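#!/usr/bin/perl
#
# IPFire Scripts
#
# This code is distributed under the terms of the GPL
#
# (c) The IPFire Team
#
# Rebuilds the OUTGOINGFW iptables chain from the rules file, driven by
# the POLICY value read from ${swroot}/outgoing/settings:
#   MODE0  outgoing firewall off - the chain is flushed and deleted.
#   MODE1  ALLOW rules are added as ACCEPT.
#   MODE2  DENY rules are added as DROP.
#
# A rule line is a ';'-separated record; the fields used here are
#   [0] ALLOW/DENY              [2] source kind: green/blue/orange/ip/other
#   [3] protocol or 'tcp&udp'   [5] source ip     [6] source mac
#   [7] destination             [8] destination port
#   [9] 'log' to add a matching LOG rule
#
# Every field is handed to iptables as its own argument (list-form
# system), so rule contents never pass through a shell.

use strict;
use warnings;

require '/var/ipfire/general-functions.pl';

my $configfile = "/var/ipfire/outgoing/rules";
my $DEBUG = 0;    # 1: print the iptables commands instead of running them

# Run (or, in debug mode, print) one iptables invocation.
# Takes the argument list - never a shell string - and reports a
# non-zero exit status on STDERR.
sub run_iptables {
    my @cmd = @_;

    if ($DEBUG) {
        print join(' ', @cmd), "\n";
        return;
    }
    system(@cmd) == 0 or warn "iptables failed ($?): @cmd\n";
    return;
}

my %outfwsettings = ();
my %netsettings = ();

### Values that have to be initialized
$outfwsettings{'ACTION'} = '';
$outfwsettings{'VALID'} = 'yes';
$outfwsettings{'EDIT'} = 'no';
$outfwsettings{'NAME'} = '';
$outfwsettings{'SNET'} = '';
$outfwsettings{'SIP'} = '';
$outfwsettings{'SPORT'} = '';
$outfwsettings{'SMAC'} = '';
$outfwsettings{'DIP'} = '';
$outfwsettings{'DPORT'} = '';
$outfwsettings{'PROT'} = '';
$outfwsettings{'STATE'} = '';
$outfwsettings{'DISPLAY_DIP'} = '';
$outfwsettings{'DISPLAY_DPORT'} = '';
$outfwsettings{'DISPLAY_SMAC'} = '';
$outfwsettings{'DISPLAY_SIP'} = '';
$outfwsettings{'POLICY'} = 'MODE0';

# read files
General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

# Three-arg open with a lexical handle: the file name is never parsed
# for a mode.
open( my $rules_fh, '<', $configfile ) or die "Unable to read $configfile: $!";
my @configs = <$rules_fh>;
close $rules_fh;

# Say hello!
print "Outgoing firewall for IPFire - $outfwsettings{'POLICY'}\n";
if ($DEBUG) { print "Debugging mode!\n"; }
print "\n";

# $DO is the jump target used for every rule built below.
my $DO = "";
if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
    # Outgoing firewall disabled: remove the chain and stop here.
    system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
    system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");

    exit 0;
} elsif ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    $outfwsettings{'STATE'} = "ALLOW";
    $DO = "ACCEPT";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
    $outfwsettings{'STATE'} = "DENY";
    $DO = "DROP";
}
# Any other POLICY leaves STATE empty, so (barring a rule line that
# starts with ';') nothing below matches and the chain stays empty.

### Initialize IPTables
# Constant command strings with no interpolated data, so the shell is
# only used for the redirections.
system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");

foreach my $configentry (sort @configs) {
    chomp $configentry;
    my @configline = split( /\;/, $configentry );
    # Pad to ten defined fields so missing trailing fields compare as ''.
    push @configline, '' while @configline < 10;

    next if $configline[0] ne $outfwsettings{'STATE'};

    # Source address and, for the internal zones, the inbound interface.
    my $SOURCE = "";
    my $DEV = "";
    if ($configline[2] eq 'green') {
        $SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
        $DEV = $netsettings{'GREEN_DEV'};
    } elsif ($configline[2] eq 'blue') {
        $SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
        $DEV = $netsettings{'BLUE_DEV'};
    } elsif ($configline[2] eq 'orange') {
        $SOURCE = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
        $DEV = $netsettings{'ORANGE_DEV'};
    } elsif ($configline[2] eq 'ip') {
        $SOURCE = $configline[5];
    } else {
        $SOURCE = "0/0";
    }

    my $DESTINATION = $configline[7] ? $configline[7] : "0/0";

    my @cmd = ( '/sbin/iptables', '-A', 'OUTGOINGFW', '-s', $SOURCE, '-d', $DESTINATION );

    # 'tcp&udp' means "any protocol": no -p and therefore no port match.
    if ($configline[3] ne 'tcp&udp') {
        push @cmd, '-p', $configline[3];
        if ($configline[8]) {
            push @cmd, '--dport', $configline[8];
        }
    }

    if ($DEV) {
        push @cmd, '-i', $DEV;
    }

    if ($configline[6]) {
        push @cmd, '-m', 'mac', '--mac-source', $configline[6];
    }

    push @cmd, '-o', $netsettings{'RED_DEV'};
    run_iptables(@cmd, '-j', $DO);

    # Optional LOG rule with the same match, restricted to new connections.
    if ($configline[9] eq "log") {
        run_iptables(@cmd, '-m', 'state', '--state', 'NEW',
                     '-j', 'LOG', '--log-prefix', 'OUTGOINGFW ');
    }
}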