$index];
        my $mark = $index + 1;   # fixed per zone, even when a zone is skipped

        my ($address_key, $mask_key) = ("${zone}_NETADDRESS", "${zone}_NETMASK");
        # Skip rule if not all required information exists.
        next unless (exists $defaultNetworks{$address_key} && exists $defaultNetworks{$mask_key});

        my $network = join("/", $defaultNetworks{$address_key}, $defaultNetworks{$mask_key});

        my @mangle_options = (
            @options,
            "-s", $network, "-d", $nat_address,
            "-j", "MARK", "--set-mark", $mark,
        );

        run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
    }
    return;
}
705 | ||
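sub make_log_limit_options {
    # Returns the rate-limit match used on every LOG rule. The rate (messages
    # per minute) defaults to 10 and may be passed as the optional first
    # argument; bursts of twice the rate are allowed.
    my $limit = shift;
    $limit = 10 unless defined $limit;   # default rate; may come from the configuration one day

    return ("-m", "limit", "--limit", "$limit/min", "--limit-burst", $limit * 2);
}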
720 | ||
sub firewall_is_in_subnet {
    # Returns 1 when fwlib reports an internal firewall address inside the
    # given subnet, 0 otherwise.
    my ($subnet) = @_;

    # ORANGE is missing here, because nothing may ever access
    # the firewall from this network.
    my $address = &fwlib::get_internal_firewall_ip_address($subnet, 0);

    return $address ? 1 : 0;
}