#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012                                                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################
#                                                                             #
# Hi folks! I hope this code is useful for all. I needed something to handle  #
# my VPN Connections in a comfortable way.                                    #
# This script builds firewall rules from the web interface.                   #
###############################################################################
use strict;
no warnings 'uninitialized';

# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';

# Configuration read at start-up; the subs further down reach these directly.
my %fwdfwsettings   = ();   # forward/settings, read for POLICY
my %defaultNetworks = ();   # ethernet/settings (zone address/netmask/dev)
my %configfwdfw     = ();   # forward rules
my %configinputfw   = ();   # input rules
my %customgrp       = ();   # custom host/network groups
my %aliases         = ();   # filled by General::get_aliases
my %color           = ();   # declared but not used by the subs in this file
my %icmptypes       = ();   # declared but not used by the subs in this file
my %ovpnSettings    = ();   # declared but not used by the subs in this file
# Per-rule scratch space shared between buildrules() and get_address().
our %sourcehash = ();
our %targethash = ();
my @timeframe = ();
my @DPROT     = ();
my @p2ps      = ();

require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";

my $configfwdfw  = "${General::swroot}/forward/config";
my $configinput  = "${General::swroot}/forward/input";
my $p2pfile      = "${General::swroot}/forward/p2protocols";
my $configgrp    = "${General::swroot}/fwhosts/customgroups";
my $netsettings  = "${General::swroot}/ethernet/settings";
my $errormessage = '';
my ($orange, $green, $blue);
# Shared with get_prot()/get_port(): $SRC_TGT selects the rule side they read.
my ($TYPE, $PROT, $SPROT, $DPROT, $SPORT, $DPORT, $TIME, $TIMEFROM, $TIMETILL, $SRC_TGT);
my $CHAIN = "FORWARDFW";

&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
&General::readhash($netsettings, \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);

################################
#         DEBUG/TEST           #
################################
# 0 - normal operation
# 1 - print configline and rules to console
# NOTE(review): this revision leaves $MODE at 1, so every branch guarded by
# $MODE eq '0' (the ones that call iptables) is skipped -- confirm intended.
my $MODE = 1;
################################

my $param = shift;

# Every invocation starts with a flush; only a run without the 'flush'
# argument rebuilds the rule set afterwards.
print " Flushing chains...\n" if $MODE eq '1';
&flush;

if ($param ne 'flush') {
    print " Preparing rules...\n" if $MODE eq '1';
    &preparerules;

    if ($MODE eq '0') {
        if ($fwdfwsettings{'POLICY'} eq 'MODE1') {
            &p2pblock;
            system("/usr/sbin/firewall-forward-policy");
        } elsif ($fwdfwsettings{'POLICY'} eq 'MODE2') {
            $green = _zone_cidr('GREEN');
            if ($defaultNetworks{'ORANGE_DEV'}) {
                $orange = _zone_cidr('ORANGE');
                #set default rules for DMZ
                system('iptables', '-A', $CHAIN, '-s', $orange, '-d', $green, '-j', 'RETURN');
            }
            if ($defaultNetworks{'BLUE_DEV'}) {
                $blue = _zone_cidr('BLUE');
                #set default rules for BLUE
                system('iptables', '-A', $CHAIN, '-s', $blue, '-d', $green, '-j', 'RETURN');
            }
            &p2pblock;
            system('iptables', '-A', $CHAIN, '-m', 'state', '--state', 'NEW', '-j', 'ACCEPT');
            system("/usr/sbin/firewall-forward-policy");
        }
    }
}

# Rewrite the stored netmask of one zone (GREEN/ORANGE/BLUE) to its CIDR
# prefix -- in place, as the inline code did -- and return "address/prefix".
sub _zone_cidr
{
    my $zone = shift;
    my $mask_key = "${zone}_NETMASK";
    $defaultNetworks{$mask_key} = &General::iporsubtocidr($defaultNetworks{$mask_key});
    return $defaultNetworks{"${zone}_ADDRESS"} . "/" . $defaultNetworks{$mask_key};
}
sub flush
{
    # Drop every rule from the two chains this script fills.  List-form
    # system(): no shell is involved for the fixed arguments.
    foreach my $chain (qw(FORWARDFW INPUTFW)) {
        system('iptables', '-F', $chain);
    }
    return;
}
sub preparerules
{
    # Build rules from each config file unless it is empty.  (-z is undef for
    # a missing file, so that case is processed as well, as before.)
    my @sources = (
        [ "${General::swroot}/forward/config", \%configfwdfw   ],
        [ "${General::swroot}/forward/input",  \%configinputfw ],
    );
    foreach my $source (@sources) {
        my ($file, $rules) = @$source;
        &buildrules($rules) unless -z $file;
    }
    return;
}
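sub buildrules
{
    # Turn every enabled rule of one config hash (forward or input rules)
    # into iptables commands.  Rule columns as used here:
    #   [0] target, [1] chain, [2] ON/OFF,
    #   [3]/[4] source kind and value, [5]/[6] target kind and value,
    #   [7]..[10] source protocol/port fields, [11]..[15] target fields,
    #   [17] LOG flag, [18]..[27] time restriction (weekdays, start, stop).
    # $MODE '1' prints the commands, '0' executes them.  Sets the file-scoped
    # $SRC_TGT so get_prot()/get_port() know which side to read.
    my $hash = shift;

    foreach my $key (sort { $a <=> $b } keys %$hash) {
        next unless $$hash{$key}[2] eq 'ON';

        _collect_source_addresses($hash, $key);
        _collect_target_addresses($hash, $key);

        # Source protocol/port.
        $SRC_TGT = 'SRC';
        my $sprot = &get_prot($hash, $key);
        my $sport = &get_port($hash, $key);
        $SRC_TGT = '';

        # Target protocol(s): comma separated; ' ' when none is configured so
        # the loop below still runs once.
        my $dprot = &get_prot($hash, $key);
        $dprot = ' ' if $dprot eq '';
        my @dprots = split(",", $dprot);

        # Per-rule time window; '' when the rule has none.  Computed fresh for
        # every rule -- the old file-scoped @timeframe was never cleared, so
        # weekdays leaked from one rule into the next.
        my $time = _time_match($hash, $key);

        if ($MODE eq '1') {
            print "NR:$key ";
            foreach my $i (0 .. $#{$$hash{$key}}) {
                print "$i: $$hash{$key}[$i] ";
            }
            print "\n";
            print "##################################\n";
        }

        foreach my $prot (@dprots) {
            my $dport = &get_port($hash, $key, $prot);
            # A configured source protocol wins over the target protocol.
            my $proto_opt = $sprot ne '' ? $sprot : $prot;
            $proto_opt = "-p $proto_opt" if ($proto_opt ne '' && $proto_opt ne ' ');

            foreach my $src_key (sort keys %sourcehash) {
                my $src = $sourcehash{$src_key}[0];
                # MAC sources already carry "-m mac --mac-source"; only plain
                # addresses get "-s".  Decided per source, so a MAC entry that
                # follows an IP entry no longer inherits a stray "-s".
                my $stag = substr($src, 3, 3) ne 'mac' ? '-s' : '';

                foreach my $tgt_key (sort keys %targethash) {
                    my $tgt = $targethash{$tgt_key}[0];
                    # Same precedence as before: (src differs && target set) || any-source.
                    next unless (($src ne $tgt && $tgt ne 'none') || $src eq '0.0.0.0/0.0.0.0');
                    next unless ($sprot eq '' || $sprot eq $prot || $prot eq ' ');

                    my $match = "-A $$hash{$key}[1] $proto_opt $stag $src $sport -d $tgt $dport $time";
                    if ($$hash{$key}[17] eq 'ON') {
                        _emit_rule("$match -j LOG");
                    }
                    _emit_rule("$match -j $$hash{$key}[0]");
                }
            }
        }
        print "\n" if $MODE eq '1';

        %sourcehash = ();
        %targethash = ();
    }
    return;
}

# Fill %sourcehash for rule $key: each member of a custom group, or the
# single configured source (see get_address).
sub _collect_source_addresses
{
    my ($hash, $key) = @_;
    if ($$hash{$key}[3] eq 'cust_grp_src') {
        foreach my $grp (sort { $a <=> $b } keys %customgrp) {
            if ($customgrp{$grp}[0] eq $$hash{$key}[4]) {
                &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], "src");
            }
        }
    } else {
        &get_address($$hash{$key}[3], $$hash{$key}[4], "src");
    }
    return;
}

# Fill %targethash for rule $key: a custom group, the firewall itself
# ('ipfire': current RED address or an alias), or a single target.
sub _collect_target_addresses
{
    my ($hash, $key) = @_;
    if ($$hash{$key}[5] eq 'cust_grp_tgt') {
        foreach my $grp (sort { $a <=> $b } keys %customgrp) {
            if ($customgrp{$grp}[0] eq $$hash{$key}[6]) {
                &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], "tgt");
            }
        }
    } elsif ($$hash{$key}[5] eq 'ipfire') {
        if ($$hash{$key}[6] eq 'Default IP') {
            my $ipfile = "/var/ipfire/red/local-ipaddress";
            open(my $fh, '<', $ipfile) or die 'Unable to open config file.';
            my $ip = <$fh>;
            close($fh);
            # Drop the line end so it cannot end up inside the command line.
            chomp $ip if defined $ip;
            $targethash{$key}[0] = $ip;
        } else {
            foreach my $alias (sort keys %aliases) {
                if ($$hash{$key}[6] eq $alias) {
                    $targethash{$key}[0] = $aliases{$alias}{'IPT'};
                }
            }
        }
    } else {
        &get_address($$hash{$key}[5], $$hash{$key}[6], "tgt");
    }
    return;
}

# Build the "-m time ..." match for rule $key, or '' when column 18 is not
# 'ON'.  Columns 19..25 stand for Mon..Sun; a non-empty field selects the day.
sub _time_match
{
    my ($hash, $key) = @_;
    return '' unless $$hash{$key}[18] eq 'ON';
    my @names = qw(Mon Tue Wed Thu Fri Sat Sun);
    my @weekdays = map { $$hash{$key}[19 + $_] ne '' ? $names[$_] : () } 0 .. $#names;
    my $days = join(",", @weekdays);
    my $from = "--timestart $$hash{$key}[26] ";
    my $till = "--timestop $$hash{$key}[27] ";
    return "-m time --weekdays $days $from $till";
}

# Print ($MODE '1') or run ($MODE '0') one iptables command.  $args is the
# option string after the program name.  It is split on whitespace and passed
# as a list, so no shell re-parses the values taken from the rule files.
sub _emit_rule
{
    my $args = shift;
    if ($MODE eq '1') {
        print "iptables $args\n";
    } elsif ($MODE eq '0') {
        system('iptables', split(' ', $args));
    }
    return;
}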
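sub p2pblock
{
    # Add one FORWARDFW rule with the ipp2p match, built from $p2pfile.
    # Lines are split on ';'; field [1] is the ipp2p option name and field
    # [2] the state ("on"/"off").  Under POLICY MODE1 the protocols that are
    # "on" are ACCEPTed; under any other policy the ones that are "off"
    # RETURN from the chain.  Nothing is emitted when no line matches.
    # $MODE '1' prints the command instead of running it.
    # NOTE(review): the state field must be followed by another ';' --
    # otherwise it carries the newline and never matches (unchanged behaviour).
    my @p2ps = do {
        open(my $fh, '<', $p2pfile) or die "Unable to read $p2pfile";
        my @lines = <$fh>;
        close($fh);
        @lines;
    };

    # The policy fixes both the wanted state and the jump target; settle it
    # once instead of on every line.
    my $mode1 = ($fwdfwsettings{'POLICY'} eq 'MODE1');
    my $want  = $mode1 ? "on" : "off";
    my $do    = $mode1 ? "ACCEPT" : "RETURN";

    my @p2p_opts;
    foreach my $p2pentry (sort @p2ps) {
        my @p2pline = split(/\;/, $p2pentry);
        push @p2p_opts, "--$p2pline[1]" if "$p2pline[2]" eq $want;
    }
    return unless @p2p_opts;

    my @cmd = ('/sbin/iptables', '-A', 'FORWARDFW', '-m', 'ipp2p', @p2p_opts, '-j', $do);
    if ($MODE eq '1') {
        print join(' ', @cmd) . "\n";
    } else {
        # List form: no shell, the option names reach iptables untouched.
        system(@cmd);
    }
    return;
}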
sub get_address
{
    # Resolve one address specification into %sourcehash or %targethash.
    #   $base  - kind of the entry (config column value or custom-group key)
    #   $base2 - its value (address, MAC, or a network/host/group name)
    #   $type  - 'src' fills %sourcehash, anything else %targethash
    # The resolved address is stored as $$hash{$key}[0] under a fresh key
    # from General::findhasharraykey; unknown kinds store nothing.
    my ($base, $base2, $type) = @_;
    my $hash = ($type eq 'src') ? \%sourcehash : \%targethash;
    my $key  = &General::findhasharraykey($hash);

    # Three spellings per kind are in use: the per-side column names and the
    # display name written by custom groups.
    my %kind_of = (
        'src_addr'               => 'addr',
        'tgt_addr'               => 'addr',
        'std_net_src'            => 'std_net',
        'std_net_tgt'            => 'std_net',
        'Standard Network'       => 'std_net',
        'cust_net_src'           => 'cust_net',
        'cust_net_tgt'           => 'cust_net',
        'Custom Network'         => 'cust_net',
        'cust_host_src'          => 'cust_host',
        'cust_host_tgt'          => 'cust_host',
        'Custom Host'            => 'cust_host',
        'ovpn_net_src'           => 'ovpn_net',
        'ovpn_net_tgt'           => 'ovpn_net',
        'OpenVPN static network' => 'ovpn_net',
        'ovpn_host_src'          => 'ovpn_host',
        'ovpn_host_tgt'          => 'ovpn_host',
        'OpenVPN static host'    => 'ovpn_host',
        'ovpn_n2n_src'           => 'ovpn_n2n',
        'ovpn_n2n_tgt'           => 'ovpn_n2n',
        'OpenVPN N-2-N'          => 'ovpn_n2n',
        'ipsec_net_src'          => 'ipsec_net',
        'ipsec_net_tgt'          => 'ipsec_net',
        'IpSec Network'          => 'ipsec_net',
    );
    my %resolve = (
        # A literal MAC becomes a mac-module match; anything else is used as is.
        addr      => sub { &General::validmac($base2) ? "-m mac --mac-source $base2" : $base2 },
        std_net   => sub { &fwlib::get_std_net_ip($base2) },
        cust_net  => sub { &fwlib::get_net_ip($base2) },
        cust_host => sub { &fwlib::get_host_ip($base2, $type) },
        ovpn_net  => sub { &fwlib::get_ovpn_net_ip($base2, 1) },
        ovpn_host => sub { &fwlib::get_ovpn_host_ip($base2, 33) },
        ovpn_n2n  => sub { &fwlib::get_ovpn_n2n_ip($base2, 27) },
        ipsec_net => sub { &fwlib::get_ipsec_net_ip($base2, 11) },
    );

    my $kind = $kind_of{$base};
    return unless defined $kind;
    $$hash{$key}[0] = $resolve{$kind}->();
    return;
}
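sub get_prot
{
    # Return the protocol configured for the side selected by the file-scoped
    # $SRC_TGT: 'SRC' reads the source columns ([7] enable, [8] protocol),
    # '' reads the target columns ([11] enable, [14] port type, [12]/[15]).
    # Returns '' when that side is not enabled or has no matching port type;
    # callers compare the result against ''.
    my $hash = shift;
    my $key  = shift;

    if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC') {
        # The previous version tested [10] and [9] here but returned [8] in
        # every branch, so the source protocol is simply column 8.
        return "$$hash{$key}[8]";
    }
    if ($$hash{$key}[11] eq 'ON' && $SRC_TGT eq '') {
        if ($$hash{$key}[14] eq 'TGT_PORT') {
            return "$$hash{$key}[12]";
        } elsif ($$hash{$key}[14] eq 'cust_srv') {
            return &fwlib::get_srv_prot($$hash{$key}[15]);
        } elsif ($$hash{$key}[14] eq 'cust_srvgrp') {
            return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
        }
    }
    # Explicit empty string; falling off the end of the if-chain also gave a
    # false string, but this makes the contract visible.
    return '';
}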
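sub get_port
{
    # Return the iptables port / ICMP-type match for the side selected by the
    # file-scoped $SRC_TGT ('SRC' = source columns [7],[9],[10]; '' = target
    # columns [11],[13],[14],[15]).  $prot is the protocol of the rule being
    # emitted; only custom services and service groups need it.  Returns ''
    # or undef when nothing applies -- callers interpolate the result, so
    # both read as "no match".  Port lists are "a|b" in the config and are
    # rewritten to "a,b" with a multiport match.
    my $hash = shift;
    my $key  = shift;
    my $prot = shift;

    if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC') {
        if ($$hash{$key}[10] ne '') {
            return _port_match('--sport', $$hash{$key}[10]);
        } elsif ($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types') {
            return "--icmp-type $$hash{$key}[9] ";
        } elsif ($$hash{$key}[9] eq 'All ICMP-Types') {
            return;
        }
    } elsif ($$hash{$key}[11] eq 'ON' && $SRC_TGT eq '') {
        if ($$hash{$key}[14] eq 'TGT_PORT') {
            if ($$hash{$key}[15] ne '') {
                return _port_match('--dport', $$hash{$key}[15]);
            } elsif ($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types') {
                return "--icmp-type $$hash{$key}[13] ";
            } elsif ($$hash{$key}[13] eq 'All ICMP-Types') {
                return;
            }
        } elsif ($$hash{$key}[14] eq 'cust_srv') {
            if ($prot ne 'ICMP') {
                return "--dport " . &fwlib::get_srv_port($$hash{$key}[15], 1, $prot);
            } elsif ($$hash{$key}[15] ne 'All ICMP-Types') {
                return "--icmp-type " . &fwlib::get_srv_port($$hash{$key}[15], 3, $prot);
            }
            # ICMP with 'All ICMP-Types': no type restriction.
            return;
        } elsif ($$hash{$key}[14] eq 'cust_srvgrp') {
            # The previous ICMP / non-ICMP branches made the identical call.
            return &fwlib::get_srvgrp_port($$hash{$key}[15], $prot);
        }
    }
    return '';
}

# Build "$option <ports> " for a port list stored as "a|b".  Works on a copy:
# the old code rewrote the rule data in place on every call.
sub _port_match
{
    my ($option, $ports) = @_;
    $ports =~ tr/|/,/;
    if (index($ports, ",") > 0) {
        return "-m multiport $option $ports ";
    }
    return "$option $ports ";
}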