[people/pmueller/ipfire-2.x.git] / config / outgoingfw / outgoingfw.pl

#!/usr/bin/perl
#
# IPFire Scripts
#
# This code is distributed under the terms of the GPL
#
# (c) The IPFire Team
#
# Michael Tremer - mitch@ipfire.org
# Christian Schmidt - maniacikarus@ipfire.org
#

use strict;
# enable only the following on debugging purpose
#use warnings;

require '/var/ipfire/general-functions.pl';

my %outfwsettings = ();
my %checked = ();
my %selected= () ;
my %netsettings = ();
my $errormessage = "";
my $configentry = "";
my @configs = ();
my @configline = ();
my $p2pentry = "";
my @p2ps = ();
my @p2pline = ();
my @proto = ();
my $CMD = "";
my $P2PSTRING = "";

my $DEBUG = 0;

my $configfile = "/var/ipfire/outgoing/rules";
my $p2pfile = "/var/ipfire/outgoing/p2protocols";

&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

### Values that have to be initialized
$outfwsettings{'ACTION'} = '';
$outfwsettings{'VALID'} = 'yes';
$outfwsettings{'EDIT'} = 'no';
$outfwsettings{'NAME'} = '';
$outfwsettings{'SNET'} = '';
$outfwsettings{'SIP'} = '';
$outfwsettings{'SPORT'} = '';
$outfwsettings{'SMAC'} = '';
$outfwsettings{'DIP'} = '';
$outfwsettings{'DPORT'} = '';
$outfwsettings{'PROT'} = '';
$outfwsettings{'STATE'} = '';
$outfwsettings{'DISPLAY_DIP'} = '';
$outfwsettings{'DISPLAY_DPORT'} = '';
$outfwsettings{'DISPLAY_SMAC'} = '';
$outfwsettings{'DISPLAY_SIP'} = '';
$outfwsettings{'POLICY'} = 'MODE0';
my $SOURCE = "";
my $DESTINATION = "";
my $PROTO = "";
my $DPORT = "";
my $DEV = "";
my $MAC = "";
my $POLICY = "";
my $DO = "";

# read files
&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

open( FILE, "< $configfile" ) or die "Unable to read $configfile";
@configs = <FILE>;
close FILE;

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	$outfwsettings{'STATE'} = "ALLOW";
	$POLICY = "DROP";
	$DO = "RETURN";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
	$outfwsettings{'STATE'} = "DENY";
	$POLICY = "ACCEPT";
	$DO = "DROP";
}

### Initialize IPTables
system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");

if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
	exit 0
}

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
		$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
}

foreach $configentry (sort @configs)
{
	$SOURCE = "";
	$DESTINATION = "";
	$PROTO = "";
	$DPORT = "";
	$DEV = "";
	$MAC = "";
	@configline = split( /\;/, $configentry );
	if ($outfwsettings{'STATE'} eq $configline[0]) {
		if ($configline[2] eq 'green') {
			$SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
			$DEV = $netsettings{'GREEN_DEV'};
		} elsif ($configline[2] eq 'blue') {
			$SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
			$DEV = $netsettings{'BLUE_DEV'};
		} elsif ($configline[2] eq 'orange') {
			$SOURCE = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
			$DEV = $netsettings{'ORANGE_DEV'};
		} elsif ($configline[2] eq 'ip') {
			$SOURCE = "$configline[5]";
			$DEV = "";
		} else  {
			$SOURCE = "0/0";
			$DEV = "";
		}

		if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }
		
		if ($configline[3] eq 'tcp') {
			@proto = ("tcp");
		} elsif ($configline[3] eq 'udp') {
			@proto = ("udp");
		} else {
			@proto = ("tcp", "udp");
		}
		
		foreach $PROTO (@proto) {
			$CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO";
	
			if ($configline[8]) {
				$DPORT = "$configline[8]";
				$CMD = "$CMD --dport $DPORT";
			}
			
			if ($DEV) {
				$CMD = "$CMD -i $DEV";
			}
	
			if ($configline[6]) {
				$MAC = "$configline[6]";
			 	$CMD = "$CMD -m mac --mac-source $MAC";
			}
	
			$CMD = "$CMD -o $netsettings{'RED_DEV'}";
			if ($DEBUG) {
				print "$CMD -j $DO\n";
			} else {
				system("$CMD -j $DO");
			}
			
			if ($configline[9] eq "log") {
				if ($DEBUG) {
					print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n";
				} else {
					system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '");
				}
			}
    }
	}
}

### Do the P2P-Stuff here
open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
@p2ps = <FILE>;
close FILE;

$CMD = "/sbin/iptables -A OUTGOINGFW -m ipp2p";

foreach $p2pentry (sort @p2ps)
{
	@p2pline = split( /\;/, $p2pentry );
	if ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
		$DO = "DROP";
		if ("$p2pline[2]" eq "off") {
			$P2PSTRING = "$P2PSTRING --$p2pline[1]";
		}
	} else {
		$DO = "RETURN";
		if ("$p2pline[2]" eq "on") {
			$P2PSTRING = "$P2PSTRING --$p2pline[1]";
		}
	}
}
if ($P2PSTRING) {
	if ($DEBUG) {
		print "$CMD $P2PSTRING -j $DO\n";
	} else {
		system("$CMD $P2PSTRING -j $DO");
	}
}

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	$CMD = "/sbin/iptables -A OUTGOINGFW -j DROP";
	if ($DEBUG) {
		print "$CMD\n";
	} else {
		system("$CMD");
	}
}
Commit	Line	Data
ebb9187c MT	1	#!/usr/bin/perl
	2	#
	3	# IPFire Scripts
	4	#
	5	# This code is distributed under the terms of the GPL
	6	#
	7	# (c) The IPFire Team
	8	#
b4f8d26c MT	9	# Michael Tremer - mitch@ipfire.org
	10	# Christian Schmidt - maniacikarus@ipfire.org
	11	#
ebb9187c MT	12
	13	use strict;
	14	# enable only the following on debugging purpose
	15	#use warnings;
	16
	17	require '/var/ipfire/general-functions.pl';
	18
	19	my %outfwsettings = ();
	20	my %checked = ();
	21	my %selected= () ;
	22	my %netsettings = ();
	23	my $errormessage = "";
	24	my $configentry = "";
	25	my @configs = ();
	26	my @configline = ();
	27	my $p2pentry = "";
	28	my @p2ps = ();
	29	my @p2pline = ();
b4f8d26c	30	my @proto = ();
ebb9187c	31	my $CMD = "";
b4f8d26c MT	32	my $P2PSTRING = "";
b4f8d26c MT	33
ebb9187c MT	34	my $DEBUG = 0;
	35
	36	my $configfile = "/var/ipfire/outgoing/rules";
	37	my $p2pfile = "/var/ipfire/outgoing/p2protocols";
	38
	39	&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
	40
	41	### Values that have to be initialized
	42	$outfwsettings{'ACTION'} = '';
	43	$outfwsettings{'VALID'} = 'yes';
	44	$outfwsettings{'EDIT'} = 'no';
	45	$outfwsettings{'NAME'} = '';
	46	$outfwsettings{'SNET'} = '';
	47	$outfwsettings{'SIP'} = '';
	48	$outfwsettings{'SPORT'} = '';
	49	$outfwsettings{'SMAC'} = '';
	50	$outfwsettings{'DIP'} = '';
	51	$outfwsettings{'DPORT'} = '';
	52	$outfwsettings{'PROT'} = '';
	53	$outfwsettings{'STATE'} = '';
	54	$outfwsettings{'DISPLAY_DIP'} = '';
	55	$outfwsettings{'DISPLAY_DPORT'} = '';
	56	$outfwsettings{'DISPLAY_SMAC'} = '';
	57	$outfwsettings{'DISPLAY_SIP'} = '';
	58	$outfwsettings{'POLICY'} = 'MODE0';
	59	my $SOURCE = "";
	60	my $DESTINATION = "";
	61	my $PROTO = "";
	62	my $DPORT = "";
	63	my $DEV = "";
	64	my $MAC = "";
	65	my $POLICY = "";
	66	my $DO = "";
	67
	68	# read files
	69	&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
	70	&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
	71
	72	open( FILE, "< $configfile" ) or die "Unable to read $configfile";
	73	@configs = <FILE>;
	74	close FILE;
	75
b4f8d26c	76	if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
ebb9187c MT	77	$outfwsettings{'STATE'} = "ALLOW";
ebb9187c MT	78	$POLICY = "DROP";
b4f8d26c	79	$DO = "RETURN";
ebb9187c MT	80	} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
	81	$outfwsettings{'STATE'} = "DENY";
	82	$POLICY = "ACCEPT";
	83	$DO = "DROP";
	84	}
	85
	86	### Initialize IPTables
	87	system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
	88	system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
	89	system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");
	90
b4f8d26c MT	91	if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
	92	exit 0
	93	}
	94
	95	if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	96	$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
	97	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
	98	$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
	99	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
	100	}
	101
ebb9187c MT	102	foreach $configentry (sort @configs)
	103	{
	104	$SOURCE = "";
	105	$DESTINATION = "";
	106	$PROTO = "";
	107	$DPORT = "";
	108	$DEV = "";
	109	$MAC = "";
	110	@configline = split( /\;/, $configentry );
	111	if ($outfwsettings{'STATE'} eq $configline[0]) {
	112	if ($configline[2] eq 'green') {
	113	$SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	114	$DEV = $netsettings{'GREEN_DEV'};
	115	} elsif ($configline[2] eq 'blue') {
	116	$SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
	117	$DEV = $netsettings{'BLUE_DEV'};
	118	} elsif ($configline[2] eq 'orange') {
	119	$SOURCE = "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	120	$DEV = $netsettings{'ORANGE_DEV'};
	121	} elsif ($configline[2] eq 'ip') {
	122	$SOURCE = "$configline[5]";
	123	$DEV = "";
	124	} else {
	125	$SOURCE = "0/0";
	126	$DEV = "";
	127	}
	128
	129	if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }
b4f8d26c MT	130
	131	if ($configline[3] eq 'tcp') {
	132	@proto = ("tcp");
	133	} elsif ($configline[3] eq 'udp') {
	134	@proto = ("udp");
	135	} else {
	136	@proto = ("tcp", "udp");
	137	}
	138
	139	foreach $PROTO (@proto) {
	140	$CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO";
	141
ebb9187c MT	142	if ($configline[8]) {
	143	$DPORT = "$configline[8]";
	144	$CMD = "$CMD --dport $DPORT";
	145	}
b4f8d26c MT	146
	147	if ($DEV) {
	148	$CMD = "$CMD -i $DEV";
	149	}
	150
	151	if ($configline[6]) {
	152	$MAC = "$configline[6]";
	153	$CMD = "$CMD -m mac --mac-source $MAC";
	154	}
	155
	156	$CMD = "$CMD -o $netsettings{'RED_DEV'}";
	157	if ($DEBUG) {
	158	print "$CMD -j $DO\n";
	159	} else {
	160	system("$CMD -j $DO");
	161	}
	162
	163	if ($configline[9] eq "log") {
	164	if ($DEBUG) {
	165	print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n";
	166	} else {
	167	system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '");
	168	}
	169	}
	170	}
	171	}
	172	}
ebb9187c	173
b4f8d26c MT	174	### Do the P2P-Stuff here
	175	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
	176	@p2ps = <FILE>;
	177	close FILE;
ebb9187c	178
b4f8d26c	179	$CMD = "/sbin/iptables -A OUTGOINGFW -m ipp2p";
ebb9187c	180
b4f8d26c MT	181	foreach $p2pentry (sort @p2ps)
	182	{
	183	@p2pline = split( /\;/, $p2pentry );
	184	if ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
	185	$DO = "DROP";
	186	if ("$p2pline[2]" eq "off") {
	187	$P2PSTRING = "$P2PSTRING --$p2pline[1]";
	188	}
	189	} else {
	190	$DO = "RETURN";
	191	if ("$p2pline[2]" eq "on") {
	192	$P2PSTRING = "$P2PSTRING --$p2pline[1]";
ebb9187c	193	}
b4f8d26c MT	194	}
	195	}
	196	if ($P2PSTRING) {
	197	if ($DEBUG) {
	198	print "$CMD $P2PSTRING -j $DO\n";
	199	} else {
	200	system("$CMD $P2PSTRING -j $DO");
	201	}
	202	}
ebb9187c	203
b4f8d26c MT	204	if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
	205	$CMD = "/sbin/iptables -A OUTGOINGFW -j DROP";
	206	if ($DEBUG) {
	207	print "$CMD\n";
	208	} else {
	209	system("$CMD");
ebb9187c MT	210	}
ebb9187c MT	211	}