Merge branch 'master' of ssh://arne_f@ipfire.org/pub/git/ipfire-2.x
index 5c08c3089f874fc9e7392a3a6695288efde99761..ae1f105e27c18d81e0a83cee68b638ea7019ddfa 100644 (file)
@@ -1,11 +1,24 @@
 #!/usr/bin/perl
-#
-# IPFire Scripts
-#
-# This code is distributed under the terms of the GPL
-#
-# (c) The IPFire Team
-#
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007  Michael Tremer & Christian Schmidt                      #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
 
 use strict;
 # enable only the following on debugging purpose
@@ -24,15 +37,15 @@ my @configline = ();
 my $p2pentry = "";
 my @p2ps = ();
 my @p2pline = ();
-my @protos = ();
+my @proto = ();
 my $CMD = "";
+my $P2PSTRING = "";
+
 my $DEBUG = 0;
 
 my $configfile = "/var/ipfire/outgoing/rules";
 my $p2pfile = "/var/ipfire/outgoing/p2protocols";
 
-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
-
 ### Values that have to be initialized
 $outfwsettings{'ACTION'} = '';
 $outfwsettings{'VALID'} = 'yes';
@@ -64,29 +77,20 @@ my $DO = "";
 &General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 
+$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`;
+
 open( FILE, "< $configfile" ) or die "Unable to read $configfile";
 @configs = <FILE>;
 close FILE;
 
-# Say hello!
-print "Outgoing firewall for IPFire - $outfwsettings{'POLICY'}\n";
-if ($DEBUG) { print "Debugging mode!\n"; }
-print "\n";
-
-
-if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
-       system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
-       system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
-
-       exit 0
-} elsif ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
+if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
        $outfwsettings{'STATE'} = "ALLOW";
        $POLICY = "DROP";
        $DO = "ACCEPT";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
        $outfwsettings{'STATE'} = "DENY";
        $POLICY = "ACCEPT";
-       $DO = "DROP";
+       $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW'";
 }
 
 ### Initialize IPTables
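Review bot: `$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`;` keeps whatever `cat` prints, so if the file ends with a newline the interface name carries it into every later `-o $netsettings{'RED_DEV'}` (the rule loop, the MODE1 log rule and the final DROP rule in the last hunk) and from there into `system("$CMD")`, where the shell treats the newline as a command separator: the `-j $DO` tail would run as a separate command and the appended rule would have no target. Reading the file in Perl avoids both the subprocess and the pitfall: `open my $iface_fh, '<', '/var/ipfire/red/iface' or die "Unable to read /var/ipfire/red/iface";` followed by `chomp($netsettings{'RED_DEV'} = <$iface_fh>);`. An empty or undefined value should also be rejected before any rule is built, since an `-o` with no interface name leaves every rule command malformed. Whether the file actually carries a trailing newline cannot be confirmed from this hunk; the chomp is harmless either way.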
@@ -94,6 +98,17 @@ system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1");
 system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1");
 system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1");
 
+if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
+       exit 0
+}
+
+if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
+       $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
+       if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
+               $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
+       if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
+}
+
 foreach $configentry (sort @configs)
 {
        $SOURCE = "";
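Review bot: The second `$CMD = ...` assignment in the MODE1 block (the icmp rule) carries an extra indent level, so it reads as if it were nested under the preceding `if ($DEBUG)`; align it with the surrounding statements. The `if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }` pair now appears twice here and repeatedly in the rest of the file; a small `sub run_rule { my ($cmd) = @_; if ($DEBUG) { print "$cmd\n"; } else { system($cmd); } }` would make each rule site a single line. With the MODE0 `exit 0` moved after `iptables -N OUTGOINGFW`, MODE0 now leaves an empty OUTGOINGFW chain in place instead of deleting it as the removed code did; if that is intended, a comment such as `# MODE0: the chain is (re)created but deliberately left empty` would record it for the next reader.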
@@ -122,33 +137,97 @@ foreach $configentry (sort @configs)
                }
 
                if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; }
-
-               $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION";
-
-               if ($configline[3] ne 'tcp&udp') {
-                       $PROTO = "$configline[3]";
-                       $CMD = "$CMD -p $PROTO";
+               
+               if ($configline[3] eq 'tcp') {
+                       @proto = ("tcp");
+               } elsif ($configline[3] eq 'udp') {
+                       @proto = ("udp");
+               } elsif ($configline[3] eq 'all') {
+                       @proto = ("all");
+               } else {
+                       @proto = ("tcp", "udp");
+               }
+               
+               foreach $PROTO (@proto) {
+                       $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO";
+       
                        if ($configline[8]) {
                                $DPORT = "$configline[8]";
                                $CMD = "$CMD --dport $DPORT";
                        }
-               }
+                       
+                       if ($DEV) {
+                               $CMD = "$CMD -i $DEV";
+                       }
+       
+                       if ($configline[6]) {
+                               $MAC = "$configline[6]";
+                               $CMD = "$CMD -m mac --mac-source $MAC";
+                       }
+                       
+                       $CMD = "$CMD -o $netsettings{'RED_DEV'}";
+
+                       if ($configline[9] eq "aktiv") {
+                               if ($DEBUG) {
+                                       print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'\n";
+                               } else {
+                                       system("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'");
+                               }
+                       }
+                       
+                       if ($DEBUG) {
+                               print "$CMD -j $DO\n";
+                       } else {
+                               system("$CMD -j $DO");
+                       }
+    }
+       }
+}
 
-               if ($DEV) {
-                       $CMD = "$CMD -i $DEV";
-               }
+### Do the P2P-Stuff here
+open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+@p2ps = <FILE>;
+close FILE;
 
-               if ($configline[6]) {
-                       $MAC = "$configline[6]";
-                       $CMD = "$CMD -m mac --mac-source $MAC";
-               }
+$CMD = "/sbin/iptables -A OUTGOINGFW -m ipp2p";
 
-               $CMD = "$CMD -o $netsettings{'RED_DEV'}";
-               if ($DEBUG) { print "$CMD -j $DO\n"; } else { system("$CMD -j $DO"); }
+foreach $p2pentry (sort @p2ps)
+{
+       @p2pline = split( /\;/, $p2pentry );
+       if ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
+               $DO = "DROP";
+               if ("$p2pline[2]" eq "off") {
+                       $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+               }
+       } else {
+               $DO = "ACCEPT";
+               if ("$p2pline[2]" eq "on") {
+                       $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+               }
+       }
+}
+if ($P2PSTRING) {
+       if ($DEBUG) {
+               print "$CMD $P2PSTRING -j $DO\n";
+       } else {
+               system("$CMD $P2PSTRING -j $DO");
+       }
+}
 
-               if ($configline[9] eq "log") {
-                       if ($DEBUG) { print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n"; } else { system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '"); }
+if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
+        if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
+                       $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'";
+               if ($DEBUG) {
+                       print "$CMD\n";
+               } else {
+                       system("$CMD");
                }
+        }
 
+       $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW'";
+       if ($DEBUG) {
+               print "$CMD\n";
+       } else {
+               system("$CMD");
        }
 }
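Review bot: Every rule in the `foreach $PROTO` body and in the P2P block is still run as a single string, `system("$CMD -j $DO")` and `system("$CMD $P2PSTRING -j $DO")`, so the fields spliced in from the rules and p2protocols files (`$SOURCE`, `$DESTINATION`, `$DPORT`, `$MAC`, `$p2pline[1]`) are parsed by /bin/sh before iptables sees them, and a stray shell metacharacter in one of those fields changes the command instead of failing the rule. Keeping the arguments in an array and calling `system('/sbin/iptables', '-A', 'OUTGOINGFW', @args)` in list form, or validating each field against an anchored pattern (for example `m{\A[\w.:/-]+\z}`, a constructed sample) before interpolation, keeps the file contents as data. Separately, the per-rule log rule under `if ($configline[9] eq "aktiv")` always uses the prefix 'DROP_OUTGOINGFW' regardless of `$DO`, so in MODE1 (where `$DO` is `ACCEPT`) accepted traffic is logged under a DROP prefix; deriving the prefix from the mode would keep the log stream usable for detection. The closing brace of the `foreach $PROTO` loop is indented with four spaces where the rest of the file uses tabs.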