Forward Firewall: set standard rules for blue in mode 2
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
CommitLineData
2a81ab0d
AM
1#!/usr/bin/perl
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2012 #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21# #
22# Hi folks! I hope this code is useful for all. I needed something to handle #
23# my VPN Connections in a comfortable way. #
24# This script builds firewallrules from the webinterface #
25###############################################################################
26
2a81ab0d
AM
27use strict;
28no warnings 'uninitialized';
29
30# enable only the following on debugging purpose
31#use warnings;
32#use CGI::Carp 'fatalsToBrowser';
33
34my %fwdfwsettings=();
35my %defaultNetworks=();
36my %configfwdfw=();
37my %color=();
38my %icmptypes=();
39my %ovpnSettings=();
40my %customgrp=();
41our %sourcehash=();
42our %targethash=();
43my @timeframe=();
44my %configinputfw=();
45my %aliases=();
46my @DPROT=();
36196d0d 47my @p2ps=();
2a81ab0d
AM
48require '/var/ipfire/general-functions.pl';
49require "${General::swroot}/lang.pl";
50require "${General::swroot}/forward/bin/firewall-lib.pl";
51
52my $configfwdfw = "${General::swroot}/forward/config";
53my $configinput = "${General::swroot}/forward/input";
36196d0d 54my $p2pfile = "${General::swroot}/forward/p2protocols";
2a81ab0d 55my $configgrp = "${General::swroot}/fwhosts/customgroups";
210ee67b 56my $netsettings = "${General::swroot}/ethernet/settings";
2a81ab0d 57my $errormessage='';
210ee67b
AM
58my $orange;
59my $green;
6adcf156 60my $blue;
2a81ab0d
AM
61my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
62my $CHAIN="FORWARDFW";
63
64
65&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
210ee67b 66&General::readhash("$netsettings", \%defaultNetworks);
2a81ab0d
AM
67&General::readhasharray($configfwdfw, \%configfwdfw);
68&General::readhasharray($configinput, \%configinputfw);
69&General::readhasharray($configgrp, \%customgrp);
70&General::get_aliases(\%aliases);
71
72################################
73# DEBUG/TEST #
74################################
54cb7ff0 75my $MODE=1; # 0 - normal operation
2a81ab0d
AM
76 # 1 - print configline and rules to console
77 #
78################################
79my $param=shift;
80
81if($param eq 'flush'){
82 if ($MODE eq '1'){
83 print " Flushing chains...\n";
84 }
85 &flush;
86}else{
87 if ($MODE eq '1'){
88 print " Flushing chains...\n";
89 }
90 &flush;
91 if ($MODE eq '1'){
92 print " Preparing rules...\n";
93 }
94 &preparerules;
95 if($MODE eq '0'){
96 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
af49e367 97 &p2pblock;
62fc8511 98 system ("/usr/sbin/firewall-forward-policy");
2a81ab0d 99 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
6adcf156
AM
100 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
101 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
210ee67b
AM
102 if ($defaultNetworks{'ORANGE_DEV'}){
103 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
210ee67b 104 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
210ee67b
AM
105 #set default rules for DMZ
106 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
210ee67b 107 }
6adcf156
AM
108 if ($defaultNetworks{'BLUE_DEV'}){
109 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
110 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
111 #set default rules for BLUE
112 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
113 }
114 &p2pblock;
fd10a52c 115 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
210ee67b 116 system ("/usr/sbin/firewall-forward-policy");
2a81ab0d
AM
117 }
118 }
119}
2a81ab0d
AM
120sub flush
121{
122 system ("iptables -F FORWARDFW");
123 system ("iptables -F INPUTFW");
124}
125sub preparerules
126{
127 if (! -z "${General::swroot}/forward/config"){
128 &buildrules(\%configfwdfw);
129 }
130 if (! -z "${General::swroot}/forward/input"){
131 &buildrules(\%configinputfw);
132 }
133}
134sub buildrules
135{
136 my $hash=shift;
b5269091 137 my $STAG;
992394d5 138 foreach my $key (sort {$a <=> $b} keys %$hash){
b5269091 139 $STAG='';
2a81ab0d
AM
140 if($$hash{$key}[2] eq 'ON'){
141 #get source ip's
142 if ($$hash{$key}[3] eq 'cust_grp_src'){
992394d5 143 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM
144 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
145 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
146 }
147 }
148 }else{
149 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
150 }
151 #get target ip's
152 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
992394d5 153 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM
154 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
155 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
156 }
157 }
158 }elsif($$hash{$key}[5] eq 'ipfire'){
14f7cb87 159
2a81ab0d
AM
160 if($$hash{$key}[6] eq 'Default IP'){
161 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
162 $targethash{$key}[0]= <FILE>;
163 close(FILE);
164 }else{
165 foreach my $alias (sort keys %aliases){
166 if ($$hash{$key}[6] eq $alias){
167 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
168 }
169 }
170 }
171 }else{
172 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
173 }
2a81ab0d
AM
174 ##get source prot and port
175 $SRC_TGT='SRC';
176 $SPROT = &get_prot($hash,$key);
177 $SPORT = &get_port($hash,$key);
178 $SRC_TGT='';
14f7cb87 179
2a81ab0d
AM
180 ##get target prot and port
181 $DPROT=&get_prot($hash,$key);
14f7cb87 182
2a81ab0d
AM
183 if ($DPROT eq ''){$DPROT=' ';}
184 @DPROT=split(",",$DPROT);
14f7cb87 185
2a81ab0d
AM
186 #get time if defined
187 if($$hash{$key}[18] eq 'ON'){
188 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
189 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
190 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
191 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
192 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
193 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
194 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
195 $TIME=join(",",@timeframe);
196 $TIMEFROM="--timestart $$hash{$key}[26] ";
197 $TIMETILL="--timestop $$hash{$key}[27] ";
198 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
199 }
2a81ab0d
AM
200 if ($MODE eq '1'){
201 print "NR:$key ";
202 foreach my $i (0 .. $#{$$hash{$key}}){
203 print "$i: $$hash{$key}[$i] ";
204 }
205 print "\n";
206 print"##################################\n";
207 #print rules to console
2a81ab0d
AM
208 foreach my $DPROT (@DPROT){
209 $DPORT = &get_port($hash,$key,$DPROT);
210 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
211 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
212 foreach my $a (sort keys %sourcehash){
213 foreach my $b (sort keys %targethash){
d7dc9718 214 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 215 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
54cb7ff0 216 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
2a81ab0d 217 if ($$hash{$key}[17] eq 'ON'){
b5269091 218 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
2a81ab0d 219 }
b5269091 220 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
2a81ab0d
AM
221 }
222 }
223 }
224 }
225 print"\n";
226 }
2a81ab0d
AM
227 }elsif($MODE eq '0'){
228 foreach my $DPROT (@DPROT){
229 $DPORT = &get_port($hash,$key,$DPROT);
230 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
231 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
232 foreach my $a (sort keys %sourcehash){
233 foreach my $b (sort keys %targethash){
d7dc9718 234 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 235 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
54cb7ff0 236 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
2a81ab0d 237 if ($$hash{$key}[17] eq 'ON'){
b5269091 238 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
2a81ab0d 239 }
b5269091 240 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
2a81ab0d
AM
241 }
242 }
243 }
244 }
2a81ab0d
AM
245 }
246 }
247 }
248 %sourcehash=();
249 %targethash=();
250 undef $TIME;
251 undef $TIMEFROM;
252 undef $TIMETILL;
253 }
254}
36196d0d
AM
255sub p2pblock
256{
257 my $P2PSTRING;
258 my $DO;
259 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
260 @p2ps = <FILE>;
261 close FILE;
262 my $CMD = "-m ipp2p";
263 foreach my $p2pentry (sort @p2ps) {
264 my @p2pline = split( /\;/, $p2pentry );
8d1beadc
AM
265 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
266 $DO = "ACCEPT";
5238a871 267 if ("$p2pline[2]" eq "on") {
36196d0d
AM
268 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
269 }
8d1beadc 270 }else {
36196d0d 271 $DO = "RETURN";
5238a871 272 if ("$p2pline[2]" eq "off") {
36196d0d
AM
273 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
274 }
275 }
276 }
277 if ($MODE eq 1){
278 if($P2PSTRING){
279 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
280 }
281 }else{
282 if($P2PSTRING){
283 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
284 }
285 }
286}
287
2a81ab0d
AM
288sub get_address
289{
290 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
291 my $base2=shift;
292 my $type=shift; #src or tgt
293 my $hash;
294 if ($type eq 'src'){
295 $hash=\%sourcehash;
296 }else{
297 $hash=\%targethash;
298 }
299 my $key = &General::findhasharraykey($hash);
300 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
b5269091
AM
301 if (&General::validmac($base2)){
302 $$hash{$key}[0] = "-m mac --mac-source $base2";
303 }else{
304 $$hash{$key}[0] = $base2;
305 }
2a81ab0d
AM
306 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
307 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
308 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
309 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
310 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
311 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
312 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
313 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
314 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
315 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
316 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
317 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
318 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
319 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
320 }
321}
322sub get_prot
323{
324 my $hash=shift;
325 my $key=shift;
326 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
327 if ($$hash{$key}[10] ne ''){
328 return"$$hash{$key}[8]";
329 }elsif($$hash{$key}[9] ne ''){
330 return"$$hash{$key}[8]";
331 }else{
332 return "$$hash{$key}[8]";
333 }
334 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
335 if ($$hash{$key}[14] eq 'TGT_PORT'){
336 if ($$hash{$key}[15] ne ''){
337 return "$$hash{$key}[12]";
338 }elsif($$hash{$key}[13] ne ''){
339 return "$$hash{$key}[12]";
340 }else{
341 return "$$hash{$key}[12]";
342 }
343 }elsif($$hash{$key}[14] eq 'cust_srv'){
344 return &fwlib::get_srv_prot($$hash{$key}[15]);
345
346 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
347 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
348 }
349 }
350}
351sub get_port
352{
353 my $hash=shift;
354 my $key=shift;
355 my $prot=shift;
356 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
357 if ($$hash{$key}[10] ne ''){
8f0b047b 358 $$hash{$key}[10] =~ s/\|/,/g;
93a5f4a5
AM
359 if(index($$hash{$key}[10],",") > 0){
360 return "-m multiport --sport $$hash{$key}[10] ";
361 }else{
362 return "--sport $$hash{$key}[10] ";
363 }
62fc8511 364 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
2a81ab0d 365 return "--icmp-type $$hash{$key}[9] ";
62fc8511
AM
366 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
367 return;
2a81ab0d
AM
368 }
369 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
b5269091 370
2a81ab0d
AM
371 if($$hash{$key}[14] eq 'TGT_PORT'){
372 if ($$hash{$key}[15] ne ''){
8f0b047b 373 $$hash{$key}[15] =~ s/\|/,/g;
93a5f4a5
AM
374 if(index($$hash{$key}[15],",") > 0){
375 return "-m multiport --dport $$hash{$key}[15] ";
376 }else{
377 return "--dport $$hash{$key}[15] ";
378 }
2a81ab0d
AM
379 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
380 return "--icmp-type $$hash{$key}[13] ";
381 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
382 return;
383 }
384 }elsif($$hash{$key}[14] eq 'cust_srv'){
385 if ($prot ne 'ICMP'){
386 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
387 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
388 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
389 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
390 return;
391 }
392 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
393 if ($prot ne 'ICMP'){
394 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
395 }
396 elsif($prot eq 'ICMP'){
397 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
398 }
2a81ab0d
AM
399 }
400 }
401}