Forward Firewall: put rule OUTGOING ACCEPT Related, established into /etc/init.d...
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
CommitLineData
2a81ab0d
AM
1#!/usr/bin/perl
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2012 #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21# #
22# Hi folks! I hope this code is useful for all. I needed something to handle #
23# my VPN Connections in a comfortable way. #
24# This script builds firewallrules from the webinterface #
25###############################################################################
26
2a81ab0d
AM
27use strict;
28no warnings 'uninitialized';
29
30# enable only the following on debugging purpose
31#use warnings;
32#use CGI::Carp 'fatalsToBrowser';
33
34my %fwdfwsettings=();
35my %defaultNetworks=();
36my %configfwdfw=();
37my %color=();
38my %icmptypes=();
39my %ovpnSettings=();
40my %customgrp=();
41our %sourcehash=();
42our %targethash=();
43my @timeframe=();
44my %configinputfw=();
5d7faa45 45my %configoutgoingfw=();
31fef6cc 46my %configdmzfw=();
2a81ab0d
AM
47my %aliases=();
48my @DPROT=();
36196d0d 49my @p2ps=();
2a81ab0d
AM
50require '/var/ipfire/general-functions.pl';
51require "${General::swroot}/lang.pl";
52require "${General::swroot}/forward/bin/firewall-lib.pl";
53
31fef6cc 54my $configdmz = "${General::swroot}/forward/dmz";
2a81ab0d
AM
55my $configfwdfw = "${General::swroot}/forward/config";
56my $configinput = "${General::swroot}/forward/input";
5d7faa45 57my $configoutgoing = "${General::swroot}/forward/outgoing";
36196d0d 58my $p2pfile = "${General::swroot}/forward/p2protocols";
2a81ab0d 59my $configgrp = "${General::swroot}/fwhosts/customgroups";
210ee67b 60my $netsettings = "${General::swroot}/ethernet/settings";
2a81ab0d 61my $errormessage='';
210ee67b
AM
62my $orange;
63my $green;
6adcf156 64my $blue;
2a81ab0d
AM
65my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
66my $CHAIN="FORWARDFW";
67
68
69&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
210ee67b 70&General::readhash("$netsettings", \%defaultNetworks);
31fef6cc 71&General::readhasharray($configdmz, \%configdmzfw);
2a81ab0d
AM
72&General::readhasharray($configfwdfw, \%configfwdfw);
73&General::readhasharray($configinput, \%configinputfw);
5d7faa45 74&General::readhasharray($configoutgoing, \%configoutgoingfw);
2a81ab0d
AM
75&General::readhasharray($configgrp, \%customgrp);
76&General::get_aliases(\%aliases);
77
78################################
79# DEBUG/TEST #
80################################
54cb7ff0 81my $MODE=1; # 0 - normal operation
2a81ab0d
AM
82 # 1 - print configline and rules to console
83 #
84################################
85my $param=shift;
86
87if($param eq 'flush'){
88 if ($MODE eq '1'){
89 print " Flushing chains...\n";
90 }
91 &flush;
92}else{
93 if ($MODE eq '1'){
94 print " Flushing chains...\n";
95 }
96 &flush;
97 if ($MODE eq '1'){
98 print " Preparing rules...\n";
99 }
100 &preparerules;
101 if($MODE eq '0'){
102 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
af49e367 103 &p2pblock;
5d7faa45 104 system ("/usr/sbin/firewall-policy");
2a81ab0d 105 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
6adcf156
AM
106 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
107 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
6adcf156
AM
108 if ($defaultNetworks{'BLUE_DEV'}){
109 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
110 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
111 #set default rules for BLUE
112 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
113 }
5b7ed8bb
AM
114 if ($defaultNetworks{'ORANGE_DEV'}){
115 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
116 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
117 #set default rules for DMZ
118 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
119 if ($defaultNetworks{'BLUE_DEV'}){
120 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
121 }
122 }
6adcf156 123 &p2pblock;
fd10a52c 124 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
5d7faa45 125 system ("/usr/sbin/firewall-policy");
2a81ab0d
AM
126 }
127 }
128}
2a81ab0d
AM
129sub flush
130{
131 system ("iptables -F FORWARDFW");
132 system ("iptables -F INPUTFW");
5d7faa45 133 system ("iptables -F OUTGOINGFW");
2a81ab0d
AM
134}
135sub preparerules
136{
31fef6cc
AM
137 if (! -z "${General::swroot}/forward/dmz"){
138 &buildrules(\%configdmzfw);
139 }
2a81ab0d
AM
140 if (! -z "${General::swroot}/forward/config"){
141 &buildrules(\%configfwdfw);
142 }
143 if (! -z "${General::swroot}/forward/input"){
144 &buildrules(\%configinputfw);
145 }
5d7faa45
AM
146 if (! -z "${General::swroot}/forward/outgoing"){
147 &buildrules(\%configoutgoingfw);
148 }
2a81ab0d
AM
149}
150sub buildrules
151{
152 my $hash=shift;
b5269091 153 my $STAG;
992394d5 154 foreach my $key (sort {$a <=> $b} keys %$hash){
b5269091 155 $STAG='';
2a81ab0d
AM
156 if($$hash{$key}[2] eq 'ON'){
157 #get source ip's
158 if ($$hash{$key}[3] eq 'cust_grp_src'){
992394d5 159 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM
160 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
161 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
162 }
163 }
164 }else{
165 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
166 }
167 #get target ip's
168 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
992394d5 169 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM
170 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
171 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
172 }
173 }
174 }elsif($$hash{$key}[5] eq 'ipfire'){
2a81ab0d
AM
175 if($$hash{$key}[6] eq 'Default IP'){
176 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
177 $targethash{$key}[0]= <FILE>;
178 close(FILE);
179 }else{
180 foreach my $alias (sort keys %aliases){
181 if ($$hash{$key}[6] eq $alias){
182 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
183 }
184 }
185 }
186 }else{
187 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
188 }
2a81ab0d
AM
189 ##get source prot and port
190 $SRC_TGT='SRC';
191 $SPROT = &get_prot($hash,$key);
192 $SPORT = &get_port($hash,$key);
193 $SRC_TGT='';
14f7cb87 194
2a81ab0d
AM
195 ##get target prot and port
196 $DPROT=&get_prot($hash,$key);
14f7cb87 197
2a81ab0d
AM
198 if ($DPROT eq ''){$DPROT=' ';}
199 @DPROT=split(",",$DPROT);
14f7cb87 200
2a81ab0d
AM
201 #get time if defined
202 if($$hash{$key}[18] eq 'ON'){
203 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
204 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
205 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
206 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
207 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
208 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
209 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
210 $TIME=join(",",@timeframe);
211 $TIMEFROM="--timestart $$hash{$key}[26] ";
212 $TIMETILL="--timestop $$hash{$key}[27] ";
a0f267b9 213 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
2a81ab0d 214 }
2a81ab0d
AM
215 if ($MODE eq '1'){
216 print "NR:$key ";
217 foreach my $i (0 .. $#{$$hash{$key}}){
218 print "$i: $$hash{$key}[$i] ";
219 }
220 print "\n";
221 print"##################################\n";
222 #print rules to console
2a81ab0d
AM
223 foreach my $DPROT (@DPROT){
224 $DPORT = &get_port($hash,$key,$DPROT);
225 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
226 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
227 foreach my $a (sort keys %sourcehash){
228 foreach my $b (sort keys %targethash){
d7dc9718 229 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 230 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
5d7faa45 231 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8
AM
232 if(substr($DPORT, 2, 4) eq 'icmp'){
233 my @icmprule= split(",",substr($DPORT, 12,));
234 foreach (@icmprule){
235 if ($$hash{$key}[17] eq 'ON'){
236 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
237 }
238 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
239 }
240 }else{
241 if ($$hash{$key}[17] eq 'ON'){
242 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
243 }
244 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
2a81ab0d 245 }
2a81ab0d
AM
246 }
247 }
248 }
249 }
250 print"\n";
251 }
2a81ab0d
AM
252 }elsif($MODE eq '0'){
253 foreach my $DPROT (@DPROT){
254 $DPORT = &get_port($hash,$key,$DPROT);
255 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
256 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
257 foreach my $a (sort keys %sourcehash){
258 foreach my $b (sort keys %targethash){
d7dc9718 259 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 260 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
5d7faa45 261 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8
AM
262 if(substr($DPORT, 2, 4) eq 'icmp'){
263 my @icmprule= split(",",substr($DPORT, 12,));
264 foreach (@icmprule){
265 if ($$hash{$key}[17] eq 'ON'){
266 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
267 }
268 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
269 }
270 }else{
271 if ($$hash{$key}[17] eq 'ON'){
272 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
273 }
274 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
2a81ab0d 275 }
2a81ab0d
AM
276 }
277 }
278 }
279 }
2a81ab0d
AM
280 }
281 }
282 }
283 %sourcehash=();
284 %targethash=();
285 undef $TIME;
286 undef $TIMEFROM;
287 undef $TIMETILL;
288 }
289}
36196d0d
AM
290sub p2pblock
291{
292 my $P2PSTRING;
293 my $DO;
294 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
295 @p2ps = <FILE>;
296 close FILE;
297 my $CMD = "-m ipp2p";
298 foreach my $p2pentry (sort @p2ps) {
299 my @p2pline = split( /\;/, $p2pentry );
8d1beadc
AM
300 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
301 $DO = "ACCEPT";
5238a871 302 if ("$p2pline[2]" eq "on") {
36196d0d
AM
303 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
304 }
8d1beadc 305 }else {
36196d0d 306 $DO = "RETURN";
5238a871 307 if ("$p2pline[2]" eq "off") {
36196d0d
AM
308 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
309 }
310 }
311 }
312 if ($MODE eq 1){
313 if($P2PSTRING){
314 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
315 }
316 }else{
317 if($P2PSTRING){
318 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
319 }
320 }
321}
322
2a81ab0d
AM
323sub get_address
324{
325 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
326 my $base2=shift;
327 my $type=shift; #src or tgt
328 my $hash;
329 if ($type eq 'src'){
330 $hash=\%sourcehash;
331 }else{
332 $hash=\%targethash;
333 }
334 my $key = &General::findhasharraykey($hash);
335 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
b5269091
AM
336 if (&General::validmac($base2)){
337 $$hash{$key}[0] = "-m mac --mac-source $base2";
338 }else{
339 $$hash{$key}[0] = $base2;
340 }
2a81ab0d
AM
341 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
342 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
343 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
344 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
345 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
346 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
347 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
348 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
349 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
350 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
351 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
352 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
353 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
354 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
355 }
356}
357sub get_prot
358{
359 my $hash=shift;
360 my $key=shift;
361 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
362 if ($$hash{$key}[10] ne ''){
363 return"$$hash{$key}[8]";
364 }elsif($$hash{$key}[9] ne ''){
365 return"$$hash{$key}[8]";
366 }else{
367 return "$$hash{$key}[8]";
368 }
369 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
370 if ($$hash{$key}[14] eq 'TGT_PORT'){
371 if ($$hash{$key}[15] ne ''){
372 return "$$hash{$key}[12]";
373 }elsif($$hash{$key}[13] ne ''){
374 return "$$hash{$key}[12]";
375 }else{
376 return "$$hash{$key}[12]";
377 }
378 }elsif($$hash{$key}[14] eq 'cust_srv'){
379 return &fwlib::get_srv_prot($$hash{$key}[15]);
380
381 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
382 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
383 }
384 }
385}
386sub get_port
387{
388 my $hash=shift;
389 my $key=shift;
390 my $prot=shift;
391 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
392 if ($$hash{$key}[10] ne ''){
8f0b047b 393 $$hash{$key}[10] =~ s/\|/,/g;
93a5f4a5
AM
394 if(index($$hash{$key}[10],",") > 0){
395 return "-m multiport --sport $$hash{$key}[10] ";
396 }else{
397 return "--sport $$hash{$key}[10] ";
398 }
62fc8511 399 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
2a81ab0d 400 return "--icmp-type $$hash{$key}[9] ";
62fc8511
AM
401 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
402 return;
2a81ab0d
AM
403 }
404 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
b5269091 405
2a81ab0d
AM
406 if($$hash{$key}[14] eq 'TGT_PORT'){
407 if ($$hash{$key}[15] ne ''){
8f0b047b 408 $$hash{$key}[15] =~ s/\|/,/g;
93a5f4a5
AM
409 if(index($$hash{$key}[15],",") > 0){
410 return "-m multiport --dport $$hash{$key}[15] ";
411 }else{
412 return "--dport $$hash{$key}[15] ";
413 }
2a81ab0d
AM
414 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
415 return "--icmp-type $$hash{$key}[13] ";
416 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
417 return;
418 }
419 }elsif($$hash{$key}[14] eq 'cust_srv'){
420 if ($prot ne 'ICMP'){
421 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
422 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
423 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
424 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
425 return;
426 }
427 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
428 if ($prot ne 'ICMP'){
429 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
430 }
431 elsif($prot eq 'ICMP'){
432 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
433 }
2a81ab0d
AM
434 }
435 }
436}