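#!/usr/bin/perl
#
# IPFire Scripts
#
# This code is distributed under the terms of the GPL
#
# (c) The IPFire Team
#
# Rebuilds the OUTGOINGFW iptables chain from the outgoing firewall rules
# file.  MODE0 removes the chain; MODE1 turns every "ALLOW" rule into an
# ACCEPT, MODE2 turns every "DENY" rule into a DROP.  All rules apply to
# traffic leaving on the RED interface.

use strict;
use warnings;

require '/var/ipfire/general-functions.pl';

my %outfwsettings = ();
my %netsettings = ();
my $DEBUG = 0;    # set to 1 to print the rule commands instead of running them

my $configfile = "/var/ipfire/outgoing/rules";
my $IPTABLES = "/sbin/iptables";

# Policy mode -> which rule state is active and the target those rules get.
my %mode_of = (
    MODE1 => { STATE => 'ALLOW', DO => 'ACCEPT' },
    MODE2 => { STATE => 'DENY',  DO => 'DROP' },
);

### Values that have to be initialized
$outfwsettings{'POLICY'} = 'MODE0';
$outfwsettings{'STATE'} = '';

# read files
General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
General::readhash("${General::swroot}/ethernet/settings", \%netsettings);

open my $rules_fh, '<', $configfile or die "Unable to read $configfile: $!";
my @configs = <$rules_fh>;
close $rules_fh;
# Fields are split on ';'; the last field must not carry the line's newline.
chomp @configs;

# Say hello!
print "Outgoing firewall for IPFire - $outfwsettings{'POLICY'}\n";
if ($DEBUG) { print "Debugging mode!\n"; }
print "\n";

if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
    _remove_chain();
    exit 0;
}

### Initialize IPTables
_remove_chain();
system("$IPTABLES -N OUTGOINGFW >/dev/null 2>&1");

my $active = $mode_of{ $outfwsettings{'POLICY'} };
if (!$active) {
    # Unknown policy: no rule state can match, so the chain stays empty.
    warn "Unknown outgoing firewall policy '$outfwsettings{'POLICY'}', no rules added\n";
    exit 0;
}
$outfwsettings{'STATE'} = $active->{STATE};
my $DO = $active->{DO};

foreach my $configentry (sort @configs) {
    my @configline = split /;/, $configentry;
    # Blank lines and rules of the inactive state are skipped.
    next unless defined $configline[0] && $configline[0] eq $outfwsettings{'STATE'};

    my @rule = _rule_args(\@configline);

    # LOG is non-terminating while ACCEPT/DROP end chain traversal, so the
    # log rule has to be appended before the target rule or no packet would
    # ever reach it.
    if (defined $configline[9] && $configline[9] eq "log") {
        _run_or_print(@rule, '-m', 'state', '--state', 'NEW',
                      '-j', 'LOG', '--log-prefix', 'OUTGOINGFW ');
    }
    _run_or_print(@rule, '-j', $DO);
}

exit 0;

# Flush and delete the OUTGOINGFW chain.  Errors (e.g. the chain does not
# exist yet) are expected and silenced.  The commands are fixed strings, so
# the shell form carries no data from the rules file.
sub _remove_chain {
    system("$IPTABLES --flush OUTGOINGFW >/dev/null 2>&1");
    system("$IPTABLES --delete-chain OUTGOINGFW >/dev/null 2>&1");
    return;
}

# Read a key from the ethernet settings, '' when it is missing.
sub _net {
    my ($key) = @_;
    return defined $netsettings{$key} ? $netsettings{$key} : '';
}

# Source address and input device for a rule's network field: a zone name
# selects that zone's subnet and device, 'ip' uses the rule's own address
# (no device), anything else matches every source.
sub _source_of {
    my ($zone, $ip) = @_;
    $zone = '' unless defined $zone;
    foreach my $colour (qw(green blue orange)) {
        next if $zone ne $colour;
        my $prefix = uc $colour;
        return ( _net("${prefix}_NETADDRESS") . '/' . _net("${prefix}_NETMASK"),
                 _net("${prefix}_DEV") );
    }
    return ( defined $ip ? $ip : '', '' ) if $zone eq 'ip';
    return ( '0/0', '' );
}

# Build the iptables argument list (everything but the target) for one rule.
# Fields used: 0 state, 2 source network, 3 protocol, 5 source ip,
# 6 source mac, 7 destination, 8 destination port, 9 log flag.
sub _rule_args {
    my ($line) = @_;
    my ($source, $dev) = _source_of($line->[2], $line->[5]);
    my $destination = $line->[7] ? $line->[7] : '0/0';
    my @args = ($IPTABLES, '-A', 'OUTGOINGFW', '-s', $source, '-d', $destination);

    # 'tcp&udp' gets no -p (and hence no port match); any other value is
    # passed through and left to iptables to validate.
    my $proto = defined $line->[3] ? $line->[3] : '';
    if ($proto ne 'tcp&udp') {
        push @args, '-p', $proto;
        push @args, '--dport', $line->[8] if $line->[8];
    }
    push @args, '-i', $dev if $dev;
    push @args, '-m', 'mac', '--mac-source', $line->[6] if $line->[6];
    push @args, '-o', _net('RED_DEV');
    return @args;
}

# Run an iptables command, or only print it in debugging mode.  List-form
# system() hands every rule field to iptables as its own argument, so values
# read from the rules file are never interpreted by a shell.
sub _run_or_print {
    my @cmd = @_;
    if ($DEBUG) {
        print join(' ', map { /\s/ ? "'$_'" : $_ } @cmd), "\n";
    } else {
        system(@cmd);
    }
    return;
}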