]> git.ipfire.org Git - ipfire-2.x.git/blob - config/firewall/rules.pl
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Firewall: BUGFIX: RUles.pl did not create LOGGING rules properly.
[ipfire-2.x.git] / config / firewall / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Time::Local;
24 no warnings 'uninitialized';
25
26 # enable only the following on debugging purpose
27 #use warnings;
28 #use CGI::Carp 'fatalsToBrowser';
29
30 my %fwdfwsettings=();
31 my %defaultNetworks=();
32 my %configfwdfw=();
33 my %color=();
34 my %icmptypes=();
35 my %ovpnSettings=();
36 my %customgrp=();
37 our %sourcehash=();
38 our %targethash=();
39 my @timeframe=();
40 my %configinputfw=();
41 my %configoutgoingfw=();
42 my %confignatfw=();
43 my %aliases=();
44 my @DPROT=();
45 my @p2ps=();
46 require '/var/ipfire/general-functions.pl';
47 require "${General::swroot}/lang.pl";
48 require "${General::swroot}/firewall/bin/firewall-lib.pl";
49
50 my $configfwdfw = "${General::swroot}/firewall/config";
51 my $configinput = "${General::swroot}/firewall/input";
52 my $configoutgoing = "${General::swroot}/firewall/outgoing";
53 my $p2pfile = "${General::swroot}/firewall/p2protocols";
54 my $configgrp = "${General::swroot}/fwhosts/customgroups";
55 my $netsettings = "${General::swroot}/ethernet/settings";
56 my $errormessage = '';
57 my $orange = '';
58 my $green = '';
59 my $blue = '';
60 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
61 my $CHAIN = "FORWARDFW";
62 my $conexists = 'off';
63 my $command = 'iptables -A';
64 my $dnat ='';
65 my $snat ='';
66
67 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
68 &General::readhash("$netsettings", \%defaultNetworks);
69 &General::readhasharray($configfwdfw, \%configfwdfw);
70 &General::readhasharray($configinput, \%configinputfw);
71 &General::readhasharray($configoutgoing, \%configoutgoingfw);
72 &General::readhasharray($configgrp, \%customgrp);
73 &General::get_aliases(\%aliases);
74
75 #check if we have an internetconnection
76 open (CONN,"/var/ipfire/red/iface");
77 my $con = <CONN>;
78 close(CONN);
79 if (-f "/var/ipfire/red/active"){
80 $conexists='on';
81 }
82 open (CONN1,"/var/ipfire/red/local-ipaddress");
83 my $redip = <CONN1>;
84 close(CONN1);
85 #################
86 # DEBUG/TEST #
87 #################
88 my $MODE=0; # 0 - normal operation
89 # 1 - print configline and rules to console
90 #
91 #################
92 my $param=shift;
93
94 if($param eq 'flush'){
95 if ($MODE eq '1'){
96 print " Flushing chains...\n";
97 }
98 &flush;
99 }else{
100 if ($MODE eq '1'){
101 print " Flushing chains...\n";
102 }
103 &flush;
104 if ($MODE eq '1'){
105 print " Preparing rules...\n";
106 }
107 &preparerules;
108 if($MODE eq '0'){
109 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
110 &p2pblock;
111 system ("/usr/sbin/firewall-policy");
112 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
113 &p2pblock;
114 system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
115 system ("/usr/sbin/firewall-policy");
116 system ("/etc/sysconfig/firewall.local reload");
117 }
118 }
119 }
120 sub flush
121 {
122 system ("iptables -F FORWARDFW");
123 system ("iptables -F INPUTFW");
124 system ("iptables -F OUTGOINGFW");
125 system ("iptables -t nat -F NAT_DESTINATION");
126 system ("iptables -t nat -F NAT_SOURCE");
127 }
128 sub preparerules
129 {
130 if (! -z "${General::swroot}/firewall/config"){
131 &buildrules(\%configfwdfw);
132 }
133 if (! -z "${General::swroot}/firewall/input"){
134 &buildrules(\%configinputfw);
135 }
136 if (! -z "${General::swroot}/firewall/outgoing"){
137 &buildrules(\%configoutgoingfw);
138 }
139 }
140 sub buildrules
141 {
142 my $hash=shift;
143 my $STAG;
144 my $natip;
145 my $snatport;
146 my $fireport;
147 my $nat;
148 my $fwaccessdport;
149 my $natchain;
150 my $icmptype;
151 foreach my $key (sort {$a <=> $b} keys %$hash){
152 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
153 $command="iptables -A";
154 if ($$hash{$key}[28] eq 'ON'){
155 $command='iptables -t nat -A';
156 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
157 if($$hash{$key}[31] eq 'dnat'){
158 $nat='DNAT';
159 if ($$hash{$key}[30] =~ /\|/){
160 $$hash{$key}[30]=~ tr/|/,/;
161 $fireport='-m multiport --dport '.$$hash{$key}[30];
162 }else{
163 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
164 }
165 }else{
166 $nat='SNAT';
167 }
168 }
169 $STAG='';
170 if($$hash{$key}[2] eq 'ON'){
171 #get source ip's
172 if ($$hash{$key}[3] eq 'cust_grp_src'){
173 foreach my $grp (sort {$a <=> $b} keys %customgrp){
174 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
175 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
176 }
177 }
178 }else{
179 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
180 }
181 #get target ip's
182 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
183 foreach my $grp (sort {$a <=> $b} keys %customgrp){
184 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
185 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
186 }
187 }
188 }elsif($$hash{$key}[5] eq 'ipfire' ){
189 if($$hash{$key}[6] eq 'GREEN'){
190 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
191 }
192 if($$hash{$key}[6] eq 'BLUE'){
193 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
194 }
195 if($$hash{$key}[6] eq 'ORANGE'){
196 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
197 }
198 if($$hash{$key}[6] eq 'ALL'){
199 $targethash{$key}[0]='0.0.0.0/0';
200 }
201 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
202 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
203 $targethash{$key}[0]= <FILE>;
204 close(FILE);
205 }else{
206 foreach my $alias (sort keys %aliases){
207 if ($$hash{$key}[6] eq $alias){
208 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
209 }
210 }
211 }
212 }else{
213 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
214 }
215 ##get source prot and port
216 $SRC_TGT='SRC';
217 $SPORT = &get_port($hash,$key);
218 $SRC_TGT='';
219
220 ##get target prot and port
221 $DPROT=&get_prot($hash,$key);
222
223 if ($DPROT eq ''){$DPROT=' ';}
224 @DPROT=split(",",$DPROT);
225
226 #get time if defined
227 if($$hash{$key}[18] eq 'ON'){
228 my ($time1,$time2,$daylight);
229 my $daylight=$$hash{$key}[28];
230 $time1=&get_time($$hash{$key}[26],$daylight);
231 $time2=&get_time($$hash{$key}[27],$daylight);
232 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
233 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
234 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
235 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
236 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
237 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
238 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
239 $TIME=join(",",@timeframe);
240
241 $TIMEFROM="--timestart $time1 ";
242 $TIMETILL="--timestop $time2 ";
243 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
244 }
245 if ($MODE eq '1'){
246 print "NR:$key ";
247 foreach my $i (0 .. $#{$$hash{$key}}){
248 print "$i: $$hash{$key}[$i] ";
249 }
250 print "\n";
251 print"##################################\n";
252 #print rules to console
253 foreach my $DPROT (@DPROT){
254 $DPORT = &get_port($hash,$key,$DPROT);
255 $PROT=$DPROT;
256 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
257 foreach my $a (sort keys %sourcehash){
258 foreach my $b (sort keys %targethash){
259 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
260 if($DPROT ne ''){
261 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
262 #Process ICMP RULE
263 if(substr($DPORT, 2, 4) eq 'icmp'){
264 print"uzlputz ICMP Regel\n";
265 my @icmprule= split(",",substr($DPORT, 12,));
266 foreach (@icmprule){
267 $icmptype="--icmp-type ";
268 if ($_ eq "BLANK") {
269 $icmptype="";
270 $_="";
271 }
272 if ($$hash{$key}[17] eq 'ON'){
273 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
274 }
275 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
276 }
277 #PROCESS DNAT RULE (Portforward)
278 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
279 $natchain='NAT_DESTINATION';
280 if ($$hash{$key}[17] eq 'ON'){
281 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
282 }
283 my ($ip,$sub) =split("/",$targethash{$b}[0]);
284 #Process NAT with servicegroup used
285 if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
286 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
287 $fwaccessdport=$DPORT;
288 }else{
289 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
290 $DPORT =~ s/\-/:/g;
291 if ($DPORT){
292 $fwaccessdport="--dport ".substr($DPORT,1,);
293 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
294 if ($$hash{$key}[30]=~m/|/i){
295 $$hash{$key}[30] =~ s/\|/,/g;
296 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
297 }else{
298 $fwaccessdport="--dport $$hash{$key}[30]";
299 }
300 }
301 }
302 print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
303 next;
304 #PROCESS SNAT RULE
305 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
306 $natchain='NAT_SOURCE';
307 if ($$hash{$key}[17] eq 'ON' ){
308 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
309 }
310 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
311 }
312 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
313 if ($PROT ne '-p ICMP'){
314 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
315 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
316 }
317 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
318 }
319 #PROCESS Prot ICMP and type = All ICMP-Types
320 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
321 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
322 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
323 }
324 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
325 }
326 }
327 }
328 }
329 }
330 print"\n";
331 }
332 }elsif($MODE eq '0'){
333 foreach my $DPROT (@DPROT){
334 $DPORT = &get_port($hash,$key,$DPROT);
335 $PROT=$DPROT;
336 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
337 foreach my $a (sort keys %sourcehash){
338 foreach my $b (sort keys %targethash){
339 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
340 if($DPROT ne ''){
341 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
342 #Process ICMP RULE
343 if(substr($DPORT, 2, 4) eq 'icmp'){
344 my @icmprule= split(",",substr($DPORT, 12,));
345 foreach (@icmprule){
346 $icmptype="--icmp-type ";
347 if ($_ eq "BLANK") {
348 $icmptype="";
349 $_="";
350 }
351 if ($$hash{$key}[17] eq 'ON'){
352 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
353 }
354 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
355 }
356 #PROCESS DNAT RULE (Portforward)
357 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
358 $natchain='NAT_DESTINATION';
359 if ($$hash{$key}[17] eq 'ON'){
360 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
361 }
362 my ($ip,$sub) =split("/",$targethash{$b}[0]);
363 #Process NAT with servicegroup used
364 if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
365 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
366 $fwaccessdport=$DPORT;
367 }else{
368 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
369 $DPORT =~ s/\-/:/g;
370 if ($DPORT){
371 $fwaccessdport="--dport ".substr($DPORT,1,);
372 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
373 if ($$hash{$key}[30]=~m/|/i){
374 $$hash{$key}[30] =~ s/\|/,/g;
375 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
376 }else{
377 $fwaccessdport="--dport $$hash{$key}[30]";
378 }
379 }
380 }
381 system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
382 next;
383 #PROCESS SNAT RULE
384 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
385 $natchain='NAT_SOURCE';
386 if ($$hash{$key}[17] eq 'ON' ){
387 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
388 }
389 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
390 }
391 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
392 if ($PROT ne '-p ICMP'){
393 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
394 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
395 }
396 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
397 }
398 #PROCESS Prot ICMP and type = All ICMP-Types
399 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
400 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
401 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
402 }
403 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
404 }
405 }
406 }
407 }
408 }
409 }
410 }
411 }
412 %sourcehash=();
413 %targethash=();
414 undef $TIME;
415 undef $TIMEFROM;
416 undef $TIMETILL;
417 undef $fireport;
418 }
419 }
420 sub get_nat_ip
421 {
422 my $val=shift;
423 my $type=shift;
424 my $result;
425 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
426 $result=$defaultNetworks{$val.'_ADDRESS'};
427 }elsif($val eq 'ALL'){
428 $result='-i '.$con;
429 }elsif($val eq 'Default IP' && $type eq 'dnat'){
430 $result='-d '.$redip;
431 }elsif($val eq 'Default IP' && $type eq 'snat'){
432 $result=$redip;
433 }else{
434 foreach my $al (sort keys %aliases){
435 if($val eq $al && $type eq 'dnat'){
436 $result='-d '.$aliases{$al}{'IPT'};
437 }elsif($val eq $al && $type eq 'snat'){
438 $result=$aliases{$al}{'IPT'};
439 }
440 }
441 }
442 return $result;
443 }
444 sub get_time
445 {
446 my $val=shift;
447 my $val1=shift;
448 my $time;
449 my $minutes;
450 my $ruletime;
451 $minutes = &utcmin($val);
452 $ruletime = $minutes + &time_get_utc($val);
453 if ($ruletime < 0){$ruletime +=1440;}
454 if ($ruletime > 1440){$ruletime -=1440;}
455 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
456 return $time;
457 }
458 sub time_get_utc
459 {
460 # Calculates the UTCtime from a given time
461 my $val=shift;
462 my @localtime=localtime(time);
463 my @gmtime=gmtime(time);
464 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
465 return $diff;
466 }
467 sub utcmin
468 {
469 my $ruletime=shift;
470 my ($hrs,$min) = split(":",$ruletime);
471 my $newtime = $hrs*60+$min;
472 return $newtime;
473 }
474 sub p2pblock
475 {
476 my $P2PSTRING;
477 my $DO;
478 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
479 @p2ps = <FILE>;
480 close FILE;
481 my $CMD = "-m ipp2p";
482 foreach my $p2pentry (sort @p2ps) {
483 my @p2pline = split( /\;/, $p2pentry );
484 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
485 $DO = "ACCEPT";
486 if ("$p2pline[2]" eq "on") {
487 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
488 }
489 }else {
490 $DO = "RETURN";
491 if ("$p2pline[2]" eq "off") {
492 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
493 }
494 }
495 }
496 if ($MODE eq 1){
497 if($P2PSTRING){
498 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
499 }
500 }else{
501 if($P2PSTRING){
502 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
503 }
504 }
505 }
506 sub get_address
507 {
508 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
509 my $base2=shift;
510 my $type=shift; #src or tgt
511 my $hash;
512 if ($type eq 'src'){
513 $hash=\%sourcehash;
514 }else{
515 $hash=\%targethash;
516 }
517 my $key = &General::findhasharraykey($hash);
518 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
519 if (&General::validmac($base2)){
520 $$hash{$key}[0] = "-m mac --mac-source $base2";
521 }else{
522 $$hash{$key}[0] = $base2;
523 }
524 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
525 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
526 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
527 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
528 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
529 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
530 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
531 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
532 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
533 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
534 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
535 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
536 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
537 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
538 }elsif($base eq 'ipfire_src' ){
539 if($base2 eq 'GREEN'){
540 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
541 }
542 if($base2 eq 'BLUE'){
543 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
544 }
545 if($base2 eq 'ORANGE'){
546 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
547 }
548 if($base2 eq 'ALL'){
549 $$hash{$key}[0]='0.0.0.0/0';
550 }
551 if($base2 eq 'RED' || $base2 eq 'RED1'){
552 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
553 $$hash{$key}[0]= <FILE>;
554 close(FILE);
555 }else{
556 foreach my $alias (sort keys %aliases){
557 if ($base2 eq $alias){
558 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
559 }
560 }
561 }
562 }
563 }
564 sub get_prot
565 {
566 my $hash=shift;
567 my $key=shift;
568 #check AH,GRE,ESP or ICMP
569 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
570 return "$$hash{$key}[8]";
571 }
572 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
573 #check if servicegroup or service
574 if($$hash{$key}[14] eq 'cust_srv'){
575 return &fwlib::get_srv_prot($$hash{$key}[15]);
576 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
577 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
578 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
579 return "TCP,UDP";
580 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
581 return "$$hash{$key}[8]";
582 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
583 return "$$hash{$key}[8]";
584 }else{
585 return "$$hash{$key}[8]";
586 }
587 }
588 #DNAT
589 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
590 return "$$hash{$key}[8]";
591 }
592 }
593 sub get_port
594 {
595 my $hash=shift;
596 my $key=shift;
597 my $prot=shift;
598 #Get manual defined Ports from SOURCE
599 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
600 if ($$hash{$key}[10] ne ''){
601 $$hash{$key}[10] =~ s/\|/,/g;
602 if(index($$hash{$key}[10],",") > 0){
603 return "-m multiport --sport $$hash{$key}[10] ";
604 }else{
605 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
606 return "--sport $$hash{$key}[10] ";
607 }else{
608 return ":$$hash{$key}[10]";
609 }
610 }
611 }
612 #Get manual ports from TARGET
613 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
614 if($$hash{$key}[14] eq 'TGT_PORT'){
615 if ($$hash{$key}[15] ne ''){
616 $$hash{$key}[15] =~ s/\|/,/g;
617 if(index($$hash{$key}[15],",") > 0){
618 return "-m multiport --dport $$hash{$key}[15] ";
619 }else{
620 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
621 return "--dport $$hash{$key}[15] ";
622 }else{
623 $$hash{$key}[15] =~ s/\:/-/g;
624 return ":$$hash{$key}[15]";
625 }
626 }
627 }
628 #Get ports defined in custom Service (firewall-groups)
629 }elsif($$hash{$key}[14] eq 'cust_srv'){
630 if ($prot ne 'ICMP'){
631 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
632 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
633 $ports =~ s/\:/-/g;
634 return ":".$ports
635 }else{
636 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
637 }
638 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
639 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
640 }
641 #Get ports from services which are used in custom servicegroups (firewall-groups)
642 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
643 if ($prot ne 'ICMP'){
644 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
645 }
646 elsif($prot eq 'ICMP'){
647 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
648 }
649 }
650 }
651 #CHECK ICMP
652 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
653 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
654 return "--icmp-type $$hash{$key}[9] ";
655 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
656 return;
657 }
658 }
659 }
IPFire 2.x development tree