[ipfire-2.x.git] / config / outgoingfw / outgoingfw.pl

#!/usr/bin/perl
#
# IPFire Scripts
#
# This code is distributed under the terms of the GPL
#
# (c) The IPFire Team
#

use strict;
# enable only the following on debugging purpose
#use warnings;

require '/var/ipfire/general-functions.pl';

my %outfwsettings = ();
my %checked = ();
my %selected= () ;
my %netsettings = ();
my $errormessage = "";
my $configentry = "";
my @configs = ();
my @configline = ();
my $p2pentry = "";
my @p2ps = ();
my @p2pline = ();
my @protos = ();
my $CMD = "";
my $DEBUG = 0;

my $configfile = "/var/ipfire/outgoing/rules";
my $p2pfile = "/var/ipfire/outgoing/p2protocols";

&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

### Values that have to be initialized
$outfwsettings{'ACTION'} = '';
$outfwsettings{'VALID'} = 'yes';
$outfwsettings{'EDIT'} = 'no';
$outfwsettings{'NAME'} = '';
$outfwsettings{'SNET'} = '';
$outfwsettings{'SIP'} = '';
$outfwsettings{'SPORT'} = '';
$outfwsettings{'SMAC'} = '';
$outfwsettings{'DIP'} = '';
$outfwsettings{'DPORT'} = '';
$outfwsettings{'PROT'} = '';
$outfwsettings{'STATE'} = '';
$outfwsettings{'DISPLAY_DIP'} = '';
$outfwsettings{'DISPLAY_DPORT'} = '';
$outfwsettings{'DISPLAY_SMAC'} = '';
$outfwsettings{'DISPLAY_SIP'} = '';
$outfwsettings{'POLICY'} = 'MODE0';
my $SOURCE = "";
my $DESTINATION = "";
my $PROTO = "";
my $DPORT = "";
my $DEV = "";
my $MAC = "";
my $POLICY = "";
my $DO = "";

# read files
&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

open( FILE, "< $configfile" ) or die "Unable to read $configfile";
@configs = <FILE>;
close FILE;

# Say hello!
print "Outgoing firewall for IPFire - $outfwsettings{'POLICY'}\n";
if ($DEBUG) { print "Debugging mode!\n"; }
print "\n";


if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
	system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
	system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");

	exit 0
} elsif ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	$outfwsettings{'STATE'} = "ALLOW";
	$POLICY = "DROP";
	$DO = "ACCEPT";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
	$outfwsettings{'STATE'} = "DENY";
	$POLICY = "ACCEPT";
	$DO = "DROP";
}

### Initialize IPTables
system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");

foreach $configentry (sort @configs)
{
	$SOURCE = "";
	$DESTINATION = "";
	$PROTO = "";
	$DPORT = "";
	$DEV = "";
	$MAC = "";
	@configline = split( /\;/, $configentry );
	if ($outfwsettings{'STATE'} eq $configline[0]) {
		if ($configline[2] eq 'green') {
			$SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
			$DEV = $netsettings{'GREEN_DEV'};
		} elsif ($configline[2] eq 'blue') {
			$SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
			$DEV = $netsettings{'BLUE_DEV'};
		} elsif ($configline[2] eq 'orange') {
			$SOURCE = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
			$DEV = $netsettings{'ORANGE_DEV'};
		} elsif ($configline[2] eq 'ip') {
			$SOURCE = "$configline[5]";
			$DEV = "";
		} else  {
			$SOURCE = "0/0";
			$DEV = "";
		}

		if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }

		$CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION";

		if ($configline[3] ne 'tcp&udp') {
			$PROTO = "$configline[3]";
			$CMD = "$CMD -p $PROTO";
			if ($configline[8]) {
				$DPORT = "$configline[8]";
				$CMD = "$CMD --dport $DPORT";
			}
		}

		if ($DEV) {
			$CMD = "$CMD -i $DEV";
		}

		if ($configline[6]) {
			$MAC = "$configline[6]";
		 	$CMD = "$CMD -m mac --mac-source $MAC";
		}

		$CMD = "$CMD -o $netsettings{'RED_DEV'}";
		if ($DEBUG) { print "$CMD -j $DO\n"; } else { system("$CMD -j $DO"); }

		if ($configline[9] eq "log") {
			if ($DEBUG) { print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n"; } else { system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '"); }
		}

	}
}
Commit	Line	Data
ebb9187c MT	1	#!/usr/bin/perl
	2	#
	3	# IPFire Scripts
	4	#
	5	# This code is distributed under the terms of the GPL
	6	#
	7	# (c) The IPFire Team
	8	#
	9
	10	use strict;
	11	# enable only the following on debugging purpose
	12	#use warnings;
	13
	14	require '/var/ipfire/general-functions.pl';
	15
	16	my %outfwsettings = ();
	17	my %checked = ();
	18	my %selected= () ;
	19	my %netsettings = ();
	20	my $errormessage = "";
	21	my $configentry = "";
	22	my @configs = ();
	23	my @configline = ();
	24	my $p2pentry = "";
	25	my @p2ps = ();
	26	my @p2pline = ();
	27	my @protos = ();
	28	my $CMD = "";
	29	my $DEBUG = 0;
	30
	31	my $configfile = "/var/ipfire/outgoing/rules";
	32	my $p2pfile = "/var/ipfire/outgoing/p2protocols";
	33
	34	&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
	35
	36	### Values that have to be initialized
	37	$outfwsettings{'ACTION'} = '';
	38	$outfwsettings{'VALID'} = 'yes';
	39	$outfwsettings{'EDIT'} = 'no';
	40	$outfwsettings{'NAME'} = '';
	41	$outfwsettings{'SNET'} = '';
	42	$outfwsettings{'SIP'} = '';
	43	$outfwsettings{'SPORT'} = '';
	44	$outfwsettings{'SMAC'} = '';
	45	$outfwsettings{'DIP'} = '';
	46	$outfwsettings{'DPORT'} = '';
	47	$outfwsettings{'PROT'} = '';
	48	$outfwsettings{'STATE'} = '';
	49	$outfwsettings{'DISPLAY_DIP'} = '';
	50	$outfwsettings{'DISPLAY_DPORT'} = '';
	51	$outfwsettings{'DISPLAY_SMAC'} = '';
	52	$outfwsettings{'DISPLAY_SIP'} = '';
	53	$outfwsettings{'POLICY'} = 'MODE0';
	54	my $SOURCE = "";
	55	my $DESTINATION = "";
	56	my $PROTO = "";
	57	my $DPORT = "";
	58	my $DEV = "";
	59	my $MAC = "";
	60	my $POLICY = "";
	61	my $DO = "";
	62
	63	# read files
	64	&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
65	&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
66
67	open( FILE, "< $configfile" ) or die "Unable to read $configfile";
68	@configs = <FILE>;
69	close FILE;
70
71	# Say hello!
72	print "Outgoing firewall for IPFire - $outfwsettings{'POLICY'}\n";
73	if ($DEBUG) { print "Debugging mode!\n"; }
74	print "\n";
75
76
77	if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
78	system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
79	system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
80
81	exit 0
82	} elsif ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
83	$outfwsettings{'STATE'} = "ALLOW";
84	$POLICY = "DROP";
85	$DO = "ACCEPT";
86	} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
87	$outfwsettings{'STATE'} = "DENY";
88	$POLICY = "ACCEPT";
89	$DO = "DROP";
90	}
91
92	### Initialize IPTables
93	system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
94	system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
95	system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");
96
97	foreach $configentry (sort @configs)
98	{
99	$SOURCE = "";
100	$DESTINATION = "";
101	$PROTO = "";
102	$DPORT = "";
103	$DEV = "";
104	$MAC = "";
105	@configline = split( /\;/, $configentry );
106	if ($outfwsettings{'STATE'} eq $configline[0]) {
107	if ($configline[2] eq 'green') {
108	$SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
109	$DEV = $netsettings{'GREEN_DEV'};
110	} elsif ($configline[2] eq 'blue') {
111	$SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
112	$DEV = $netsettings{'BLUE_DEV'};
113	} elsif ($configline[2] eq 'orange') {
114	$SOURCE = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
115	$DEV = $netsettings{'ORANGE_DEV'};
116	} elsif ($configline[2] eq 'ip') {
117	$SOURCE = "$configline[5]";
118	$DEV = "";
119	} else {
120	$SOURCE = "0/0";
121	$DEV = "";
122	}
123
124	if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }
125
126	$CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION";
127
128	if ($configline[3] ne 'tcp&udp') {
129	$PROTO = "$configline[3]";
130	$CMD = "$CMD -p $PROTO";
131	if ($configline[8]) {
132	$DPORT = "$configline[8]";
133	$CMD = "$CMD --dport $DPORT";
134	}
135	}
136
137	if ($DEV) {
138	$CMD = "$CMD -i $DEV";
139	}
140
141	if ($configline[6]) {
142	$MAC = "$configline[6]";
143	$CMD = "$CMD -m mac --mac-source $MAC";
144	}
145
146	$CMD = "$CMD -o $netsettings{'RED_DEV'}";
147	if ($DEBUG) { print "$CMD -j $DO\n"; } else { system("$CMD -j $DO"); }
148
149	if ($configline[9] eq "log") {
150	if ($DEBUG) { print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n"; } else { system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '"); }
151	}
152
153	}
154	}