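#!/usr/bin/perl
#
# IPFire Scripts
#
# This code is distributed under the terms of the GPL
#
# (c) The IPFire Team
#
# Michael Tremer - mitch@ipfire.org
# Christian Schmidt - maniacikarus@ipfire.org
#
# Rebuilds the OUTGOINGFW iptables chain from the outgoing-firewall rule
# file and the P2P protocol list.
#
# Every iptables call that carries data taken from those files goes through
# run_iptables(), which uses the list form of system(): each rule field is
# handed to iptables as one argv entry and is never parsed by a shell, so a
# field containing spaces, quotes or metacharacters cannot add options or
# run extra commands.  Entries are chomped and padded (split_entry), so the
# last field of a line compares correctly and short lines yield '' instead
# of undef.

use strict;
use warnings;

require '/var/ipfire/general-functions.pl';

my %outfwsettings = ();
my %netsettings   = ();

# Set to 1 to print the iptables commands instead of executing them.  The
# printed form is the space-joined argv, so arguments with spaces (the LOG
# prefix) appear unquoted.
my $DEBUG = 0;

my $configfile = "/var/ipfire/outgoing/rules";
my $p2pfile    = "/var/ipfire/outgoing/p2protocols";

# Number of ';'-separated fields an entry is padded to, so that every index
# used below is defined even for short or blank lines.
my $RULE_FIELDS = 10;
my $P2P_FIELDS  = 3;

### Values that have to be initialized
# readhash() only adds the keys present in the settings file; only STATE
# and POLICY are read by this script.  POLICY defaults to MODE0 (disabled).
$outfwsettings{'STATE'}  = '';
$outfwsettings{'POLICY'} = 'MODE0';

# read files
&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

my @configs = read_lines($configfile);

# Per-policy rule target and the STATE value a rule line must carry to be
# installed: MODE1 (allow list) RETURNs matching traffic from the chain and
# drops the rest at the end; MODE2 (deny list) drops matching traffic and
# lets the rest fall through.
my $DO = "";
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    $outfwsettings{'STATE'} = "ALLOW";
    $DO = "RETURN";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
    $outfwsettings{'STATE'} = "DENY";
    $DO = "DROP";
}

### Initialize IPTables
# These three commands contain no interpolated data; they stay in string
# form because the shell redirection hides the expected errors when the
# chain does not exist yet.
system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");

# MODE0: outgoing firewall disabled, leave the freshly created chain empty.
if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
    exit 0;
}

if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    run_iptables(qw(-A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN));
    run_iptables(qw(-A OUTGOINGFW -p icmp -j RETURN));
}

# Rule line layout (fields used here):
#   0 state (ALLOW/DENY), 2 source zone or 'ip', 3 protocol, 5 source ip,
#   6 source mac, 7 destination, 8 destination port, 9 'log' flag.
foreach my $configentry (sort @configs) {
    my @configline = split_entry($configentry, $RULE_FIELDS);
    next unless $outfwsettings{'STATE'} eq $configline[0];

    my ($SOURCE, $DEV) = source_for($configline[2], $configline[5], \%netsettings);
    my $DESTINATION = $configline[7] ? $configline[7] : "0/0";

    # Anything other than tcp/udp means "both".
    my @proto;
    if ($configline[3] eq 'tcp') {
        @proto = ("tcp");
    } elsif ($configline[3] eq 'udp') {
        @proto = ("udp");
    } else {
        @proto = ("tcp", "udp");
    }

    foreach my $PROTO (@proto) {
        my @CMD = ('-A', 'OUTGOINGFW', '-s', $SOURCE, '-d', $DESTINATION, '-p', $PROTO);
        push @CMD, '--dport', $configline[8]                  if $configline[8];
        push @CMD, '-i', $DEV                                 if $DEV;
        push @CMD, '-m', 'mac', '--mac-source', $configline[6] if $configline[6];
        push @CMD, '-o', $netsettings{'RED_DEV'};

        run_iptables(@CMD, '-j', $DO);

        # Optional logging of new connections matching the same rule.
        if ($configline[9] eq "log") {
            run_iptables(@CMD, '-m', 'state', '--state', 'NEW',
                         '-j', 'LOG', '--log-prefix', 'OUTGOINGFW ');
        }
    }
}

### Do the P2P-Stuff here
my @p2ps = read_lines($p2pfile);

# MODE2 drops the protocols switched "off"; any other policy RETURNs
# (allows) the protocols switched "on".  Field 1 is the ipp2p option name.
my $p2p_action = ( $outfwsettings{'POLICY'} eq 'MODE2' ) ? "DROP" : "RETURN";
my $p2p_wanted = ( $p2p_action eq "DROP" ) ? "off" : "on";

my @P2PFLAGS = ();
foreach my $p2pentry (sort @p2ps) {
    my @p2pline = split_entry($p2pentry, $P2P_FIELDS);
    if ($p2pline[2] eq $p2p_wanted) {
        push @P2PFLAGS, "--$p2pline[1]";
    }
}
if (@P2PFLAGS) {
    run_iptables('-A', 'OUTGOINGFW', '-m', 'ipp2p', @P2PFLAGS, '-j', $p2p_action);
}

# Allow-list mode: everything not returned above is dropped.
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
    run_iptables(qw(-A OUTGOINGFW -j DROP));
}

# Run /sbin/iptables with the given argument list, or print it when $DEBUG
# is set.  The list form of system() executes the binary directly without a
# shell, so rule-file values cannot inject options or commands.
sub run_iptables {
    my @args = @_;
    my @cmd  = ('/sbin/iptables', @args);
    if ($DEBUG) {
        print join(' ', @cmd), "\n";
    } else {
        system(@cmd);
    }
    return;
}

# Read a file into a list of lines; dies when it cannot be opened.
sub read_lines {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "Unable to read $path: $!";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Split one ';'-separated entry into at least $nfields fields: the trailing
# newline is removed and missing fields are '' so comparisons never see
# undef (blank or short lines simply match nothing).
sub split_entry {
    my ($line, $nfields) = @_;
    chomp $line;
    my @fields = split(/;/, $line);
    push @fields, '' while @fields < $nfields;
    return @fields;
}

# Resolve a rule's source selector to (address/netmask, input device).
# Zone names map to the ethernet settings of that zone, 'ip' uses the
# literal address from the rule (no device), anything else matches every
# source.
sub source_for {
    my ($zone, $ip, $net) = @_;
    my %zone_prefix = (green => 'GREEN', blue => 'BLUE', orange => 'ORANGE');
    if (my $prefix = $zone_prefix{$zone}) {
        my $addr = $net->{"${prefix}_NETADDRESS"};
        my $mask = $net->{"${prefix}_NETMASK"};
        return ("$addr/$mask", $net->{"${prefix}_DEV"});
    }
    return ($ip, "") if $zone eq 'ip';
    return ("0/0", "");
}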