]>
Commit | Line | Data |
---|---|---|
2a81ab0d AM |
1 | #!/usr/bin/perl |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2012 # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | # # | |
22 | # Hi folks! I hope this code is useful for all. I needed something to handle # | |
23 | # my VPN Connections in a comfortable way. # | |
24 | # This script builds firewallrules from the webinterface # | |
25 | ############################################################################### | |
26 | ||
2a81ab0d | 27 | use strict; |
472136c9 | 28 | use Time::Local; |
2a81ab0d AM |
29 | no warnings 'uninitialized'; |
30 | ||
31 | # enable only the following on debugging purpose | |
32 | #use warnings; | |
33 | #use CGI::Carp 'fatalsToBrowser'; | |
34 | ||
35 | my %fwdfwsettings=(); | |
36 | my %defaultNetworks=(); | |
37 | my %configfwdfw=(); | |
38 | my %color=(); | |
39 | my %icmptypes=(); | |
40 | my %ovpnSettings=(); | |
41 | my %customgrp=(); | |
42 | our %sourcehash=(); | |
43 | our %targethash=(); | |
44 | my @timeframe=(); | |
45 | my %configinputfw=(); | |
5d7faa45 | 46 | my %configoutgoingfw=(); |
a6edca5a | 47 | my %confignatfw=(); |
2a81ab0d AM |
48 | my %aliases=(); |
49 | my @DPROT=(); | |
36196d0d | 50 | my @p2ps=(); |
2a81ab0d AM |
51 | require '/var/ipfire/general-functions.pl'; |
52 | require "${General::swroot}/lang.pl"; | |
53 | require "${General::swroot}/forward/bin/firewall-lib.pl"; | |
54 | ||
55 | my $configfwdfw = "${General::swroot}/forward/config"; | |
56 | my $configinput = "${General::swroot}/forward/input"; | |
5d7faa45 | 57 | my $configoutgoing = "${General::swroot}/forward/outgoing"; |
36196d0d | 58 | my $p2pfile = "${General::swroot}/forward/p2protocols"; |
2a81ab0d | 59 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; |
210ee67b | 60 | my $netsettings = "${General::swroot}/ethernet/settings"; |
2a81ab0d | 61 | my $errormessage=''; |
210ee67b AM |
62 | my $orange; |
63 | my $green; | |
6adcf156 | 64 | my $blue; |
2a81ab0d AM |
65 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); |
66 | my $CHAIN="FORWARDFW"; | |
ddcec9d3 | 67 | my $conexists='off'; |
a6edca5a AM |
68 | my $command = 'iptables -A'; |
69 | my $dnat=''; | |
70 | my $snat=''; | |
2a81ab0d | 71 | &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); |
210ee67b | 72 | &General::readhash("$netsettings", \%defaultNetworks); |
2a81ab0d AM |
73 | &General::readhasharray($configfwdfw, \%configfwdfw); |
74 | &General::readhasharray($configinput, \%configinputfw); | |
5d7faa45 | 75 | &General::readhasharray($configoutgoing, \%configoutgoingfw); |
2a81ab0d AM |
76 | &General::readhasharray($configgrp, \%customgrp); |
77 | &General::get_aliases(\%aliases); | |
78 | ||
ddcec9d3 AM |
79 | #check if we have an internetconnection |
80 | open (CONN,"/var/ipfire/red/iface"); | |
81 | my $con = <CONN>; | |
82 | close(CONN); | |
83 | if (-f "/var/ipfire/red/active"){ | |
84 | $conexists='on'; | |
85 | } | |
a6edca5a AM |
86 | open (CONN1,"/var/ipfire/red/local-ipaddress"); |
87 | my $redip = <CONN1>; | |
88 | close(CONN1); | |
2a81ab0d AM |
89 | ################################ |
90 | # DEBUG/TEST # | |
91 | ################################ | |
54cb7ff0 | 92 | my $MODE=1; # 0 - normal operation |
2a81ab0d AM |
93 | # 1 - print configline and rules to console |
94 | # | |
95 | ################################ | |
96 | my $param=shift; | |
97 | ||
98 | if($param eq 'flush'){ | |
99 | if ($MODE eq '1'){ | |
100 | print " Flushing chains...\n"; | |
101 | } | |
102 | &flush; | |
103 | }else{ | |
104 | if ($MODE eq '1'){ | |
105 | print " Flushing chains...\n"; | |
106 | } | |
107 | &flush; | |
108 | if ($MODE eq '1'){ | |
109 | print " Preparing rules...\n"; | |
110 | } | |
111 | &preparerules; | |
112 | if($MODE eq '0'){ | |
113 | if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ | |
af49e367 | 114 | &p2pblock; |
5d7faa45 | 115 | system ("/usr/sbin/firewall-policy"); |
2a81ab0d | 116 | }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ |
6adcf156 AM |
117 | $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); |
118 | $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; | |
6adcf156 AM |
119 | if ($defaultNetworks{'BLUE_DEV'}){ |
120 | $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'}); | |
121 | $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}"; | |
122 | #set default rules for BLUE | |
123 | system ("iptables -A $CHAIN -s $blue -d $green -j RETURN"); | |
124 | } | |
5b7ed8bb AM |
125 | if ($defaultNetworks{'ORANGE_DEV'}){ |
126 | $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); | |
127 | $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; | |
128 | #set default rules for DMZ | |
129 | system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); | |
130 | if ($defaultNetworks{'BLUE_DEV'}){ | |
131 | system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); | |
132 | } | |
133 | } | |
6adcf156 | 134 | &p2pblock; |
fd10a52c | 135 | system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); |
5d7faa45 | 136 | system ("/usr/sbin/firewall-policy"); |
674f4e9d | 137 | system ("/etc/sysconfig/firewall.local reload"); |
2a81ab0d AM |
138 | } |
139 | } | |
140 | } | |
2a81ab0d AM |
141 | sub flush |
142 | { | |
143 | system ("iptables -F FORWARDFW"); | |
144 | system ("iptables -F INPUTFW"); | |
5d7faa45 | 145 | system ("iptables -F OUTGOINGFW"); |
28640b73 AM |
146 | system ("iptables -t nat -F NAT_DESTINATION"); |
147 | system ("iptables -t nat -F NAT_SOURCE"); | |
2a81ab0d AM |
148 | } |
149 | sub preparerules | |
150 | { | |
151 | if (! -z "${General::swroot}/forward/config"){ | |
152 | &buildrules(\%configfwdfw); | |
153 | } | |
154 | if (! -z "${General::swroot}/forward/input"){ | |
155 | &buildrules(\%configinputfw); | |
156 | } | |
5d7faa45 AM |
157 | if (! -z "${General::swroot}/forward/outgoing"){ |
158 | &buildrules(\%configoutgoingfw); | |
159 | } | |
a6edca5a AM |
160 | if (! -z "${General::swroot}/forward/nat"){ |
161 | &buildrules(\%confignatfw); | |
162 | } | |
2a81ab0d AM |
163 | } |
164 | sub buildrules | |
165 | { | |
166 | my $hash=shift; | |
b5269091 | 167 | my $STAG; |
a6edca5a AM |
168 | my $natip; |
169 | my $snatport; | |
170 | my $fireport; | |
bc912c6e | 171 | my $nat; |
98cee89f | 172 | my $fwaccessdport; |
c12392c0 | 173 | my $natchain; |
992394d5 | 174 | foreach my $key (sort {$a <=> $b} keys %$hash){ |
ff4770c7 | 175 | next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); |
a6edca5a AM |
176 | if ($$hash{$key}[28] eq 'ON'){ |
177 | $command='iptables -t nat -A'; | |
08e1c65d | 178 | $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); |
a6edca5a | 179 | if($$hash{$key}[31] eq 'dnat'){ |
bc912c6e | 180 | $nat='DNAT'; |
98cee89f AM |
181 | if ($$hash{$key}[30] =~ /\|/){ |
182 | $$hash{$key}[30]=~ tr/|/,/; | |
183 | $fireport='-m multiport --dport '.$$hash{$key}[30]; | |
184 | }else{ | |
185 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); | |
186 | } | |
a6edca5a | 187 | }else{ |
bc912c6e | 188 | $nat='SNAT'; |
a6edca5a AM |
189 | } |
190 | } | |
b5269091 | 191 | $STAG=''; |
2a81ab0d AM |
192 | if($$hash{$key}[2] eq 'ON'){ |
193 | #get source ip's | |
194 | if ($$hash{$key}[3] eq 'cust_grp_src'){ | |
992394d5 | 195 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
2a81ab0d AM |
196 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ |
197 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); | |
198 | } | |
199 | } | |
200 | }else{ | |
201 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); | |
202 | } | |
203 | #get target ip's | |
204 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ | |
992394d5 | 205 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
2a81ab0d AM |
206 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ |
207 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); | |
208 | } | |
209 | } | |
a0fb1099 | 210 | }elsif($$hash{$key}[5] eq 'ipfire' ){ |
05d4f131 AM |
211 | if($$hash{$key}[6] eq 'GREEN'){ |
212 | $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
213 | } | |
214 | if($$hash{$key}[6] eq 'BLUE'){ | |
215 | $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
216 | } | |
217 | if($$hash{$key}[6] eq 'ORANGE'){ | |
218 | $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
219 | } | |
8762442c AM |
220 | if($$hash{$key}[6] eq 'ALL'){ |
221 | $targethash{$key}[0]='0.0.0.0/0'; | |
222 | } | |
690b0bd7 | 223 | if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ |
ff4770c7 | 224 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; |
2a81ab0d AM |
225 | $targethash{$key}[0]= <FILE>; |
226 | close(FILE); | |
227 | }else{ | |
228 | foreach my $alias (sort keys %aliases){ | |
229 | if ($$hash{$key}[6] eq $alias){ | |
230 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; | |
231 | } | |
232 | } | |
233 | } | |
234 | }else{ | |
235 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); | |
236 | } | |
2a81ab0d AM |
237 | ##get source prot and port |
238 | $SRC_TGT='SRC'; | |
239 | $SPROT = &get_prot($hash,$key); | |
240 | $SPORT = &get_port($hash,$key); | |
241 | $SRC_TGT=''; | |
14f7cb87 | 242 | |
2a81ab0d AM |
243 | ##get target prot and port |
244 | $DPROT=&get_prot($hash,$key); | |
14f7cb87 | 245 | |
2a81ab0d AM |
246 | if ($DPROT eq ''){$DPROT=' ';} |
247 | @DPROT=split(",",$DPROT); | |
14f7cb87 | 248 | |
2a81ab0d AM |
249 | #get time if defined |
250 | if($$hash{$key}[18] eq 'ON'){ | |
472136c9 AM |
251 | my ($time1,$time2,$daylight); |
252 | my $daylight=$$hash{$key}[28]; | |
253 | $time1=&get_time($$hash{$key}[26],$daylight); | |
254 | $time2=&get_time($$hash{$key}[27],$daylight); | |
2a81ab0d AM |
255 | if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} |
256 | if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} | |
257 | if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} | |
258 | if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} | |
259 | if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} | |
260 | if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} | |
261 | if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} | |
262 | $TIME=join(",",@timeframe); | |
472136c9 AM |
263 | |
264 | $TIMEFROM="--timestart $time1 "; | |
265 | $TIMETILL="--timestop $time2 "; | |
a0f267b9 | 266 | $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; |
2a81ab0d | 267 | } |
2a81ab0d AM |
268 | if ($MODE eq '1'){ |
269 | print "NR:$key "; | |
270 | foreach my $i (0 .. $#{$$hash{$key}}){ | |
271 | print "$i: $$hash{$key}[$i] "; | |
272 | } | |
273 | print "\n"; | |
274 | print"##################################\n"; | |
275 | #print rules to console | |
2a81ab0d AM |
276 | foreach my $DPROT (@DPROT){ |
277 | $DPORT = &get_port($hash,$key,$DPROT); | |
278 | if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} | |
279 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
280 | foreach my $a (sort keys %sourcehash){ | |
281 | foreach my $b (sort keys %targethash){ | |
d7dc9718 | 282 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
2a81ab0d | 283 | if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ |
5d7faa45 | 284 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
8cb1afc8 AM |
285 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
286 | my @icmprule= split(",",substr($DPORT, 12,)); | |
287 | foreach (@icmprule){ | |
288 | if ($$hash{$key}[17] eq 'ON'){ | |
a6edca5a | 289 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; |
8cb1afc8 | 290 | } |
a6edca5a | 291 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; |
8cb1afc8 | 292 | } |
28640b73 | 293 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
c12392c0 | 294 | $natchain='NAT_DESTINATION'; |
28640b73 | 295 | if ($$hash{$key}[17] eq 'ON'){ |
c12392c0 | 296 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; |
28640b73 | 297 | } |
28640b73 | 298 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
c12392c0 | 299 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; |
829697d0 | 300 | $DPORT =~ s/\-/:/g; |
98cee89f AM |
301 | if ($DPORT){ |
302 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
303 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
304 | if ($$hash{$key}[30]=~m/|/i){ | |
305 | $$hash{$key}[30] =~ s/\|/,/g; | |
306 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
307 | }else{ | |
308 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
309 | } | |
310 | } | |
c12392c0 AM |
311 | print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
312 | next; | |
08e1c65d | 313 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
c12392c0 AM |
314 | $natchain='NAT_SOURCE'; |
315 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; | |
2a81ab0d | 316 | } |
c12392c0 AM |
317 | if ($$hash{$key}[17] eq 'ON'){ |
318 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
319 | } | |
320 | print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; | |
2a81ab0d AM |
321 | } |
322 | } | |
323 | } | |
324 | } | |
325 | print"\n"; | |
326 | } | |
2a81ab0d AM |
327 | }elsif($MODE eq '0'){ |
328 | foreach my $DPROT (@DPROT){ | |
329 | $DPORT = &get_port($hash,$key,$DPROT); | |
330 | if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} | |
331 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
332 | foreach my $a (sort keys %sourcehash){ | |
333 | foreach my $b (sort keys %targethash){ | |
d7dc9718 | 334 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
2a81ab0d | 335 | if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ |
5d7faa45 | 336 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
8cb1afc8 AM |
337 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
338 | my @icmprule= split(",",substr($DPORT, 12,)); | |
339 | foreach (@icmprule){ | |
340 | if ($$hash{$key}[17] eq 'ON'){ | |
a6edca5a | 341 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); |
8cb1afc8 | 342 | } |
a6edca5a AM |
343 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); |
344 | } | |
a6edca5a | 345 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
c12392c0 | 346 | $natchain='NAT_DESTINATION'; |
a6edca5a | 347 | if ($$hash{$key}[17] eq 'ON'){ |
c12392c0 | 348 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; |
8cb1afc8 | 349 | } |
a6edca5a | 350 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
c12392c0 | 351 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; |
829697d0 | 352 | $DPORT =~ s/\-/:/g; |
98cee89f AM |
353 | if ($DPORT){ |
354 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
355 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
356 | if ($$hash{$key}[30]=~m/|/i){ | |
357 | $$hash{$key}[30] =~ s/\|/,/g; | |
358 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
359 | }else{ | |
360 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
361 | } | |
362 | } | |
c12392c0 AM |
363 | system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
364 | next; | |
a6edca5a | 365 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
c12392c0 AM |
366 | $natchain='NAT_SOURCE'; |
367 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; | |
368 | } | |
369 | if ($$hash{$key}[17] eq 'ON'){ | |
370 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
2a81ab0d | 371 | } |
c12392c0 | 372 | system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
2a81ab0d AM |
373 | } |
374 | } | |
375 | } | |
376 | } | |
2a81ab0d AM |
377 | } |
378 | } | |
379 | } | |
380 | %sourcehash=(); | |
381 | %targethash=(); | |
382 | undef $TIME; | |
383 | undef $TIMEFROM; | |
384 | undef $TIMETILL; | |
a6edca5a | 385 | undef $fireport; |
2a81ab0d AM |
386 | } |
387 | } | |
a6edca5a AM |
388 | sub get_nat_ip |
389 | { | |
390 | my $val=shift; | |
08e1c65d | 391 | my $type=shift; |
a6edca5a AM |
392 | my $result; |
393 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ | |
394 | $result=$defaultNetworks{$val.'_ADDRESS'}; | |
395 | }elsif($val eq 'ALL'){ | |
396 | $result='-i '.$con; | |
08e1c65d | 397 | }elsif($val eq 'Default IP' && $type eq 'dnat'){ |
a6edca5a | 398 | $result='-d '.$redip; |
08e1c65d AM |
399 | }elsif($val eq 'Default IP' && $type eq 'snat'){ |
400 | $result=$redip; | |
a6edca5a AM |
401 | }else{ |
402 | foreach my $al (sort keys %aliases){ | |
08e1c65d | 403 | if($val eq $al && $type eq 'dnat'){ |
a6edca5a | 404 | $result='-d '.$aliases{$al}{'IPT'}; |
08e1c65d AM |
405 | }elsif($val eq $al && $type eq 'snat'){ |
406 | $result=$aliases{$al}{'IPT'}; | |
a6edca5a AM |
407 | } |
408 | } | |
409 | } | |
410 | return $result; | |
411 | } | |
472136c9 AM |
412 | sub get_time |
413 | { | |
414 | my $val=shift; | |
415 | my $val1=shift; | |
416 | my $time; | |
417 | my $minutes; | |
418 | my $ruletime; | |
419 | $minutes = &utcmin($val); | |
420 | $ruletime = $minutes + &time_get_utc($val); | |
421 | if ($ruletime < 0){$ruletime +=1440;} | |
422 | if ($ruletime > 1440){$ruletime -=1440;} | |
423 | $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; | |
424 | return $time; | |
425 | } | |
426 | sub time_get_utc | |
427 | { | |
428 | # Calculates the UTCtime from a given time | |
429 | my $val=shift; | |
430 | my @localtime=localtime(time); | |
431 | my @gmtime=gmtime(time); | |
432 | my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); | |
433 | return $diff; | |
434 | } | |
435 | sub utcmin | |
436 | { | |
437 | my $ruletime=shift; | |
438 | my ($hrs,$min) = split(":",$ruletime); | |
439 | my $newtime = $hrs*60+$min; | |
440 | return $newtime; | |
441 | } | |
36196d0d AM |
442 | sub p2pblock |
443 | { | |
444 | my $P2PSTRING; | |
445 | my $DO; | |
446 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; | |
447 | @p2ps = <FILE>; | |
448 | close FILE; | |
449 | my $CMD = "-m ipp2p"; | |
450 | foreach my $p2pentry (sort @p2ps) { | |
451 | my @p2pline = split( /\;/, $p2pentry ); | |
8d1beadc AM |
452 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { |
453 | $DO = "ACCEPT"; | |
5238a871 | 454 | if ("$p2pline[2]" eq "on") { |
36196d0d AM |
455 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
456 | } | |
8d1beadc | 457 | }else { |
36196d0d | 458 | $DO = "RETURN"; |
5238a871 | 459 | if ("$p2pline[2]" eq "off") { |
36196d0d AM |
460 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
461 | } | |
462 | } | |
463 | } | |
464 | if ($MODE eq 1){ | |
465 | if($P2PSTRING){ | |
466 | print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; | |
467 | } | |
468 | }else{ | |
469 | if($P2PSTRING){ | |
470 | system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); | |
471 | } | |
472 | } | |
473 | } | |
2a81ab0d AM |
474 | sub get_address |
475 | { | |
476 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey | |
477 | my $base2=shift; | |
478 | my $type=shift; #src or tgt | |
479 | my $hash; | |
480 | if ($type eq 'src'){ | |
481 | $hash=\%sourcehash; | |
482 | }else{ | |
483 | $hash=\%targethash; | |
484 | } | |
485 | my $key = &General::findhasharraykey($hash); | |
486 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ | |
b5269091 AM |
487 | if (&General::validmac($base2)){ |
488 | $$hash{$key}[0] = "-m mac --mac-source $base2"; | |
489 | }else{ | |
490 | $$hash{$key}[0] = $base2; | |
491 | } | |
2a81ab0d | 492 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ |
ddcec9d3 | 493 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); |
2a81ab0d AM |
494 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ |
495 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); | |
496 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ | |
497 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); | |
498 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ | |
499 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); | |
500 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ | |
501 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); | |
502 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ | |
6fab5bca | 503 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); |
2a81ab0d AM |
504 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ |
505 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); | |
a0fb1099 AM |
506 | }elsif($base eq 'ipfire_src' ){ |
507 | if($base2 eq 'GREEN'){ | |
508 | $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
509 | } | |
510 | if($base2 eq 'BLUE'){ | |
511 | $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
512 | } | |
513 | if($base2 eq 'ORANGE'){ | |
514 | $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
515 | } | |
516 | if($base2 eq 'ALL'){ | |
517 | $$hash{$key}[0]='0.0.0.0/0'; | |
518 | } | |
519 | if($base2 eq 'RED' || $base2 eq 'RED1'){ | |
520 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; | |
521 | $$hash{$key}[0]= <FILE>; | |
522 | close(FILE); | |
523 | }else{ | |
524 | foreach my $alias (sort keys %aliases){ | |
525 | if ($base2 eq $alias){ | |
526 | $$hash{$key}[0]=$aliases{$alias}{'IPT'}; | |
527 | } | |
528 | } | |
529 | } | |
2a81ab0d AM |
530 | } |
531 | } | |
532 | sub get_prot | |
533 | { | |
534 | my $hash=shift; | |
535 | my $key=shift; | |
536 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ | |
537 | if ($$hash{$key}[10] ne ''){ | |
538 | return"$$hash{$key}[8]"; | |
539 | }elsif($$hash{$key}[9] ne ''){ | |
540 | return"$$hash{$key}[8]"; | |
541 | }else{ | |
542 | return "$$hash{$key}[8]"; | |
543 | } | |
544 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ | |
545 | if ($$hash{$key}[14] eq 'TGT_PORT'){ | |
546 | if ($$hash{$key}[15] ne ''){ | |
547 | return "$$hash{$key}[12]"; | |
548 | }elsif($$hash{$key}[13] ne ''){ | |
549 | return "$$hash{$key}[12]"; | |
550 | }else{ | |
551 | return "$$hash{$key}[12]"; | |
552 | } | |
553 | }elsif($$hash{$key}[14] eq 'cust_srv'){ | |
554 | return &fwlib::get_srv_prot($$hash{$key}[15]); | |
555 | ||
556 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ | |
557 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); | |
558 | } | |
559 | } | |
98cee89f AM |
560 | #DNAT |
561 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ | |
562 | return "$$hash{$key}[12]"; | |
563 | } | |
2a81ab0d AM |
564 | } |
565 | sub get_port | |
566 | { | |
567 | my $hash=shift; | |
568 | my $key=shift; | |
569 | my $prot=shift; | |
570 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ | |
571 | if ($$hash{$key}[10] ne ''){ | |
8f0b047b | 572 | $$hash{$key}[10] =~ s/\|/,/g; |
93a5f4a5 AM |
573 | if(index($$hash{$key}[10],",") > 0){ |
574 | return "-m multiport --sport $$hash{$key}[10] "; | |
575 | }else{ | |
a6edca5a AM |
576 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ |
577 | return "--sport $$hash{$key}[10] "; | |
578 | }else{ | |
579 | return ":$$hash{$key}[10]"; | |
580 | } | |
93a5f4a5 | 581 | } |
62fc8511 | 582 | }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ |
2a81ab0d | 583 | return "--icmp-type $$hash{$key}[9] "; |
62fc8511 AM |
584 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ |
585 | return; | |
2a81ab0d AM |
586 | } |
587 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ | |
2a81ab0d AM |
588 | if($$hash{$key}[14] eq 'TGT_PORT'){ |
589 | if ($$hash{$key}[15] ne ''){ | |
8f0b047b | 590 | $$hash{$key}[15] =~ s/\|/,/g; |
93a5f4a5 AM |
591 | if(index($$hash{$key}[15],",") > 0){ |
592 | return "-m multiport --dport $$hash{$key}[15] "; | |
593 | }else{ | |
a6edca5a AM |
594 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ |
595 | return "--dport $$hash{$key}[15] "; | |
596 | }else{ | |
829697d0 | 597 | $$hash{$key}[15] =~ s/\:/-/g; |
a6edca5a AM |
598 | return ":$$hash{$key}[15]"; |
599 | } | |
93a5f4a5 | 600 | } |
2a81ab0d AM |
601 | }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ |
602 | return "--icmp-type $$hash{$key}[13] "; | |
603 | }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ | |
604 | return; | |
605 | } | |
606 | }elsif($$hash{$key}[14] eq 'cust_srv'){ | |
607 | if ($prot ne 'ICMP'){ | |
6be32fe5 AM |
608 | if($$hash{$key}[31] eq 'dnat'){ |
609 | return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
610 | }else{ | |
611 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
612 | } | |
2a81ab0d AM |
613 | }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ |
614 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); | |
615 | }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ | |
616 | return; | |
617 | } | |
618 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ | |
619 | if ($prot ne 'ICMP'){ | |
620 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
621 | } | |
622 | elsif($prot eq 'ICMP'){ | |
623 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
624 | } | |
2a81ab0d AM |
625 | } |
626 | } | |
627 | } |