my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
my %fwdfwsettings=();
+my %fwoptions = ();
my %defaultNetworks=();
my %configfwdfw=();;
my %customgrp=();
my $netsettings = "${General::swroot}/ethernet/settings";
&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+&General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
my @log_limit_options = &make_log_limit_options();
+my $POLICY_INPUT_ALLOWED = 0;
+my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"} eq "MODE2");
+my $POLICY_OUTPUT_ALLOWED = ($fwdfwsettings{"POLICY1"} eq "MODE2");
+
+my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
+my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
+my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+
# MAIN
&main();
# Flush all chains.
&flush();
- # Reload firewall rules.
- &preparerules();
+ # Prepare firewall rules.
+ if (! -z "${General::swroot}/firewall/input"){
+ &buildrules(\%configinputfw);
+ }
+ if (! -z "${General::swroot}/firewall/outgoing"){
+ &buildrules(\%configoutgoingfw);
+ }
+ if (! -z "${General::swroot}/firewall/config"){
+ &buildrules(\%configfwdfw);
+ }
# Load P2P block rules.
&p2pblock();
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
+
+ #Reload firewall.local if present
+ if ( -f '/etc/sysconfig/firewall.local'){
+ run("/etc/sysconfig/firewall.local reload");
+ }
}
sub run {
print "\n";
}
+sub count_elements {
+ my $hash = shift;
+
+ return scalar @$hash;
+}
+
sub flush {
run("$IPTABLES -F $CHAIN_INPUT");
run("$IPTABLES -F $CHAIN_FORWARD");
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
}
-sub preparerules {
- if (! -z "${General::swroot}/firewall/config"){
- &buildrules(\%configfwdfw);
- }
- if (! -z "${General::swroot}/firewall/input"){
- &buildrules(\%configinputfw);
+sub buildrules {
+ my $hash = shift;
+
+ # Search for targets that need to be specially handled when adding
+ # forwarding rules. Additional rules will automatically get inserted
+ # into the INPUT/OUTPUT chains for these targets.
+ my @special_input_targets = ();
+ if (!$POLICY_FORWARD_ALLOWED) {
+ push(@special_input_targets, "ACCEPT");
}
- if (! -z "${General::swroot}/firewall/outgoing"){
- &buildrules(\%configoutgoingfw);
+
+ if ($POLICY_INPUT_ACTION eq "DROP") {
+ push(@special_input_targets, "REJECT");
+ } elsif ($POLICY_INPUT_ACTION eq "REJECT") {
+ push(@special_input_targets, "DROP");
}
-}
-sub buildrules {
- my $hash = shift;
+ my @special_output_targets = ();
+ if ($POLICY_OUTPUT_ALLOWED) {
+ push(@special_output_targets, ("DROP", "REJECT"));
+ } else {
+ push(@special_output_targets, "ACCEPT");
+
+ if ($POLICY_OUTPUT_ACTION eq "DROP") {
+ push(@special_output_targets, "REJECT");
+ } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
+ push(@special_output_targets, "DROP");
+ }
+ }
foreach my $key (sort {$a <=> $b} keys %$hash) {
# Skip disabled rules.
next unless ($$hash{$key}[2] eq 'ON');
+ # Count number of elements in this line
+ my $elements = &count_elements($$hash{$key});
+
if ($DEBUG) {
print_rule($$hash{$key});
}
}
}
+ # Concurrent connection limit
+ my @ratelimit_options = ();
+
+ if (($elements ge 34) && ($$hash{$key}[32] eq 'ON')) {
+ my $conn_limit = $$hash{$key}[33];
+
+ if ($conn_limit ge 1) {
+ push(@ratelimit_options, ("-m", "connlimit"));
+
+ # Use the the entire source IP address
+ push(@ratelimit_options, "--connlimit-saddr");
+ push(@ratelimit_options, ("--connlimit-mask", "32"));
+
+ # Apply the limit
+ push(@ratelimit_options, ("--connlimit-upto", $conn_limit));
+ }
+ }
+
+ # Ratelimit
+ if (($elements ge 37) && ($$hash{$key}[34] eq 'ON')) {
+ my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
+
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
+ }
+
# Check which protocols are used in this rule and so that we can
# later group rules by protocols.
my @protocols = &get_protocols($hash, $key);
foreach my $src (@sources) {
# Skip invalid source.
+ next unless (defined $src);
next unless ($src);
# Sanitize source.
- my $source = $src;
+ my $source = @$src[0];
if ($source ~~ @ANY_ADDRESSES) {
$source = "";
}
+ my $source_intf = @$src[1];
+
foreach my $dst (@destinations) {
# Skip invalid rules.
+ next unless (defined $dst);
next if (!$dst || ($dst eq "none"));
# Sanitize destination.
- my $destination = $dst;
+ my $destination = @$dst[0];
if ($destination ~~ @ANY_ADDRESSES) {
$destination = "";
}
+ my $destination_intf = @$dst[1];
+
# Array with iptables arguments.
my @options = ();
# Add time constraint options.
push(@options, @time_options);
- my $firewall_is_in_source_subnet = 0;
+ # Add ratelimiting option
+ push(@options, @ratelimit_options);
+
+ my $firewall_is_in_source_subnet = 1;
if ($source) {
$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
}
+ my $firewall_is_in_destination_subnet = 1;
+ if ($destination) {
+ $firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
+ }
+
# Process NAT rules.
if ($NAT) {
my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);
# Destination NAT
if ($NAT_MODE eq "DNAT") {
- # Make port-forwardings useable from the internal networks.
- my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
- unless ($nat_address ~~ @internal_addresses) {
- &add_dnat_mangle_rules($nat_address, @options);
- }
-
my @nat_options = ();
if ($protocol ne "all") {
my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
push(@nat_options, @nat_protocol_options);
}
+ push(@nat_options, @time_options);
+
+ # Make port-forwardings useable from the internal networks.
+ my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+ unless ($nat_address ~~ @internal_addresses) {
+ &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
+ }
+
push(@nat_options, @source_options);
push(@nat_options, ("-d", $nat_address));
- push(@nat_options, @time_options);
my $dnat_port;
if ($protocol_has_ports) {
}
}
- push(@options, @source_options);
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ if ($source_intf) {
+ push(@source_options, ("-i", $source_intf));
+ }
- if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
- if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
- }
- run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ if ($destination_intf) {
+ push(@destination_options, ("-o", $destination_intf));
}
+ push(@options, @source_options);
push(@options, @destination_options);
# Insert firewall rule.
run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
}
run("$IPTABLES -A $chain @options -j $target");
+
+ # Handle forwarding rules and add corresponding rules for firewall access.
+ if ($chain eq $CHAIN_FORWARD) {
+ # If the firewall is part of the destination subnet and access to the destination network
+ # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
+ # for the firewall, too.
+ if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ }
+
+ # Likewise.
+ if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+ }
+ }
}
}
}
}
sub p2pblock {
- my $P2PSTRING = "";
- my $DO;
- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
- @p2ps = <FILE>;
- close FILE;
- my $CMD = "-m ipp2p";
- foreach my $p2pentry (sort @p2ps) {
- my @p2pline = split( /\;/, $p2pentry );
- if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
- $DO = "ACCEPT";
- if ("$p2pline[2]" eq "on") {
- $P2PSTRING = "$P2PSTRING --$p2pline[1]";
- }
- }else {
- $DO = "RETURN";
- if ("$p2pline[2]" eq "off") {
- $P2PSTRING = "$P2PSTRING --$p2pline[1]";
- }
- }
+ open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
+ my @protocols = ();
+ foreach my $p2pentry (<FILE>) {
+ my @p2pline = split(/\;/, $p2pentry);
+ next unless ($p2pline[2] eq "off");
+
+ push(@protocols, "--$p2pline[1]");
}
+ close(FILE);
- if($P2PSTRING) {
- run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO");
+ run("$IPTABLES -F P2PBLOCK");
+ if (@protocols) {
+ run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
}
}
sub add_dnat_mangle_rules {
my $nat_address = shift;
+ my $interface = shift;
my @options = @_;
my $mark = 0;
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
+ next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
+
my @mangle_options = @options;
my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};
return 0;
}
-
projects / people / pmueller / ipfire-2.x.git / blobdiff