projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 2a81ab0d AM |
1 | #!/usr/bin/perl |
| 2 | ############################################################################### | |
| 3 | # # | |
| 4 | # IPFire.org - A linux based firewall # | |
| 5bee9a9d | 5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # |
| 2a81ab0d AM |
6 | # # |
| 7 | # This program is free software: you can redistribute it and/or modify # | |
| 8 | # it under the terms of the GNU General Public License as published by # | |
| 9 | # the Free Software Foundation, either version 3 of the License, or # | |
| 10 | # (at your option) any later version. # | |
| 11 | # # | |
| 12 | # This program is distributed in the hope that it will be useful, # | |
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
| 15 | # GNU General Public License for more details. # | |
| 16 | # # | |
| 17 | # You should have received a copy of the GNU General Public License # | |
| 18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
| 19 | # # | |
| 20 | ############################################################################### | |
| 2a81ab0d | 21 | |
| 2a81ab0d | 22 | use strict; |
| 472136c9 | 23 | use Time::Local; |
| 2a81ab0d AM |
24 | no warnings 'uninitialized'; |
| 25 | ||
| 26 | # enable only the following on debugging purpose | |
| 27 | #use warnings; | |
| 28 | #use CGI::Carp 'fatalsToBrowser'; | |
| 29 | ||
| 30 | my %fwdfwsettings=(); | |
| 31 | my %defaultNetworks=(); | |
| 32 | my %configfwdfw=(); | |
| 33 | my %color=(); | |
| 34 | my %icmptypes=(); | |
| 35 | my %ovpnSettings=(); | |
| 36 | my %customgrp=(); | |
| 37 | our %sourcehash=(); | |
| 38 | our %targethash=(); | |
| 39 | my @timeframe=(); | |
| 40 | my %configinputfw=(); | |
| 5d7faa45 | 41 | my %configoutgoingfw=(); |
| a6edca5a | 42 | my %confignatfw=(); |
| 2a81ab0d AM |
43 | my %aliases=(); |
| 44 | my @DPROT=(); | |
| 36196d0d | 45 | my @p2ps=(); |
| 2a81ab0d AM |
46 | require '/var/ipfire/general-functions.pl'; |
| 47 | require "${General::swroot}/lang.pl"; | |
| 73372ed4 | 48 | require "/usr/lib/firewall/firewall-lib.pl"; |
| 2a81ab0d | 49 | |
| 6d8eb5de AM |
50 | my $configfwdfw = "${General::swroot}/firewall/config"; |
| 51 | my $configinput = "${General::swroot}/firewall/input"; | |
| 52 | my $configoutgoing = "${General::swroot}/firewall/outgoing"; | |
| 53 | my $p2pfile = "${General::swroot}/firewall/p2protocols"; | |
| 2a81ab0d | 54 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; |
| 210ee67b | 55 | my $netsettings = "${General::swroot}/ethernet/settings"; |
| 86a921ee AM |
56 | my $errormessage = ''; |
| 57 | my $orange = ''; | |
| 58 | my $green = ''; | |
| 59 | my $blue = ''; | |
| 2a81ab0d | 60 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); |
| 86a921ee AM |
61 | my $CHAIN = "FORWARDFW"; |
| 62 | my $conexists = 'off'; | |
| a211fee3 | 63 | my $command = 'iptables --wait -A'; |
| 86a921ee AM |
64 | my $dnat =''; |
| 65 | my $snat =''; | |
| 66 | ||
| 6d8eb5de | 67 | &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); |
| 210ee67b | 68 | &General::readhash("$netsettings", \%defaultNetworks); |
| 2a81ab0d AM |
69 | &General::readhasharray($configfwdfw, \%configfwdfw); |
| 70 | &General::readhasharray($configinput, \%configinputfw); | |
| 5d7faa45 | 71 | &General::readhasharray($configoutgoing, \%configoutgoingfw); |
| 2a81ab0d AM |
72 | &General::readhasharray($configgrp, \%customgrp); |
| 73 | &General::get_aliases(\%aliases); | |
| 74 | ||
| ddcec9d3 AM |
75 | #check if we have an internetconnection |
| 76 | open (CONN,"/var/ipfire/red/iface"); | |
| 77 | my $con = <CONN>; | |
| 78 | close(CONN); | |
| 79 | if (-f "/var/ipfire/red/active"){ | |
| 80 | $conexists='on'; | |
| 81 | } | |
| a6edca5a AM |
82 | open (CONN1,"/var/ipfire/red/local-ipaddress"); |
| 83 | my $redip = <CONN1>; | |
| 84 | close(CONN1); | |
| 86a921ee AM |
85 | ################# |
| 86 | # DEBUG/TEST # | |
| 87 | ################# | |
| dc21519f | 88 | my $MODE=0; # 0 - normal operation |
| 14bcb9a2 AM |
89 | # 1 - print configline and rules to console |
| 90 | # | |
| 86a921ee | 91 | ################# |
| 2a81ab0d AM |
92 | my $param=shift; |
| 93 | ||
| 94 | if($param eq 'flush'){ | |
| 95 | if ($MODE eq '1'){ | |
| 96 | print " Flushing chains...\n"; | |
| 97 | } | |
| 98 | &flush; | |
| 99 | }else{ | |
| 100 | if ($MODE eq '1'){ | |
| 101 | print " Flushing chains...\n"; | |
| 102 | } | |
| 103 | &flush; | |
| 104 | if ($MODE eq '1'){ | |
| 105 | print " Preparing rules...\n"; | |
| 106 | } | |
| 107 | &preparerules; | |
| 108 | if($MODE eq '0'){ | |
| 109 | if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ | |
| af49e367 | 110 | &p2pblock; |
| 86a921ee | 111 | system ("/usr/sbin/firewall-policy"); |
| 2a81ab0d | 112 | }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ |
| 6adcf156 | 113 | &p2pblock; |
| 5d7faa45 | 114 | system ("/usr/sbin/firewall-policy"); |
| 2a81ab0d AM |
115 | } |
| 116 | } | |
| 117 | } | |
| 2a81ab0d AM |
118 | sub flush |
| 119 | { | |
| a211fee3 MT |
120 | system ("iptables --wait -F FORWARDFW"); |
| 121 | system ("iptables --wait -F INPUTFW"); | |
| 122 | system ("iptables --wait -F OUTGOINGFW"); | |
| 123 | system ("iptables --wait -t nat -F NAT_DESTINATION"); | |
| 124 | system ("iptables --wait -t nat -F NAT_SOURCE"); | |
| 86a921ee | 125 | } |
| 2a81ab0d AM |
126 | sub preparerules |
| 127 | { | |
| 6d8eb5de | 128 | if (! -z "${General::swroot}/firewall/config"){ |
| 2a81ab0d AM |
129 | &buildrules(\%configfwdfw); |
| 130 | } | |
| 6d8eb5de | 131 | if (! -z "${General::swroot}/firewall/input"){ |
| 2a81ab0d AM |
132 | &buildrules(\%configinputfw); |
| 133 | } | |
| 6d8eb5de | 134 | if (! -z "${General::swroot}/firewall/outgoing"){ |
| 5d7faa45 AM |
135 | &buildrules(\%configoutgoingfw); |
| 136 | } | |
| 2a81ab0d AM |
137 | } |
| 138 | sub buildrules | |
| 139 | { | |
| 140 | my $hash=shift; | |
| b5269091 | 141 | my $STAG; |
| a6edca5a AM |
142 | my $natip; |
| 143 | my $snatport; | |
| 144 | my $fireport; | |
| bc912c6e | 145 | my $nat; |
| 98cee89f | 146 | my $fwaccessdport; |
| c12392c0 | 147 | my $natchain; |
| 2aeb4b25 | 148 | my $icmptype; |
| 992394d5 | 149 | foreach my $key (sort {$a <=> $b} keys %$hash){ |
| ff4770c7 | 150 | next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); |
| a211fee3 | 151 | $command="iptables --wait -A"; |
| a6edca5a | 152 | if ($$hash{$key}[28] eq 'ON'){ |
| a211fee3 | 153 | $command='iptables --wait -t nat -A'; |
| 08e1c65d | 154 | $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); |
| a6edca5a | 155 | if($$hash{$key}[31] eq 'dnat'){ |
| bc912c6e | 156 | $nat='DNAT'; |
| 98cee89f AM |
157 | if ($$hash{$key}[30] =~ /\|/){ |
| 158 | $$hash{$key}[30]=~ tr/|/,/; | |
| 159 | $fireport='-m multiport --dport '.$$hash{$key}[30]; | |
| 160 | }else{ | |
| 161 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); | |
| 162 | } | |
| a6edca5a | 163 | }else{ |
| bc912c6e | 164 | $nat='SNAT'; |
| a6edca5a AM |
165 | } |
| 166 | } | |
| b5269091 | 167 | $STAG=''; |
| 2a81ab0d AM |
168 | if($$hash{$key}[2] eq 'ON'){ |
| 169 | #get source ip's | |
| 170 | if ($$hash{$key}[3] eq 'cust_grp_src'){ | |
| 992394d5 | 171 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| 2a81ab0d AM |
172 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ |
| 173 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); | |
| 174 | } | |
| 175 | } | |
| 176 | }else{ | |
| 177 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); | |
| 178 | } | |
| 179 | #get target ip's | |
| 180 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ | |
| 992394d5 | 181 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| 2a81ab0d AM |
182 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ |
| 183 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); | |
| 184 | } | |
| 185 | } | |
| a0fb1099 | 186 | }elsif($$hash{$key}[5] eq 'ipfire' ){ |
| 05d4f131 AM |
187 | if($$hash{$key}[6] eq 'GREEN'){ |
| 188 | $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
| 189 | } | |
| 190 | if($$hash{$key}[6] eq 'BLUE'){ | |
| 191 | $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
| 192 | } | |
| 193 | if($$hash{$key}[6] eq 'ORANGE'){ | |
| 194 | $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
| 195 | } | |
| 8762442c AM |
196 | if($$hash{$key}[6] eq 'ALL'){ |
| 197 | $targethash{$key}[0]='0.0.0.0/0'; | |
| 198 | } | |
| 690b0bd7 | 199 | if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ |
| ff4770c7 | 200 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; |
| 2a81ab0d AM |
201 | $targethash{$key}[0]= <FILE>; |
| 202 | close(FILE); | |
| 203 | }else{ | |
| 204 | foreach my $alias (sort keys %aliases){ | |
| 205 | if ($$hash{$key}[6] eq $alias){ | |
| 206 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; | |
| 207 | } | |
| 208 | } | |
| 209 | } | |
| 210 | }else{ | |
| 211 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); | |
| 212 | } | |
| 2a81ab0d AM |
213 | ##get source prot and port |
| 214 | $SRC_TGT='SRC'; | |
| 2a81ab0d AM |
215 | $SPORT = &get_port($hash,$key); |
| 216 | $SRC_TGT=''; | |
| 14f7cb87 | 217 | |
| 2a81ab0d AM |
218 | ##get target prot and port |
| 219 | $DPROT=&get_prot($hash,$key); | |
| 14f7cb87 | 220 | |
| a4c7bf6b | 221 | if ($DPROT eq ''){$DPROT=' ';} |
| 2a81ab0d | 222 | @DPROT=split(",",$DPROT); |
| 14f7cb87 | 223 | |
| 2a81ab0d AM |
224 | #get time if defined |
| 225 | if($$hash{$key}[18] eq 'ON'){ | |
| 472136c9 AM |
226 | my ($time1,$time2,$daylight); |
| 227 | my $daylight=$$hash{$key}[28]; | |
| 228 | $time1=&get_time($$hash{$key}[26],$daylight); | |
| 229 | $time2=&get_time($$hash{$key}[27],$daylight); | |
| 2a81ab0d AM |
230 | if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} |
| 231 | if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} | |
| 232 | if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} | |
| 233 | if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} | |
| 234 | if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} | |
| 235 | if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} | |
| 236 | if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} | |
| 237 | $TIME=join(",",@timeframe); | |
| 86a921ee | 238 | |
| 472136c9 AM |
239 | $TIMEFROM="--timestart $time1 "; |
| 240 | $TIMETILL="--timestop $time2 "; | |
| a0f267b9 | 241 | $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; |
| 2a81ab0d | 242 | } |
| 86a921ee | 243 | if ($MODE eq '1'){ |
| 2a81ab0d AM |
244 | print "NR:$key "; |
| 245 | foreach my $i (0 .. $#{$$hash{$key}}){ | |
| 246 | print "$i: $$hash{$key}[$i] "; | |
| 247 | } | |
| 248 | print "\n"; | |
| 249 | print"##################################\n"; | |
| 250 | #print rules to console | |
| 2a81ab0d AM |
251 | foreach my $DPROT (@DPROT){ |
| 252 | $DPORT = &get_port($hash,$key,$DPROT); | |
| 82b837cf AM |
253 | if ($DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){ |
| 254 | $DPORT=''; | |
| 255 | } | |
| a4c7bf6b | 256 | $PROT=$DPROT; |
| 3af3ecd3 | 257 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); |
| 2a81ab0d AM |
258 | foreach my $a (sort keys %sourcehash){ |
| 259 | foreach my $b (sort keys %targethash){ | |
| 800077a6 AM |
260 | if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){ |
| 261 | #Skip rules when no RED IP is set (DHCP,DSL) | |
| 262 | next; | |
| 263 | } | |
| d334d7cb AM |
264 | next if ($targethash{$b}[0] eq 'none'); |
| 265 | $STAG=''; | |
| d7dc9718 | 266 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
| 6e62882d | 267 | if($DPROT ne ''){ |
| 5d7faa45 | 268 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
| cdb3536b | 269 | #Process ICMP RULE |
| 8cb1afc8 AM |
270 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
| 271 | my @icmprule= split(",",substr($DPORT, 12,)); | |
| 272 | foreach (@icmprule){ | |
| 2aeb4b25 AM |
273 | $icmptype="--icmp-type "; |
| 274 | if ($_ eq "BLANK") { | |
| 275 | $icmptype=""; | |
| 276 | $_=""; | |
| 277 | } | |
| 8cb1afc8 | 278 | if ($$hash{$key}[17] eq 'ON'){ |
| 2aeb4b25 | 279 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; |
| 8cb1afc8 | 280 | } |
| 2aeb4b25 | 281 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; |
| 8cb1afc8 | 282 | } |
| cdb3536b | 283 | #PROCESS DNAT RULE (Portforward) |
| 28640b73 | 284 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
| c12392c0 | 285 | $natchain='NAT_DESTINATION'; |
| 28640b73 | 286 | if ($$hash{$key}[17] eq 'ON'){ |
| cdb3536b | 287 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; |
| 28640b73 | 288 | } |
| 28640b73 | 289 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| f0befbc3 AM |
290 | #Process NAT with servicegroup used |
| 291 | if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ | |
| 525204e0 | 292 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n"; |
| f0befbc3 AM |
293 | $fwaccessdport=$DPORT; |
| 294 | }else{ | |
| 525204e0 | 295 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n"; |
| f0befbc3 AM |
296 | $DPORT =~ s/\-/:/g; |
| 297 | if ($DPORT){ | |
| 298 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
| 299 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
| 300 | if ($$hash{$key}[30]=~m/|/i){ | |
| 301 | $$hash{$key}[30] =~ s/\|/,/g; | |
| 302 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
| 303 | }else{ | |
| 304 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
| 305 | } | |
| 98cee89f AM |
306 | } |
| 307 | } | |
| 97bf45e5 | 308 | print "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
| c12392c0 | 309 | next; |
| cdb3536b | 310 | #PROCESS SNAT RULE |
| 08e1c65d | 311 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
| c12392c0 | 312 | $natchain='NAT_SOURCE'; |
| cdb3536b AM |
313 | if ($$hash{$key}[17] eq 'ON' ){ |
| 314 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n"; | |
| 315 | } | |
| 525204e0 | 316 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n"; |
| 2a81ab0d | 317 | } |
| cdb3536b | 318 | #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) |
| 93c2de1c | 319 | if ($PROT ne '-p ICMP'){ |
| cdb3536b AM |
320 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ |
| 321 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
| 322 | } | |
| a211fee3 | 323 | print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| 93c2de1c | 324 | } |
| cdb3536b | 325 | #PROCESS Prot ICMP and type = All ICMP-Types |
| 86a921ee | 326 | if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ |
| cdb3536b AM |
327 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ |
| 328 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
| 329 | } | |
| a211fee3 | 330 | print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| 86a921ee AM |
331 | } |
| 332 | } | |
| 2a81ab0d AM |
333 | } |
| 334 | } | |
| 335 | } | |
| 336 | print"\n"; | |
| 337 | } | |
| 2a81ab0d AM |
338 | }elsif($MODE eq '0'){ |
| 339 | foreach my $DPROT (@DPROT){ | |
| 340 | $DPORT = &get_port($hash,$key,$DPROT); | |
| a4c7bf6b | 341 | $PROT=$DPROT; |
| 3af3ecd3 | 342 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); |
| 82b837cf AM |
343 | if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){ |
| 344 | $DPORT=''; | |
| 345 | } | |
| 2a81ab0d AM |
346 | foreach my $a (sort keys %sourcehash){ |
| 347 | foreach my $b (sort keys %targethash){ | |
| 800077a6 AM |
348 | if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){ |
| 349 | #Skip rules when no RED IP is set (DHCP,DSL) | |
| 350 | next; | |
| 351 | } | |
| d334d7cb AM |
352 | next if ($targethash{$b}[0] eq 'none'); |
| 353 | $STAG=''; | |
| d7dc9718 | 354 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
| 6e62882d | 355 | if($DPROT ne ''){ |
| 5d7faa45 | 356 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
| 93c2de1c | 357 | #Process ICMP RULE |
| 8cb1afc8 AM |
358 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
| 359 | my @icmprule= split(",",substr($DPORT, 12,)); | |
| 360 | foreach (@icmprule){ | |
| 2aeb4b25 AM |
361 | $icmptype="--icmp-type "; |
| 362 | if ($_ eq "BLANK") { | |
| 363 | $icmptype=""; | |
| 364 | $_=""; | |
| 365 | } | |
| 8cb1afc8 | 366 | if ($$hash{$key}[17] eq 'ON'){ |
| 2aeb4b25 | 367 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); |
| 8cb1afc8 | 368 | } |
| 2aeb4b25 | 369 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); |
| a6edca5a | 370 | } |
| 93c2de1c | 371 | #PROCESS DNAT RULE (Portforward) |
| a6edca5a | 372 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
| c12392c0 | 373 | $natchain='NAT_DESTINATION'; |
| a6edca5a | 374 | if ($$hash{$key}[17] eq 'ON'){ |
| cdb3536b | 375 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; |
| 8cb1afc8 | 376 | } |
| a6edca5a | 377 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| f0befbc3 AM |
378 | #Process NAT with servicegroup used |
| 379 | if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ | |
| 525204e0 | 380 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n"; |
| f0befbc3 AM |
381 | $fwaccessdport=$DPORT; |
| 382 | }else{ | |
| 525204e0 | 383 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n"; |
| f0befbc3 AM |
384 | $DPORT =~ s/\-/:/g; |
| 385 | if ($DPORT){ | |
| 386 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
| 387 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
| 388 | if ($$hash{$key}[30]=~m/|/i){ | |
| 389 | $$hash{$key}[30] =~ s/\|/,/g; | |
| 390 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
| 391 | }else{ | |
| 392 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
| 393 | } | |
| 98cee89f AM |
394 | } |
| 395 | } | |
| 97bf45e5 | 396 | system "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
| c12392c0 | 397 | next; |
| 93c2de1c | 398 | #PROCESS SNAT RULE |
| a6edca5a | 399 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
| c12392c0 | 400 | $natchain='NAT_SOURCE'; |
| cdb3536b AM |
401 | if ($$hash{$key}[17] eq 'ON' ){ |
| 402 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n"; | |
| 403 | } | |
| 525204e0 | 404 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n"; |
| c12392c0 | 405 | } |
| 93c2de1c AM |
406 | #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) |
| 407 | if ($PROT ne '-p ICMP'){ | |
| cdb3536b AM |
408 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ |
| 409 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
| 410 | } | |
| a211fee3 | 411 | system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| 93c2de1c | 412 | } |
| 86a921ee AM |
413 | #PROCESS Prot ICMP and type = All ICMP-Types |
| 414 | if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ | |
| cdb3536b AM |
415 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ |
| 416 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
| 417 | } | |
| a211fee3 | 418 | system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| 86a921ee AM |
419 | } |
| 420 | } | |
| 2a81ab0d AM |
421 | } |
| 422 | } | |
| 423 | } | |
| 2a81ab0d AM |
424 | } |
| 425 | } | |
| 426 | } | |
| 427 | %sourcehash=(); | |
| 428 | %targethash=(); | |
| 429 | undef $TIME; | |
| 430 | undef $TIMEFROM; | |
| 431 | undef $TIMETILL; | |
| a6edca5a | 432 | undef $fireport; |
| 2a81ab0d AM |
433 | } |
| 434 | } | |
| a6edca5a AM |
435 | sub get_nat_ip |
| 436 | { | |
| 437 | my $val=shift; | |
| 08e1c65d | 438 | my $type=shift; |
| a6edca5a AM |
439 | my $result; |
| 440 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ | |
| 441 | $result=$defaultNetworks{$val.'_ADDRESS'}; | |
| 442 | }elsif($val eq 'ALL'){ | |
| 443 | $result='-i '.$con; | |
| 08e1c65d | 444 | }elsif($val eq 'Default IP' && $type eq 'dnat'){ |
| a6edca5a | 445 | $result='-d '.$redip; |
| 08e1c65d AM |
446 | }elsif($val eq 'Default IP' && $type eq 'snat'){ |
| 447 | $result=$redip; | |
| a6edca5a AM |
448 | }else{ |
| 449 | foreach my $al (sort keys %aliases){ | |
| 08e1c65d | 450 | if($val eq $al && $type eq 'dnat'){ |
| a6edca5a | 451 | $result='-d '.$aliases{$al}{'IPT'}; |
| 08e1c65d AM |
452 | }elsif($val eq $al && $type eq 'snat'){ |
| 453 | $result=$aliases{$al}{'IPT'}; | |
| a6edca5a AM |
454 | } |
| 455 | } | |
| 456 | } | |
| 457 | return $result; | |
| 458 | } | |
| 472136c9 AM |
459 | sub get_time |
| 460 | { | |
| 461 | my $val=shift; | |
| 462 | my $val1=shift; | |
| 463 | my $time; | |
| 464 | my $minutes; | |
| 465 | my $ruletime; | |
| 466 | $minutes = &utcmin($val); | |
| 467 | $ruletime = $minutes + &time_get_utc($val); | |
| 468 | if ($ruletime < 0){$ruletime +=1440;} | |
| 469 | if ($ruletime > 1440){$ruletime -=1440;} | |
| 470 | $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; | |
| 471 | return $time; | |
| 472 | } | |
| 473 | sub time_get_utc | |
| 474 | { | |
| 475 | # Calculates the UTCtime from a given time | |
| 476 | my $val=shift; | |
| 477 | my @localtime=localtime(time); | |
| 478 | my @gmtime=gmtime(time); | |
| 479 | my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); | |
| 480 | return $diff; | |
| 481 | } | |
| 482 | sub utcmin | |
| 483 | { | |
| 484 | my $ruletime=shift; | |
| 485 | my ($hrs,$min) = split(":",$ruletime); | |
| 486 | my $newtime = $hrs*60+$min; | |
| 487 | return $newtime; | |
| 488 | } | |
| 36196d0d AM |
489 | sub p2pblock |
| 490 | { | |
| 491 | my $P2PSTRING; | |
| 492 | my $DO; | |
| 493 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; | |
| 494 | @p2ps = <FILE>; | |
| 495 | close FILE; | |
| 496 | my $CMD = "-m ipp2p"; | |
| 497 | foreach my $p2pentry (sort @p2ps) { | |
| 498 | my @p2pline = split( /\;/, $p2pentry ); | |
| 8d1beadc AM |
499 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { |
| 500 | $DO = "ACCEPT"; | |
| 5238a871 | 501 | if ("$p2pline[2]" eq "on") { |
| 36196d0d AM |
502 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| 503 | } | |
| 8d1beadc | 504 | }else { |
| 36196d0d | 505 | $DO = "RETURN"; |
| 5238a871 | 506 | if ("$p2pline[2]" eq "off") { |
| 36196d0d AM |
507 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| 508 | } | |
| 509 | } | |
| 510 | } | |
| 511 | if ($MODE eq 1){ | |
| 512 | if($P2PSTRING){ | |
| a211fee3 | 513 | print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; |
| 36196d0d AM |
514 | } |
| 515 | }else{ | |
| 516 | if($P2PSTRING){ | |
| a211fee3 | 517 | system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO"); |
| 36196d0d AM |
518 | } |
| 519 | } | |
| 520 | } | |
| 2a81ab0d AM |
521 | sub get_address |
| 522 | { | |
| 523 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey | |
| 524 | my $base2=shift; | |
| 525 | my $type=shift; #src or tgt | |
| 526 | my $hash; | |
| 527 | if ($type eq 'src'){ | |
| 86a921ee | 528 | $hash=\%sourcehash; |
| 2a81ab0d AM |
529 | }else{ |
| 530 | $hash=\%targethash; | |
| 531 | } | |
| 532 | my $key = &General::findhasharraykey($hash); | |
| 533 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ | |
| b5269091 AM |
534 | if (&General::validmac($base2)){ |
| 535 | $$hash{$key}[0] = "-m mac --mac-source $base2"; | |
| 536 | }else{ | |
| 537 | $$hash{$key}[0] = $base2; | |
| 538 | } | |
| 2a81ab0d | 539 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ |
| ddcec9d3 | 540 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); |
| 2a81ab0d AM |
541 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ |
| 542 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); | |
| 543 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ | |
| 544 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); | |
| 545 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ | |
| 546 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); | |
| 547 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ | |
| 548 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); | |
| 549 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ | |
| 6fab5bca | 550 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); |
| 2a81ab0d AM |
551 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ |
| 552 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); | |
| a0fb1099 AM |
553 | }elsif($base eq 'ipfire_src' ){ |
| 554 | if($base2 eq 'GREEN'){ | |
| 555 | $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
| 556 | } | |
| 557 | if($base2 eq 'BLUE'){ | |
| 558 | $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
| 559 | } | |
| 560 | if($base2 eq 'ORANGE'){ | |
| 561 | $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
| 562 | } | |
| 563 | if($base2 eq 'ALL'){ | |
| 564 | $$hash{$key}[0]='0.0.0.0/0'; | |
| 565 | } | |
| 566 | if($base2 eq 'RED' || $base2 eq 'RED1'){ | |
| 800077a6 | 567 | open(FILE, "/var/ipfire/red/local-ipaddress"); |
| a0fb1099 AM |
568 | $$hash{$key}[0]= <FILE>; |
| 569 | close(FILE); | |
| 570 | }else{ | |
| 571 | foreach my $alias (sort keys %aliases){ | |
| 572 | if ($base2 eq $alias){ | |
| 573 | $$hash{$key}[0]=$aliases{$alias}{'IPT'}; | |
| 574 | } | |
| 575 | } | |
| 576 | } | |
| 2a81ab0d AM |
577 | } |
| 578 | } | |
| 579 | sub get_prot | |
| 580 | { | |
| 581 | my $hash=shift; | |
| 582 | my $key=shift; | |
| a4c7bf6b AM |
583 | #check AH,GRE,ESP or ICMP |
| 584 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ | |
| 585 | return "$$hash{$key}[8]"; | |
| 586 | } | |
| 587 | if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ | |
| 588 | #check if servicegroup or service | |
| 589 | if($$hash{$key}[14] eq 'cust_srv'){ | |
| 2a81ab0d | 590 | return &fwlib::get_srv_prot($$hash{$key}[15]); |
| 2a81ab0d AM |
591 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
| 592 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); | |
| a4c7bf6b AM |
593 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" |
| 594 | return "TCP,UDP"; | |
| 595 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" | |
| 596 | return "$$hash{$key}[8]"; | |
| 597 | }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" | |
| 598 | return "$$hash{$key}[8]"; | |
| 599 | }else{ | |
| 600 | return "$$hash{$key}[8]"; | |
| 2a81ab0d AM |
601 | } |
| 602 | } | |
| 98cee89f AM |
603 | #DNAT |
| 604 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ | |
| fadcfb73 | 605 | return "$$hash{$key}[8]"; |
| 98cee89f | 606 | } |
| 2a81ab0d AM |
607 | } |
| 608 | sub get_port | |
| 609 | { | |
| 610 | my $hash=shift; | |
| 611 | my $key=shift; | |
| 612 | my $prot=shift; | |
| 14bcb9a2 | 613 | #Get manual defined Ports from SOURCE |
| 2a81ab0d AM |
614 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ |
| 615 | if ($$hash{$key}[10] ne ''){ | |
| 8f0b047b | 616 | $$hash{$key}[10] =~ s/\|/,/g; |
| 93a5f4a5 AM |
617 | if(index($$hash{$key}[10],",") > 0){ |
| 618 | return "-m multiport --sport $$hash{$key}[10] "; | |
| 619 | }else{ | |
| a6edca5a AM |
620 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ |
| 621 | return "--sport $$hash{$key}[10] "; | |
| 622 | }else{ | |
| 623 | return ":$$hash{$key}[10]"; | |
| 624 | } | |
| 93a5f4a5 | 625 | } |
| 2a81ab0d | 626 | } |
| 14bcb9a2 | 627 | #Get manual ports from TARGET |
| 2a81ab0d | 628 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ |
| 2a81ab0d AM |
629 | if($$hash{$key}[14] eq 'TGT_PORT'){ |
| 630 | if ($$hash{$key}[15] ne ''){ | |
| 8f0b047b | 631 | $$hash{$key}[15] =~ s/\|/,/g; |
| 93a5f4a5 AM |
632 | if(index($$hash{$key}[15],",") > 0){ |
| 633 | return "-m multiport --dport $$hash{$key}[15] "; | |
| 634 | }else{ | |
| a6edca5a AM |
635 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ |
| 636 | return "--dport $$hash{$key}[15] "; | |
| 637 | }else{ | |
| 829697d0 | 638 | $$hash{$key}[15] =~ s/\:/-/g; |
| 653a71b9 | 639 | return ":$$hash{$key}[15]"; |
| a6edca5a | 640 | } |
| 93a5f4a5 | 641 | } |
| 2a81ab0d | 642 | } |
| 14bcb9a2 | 643 | #Get ports defined in custom Service (firewall-groups) |
| 2a81ab0d AM |
644 | }elsif($$hash{$key}[14] eq 'cust_srv'){ |
| 645 | if ($prot ne 'ICMP'){ | |
| 653a71b9 | 646 | if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ |
| 14bcb9a2 AM |
647 | my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot); |
| 648 | $ports =~ s/\:/-/g; | |
| 649 | return ":".$ports | |
| 6be32fe5 AM |
650 | }else{ |
| 651 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
| 652 | } | |
| e6e9a811 AM |
653 | }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service |
| 654 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); | |
| 2a81ab0d | 655 | } |
| 14bcb9a2 | 656 | #Get ports from services which are used in custom servicegroups (firewall-groups) |
| 2a81ab0d AM |
657 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
| 658 | if ($prot ne 'ICMP'){ | |
| 659 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
| 660 | } | |
| 661 | elsif($prot eq 'ICMP'){ | |
| 662 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
| 663 | } | |
| 2a81ab0d AM |
664 | } |
| 665 | } | |
| a4c7bf6b AM |
666 | #CHECK ICMP |
| 667 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ | |
| 668 | if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ | |
| 669 | return "--icmp-type $$hash{$key}[9] "; | |
| 670 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ | |
| 671 | return; | |
| 672 | } | |
| 673 | } | |
| 2a81ab0d | 674 | } |