dba3aa2b | 1 | #!/usr/bin/perl |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
e4e42008 | 5 | # Copyright (C) 2007-2011 IPFire Team # |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | |
23 | use strict; | |
24 | # enable only the following on debugging purpose | |
25 | #use warnings; | |
26 | ||
27 | require '/var/ipfire/general-functions.pl'; | |
e4e42008 | 28 | require "${General::swroot}/lang.pl"; |
29 | |
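###############################################################################
# outgoingfw.pl - (re)build the OUTGOINGFW and OUTGOINGFWMAC iptables chains
# from the rule set maintained by the outgoing-firewall web interface.
#
# Policy (outgoing/settings, key POLICY):
#   MODE0  outgoing firewall off: both chains are (re)created empty.
#   MODE1  default deny: rule lines whose STATE is "ALLOW" RETURN from the
#          chain, everything else leaving through RED is dropped by a final
#          rule (optionally logged, MODE1LOG=on).
#   MODE2  default allow: rule lines whose STATE is "DENY" are dropped, the
#          rest falls through the chain.
#
# Every value used below originates from files under /var/ipfire/outgoing
# that are written by a CGI. iptables is therefore always started through
# the list form of system(): no shell is involved, so quotes, spaces or ';'
# inside a field cannot turn into extra commands. The only field that is
# turned into a file name (the group name) is checked before it is used.
###############################################################################

my %outfwsettings = ();
my %netsettings   = ();

# Set to 1 to print the iptables rule commands instead of executing them
# (chain creation/flush and firewall.local are still executed).
my $DEBUG = 0;

my $configfile = "/var/ipfire/outgoing/rules";
my $p2pfile    = "/var/ipfire/outgoing/p2protocols";
my $groupdir   = "/var/ipfire/outgoing/groups";

# Defaults that must exist even when the settings file does not set them.
$outfwsettings{'POLICY'} = 'MODE0';
$outfwsettings{'STATE'}  = '';

# read files
General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

# RED interface name and address as written by the connection scripts.
# Trailing whitespace is removed here; the old `cat` left it in place and
# relied on the file having no newline.
$netsettings{'RED_DEV'} = read_status_file("/var/ipfire/red/iface");
$netsettings{'RED_IP'}  = read_status_file("/var/ipfire/red/local-ipaddress");

# Read both input files before touching any chain: an unreadable file then
# aborts with the old rule set still loaded, instead of half-way through the
# rebuild with the final DROP of MODE1 missing.
my @configs = read_lines($configfile);
my @p2ps    = read_lines($p2pfile);

my $policy = $outfwsettings{'POLICY'};
my $state  = "";    # STATE value of the rule lines that apply in this mode
my @target = ();    # what a matching rule jumps to (argument list after -j)
if ($policy eq 'MODE1') {
    $state  = "ALLOW";
    @target = ('RETURN');
} elsif ($policy eq 'MODE2') {
    $state  = "DENY";
    @target = ('DROP', '-m', 'comment', '--comment', 'DROP_OUTGOINGFW ');
}
$outfwsettings{'STATE'} = $state;

### Initialize IPTables
# The chains may not exist yet on the first run; those errors are expected
# and therefore silenced.
foreach my $chain ('OUTGOINGFW', 'OUTGOINGFWMAC') {
    run_quiet('/sbin/iptables', '--flush', $chain);
    run_quiet('/sbin/iptables', '--delete-chain', $chain);
    run_quiet('/sbin/iptables', '-N', $chain);
}

if ($policy eq 'MODE0') {
    firewall_local_reload();
    exit 0;
}

if ($policy eq 'MODE1') {
    # Traffic of already accepted connections and ICMP always pass.
    foreach my $chain ('OUTGOINGFW', 'OUTGOINGFWMAC') {
        run_iptables('-A', $chain, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'RETURN');
    }
    foreach my $chain ('OUTGOINGFW', 'OUTGOINGFWMAC') {
        run_iptables('-A', $chain, '-p', 'icmp', '-j', 'RETURN');
    }
}

# Fields of a rule line (split on ';') as this script uses them:
#   0  STATE (ALLOW/DENY)         1  presumably the rule name; only has to
#   2  source type or group name     be non-empty here
#   3  protocol                   5  source address      6  source MAC
#   7  destination                8  destination port(s) for multiport
#   9  logging flag (compared against the localised 'aktiv' string)
#  10..16 Mon..Sun flags         17 start time          18 stop time
my @weekday_names = qw(Mon Tue Wed Thu Fri Sat Sun);

foreach my $configentry (sort @configs) {
    chomp $configentry;
    my @configline = split(/\;/, $configentry);

    # Only the lines of the state that belongs to the current policy apply.
    next unless defined $configline[0] && $configline[0] eq $state;
    next unless defined $configline[1] && $configline[1] ne "";

    my $srctype = defined $configline[2] ? $configline[2] : "";
    my @sources = ();
    my $dev     = "";

    if ($srctype eq 'green') {
        @sources = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}");
        $dev     = $netsettings{'GREEN_DEV'};
    } elsif ($srctype eq 'red') {
        @sources = ($netsettings{'RED_IP'});
    } elsif ($srctype eq 'blue') {
        @sources = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}");
        $dev     = $netsettings{'BLUE_DEV'};
    } elsif ($srctype eq 'orange') {
        @sources = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}");
        $dev     = $netsettings{'ORANGE_DEV'};
    } elsif ($srctype eq 'ipsec') {
        # NOTE(review): no source address is set for ipsec/ovpn, so these
        # entries produce no rule at all (empty sources are skipped below).
        # This is unchanged from the old code; whether an interface-only rule
        # was intended is not recorded here - confirm before changing.
        @sources = ();
        $dev     = "ipsec+";
    } elsif ($srctype eq 'ovpn') {
        @sources = ();
        $dev     = "tun+";
    } elsif ($srctype eq 'ip') {
        @sources = ($configline[5]);
    } elsif ($srctype eq 'mac') {
        @sources = ($configline[6]);
    } elsif ($srctype eq 'all') {
        @sources = ("0/0");
    } else {
        # Anything else names an address group or a MAC group file. The name
        # becomes part of a path, so it must not be able to leave $groupdir.
        if (!valid_group_name($srctype)) {
            warn "outgoingfw: ignoring rule '$configline[1]': invalid group name '$srctype'\n";
            next;
        }
        if (-f "$groupdir/ipgroups/$srctype") {
            @sources = read_group("$groupdir/ipgroups/$srctype");
        } elsif (-f "$groupdir/macgroups/$srctype") {
            @sources = read_group("$groupdir/macgroups/$srctype");
            $srctype = "mac";
        }
        # An unknown group leaves @sources empty and the rule is skipped.
    }

    # A rule matches on the MAC address when a MAC is given in field 6, the
    # source type is "mac" or it came from a MAC group; never for "all".
    my $use_mac = ((defined $configline[6] && $configline[6] ne "") || $srctype eq 'mac')
                  && $srctype ne 'all';
    my $macrule = $use_mac ? 1 : 0;

    my $destination = $configline[7] ? $configline[7] : "0/0";

    # Unknown or empty protocol field: one rule each for tcp and udp.
    my $proto_field = defined $configline[3] ? $configline[3] : "";
    my @protos = grep { $_ eq $proto_field } qw(tcp udp esp gre);
    @protos = ('tcp', 'udp') unless @protos;

    # Destination ports only apply to tcp/udp rules. (The old test
    # "ne 'esp' || ne 'gre'" was always true, so esp/gre rules with a port
    # were handed to iptables with a multiport match.)
    my $with_ports = $configline[8] && $proto_field ne 'esp' && $proto_field ne 'gre';

    my $logging = defined $configline[9] && $configline[9] eq $Lang::tr{'aktiv'};

    # Optional time window; days are joined without a trailing comma (the
    # old string kept one unless Sunday was selected).
    my @timematch = ();
    if ($configline[17] && $configline[18]) {
        my @days = ();
        foreach my $i (0 .. $#weekday_names) {
            push @days, $weekday_names[$i] if $configline[10 + $i];
        }
        if (!@days) {
            # The old code emitted "--weekdays" with an empty value here;
            # skip the rule explicitly instead of losing it silently.
            warn "outgoingfw: ignoring rule '$configline[1]': time window without any weekday\n";
            next;
        }
        @timematch = ('-m', 'time', '--timestart', $configline[17],
                      '--timestop', $configline[18], '--weekdays', join(',', @days));
    }

    foreach my $proto (@protos) {
        foreach my $rawsource (@sources) {
            my $source = defined $rawsource ? $rawsource : "";
            $source =~ s/\s//g;
            next if $source eq "";

            my @match;
            if ($use_mac) {
                # Normalise any MAC separator ("-", ".", ...) to ":".
                $source =~ s/[^a-zA-Z0-9]/:/g;
                @match = ('-m', 'mac', '--mac-source', $source, '-d', $destination, '-p', $proto);
            } else {
                @match = ('-s', $source, '-d', $destination, '-p', $proto);
            }
            push @match, '-m', 'multiport', '--destination-port', $configline[8] if $with_ports;
            push @match, '-i', $dev if $dev;
            push @match, @timematch;
            push @match, '-o', $netsettings{'RED_DEV'};

            if ($logging && $policy eq 'MODE1') {
                applyrule([@match, '-m', 'limit', '--limit', '10/minute',
                           '-j', 'LOG', '--log-prefix', 'LOG_OUTGOINGFW '], $macrule);
            } elsif ($logging && $policy eq 'MODE2') {
                applyrule([@match, '-m', 'limit', '--limit', '10/minute',
                           '-j', 'LOG', '--log-prefix', 'DROP_OUTGOINGFW '], $macrule);
            }

            applyrule([@match, '-j', @target], $macrule);
        }
    }
}

### Do the P2P-Stuff here
# p2protocols lines: "<label>;<ipp2p option>;<on|off>". In MODE2 the
# protocols switched off are dropped, otherwise the ones switched on are
# allowed (RETURN); all selected options end up in a single ipp2p rule.
my $p2p_wanted = ($policy eq 'MODE2') ? 'off' : 'on';
my @p2ptarget  = ($policy eq 'MODE2') ? ('DROP') : ('RETURN');
my @p2popts    = ();

foreach my $p2pentry (sort @p2ps) {
    chomp $p2pentry;
    my @p2pline = split(/\;/, $p2pentry);
    next unless defined $p2pline[1] && defined $p2pline[2];
    next unless $p2pline[2] eq $p2p_wanted;
    # The option name is passed to iptables as "--<name>"; accept only plain
    # option-like tokens.
    if ($p2pline[1] !~ /^[A-Za-z0-9_-]+$/) {
        warn "outgoingfw: ignoring p2p entry with invalid option '$p2pline[1]'\n";
        next;
    }
    push @p2popts, "--$p2pline[1]";
}
if (@p2popts) {
    applyrule(['-m', 'ipp2p', @p2popts, '-j', @p2ptarget], 0);
}

if ($policy eq 'MODE1') {
    # Default deny: everything that did not RETURN above is dropped on RED.
    if (defined $outfwsettings{'MODE1LOG'} && $outfwsettings{'MODE1LOG'} eq 'on') {
        applyrule(['-o', $netsettings{'RED_DEV'}, '-m', 'limit', '--limit', '10/minute',
                   '-j', 'LOG', '--log-prefix', 'DROP_OUTGOINGFW '], 0);
    }

    applyrule(['-o', $netsettings{'RED_DEV'}, '-j', 'DROP',
               '-m', 'comment', '--comment', 'DROP_OUTGOINGFW '], 0);
}

firewall_local_reload();

# Append one rule (argument list following "-A <chain>") to OUTGOINGFWMAC
# and, unless $macrule is set, to OUTGOINGFW as well. MAC-source rules are
# kept out of OUTGOINGFW, as before.
sub applyrule {
    my ($args, $macrule) = @_;

    run_iptables('-A', 'OUTGOINGFWMAC', @{$args});
    if (!$macrule) {
        run_iptables('-A', 'OUTGOINGFW', @{$args});
    }
}

# Run iptables with the given argument list (no shell). Under $DEBUG the
# command is printed instead of executed. Returns the system() status; a
# failing rule is reported because a rule that does not load is a hole in
# the policy.
sub run_iptables {
    my @cmd = ('/sbin/iptables', @_);

    if ($DEBUG) {
        print join(' ', @cmd), "\n";
        return 0;
    }
    my $rc = system(@cmd);
    if ($rc != 0) {
        warn "outgoingfw: command failed: " . join(' ', @cmd) . "\n";
    }
    return $rc;
}

# Run a command (list form, no shell) with stdout and stderr discarded; the
# replacement for the old ">/dev/null 2>&1" redirection.
sub run_quiet {
    my @cmd = @_;

    open(my $saved_out, '>&', \*STDOUT) or return system(@cmd);
    open(my $saved_err, '>&', \*STDERR) or return system(@cmd);
    open(STDOUT, '>', '/dev/null');
    open(STDERR, '>', '/dev/null');
    my $rc = system(@cmd);
    open(STDOUT, '>&', $saved_out);
    open(STDERR, '>&', $saved_err);
    close($saved_out);
    close($saved_err);
    return $rc;
}

# Slurp a file into a list of lines; dies when it cannot be opened (used for
# the two mandatory configuration files, before any chain is modified).
sub read_lines {
    my ($path) = @_;

    open(my $fh, '<', $path) or die "Unable to read $path";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Like read_lines() but for optional group files: warn and return an empty
# list (the rule is then skipped) instead of aborting the rebuild half-way.
sub read_group {
    my ($path) = @_;

    open(my $fh, '<', $path) or do {
        warn "outgoingfw: Unable to read $path\n";
        return ();
    };
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# First line of a small status file (RED interface name / address) without
# the trailing newline; an empty string when the file is missing, which is
# what the old `cat` produced.
sub read_status_file {
    my ($path) = @_;

    open(my $fh, '<', $path) or return "";
    my $line = <$fh>;
    close($fh);
    $line = "" unless defined $line;
    chomp $line;
    return $line;
}

# A group name is used as a file name below $groupdir: reject empty names,
# names containing a path separator or NUL, and names starting with "."
# (covers "." and ".."), so the lookup cannot leave the groups directory.
sub valid_group_name {
    my ($name) = @_;

    return 0 unless defined $name && $name ne "";
    return 0 if $name =~ m{[/\\\0]};
    return 0 if $name =~ /^\./;
    return 1;
}

# Let the local hook script re-apply its own rules after the chains have
# been rebuilt; output is discarded as before.
sub firewall_local_reload {
    my $script = "/etc/sysconfig/firewall.local";

    if (-x $script) {
        run_quiet($script, 'reload');
    }
}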