]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commitdiff
Firewall: make DNAT only accessible from selected source network
authorAlexander Marx <alexander.marx@ipfire.org>
Fri, 18 Jul 2014 06:44:45 +0000 (08:44 +0200)
committerAlexander Marx <alexander.marx@ipfire.org>
Fri, 18 Jul 2014 06:44:45 +0000 (08:44 +0200)
We added RED to the standard networks and now portforwardings are only
useable from the selected source. If selected "all" the portforwarding
can be used from any internal network. Else the access is only grnated
from the selected source network.

config/firewall/firewall-lib.pl
config/firewall/rules.pl
html/cgi-bin/firewall.cgi
html/cgi-bin/fwhosts.cgi

index c4a19e5d80caa17b6cc0dc68b612c8814da14c59..9b3f2bff43525e2d6a93c151354f006460705df8 100755 (executable)
@@ -217,7 +217,7 @@ sub get_std_net_ip
        }elsif($val eq 'BLUE'){
                return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
        }elsif($val eq 'RED'){
        }elsif($val eq 'BLUE'){
                return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
        }elsif($val eq 'RED'){
-               return "0.0.0.0/0 -o $con";
+               return "0.0.0.0/0";
        }elsif($val =~ /OpenVPN/i){
                return "$ovpnsettings{'DOVPN_SUBNET'}";
        }elsif($val =~ /IPsec/i){
        }elsif($val =~ /OpenVPN/i){
                return "$ovpnsettings{'DOVPN_SUBNET'}";
        }elsif($val =~ /IPsec/i){
@@ -226,6 +226,23 @@ sub get_std_net_ip
                return ;
        }
 }
                return ;
        }
 }
+sub get_interface
+{
+       my $net=shift;
+       if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){
+               return "$netsettings{'GREEN_DEV'}";
+       }
+       if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){
+               return "$netsettings{'ORANGE_DEV'}";
+       }
+       if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
+               return "$netsettings{'BLUE_DEV'}";
+       }
+       if($net eq "0.0.0.0/0"){
+               return "$netsettings{'RED_DEV'}";
+       }
+       return "";
+}
 sub get_net_ip
 {
        my $val=shift;
 sub get_net_ip
 {
        my $val=shift;
@@ -305,9 +322,9 @@ sub get_address
        # address. Otherwise, we assume that it is an IP address.
        if ($key ~~ ["src_addr", "tgt_addr"]) {
                if (&General::validmac($value)) {
        # address. Otherwise, we assume that it is an IP address.
        if ($key ~~ ["src_addr", "tgt_addr"]) {
                if (&General::validmac($value)) {
-                       push(@ret, "-m mac --mac-source $value");
+                       push(@ret, ["-m mac --mac-source $value", ""]);
                } else {
                } else {
-                       push(@ret, $value);
+                       push(@ret, [$value, ""]);
                }
 
        # If a default network interface (GREEN, BLUE, etc.) is selected, we
                }
 
        # If a default network interface (GREEN, BLUE, etc.) is selected, we
@@ -316,88 +333,90 @@ sub get_address
                my $external_interface = &get_external_interface();
 
                my $network_address = &get_std_net_ip($value, $external_interface);
                my $external_interface = &get_external_interface();
 
                my $network_address = &get_std_net_ip($value, $external_interface);
+
                if ($network_address) {
                if ($network_address) {
-                       push(@ret, $network_address);
+                       my $interface = &get_interface($network_address);
+                       push(@ret, [$network_address, $interface]);
                }
 
        # Custom networks.
        } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
                my $network_address = &get_net_ip($value);
                if ($network_address) {
                }
 
        # Custom networks.
        } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
                my $network_address = &get_net_ip($value);
                if ($network_address) {
-                       push(@ret, $network_address);
+                       push(@ret, [$network_address, ""]);
                }
 
        # Custom hosts.
        } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
                my $host_address = &get_host_ip($value, $type);
                if ($host_address) {
                }
 
        # Custom hosts.
        } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
                my $host_address = &get_host_ip($value, $type);
                if ($host_address) {
-                       push(@ret, $host_address);
+                       push(@ret, [$host_address, ""]);
                }
 
        # OpenVPN networks.
        } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
                my $network_address = &get_ovpn_net_ip($value, 1);
                if ($network_address) {
                }
 
        # OpenVPN networks.
        } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
                my $network_address = &get_ovpn_net_ip($value, 1);
                if ($network_address) {
-                       push(@ret, $network_address);
+                       push(@ret, [$network_address, ""]);
                }
 
        # OpenVPN hosts.
        } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
                my $host_address = &get_ovpn_host_ip($value, 33);
                if ($host_address) {
                }
 
        # OpenVPN hosts.
        } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
                my $host_address = &get_ovpn_host_ip($value, 33);
                if ($host_address) {
-                       push(@ret, $host_address);
+                       push(@ret, [$host_address, ""]);
                }
 
        # OpenVPN N2N.
        } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
                my $network_address = &get_ovpn_n2n_ip($value, 11);
                if ($network_address) {
                }
 
        # OpenVPN N2N.
        } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
                my $network_address = &get_ovpn_n2n_ip($value, 11);
                if ($network_address) {
-                       push(@ret, $network_address);
+                       push(@ret, [$network_address, ""]);
                }
 
        # IPsec networks.
        } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
                my $network_address = &get_ipsec_net_ip($value, 11);
                if ($network_address) {
                }
 
        # IPsec networks.
        } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
                my $network_address = &get_ipsec_net_ip($value, 11);
                if ($network_address) {
-                       push(@ret, $network_address);
+                       push(@ret, [$network_address, ""]);
                }
 
        # The firewall's own IP addresses.
        } elsif ($key ~~ ["ipfire", "ipfire_src"]) {
                # ALL
                if ($value eq "ALL") {
                }
 
        # The firewall's own IP addresses.
        } elsif ($key ~~ ["ipfire", "ipfire_src"]) {
                # ALL
                if ($value eq "ALL") {
-                       push(@ret, "0/0");
+                       push(@ret, ["0/0", ""]);
 
                # GREEN
                } elsif ($value eq "GREEN") {
 
                # GREEN
                } elsif ($value eq "GREEN") {
-                       push(@ret, $netsettings{"GREEN_ADDRESS"});
+                       push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);
 
                # BLUE
                } elsif ($value eq "BLUE") {
 
                # BLUE
                } elsif ($value eq "BLUE") {
-                       push(@ret, $netsettings{"BLUE_ADDRESS"});
+                       push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);
 
                # ORANGE
                } elsif ($value eq "ORANGE") {
 
                # ORANGE
                } elsif ($value eq "ORANGE") {
-                       push(@ret, $netsettings{"ORANGE_ADDRESS"});
+                       push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);
 
                # RED
                } elsif ($value ~~ ["RED", "RED1"]) {
                        my $address = &get_external_address();
                        if ($address) {
 
                # RED
                } elsif ($value ~~ ["RED", "RED1"]) {
                        my $address = &get_external_address();
                        if ($address) {
-                               push(@ret, $address);
+                               push(@ret, [$address, ""]);
                        }
 
                # Aliases
                } else {
                        my $alias = &get_alias($value);
                        if ($alias) {
                        }
 
                # Aliases
                } else {
                        my $alias = &get_alias($value);
                        if ($alias) {
-                               push(@ret, $alias);
+                               push(@ret, [$alias, ""]);
                        }
                }
 
        # If nothing was selected, we assume "any".
        } else {
                        }
                }
 
        # If nothing was selected, we assume "any".
        } else {
-               push(@ret, "0/0");
+               push(@ret, ["0/0", ""]);
        }
 
        return @ret;
        }
 
        return @ret;
index c0ddcb2d69ed96937c3f8e66cad08d8e17b8cd95..887c0526575ed9713a9f399ad623cfcee611ec8d 100755 (executable)
@@ -291,24 +291,28 @@ sub buildrules {
 
                        foreach my $src (@sources) {
                                # Skip invalid source.
 
                        foreach my $src (@sources) {
                                # Skip invalid source.
-                               next unless ($src);
+                               next unless (@$src[0]);
 
                                # Sanitize source.
 
                                # Sanitize source.
-                               my $source = $src;
+                               my $source = @$src[0];
                                if ($source ~~ @ANY_ADDRESSES) {
                                        $source = "";
                                }
 
                                if ($source ~~ @ANY_ADDRESSES) {
                                        $source = "";
                                }
 
+                               my $source_intf = @$src[1];
+
                                foreach my $dst (@destinations) {
                                        # Skip invalid rules.
                                foreach my $dst (@destinations) {
                                        # Skip invalid rules.
-                                       next if (!$dst || ($dst eq "none"));
+                                       next if (!@$dst[0] || (@$dst[0] eq "none"));
 
                                        # Sanitize destination.
 
                                        # Sanitize destination.
-                                       my $destination = $dst;
+                                       my $destination = @$dst[0];
                                        if ($destination ~~ @ANY_ADDRESSES) {
                                                $destination = "";
                                        }
 
                                        if ($destination ~~ @ANY_ADDRESSES) {
                                                $destination = "";
                                        }
 
+                                       my $destination_intf = @$dst[1];
+
                                        # Array with iptables arguments.
                                        my @options = ();
 
                                        # Array with iptables arguments.
                                        my @options = ();
 
@@ -325,12 +329,20 @@ sub buildrules {
                                                push(@source_options, ("-s", $source));
                                        }
 
                                                push(@source_options, ("-s", $source));
                                        }
 
+                                       if ($source_intf) {
+                                               push(@source_options, ("-i", $source_intf));
+                                       }
+
                                        # Prepare destination options.
                                        my @destination_options = ();
                                        if ($destination) {
                                                push(@destination_options, ("-d", $destination));
                                        }
 
                                        # Prepare destination options.
                                        my @destination_options = ();
                                        if ($destination) {
                                                push(@destination_options, ("-d", $destination));
                                        }
 
+                                       if ($destination_intf) {
+                                               push(@destination_options, ("-o", $destination_intf));
+                                       }
+
                                        # Add time constraint options.
                                        push(@options, @time_options);
 
                                        # Add time constraint options.
                                        push(@options, @time_options);
 
@@ -364,7 +376,7 @@ sub buildrules {
                                                        # Make port-forwardings useable from the internal networks.
                                                        my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
                                                        unless ($nat_address ~~ @internal_addresses) {
                                                        # Make port-forwardings useable from the internal networks.
                                                        my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
                                                        unless ($nat_address ~~ @internal_addresses) {
-                                                               &add_dnat_mangle_rules($nat_address, @nat_options);
+                                                               &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
                                                        }
 
                                                        push(@nat_options, @source_options);
                                                        }
 
                                                        push(@nat_options, @source_options);
@@ -681,6 +693,7 @@ sub get_dnat_target_port {
 
 sub add_dnat_mangle_rules {
        my $nat_address = shift;
 
 sub add_dnat_mangle_rules {
        my $nat_address = shift;
+       my $interface = shift;
        my @options = @_;
 
        my $mark = 0;
        my @options = @_;
 
        my $mark = 0;
@@ -691,6 +704,8 @@ sub add_dnat_mangle_rules {
                next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
                next unless (exists $defaultNetworks{$zone . "_NETMASK"});
 
                next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
                next unless (exists $defaultNetworks{$zone . "_NETMASK"});
 
+               next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
+
                my @mangle_options = @options;
 
                my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};
                my @mangle_options = @options;
 
                my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};
index e6ae5272a2c2f5f7bc382196c3c91bcaf631510e..2539d102c32477f363d062591ebb6e1dc7709b66 100644 (file)
@@ -1064,7 +1064,6 @@ print<<END;
 END
        foreach my $network (sort keys %defaultNetworks)
                {
 END
        foreach my $network (sort keys %defaultNetworks)
                {
-                       next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src');
                        next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
                        print "<option value='$defaultNetworks{$network}{'NAME'}'";
                        print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
                        next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
                        print "<option value='$defaultNetworks{$network}{'NAME'}'";
                        print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
index eeb83ac127bc216b3e7c10e7568c1c82cab7bdb4..ce2f7f558adaa9a9f208722c60aa6479b3bee9d7 100644 (file)
@@ -1644,7 +1644,10 @@ sub getcolor
                        $tdcolor="<font style='color: $Header::colourblue;'>$c</font>";
                        return $tdcolor;
                }
                        $tdcolor="<font style='color: $Header::colourblue;'>$c</font>";
                        return $tdcolor;
                }
-
+               if ("$sip/$scidr" eq "0.0.0.0/0"){
+                       $tdcolor="<font style='color: $Header::colourred;'>$c</font>";
+                       return $tdcolor;
+               }
                #Check if IP is part of OpenVPN N2N subnet
                foreach my $key (sort keys %ccdhost){
                        if ($ccdhost{$key}[3] eq 'net'){
                #Check if IP is part of OpenVPN N2N subnet
                foreach my $key (sort keys %ccdhost){
                        if ($ccdhost{$key}[3] eq 'net'){
@@ -2501,6 +2504,9 @@ sub getipforgroup
                        &General::readhash("${General::swroot}/vpn/settings",\%hash);
                        return $hash{'RW_NET'};
                }
                        &General::readhash("${General::swroot}/vpn/settings",\%hash);
                        return $hash{'RW_NET'};
                }
+               if ($name eq 'RED'){
+                       return "0.0.0.0/0";
+               }
        }
 }
 sub decrease
        }
 }
 sub decrease