projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| 6178953b | 1 | #!/usr/bin/perl -w |
| 2a81ab0d AM |
2 | ############################################################################### |
| 3 | # # | |
| 4 | # IPFire.org - A linux based firewall # | |
| 5bee9a9d | 5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # |
| 2a81ab0d AM |
6 | # # |
| 7 | # This program is free software: you can redistribute it and/or modify # | |
| 8 | # it under the terms of the GNU General Public License as published by # | |
| 9 | # the Free Software Foundation, either version 3 of the License, or # | |
| 10 | # (at your option) any later version. # | |
| 11 | # # | |
| 12 | # This program is distributed in the hope that it will be useful, # | |
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
| 15 | # GNU General Public License for more details. # | |
| 16 | # # | |
| 17 | # You should have received a copy of the GNU General Public License # | |
| 18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
| 19 | # # | |
| 20 | ############################################################################### | |
| 2a81ab0d | 21 | |
| 2a81ab0d | 22 | use strict; |
| 2a81ab0d | 23 | |
| 97ab0569 MT |
24 | require '/var/ipfire/general-functions.pl'; |
| 25 | require "${General::swroot}/lang.pl"; | |
| 26 | require "/usr/lib/firewall/firewall-lib.pl"; | |
| 2a81ab0d | 27 | |
| 68d1eb10 MT |
28 | # Set to one to enable debugging mode. |
| 29 | my $DEBUG = 0; | |
| 30 | ||
| 1f9e7b53 MT |
31 | my $IPTABLES = "iptables --wait"; |
| 32 | ||
| 6178953b MT |
33 | # iptables chains |
| 34 | my $CHAIN = "FORWARDFW"; | |
| 35 | my $CHAIN_NAT_SOURCE = "NAT_SOURCE"; | |
| 36 | my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION"; | |
| 37 | ||
| 2a81ab0d AM |
38 | my %fwdfwsettings=(); |
| 39 | my %defaultNetworks=(); | |
| 40 | my %configfwdfw=(); | |
| 41 | my %color=(); | |
| 42 | my %icmptypes=(); | |
| 43 | my %ovpnSettings=(); | |
| 44 | my %customgrp=(); | |
| 45 | our %sourcehash=(); | |
| 46 | our %targethash=(); | |
| 47 | my @timeframe=(); | |
| 48 | my %configinputfw=(); | |
| 5d7faa45 | 49 | my %configoutgoingfw=(); |
| a6edca5a | 50 | my %confignatfw=(); |
| 2a81ab0d AM |
51 | my %aliases=(); |
| 52 | my @DPROT=(); | |
| 36196d0d | 53 | my @p2ps=(); |
| 2a81ab0d | 54 | |
| 6d8eb5de AM |
55 | my $configfwdfw = "${General::swroot}/firewall/config"; |
| 56 | my $configinput = "${General::swroot}/firewall/input"; | |
| 57 | my $configoutgoing = "${General::swroot}/firewall/outgoing"; | |
| 58 | my $p2pfile = "${General::swroot}/firewall/p2protocols"; | |
| 2a81ab0d | 59 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; |
| 210ee67b | 60 | my $netsettings = "${General::swroot}/ethernet/settings"; |
| 86a921ee AM |
61 | my $errormessage = ''; |
| 62 | my $orange = ''; | |
| 63 | my $green = ''; | |
| 64 | my $blue = ''; | |
| 6178953b | 65 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$SRC_TGT); |
| 86a921ee | 66 | my $conexists = 'off'; |
| 86a921ee AM |
67 | my $dnat =''; |
| 68 | my $snat =''; | |
| 69 | ||
| 6d8eb5de | 70 | &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); |
| 210ee67b | 71 | &General::readhash("$netsettings", \%defaultNetworks); |
| 2a81ab0d AM |
72 | &General::readhasharray($configfwdfw, \%configfwdfw); |
| 73 | &General::readhasharray($configinput, \%configinputfw); | |
| 5d7faa45 | 74 | &General::readhasharray($configoutgoing, \%configoutgoingfw); |
| 2a81ab0d AM |
75 | &General::readhasharray($configgrp, \%customgrp); |
| 76 | &General::get_aliases(\%aliases); | |
| 77 | ||
| ddcec9d3 AM |
78 | #check if we have an internetconnection |
| 79 | open (CONN,"/var/ipfire/red/iface"); | |
| 80 | my $con = <CONN>; | |
| 81 | close(CONN); | |
| 97ab0569 | 82 | |
| ddcec9d3 AM |
83 | if (-f "/var/ipfire/red/active"){ |
| 84 | $conexists='on'; | |
| 85 | } | |
| 97ab0569 | 86 | |
| a6edca5a AM |
87 | open (CONN1,"/var/ipfire/red/local-ipaddress"); |
| 88 | my $redip = <CONN1>; | |
| 89 | close(CONN1); | |
| 97ab0569 | 90 | |
| 8531b94a MT |
91 | # MAIN |
| 92 | &main(); | |
| 93 | ||
| 94 | sub main { | |
| 95 | # Flush all chains. | |
| 96 | &flush(); | |
| 97 | ||
| 98 | # Reload firewall rules. | |
| 99 | &preparerules(); | |
| 100 | ||
| 101 | # Load P2P block rules. | |
| 102 | &p2pblock(); | |
| 103 | ||
| 104 | # Reload firewall policy. | |
| 105 | run("/usr/sbin/firewall-policy"); | |
| 2a81ab0d | 106 | } |
| 97ab0569 | 107 | |
| 68d1eb10 MT |
108 | sub run { |
| 109 | # Executes or prints the given shell command. | |
| 110 | my $command = shift; | |
| 111 | ||
| 112 | if ($DEBUG) { | |
| 113 | print "$command\n"; | |
| 114 | } else { | |
| 115 | system "$command"; | |
| 116 | } | |
| 117 | } | |
| 118 | ||
| 6178953b MT |
119 | sub print_error { |
| 120 | my $message = shift; | |
| 121 | ||
| 122 | print STDERR "$message\n"; | |
| 123 | } | |
| 124 | ||
| 97ab0569 | 125 | sub flush { |
| 1f9e7b53 MT |
126 | run("$IPTABLES -F FORWARDFW"); |
| 127 | run("$IPTABLES -F INPUTFW"); | |
| 128 | run("$IPTABLES -F OUTGOINGFW"); | |
| 129 | run("$IPTABLES -t nat -F NAT_DESTINATION"); | |
| 130 | run("$IPTABLES -t nat -F NAT_SOURCE"); | |
| 86a921ee | 131 | } |
| 97ab0569 MT |
132 | |
| 133 | sub preparerules { | |
| 6d8eb5de | 134 | if (! -z "${General::swroot}/firewall/config"){ |
| 2a81ab0d AM |
135 | &buildrules(\%configfwdfw); |
| 136 | } | |
| 6d8eb5de | 137 | if (! -z "${General::swroot}/firewall/input"){ |
| 2a81ab0d AM |
138 | &buildrules(\%configinputfw); |
| 139 | } | |
| 6d8eb5de | 140 | if (! -z "${General::swroot}/firewall/outgoing"){ |
| 5d7faa45 AM |
141 | &buildrules(\%configoutgoingfw); |
| 142 | } | |
| 2a81ab0d | 143 | } |
| 97ab0569 MT |
144 | |
| 145 | sub buildrules { | |
| 2a81ab0d | 146 | my $hash=shift; |
| b5269091 | 147 | my $STAG; |
| a6edca5a AM |
148 | my $snatport; |
| 149 | my $fireport; | |
| 98cee89f | 150 | my $fwaccessdport; |
| c12392c0 | 151 | my $natchain; |
| 2aeb4b25 | 152 | my $icmptype; |
| 992394d5 | 153 | foreach my $key (sort {$a <=> $b} keys %$hash){ |
| ff4770c7 | 154 | next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); |
| 6178953b | 155 | |
| b05ec50a | 156 | my $time_constraints = ""; |
| 6178953b MT |
157 | my $natip = ""; |
| 158 | ||
| 159 | # Check if logging should be enabled. | |
| 160 | my $LOG = 0; | |
| 161 | if ($$hash{$key}[17] eq 'ON') { | |
| 162 | $LOG = 1; | |
| 163 | } | |
| 164 | ||
| 165 | my $NAT = 0; | |
| 166 | my $NAT_MODE; | |
| 167 | ||
| 168 | # Check if NAT is enabled and initialize variables, that we use for that. | |
| 169 | if ($$hash{$key}[28] eq 'ON') { | |
| 170 | $NAT = 1; | |
| 171 | ||
| 172 | # Destination NAT | |
| 173 | if ($$hash{$key}[31] eq 'dnat') { | |
| 174 | $NAT_MODE = "DNAT"; | |
| 175 | ||
| 176 | if ($$hash{$key}[30] =~ /\|/) { | |
| 98cee89f AM |
177 | $$hash{$key}[30]=~ tr/|/,/; |
| 178 | $fireport='-m multiport --dport '.$$hash{$key}[30]; | |
| 6178953b | 179 | } else { |
| 98cee89f AM |
180 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); |
| 181 | } | |
| 6178953b MT |
182 | |
| 183 | # Source NAT | |
| 184 | } elsif ($$hash{$key}[31] eq 'snat') { | |
| 185 | $NAT_MODE = "SNAT"; | |
| 186 | ||
| 187 | } else { | |
| 188 | print_error("Invalid NAT mode: $$hash{$key}[31]"); | |
| 189 | next; | |
| a6edca5a | 190 | } |
| 6178953b MT |
191 | |
| 192 | $natip = &get_nat_ip($$hash{$key}[29], $NAT_MODE); | |
| a6edca5a | 193 | } |
| 6178953b | 194 | |
| b5269091 | 195 | $STAG=''; |
| 2a81ab0d AM |
196 | if($$hash{$key}[2] eq 'ON'){ |
| 197 | #get source ip's | |
| 198 | if ($$hash{$key}[3] eq 'cust_grp_src'){ | |
| 992394d5 | 199 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| 2a81ab0d AM |
200 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ |
| 201 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); | |
| 202 | } | |
| 203 | } | |
| 204 | }else{ | |
| 205 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); | |
| 206 | } | |
| 207 | #get target ip's | |
| 208 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ | |
| 992394d5 | 209 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| 2a81ab0d AM |
210 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ |
| 211 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); | |
| 212 | } | |
| 213 | } | |
| a0fb1099 | 214 | }elsif($$hash{$key}[5] eq 'ipfire' ){ |
| 05d4f131 AM |
215 | if($$hash{$key}[6] eq 'GREEN'){ |
| 216 | $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
| 217 | } | |
| 218 | if($$hash{$key}[6] eq 'BLUE'){ | |
| 219 | $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
| 220 | } | |
| 221 | if($$hash{$key}[6] eq 'ORANGE'){ | |
| 222 | $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
| 223 | } | |
| 8762442c AM |
224 | if($$hash{$key}[6] eq 'ALL'){ |
| 225 | $targethash{$key}[0]='0.0.0.0/0'; | |
| 226 | } | |
| 690b0bd7 | 227 | if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ |
| ff4770c7 | 228 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; |
| 2a81ab0d AM |
229 | $targethash{$key}[0]= <FILE>; |
| 230 | close(FILE); | |
| 231 | }else{ | |
| 232 | foreach my $alias (sort keys %aliases){ | |
| 233 | if ($$hash{$key}[6] eq $alias){ | |
| 234 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; | |
| 235 | } | |
| 236 | } | |
| 237 | } | |
| 238 | }else{ | |
| 239 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); | |
| 240 | } | |
| 2a81ab0d AM |
241 | ##get source prot and port |
| 242 | $SRC_TGT='SRC'; | |
| 2a81ab0d AM |
243 | $SPORT = &get_port($hash,$key); |
| 244 | $SRC_TGT=''; | |
| 14f7cb87 | 245 | |
| 2a81ab0d AM |
246 | ##get target prot and port |
| 247 | $DPROT=&get_prot($hash,$key); | |
| 14f7cb87 | 248 | |
| a4c7bf6b | 249 | if ($DPROT eq ''){$DPROT=' ';} |
| 2a81ab0d | 250 | @DPROT=split(",",$DPROT); |
| 14f7cb87 | 251 | |
| b05ec50a MT |
252 | # Set up time constraints. |
| 253 | if ($$hash{$key}[18] eq 'ON') { | |
| 254 | my @time_args = ("-m", "time"); | |
| 255 | ||
| 256 | # Select all days of the week this match is active. | |
| 257 | my @weekdays = (); | |
| 258 | if ($$hash{$key}[19] ne '') { | |
| 259 | push (@weekdays, "Mon"); | |
| 260 | } | |
| 261 | if ($$hash{$key}[20] ne '') { | |
| 262 | push (@weekdays, "Tue"); | |
| 263 | } | |
| 264 | if ($$hash{$key}[21] ne '') { | |
| 265 | push (@weekdays, "Wed"); | |
| 266 | } | |
| 267 | if ($$hash{$key}[22] ne '') { | |
| 268 | push (@weekdays, "Thu"); | |
| 269 | } | |
| 270 | if ($$hash{$key}[23] ne '') { | |
| 271 | push (@weekdays, "Fri"); | |
| 272 | } | |
| 273 | if ($$hash{$key}[24] ne '') { | |
| 274 | push (@weekdays, "Sat"); | |
| 275 | } | |
| 276 | if ($$hash{$key}[25] ne '') { | |
| 277 | push (@weekdays, "Sun"); | |
| 278 | } | |
| 279 | if (@weekdays) { | |
| 280 | push(@time_args, ("--weekdays", join(",", @weekdays))); | |
| 281 | } | |
| 282 | ||
| 283 | # Convert start time. | |
| 284 | my $time_start = &format_time($$hash{$key}[26]); | |
| 285 | if ($time_start) { | |
| 286 | push(@time_args, ("--timestart", $time_start)); | |
| 287 | } | |
| 288 | ||
| 289 | # Convert end time. | |
| 290 | my $time_stop = &format_time($$hash{$key}[27]); | |
| 291 | if ($time_stop) { | |
| 292 | push(@time_args, ("--timestop", $time_stop)); | |
| 293 | } | |
| 294 | ||
| 295 | # Format command line. | |
| 296 | $time_constraints = join(" ", @time_args); | |
| 2a81ab0d | 297 | } |
| b05ec50a | 298 | |
| b57edbd8 MT |
299 | foreach my $DPROT (@DPROT){ |
| 300 | $DPORT = &get_port($hash,$key,$DPROT); | |
| 301 | $PROT=$DPROT; | |
| 302 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
| 303 | if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){ | |
| 304 | $DPORT=''; | |
| 2a81ab0d | 305 | } |
| b57edbd8 MT |
306 | foreach my $a (sort keys %sourcehash){ |
| 307 | foreach my $b (sort keys %targethash){ | |
| 6178953b | 308 | if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $NAT) || (!$natip && $NAT)){ |
| b57edbd8 MT |
309 | #Skip rules when no RED IP is set (DHCP,DSL) |
| 310 | next; | |
| 311 | } | |
| 312 | next if ($targethash{$b}[0] eq 'none'); | |
| 313 | $STAG=''; | |
| 314 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ | |
| 315 | if($DPROT ne ''){ | |
| 316 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} | |
| 317 | #Process ICMP RULE | |
| 318 | if(substr($DPORT, 2, 4) eq 'icmp'){ | |
| 319 | my @icmprule= split(",",substr($DPORT, 12,)); | |
| 320 | foreach (@icmprule){ | |
| 321 | $icmptype="--icmp-type "; | |
| 322 | if ($_ eq "BLANK") { | |
| 323 | $icmptype=""; | |
| 324 | $_=""; | |
| 8cb1afc8 | 325 | } |
| 6178953b | 326 | if ($LOG) { |
| b05ec50a | 327 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $time_constraints -j LOG"); |
| cdb3536b | 328 | } |
| b05ec50a | 329 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $time_constraints -j $$hash{$key}[0]"); |
| 2a81ab0d | 330 | } |
| b57edbd8 | 331 | #PROCESS DNAT RULE (Portforward) |
| 6178953b MT |
332 | } elsif ($NAT && $NAT_MODE eq "DNAT") { |
| 333 | if ($LOG) { | |
| b05ec50a | 334 | run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j LOG --log-prefix 'DNAT'"); |
| 86a921ee | 335 | } |
| b57edbd8 MT |
336 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| 337 | #Process NAT with servicegroup used | |
| 6178953b | 338 | if ($$hash{$key}[14] eq 'cust_srvgrp') { |
| b05ec50a | 339 | run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip $DPORT"); |
| b57edbd8 | 340 | $fwaccessdport=$DPORT; |
| 6178953b | 341 | } else { |
| b05ec50a | 342 | run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip$DPORT"); |
| b57edbd8 MT |
343 | $DPORT =~ s/\-/:/g; |
| 344 | if ($DPORT){ | |
| 345 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
| 346 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
| 347 | if ($$hash{$key}[30]=~m/|/i){ | |
| 348 | $$hash{$key}[30] =~ s/\|/,/g; | |
| 349 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
| 350 | }else{ | |
| 351 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
| 98cee89f AM |
352 | } |
| 353 | } | |
| c12392c0 | 354 | } |
| b05ec50a | 355 | run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $time_constraints -j $$hash{$key}[0]"); |
| b57edbd8 MT |
356 | next; |
| 357 | #PROCESS SNAT RULE | |
| 6178953b MT |
358 | } elsif ($NAT && $NAT_MODE eq "SNAT") { |
| 359 | if ($LOG) { | |
| b05ec50a | 360 | run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG --log-prefix 'SNAT'"); |
| 93c2de1c | 361 | } |
| b05ec50a | 362 | run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j SNAT --to-source $natip"); |
| b57edbd8 MT |
363 | } |
| 364 | #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) | |
| 365 | if ($PROT ne '-p ICMP'){ | |
| 6178953b | 366 | if ($LOG && !$NAT) { |
| b05ec50a | 367 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG"); |
| b57edbd8 | 368 | } |
| b05ec50a | 369 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j $$hash{$key}[0]"); |
| b57edbd8 MT |
370 | } |
| 371 | #PROCESS Prot ICMP and type = All ICMP-Types | |
| 372 | if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ | |
| 6178953b | 373 | if ($LOG && !$NAT) { |
| b05ec50a | 374 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG"); |
| 86a921ee | 375 | } |
| b05ec50a | 376 | run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j $$hash{$key}[0]"); |
| 86a921ee | 377 | } |
| 2a81ab0d AM |
378 | } |
| 379 | } | |
| 380 | } | |
| 2a81ab0d AM |
381 | } |
| 382 | } | |
| 383 | } | |
| 384 | %sourcehash=(); | |
| 385 | %targethash=(); | |
| a6edca5a | 386 | undef $fireport; |
| 2a81ab0d AM |
387 | } |
| 388 | } | |
| 97ab0569 MT |
389 | |
| 390 | sub get_nat_ip { | |
| a6edca5a | 391 | my $val=shift; |
| 08e1c65d | 392 | my $type=shift; |
| a6edca5a AM |
393 | my $result; |
| 394 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ | |
| 395 | $result=$defaultNetworks{$val.'_ADDRESS'}; | |
| 396 | }elsif($val eq 'ALL'){ | |
| 397 | $result='-i '.$con; | |
| 6178953b | 398 | }elsif($val eq 'Default IP' && $type eq "DNAT"){ |
| a6edca5a | 399 | $result='-d '.$redip; |
| 6178953b | 400 | }elsif($val eq 'Default IP' && $type eq "SNAT"){ |
| 08e1c65d | 401 | $result=$redip; |
| a6edca5a AM |
402 | }else{ |
| 403 | foreach my $al (sort keys %aliases){ | |
| 6178953b | 404 | if($val eq $al && $type eq "DNAT"){ |
| a6edca5a | 405 | $result='-d '.$aliases{$al}{'IPT'}; |
| 6178953b | 406 | }elsif($val eq $al && $type eq "SNAT"){ |
| 08e1c65d | 407 | $result=$aliases{$al}{'IPT'}; |
| a6edca5a AM |
408 | } |
| 409 | } | |
| 410 | } | |
| 411 | return $result; | |
| 412 | } | |
| 97ab0569 | 413 | |
| b05ec50a MT |
414 | # Formats the given timestamp into the iptables format which is "hh:mm" UTC. |
| 415 | sub format_time { | |
| 416 | my $val = shift; | |
| 417 | ||
| 418 | # Convert the given time into minutes. | |
| 419 | my $minutes = &time_convert_to_minutes($val); | |
| 420 | ||
| 421 | # Move the timestamp into UTC. | |
| 422 | $minutes += &time_utc_offset(); | |
| 423 | ||
| 424 | # Make sure $minutes is between 00:00 and 23:59. | |
| 425 | if ($minutes < 0) { | |
| 426 | $minutes += 1440; | |
| 427 | } | |
| 428 | ||
| 429 | if ($minutes > 1440) { | |
| 430 | $minutes -= 1440; | |
| 431 | } | |
| 432 | ||
| 433 | # Format as hh:mm. | |
| 434 | return sprintf("%02d:%02d", $minutes / 60, $minutes % 60); | |
| 472136c9 | 435 | } |
| 97ab0569 | 436 | |
| b05ec50a MT |
437 | # Calculates the offsets in minutes from the local timezone to UTC. |
| 438 | sub time_utc_offset { | |
| 439 | my @localtime = localtime(time); | |
| 440 | my @gmtime = gmtime(time); | |
| 441 | ||
| 442 | return ($gmtime[2] * 60 + $gmtime[1] % 60) - ($localtime[2] * 60 + $localtime[1] % 60); | |
| 472136c9 | 443 | } |
| 97ab0569 | 444 | |
| b05ec50a MT |
445 | # Takes a timestamp like "14:00" and converts it into minutes since midnight. |
| 446 | sub time_convert_to_minutes { | |
| 447 | my ($hrs, $min) = split(":", shift); | |
| 448 | ||
| 449 | return ($hrs * 60) + $min; | |
| 472136c9 | 450 | } |
| 97ab0569 MT |
451 | |
| 452 | sub p2pblock { | |
| 6178953b | 453 | my $P2PSTRING = ""; |
| 36196d0d AM |
454 | my $DO; |
| 455 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; | |
| 456 | @p2ps = <FILE>; | |
| 457 | close FILE; | |
| 458 | my $CMD = "-m ipp2p"; | |
| 459 | foreach my $p2pentry (sort @p2ps) { | |
| 460 | my @p2pline = split( /\;/, $p2pentry ); | |
| 8d1beadc AM |
461 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { |
| 462 | $DO = "ACCEPT"; | |
| 5238a871 | 463 | if ("$p2pline[2]" eq "on") { |
| 36196d0d AM |
464 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| 465 | } | |
| 8d1beadc | 466 | }else { |
| 36196d0d | 467 | $DO = "RETURN"; |
| 5238a871 | 468 | if ("$p2pline[2]" eq "off") { |
| 36196d0d AM |
469 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| 470 | } | |
| 471 | } | |
| 472 | } | |
| 68d1eb10 MT |
473 | |
| 474 | if($P2PSTRING) { | |
| 1f9e7b53 | 475 | run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO"); |
| 36196d0d AM |
476 | } |
| 477 | } | |
| 97ab0569 MT |
478 | |
| 479 | sub get_address { | |
| 2a81ab0d AM |
480 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey |
| 481 | my $base2=shift; | |
| 482 | my $type=shift; #src or tgt | |
| 483 | my $hash; | |
| 484 | if ($type eq 'src'){ | |
| 86a921ee | 485 | $hash=\%sourcehash; |
| 2a81ab0d AM |
486 | }else{ |
| 487 | $hash=\%targethash; | |
| 488 | } | |
| 489 | my $key = &General::findhasharraykey($hash); | |
| 490 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ | |
| b5269091 AM |
491 | if (&General::validmac($base2)){ |
| 492 | $$hash{$key}[0] = "-m mac --mac-source $base2"; | |
| 493 | }else{ | |
| 494 | $$hash{$key}[0] = $base2; | |
| 495 | } | |
| 2a81ab0d | 496 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ |
| ddcec9d3 | 497 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); |
| 2a81ab0d AM |
498 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ |
| 499 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); | |
| 500 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ | |
| 501 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); | |
| 502 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ | |
| 503 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); | |
| 504 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ | |
| 505 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); | |
| 506 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ | |
| 6fab5bca | 507 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); |
| 2a81ab0d AM |
508 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ |
| 509 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); | |
| a0fb1099 AM |
510 | }elsif($base eq 'ipfire_src' ){ |
| 511 | if($base2 eq 'GREEN'){ | |
| 512 | $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
| 513 | } | |
| 514 | if($base2 eq 'BLUE'){ | |
| 515 | $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
| 516 | } | |
| 517 | if($base2 eq 'ORANGE'){ | |
| 518 | $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
| 519 | } | |
| 520 | if($base2 eq 'ALL'){ | |
| 521 | $$hash{$key}[0]='0.0.0.0/0'; | |
| 522 | } | |
| 523 | if($base2 eq 'RED' || $base2 eq 'RED1'){ | |
| 800077a6 | 524 | open(FILE, "/var/ipfire/red/local-ipaddress"); |
| a0fb1099 AM |
525 | $$hash{$key}[0]= <FILE>; |
| 526 | close(FILE); | |
| 527 | }else{ | |
| 528 | foreach my $alias (sort keys %aliases){ | |
| 529 | if ($base2 eq $alias){ | |
| 530 | $$hash{$key}[0]=$aliases{$alias}{'IPT'}; | |
| 531 | } | |
| 532 | } | |
| 533 | } | |
| 2a81ab0d AM |
534 | } |
| 535 | } | |
| 97ab0569 MT |
536 | |
| 537 | sub get_prot { | |
| 2a81ab0d AM |
538 | my $hash=shift; |
| 539 | my $key=shift; | |
| a4c7bf6b AM |
540 | #check AH,GRE,ESP or ICMP |
| 541 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ | |
| 542 | return "$$hash{$key}[8]"; | |
| 543 | } | |
| 544 | if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ | |
| 545 | #check if servicegroup or service | |
| 546 | if($$hash{$key}[14] eq 'cust_srv'){ | |
| 2a81ab0d | 547 | return &fwlib::get_srv_prot($$hash{$key}[15]); |
| 2a81ab0d AM |
548 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
| 549 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); | |
| a4c7bf6b AM |
550 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" |
| 551 | return "TCP,UDP"; | |
| 552 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" | |
| 553 | return "$$hash{$key}[8]"; | |
| 554 | }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" | |
| 555 | return "$$hash{$key}[8]"; | |
| 556 | }else{ | |
| 557 | return "$$hash{$key}[8]"; | |
| 2a81ab0d AM |
558 | } |
| 559 | } | |
| 98cee89f AM |
560 | #DNAT |
| 561 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ | |
| fadcfb73 | 562 | return "$$hash{$key}[8]"; |
| 98cee89f | 563 | } |
| 2a81ab0d | 564 | } |
| 97ab0569 MT |
565 | |
| 566 | sub get_port { | |
| 2a81ab0d AM |
567 | my $hash=shift; |
| 568 | my $key=shift; | |
| 569 | my $prot=shift; | |
| 14bcb9a2 | 570 | #Get manual defined Ports from SOURCE |
| 2a81ab0d AM |
571 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ |
| 572 | if ($$hash{$key}[10] ne ''){ | |
| 8f0b047b | 573 | $$hash{$key}[10] =~ s/\|/,/g; |
| 93a5f4a5 AM |
574 | if(index($$hash{$key}[10],",") > 0){ |
| 575 | return "-m multiport --sport $$hash{$key}[10] "; | |
| 576 | }else{ | |
| a6edca5a AM |
577 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ |
| 578 | return "--sport $$hash{$key}[10] "; | |
| 579 | }else{ | |
| 580 | return ":$$hash{$key}[10]"; | |
| 581 | } | |
| 93a5f4a5 | 582 | } |
| 2a81ab0d | 583 | } |
| 14bcb9a2 | 584 | #Get manual ports from TARGET |
| 2a81ab0d | 585 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ |
| 2a81ab0d AM |
586 | if($$hash{$key}[14] eq 'TGT_PORT'){ |
| 587 | if ($$hash{$key}[15] ne ''){ | |
| 8f0b047b | 588 | $$hash{$key}[15] =~ s/\|/,/g; |
| 93a5f4a5 AM |
589 | if(index($$hash{$key}[15],",") > 0){ |
| 590 | return "-m multiport --dport $$hash{$key}[15] "; | |
| 591 | }else{ | |
| a6edca5a AM |
592 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ |
| 593 | return "--dport $$hash{$key}[15] "; | |
| 594 | }else{ | |
| 829697d0 | 595 | $$hash{$key}[15] =~ s/\:/-/g; |
| 653a71b9 | 596 | return ":$$hash{$key}[15]"; |
| a6edca5a | 597 | } |
| 93a5f4a5 | 598 | } |
| 2a81ab0d | 599 | } |
| 14bcb9a2 | 600 | #Get ports defined in custom Service (firewall-groups) |
| 2a81ab0d AM |
601 | }elsif($$hash{$key}[14] eq 'cust_srv'){ |
| 602 | if ($prot ne 'ICMP'){ | |
| 653a71b9 | 603 | if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ |
| 14bcb9a2 AM |
604 | my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot); |
| 605 | $ports =~ s/\:/-/g; | |
| 606 | return ":".$ports | |
| 6be32fe5 AM |
607 | }else{ |
| 608 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
| 609 | } | |
| e6e9a811 AM |
610 | }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service |
| 611 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); | |
| 2a81ab0d | 612 | } |
| 14bcb9a2 | 613 | #Get ports from services which are used in custom servicegroups (firewall-groups) |
| 2a81ab0d AM |
614 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
| 615 | if ($prot ne 'ICMP'){ | |
| 616 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
| 617 | } | |
| 618 | elsif($prot eq 'ICMP'){ | |
| 619 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
| 620 | } | |
| 2a81ab0d AM |
621 | } |
| 622 | } | |
| a4c7bf6b AM |
623 | #CHECK ICMP |
| 624 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ | |
| 625 | if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ | |
| 626 | return "--icmp-type $$hash{$key}[9] "; | |
| 627 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ | |
| 628 | return; | |
| 629 | } | |
| 630 | } | |
| 2a81ab0d | 631 | } |