my $configinput = "${General::swroot}/firewall/input";
my $configoutgoing = "${General::swroot}/firewall/outgoing";
my $p2pfile = "${General::swroot}/firewall/p2protocols";
+my $geoipfile = "${General::swroot}/firewall/geoipblock";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
# Flush all chains.
&flush();
- # Reload firewall rules.
- &preparerules();
+ # Prepare firewall rules.
+ if (! -z "${General::swroot}/firewall/input"){
+ &buildrules(\%configinputfw);
+ }
+ if (! -z "${General::swroot}/firewall/outgoing"){
+ &buildrules(\%configoutgoingfw);
+ }
+ if (! -z "${General::swroot}/firewall/config"){
+ &buildrules(\%configfwdfw);
+ }
# Load P2P block rules.
&p2pblock();
+ # Load GeoIP block rules.
+ &geoipblock();
+
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
+
+ #Reload firewall.local if present
+ if ( -f '/etc/sysconfig/firewall.local'){
+ run("/etc/sysconfig/firewall.local reload");
+ }
}
sub run {
print "\n";
}
+sub count_elements {
+ my $hash = shift;
+
+ return scalar @$hash;
+}
+
sub flush {
run("$IPTABLES -F $CHAIN_INPUT");
run("$IPTABLES -F $CHAIN_FORWARD");
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
}
-sub preparerules {
- if (! -z "${General::swroot}/firewall/input"){
- &buildrules(\%configinputfw);
- }
- if (! -z "${General::swroot}/firewall/outgoing"){
- &buildrules(\%configoutgoingfw);
- }
- if (! -z "${General::swroot}/firewall/config"){
- &buildrules(\%configfwdfw);
- }
-}
-
sub buildrules {
my $hash = shift;
# Skip disabled rules.
next unless ($$hash{$key}[2] eq 'ON');
+ # Count number of elements in this line
+ my $elements = &count_elements($$hash{$key});
+
if ($DEBUG) {
print_rule($$hash{$key});
}
}
}
+ # Concurrent connection limit
+ my @ratelimit_options = ();
+
+ if (($elements ge 34) && ($$hash{$key}[32] eq 'ON')) {
+ my $conn_limit = $$hash{$key}[33];
+
+ if ($conn_limit ge 1) {
+ push(@ratelimit_options, ("-m", "connlimit"));
+
+ # Use the the entire source IP address
+ push(@ratelimit_options, "--connlimit-saddr");
+ push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+ # Apply the limit
+ push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+ }
+ }
+
+ # Ratelimit
+ if (($elements ge 37) && ($$hash{$key}[34] eq 'ON')) {
+ my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
+ }
+
# Check which protocols are used in this rule and so that we can
# later group rules by protocols.
my @protocols = &get_protocols($hash, $key);
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } elsif ($source) {
+ } elsif ($source =~ /-m geoip/) {
+ push(@source_options, $source);
+ } elsif($source) {
push(@source_options, ("-s", $source));
}
- if ($source_intf) {
- push(@source_options, ("-i", $source_intf));
- }
-
# Prepare destination options.
my @destination_options = ();
- if ($destination) {
+ if ($destination =~ /-m geoip/) {
+ push(@destination_options, $destination);
+ } elsif ($destination) {
push(@destination_options, ("-d", $destination));
}
- if ($destination_intf) {
- push(@destination_options, ("-o", $destination_intf));
- }
-
# Add time constraint options.
push(@options, @time_options);
+ # Add ratelimiting option
+ push(@options, @ratelimit_options);
+
my $firewall_is_in_source_subnet = 1;
if ($source) {
$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
} elsif ($NAT_MODE eq "SNAT") {
my @nat_options = @options;
+ if ($destination_intf) {
+ push(@nat_options, ("-o", $destination_intf));
+ }
+
push(@nat_options, @source_options);
push(@nat_options, @destination_options);
}
}
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ if ($source_intf) {
+ push(@source_options, ("-i", $source_intf));
+ }
+
+ if ($destination_intf) {
+ push(@destination_options, ("-o", $destination_intf));
+ }
+
push(@options, @source_options);
push(@options, @destination_options);
}
sub p2pblock {
- my $search_action;
- my $target;
-
- if ($fwdfwsettings{"POLICY"} eq "MODE1") {
- $search_action = "on";
- $target = "ACCEPT";
- } else {
- $search_action = "off";
- $target = "DROP";
- }
-
open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
my @protocols = ();
foreach my $p2pentry (<FILE>) {
my @p2pline = split(/\;/, $p2pentry);
- next unless ($p2pline[2] eq $search_action);
+ next unless ($p2pline[2] eq "off");
push(@protocols, "--$p2pline[1]");
}
close(FILE);
+ run("$IPTABLES -F P2PBLOCK");
if (@protocols) {
- run("$IPTABLES -A FORWARDFW -m ipp2p @protocols -j $target");
+ run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
+ }
+}
+
+sub geoipblock {
+ my %geoipsettings = ();
+ $geoipsettings{'GEOIPBLOCK_ENABLED'} = "off";
+
+ # Flush iptables chain.
+ run("$IPTABLES -F GEOIPBLOCK");
+
+ # Check if the geoip settings file exists
+ if (-e "$geoipfile") {
+ # Read settings file
+ &General::readhash("$geoipfile", \%geoipsettings);
+ }
+
+ # If geoip blocking is not enabled, we are finished here.
+ if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+ # Exit submodule. Process remaining script.
+ return;
+ }
+
+ # Get supported locations.
+ my @locations = &fwlib::get_geoip_locations();
+
+ # Loop through all supported geoip locations and
+ # create iptables rules, if blocking this country
+ # is enabled.
+ foreach my $location (@locations) {
+ if(exists $geoipsettings{$location} && $geoipsettings{$location} eq "on") {
+ run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+ }
}
}