]>
Commit | Line | Data |
---|---|---|
1 | #!/usr/bin/perl | |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
23 | use Time::Local; | |
24 | no warnings 'uninitialized'; | |
25 | ||
26 | # enable only the following on debugging purpose | |
27 | #use warnings; | |
28 | #use CGI::Carp 'fatalsToBrowser'; | |
29 | ||
30 | my %fwdfwsettings=(); | |
31 | my %defaultNetworks=(); | |
32 | my %configfwdfw=(); | |
33 | my %color=(); | |
34 | my %icmptypes=(); | |
35 | my %ovpnSettings=(); | |
36 | my %customgrp=(); | |
37 | our %sourcehash=(); | |
38 | our %targethash=(); | |
39 | my @timeframe=(); | |
40 | my %configinputfw=(); | |
41 | my %configoutgoingfw=(); | |
42 | my %confignatfw=(); | |
43 | my %aliases=(); | |
44 | my @DPROT=(); | |
45 | my @p2ps=(); | |
46 | require '/var/ipfire/general-functions.pl'; | |
47 | require "${General::swroot}/lang.pl"; | |
48 | require "/usr/lib/firewall/firewall-lib.pl"; | |
49 | ||
50 | my $configfwdfw = "${General::swroot}/firewall/config"; | |
51 | my $configinput = "${General::swroot}/firewall/input"; | |
52 | my $configoutgoing = "${General::swroot}/firewall/outgoing"; | |
53 | my $p2pfile = "${General::swroot}/firewall/p2protocols"; | |
54 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; | |
55 | my $netsettings = "${General::swroot}/ethernet/settings"; | |
56 | my $errormessage = ''; | |
57 | my $orange = ''; | |
58 | my $green = ''; | |
59 | my $blue = ''; | |
60 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); | |
61 | my $CHAIN = "FORWARDFW"; | |
62 | my $conexists = 'off'; | |
63 | my $command = 'iptables --wait -A'; | |
64 | my $dnat =''; | |
65 | my $snat =''; | |
66 | ||
67 | &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); | |
68 | &General::readhash("$netsettings", \%defaultNetworks); | |
69 | &General::readhasharray($configfwdfw, \%configfwdfw); | |
70 | &General::readhasharray($configinput, \%configinputfw); | |
71 | &General::readhasharray($configoutgoing, \%configoutgoingfw); | |
72 | &General::readhasharray($configgrp, \%customgrp); | |
73 | &General::get_aliases(\%aliases); | |
74 | ||
75 | #check if we have an internetconnection | |
76 | open (CONN,"/var/ipfire/red/iface"); | |
77 | my $con = <CONN>; | |
78 | close(CONN); | |
79 | if (-f "/var/ipfire/red/active"){ | |
80 | $conexists='on'; | |
81 | } | |
82 | open (CONN1,"/var/ipfire/red/local-ipaddress"); | |
83 | my $redip = <CONN1>; | |
84 | close(CONN1); | |
85 | ################# | |
86 | # DEBUG/TEST # | |
87 | ################# | |
88 | my $MODE=0; # 0 - normal operation | |
89 | # 1 - print configline and rules to console | |
90 | # | |
91 | ################# | |
92 | my $param=shift; | |
93 | ||
94 | if($param eq 'flush'){ | |
95 | if ($MODE eq '1'){ | |
96 | print " Flushing chains...\n"; | |
97 | } | |
98 | &flush; | |
99 | }else{ | |
100 | if ($MODE eq '1'){ | |
101 | print " Flushing chains...\n"; | |
102 | } | |
103 | &flush; | |
104 | if ($MODE eq '1'){ | |
105 | print " Preparing rules...\n"; | |
106 | } | |
107 | &preparerules; | |
108 | if($MODE eq '0'){ | |
109 | if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ | |
110 | &p2pblock; | |
111 | system ("/usr/sbin/firewall-policy"); | |
112 | }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ | |
113 | &p2pblock; | |
114 | system ("iptables --wait -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); | |
115 | system ("/usr/sbin/firewall-policy"); | |
116 | system ("/etc/sysconfig/firewall.local reload"); | |
117 | } | |
118 | } | |
119 | } | |
120 | sub flush | |
121 | { | |
122 | system ("iptables --wait -F FORWARDFW"); | |
123 | system ("iptables --wait -F INPUTFW"); | |
124 | system ("iptables --wait -F OUTGOINGFW"); | |
125 | system ("iptables --wait -t nat -F NAT_DESTINATION"); | |
126 | system ("iptables --wait -t nat -F NAT_SOURCE"); | |
127 | } | |
128 | sub preparerules | |
129 | { | |
130 | if (! -z "${General::swroot}/firewall/config"){ | |
131 | &buildrules(\%configfwdfw); | |
132 | } | |
133 | if (! -z "${General::swroot}/firewall/input"){ | |
134 | &buildrules(\%configinputfw); | |
135 | } | |
136 | if (! -z "${General::swroot}/firewall/outgoing"){ | |
137 | &buildrules(\%configoutgoingfw); | |
138 | } | |
139 | } | |
140 | sub buildrules | |
141 | { | |
142 | my $hash=shift; | |
143 | my $STAG; | |
144 | my $natip; | |
145 | my $snatport; | |
146 | my $fireport; | |
147 | my $nat; | |
148 | my $fwaccessdport; | |
149 | my $natchain; | |
150 | my $icmptype; | |
151 | foreach my $key (sort {$a <=> $b} keys %$hash){ | |
152 | next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); | |
153 | $command="iptables --wait -A"; | |
154 | if ($$hash{$key}[28] eq 'ON'){ | |
155 | $command='iptables --wait -t nat -A'; | |
156 | $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); | |
157 | if($$hash{$key}[31] eq 'dnat'){ | |
158 | $nat='DNAT'; | |
159 | if ($$hash{$key}[30] =~ /\|/){ | |
160 | $$hash{$key}[30]=~ tr/|/,/; | |
161 | $fireport='-m multiport --dport '.$$hash{$key}[30]; | |
162 | }else{ | |
163 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); | |
164 | } | |
165 | }else{ | |
166 | $nat='SNAT'; | |
167 | } | |
168 | } | |
169 | $STAG=''; | |
170 | if($$hash{$key}[2] eq 'ON'){ | |
171 | #get source ip's | |
172 | if ($$hash{$key}[3] eq 'cust_grp_src'){ | |
173 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ | |
174 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ | |
175 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); | |
176 | } | |
177 | } | |
178 | }else{ | |
179 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); | |
180 | } | |
181 | #get target ip's | |
182 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ | |
183 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ | |
184 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ | |
185 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); | |
186 | } | |
187 | } | |
188 | }elsif($$hash{$key}[5] eq 'ipfire' ){ | |
189 | if($$hash{$key}[6] eq 'GREEN'){ | |
190 | $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
191 | } | |
192 | if($$hash{$key}[6] eq 'BLUE'){ | |
193 | $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
194 | } | |
195 | if($$hash{$key}[6] eq 'ORANGE'){ | |
196 | $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
197 | } | |
198 | if($$hash{$key}[6] eq 'ALL'){ | |
199 | $targethash{$key}[0]='0.0.0.0/0'; | |
200 | } | |
201 | if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ | |
202 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; | |
203 | $targethash{$key}[0]= <FILE>; | |
204 | close(FILE); | |
205 | }else{ | |
206 | foreach my $alias (sort keys %aliases){ | |
207 | if ($$hash{$key}[6] eq $alias){ | |
208 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; | |
209 | } | |
210 | } | |
211 | } | |
212 | }else{ | |
213 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); | |
214 | } | |
215 | ##get source prot and port | |
216 | $SRC_TGT='SRC'; | |
217 | $SPORT = &get_port($hash,$key); | |
218 | $SRC_TGT=''; | |
219 | ||
220 | ##get target prot and port | |
221 | $DPROT=&get_prot($hash,$key); | |
222 | ||
223 | if ($DPROT eq ''){$DPROT=' ';} | |
224 | @DPROT=split(",",$DPROT); | |
225 | ||
226 | #get time if defined | |
227 | if($$hash{$key}[18] eq 'ON'){ | |
228 | my ($time1,$time2,$daylight); | |
229 | my $daylight=$$hash{$key}[28]; | |
230 | $time1=&get_time($$hash{$key}[26],$daylight); | |
231 | $time2=&get_time($$hash{$key}[27],$daylight); | |
232 | if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} | |
233 | if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} | |
234 | if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} | |
235 | if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} | |
236 | if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} | |
237 | if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} | |
238 | if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} | |
239 | $TIME=join(",",@timeframe); | |
240 | ||
241 | $TIMEFROM="--timestart $time1 "; | |
242 | $TIMETILL="--timestop $time2 "; | |
243 | $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; | |
244 | } | |
245 | if ($MODE eq '1'){ | |
246 | print "NR:$key "; | |
247 | foreach my $i (0 .. $#{$$hash{$key}}){ | |
248 | print "$i: $$hash{$key}[$i] "; | |
249 | } | |
250 | print "\n"; | |
251 | print"##################################\n"; | |
252 | #print rules to console | |
253 | foreach my $DPROT (@DPROT){ | |
254 | $DPORT = &get_port($hash,$key,$DPROT); | |
255 | if ($DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){ | |
256 | $DPORT=''; | |
257 | } | |
258 | $PROT=$DPROT; | |
259 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
260 | foreach my $a (sort keys %sourcehash){ | |
261 | foreach my $b (sort keys %targethash){ | |
262 | next if ($targethash{$b}[0] eq 'none'); | |
263 | $STAG=''; | |
264 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ | |
265 | if($DPROT ne ''){ | |
266 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} | |
267 | #Process ICMP RULE | |
268 | if(substr($DPORT, 2, 4) eq 'icmp'){ | |
269 | my @icmprule= split(",",substr($DPORT, 12,)); | |
270 | foreach (@icmprule){ | |
271 | $icmptype="--icmp-type "; | |
272 | if ($_ eq "BLANK") { | |
273 | $icmptype=""; | |
274 | $_=""; | |
275 | } | |
276 | if ($$hash{$key}[17] eq 'ON'){ | |
277 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; | |
278 | } | |
279 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; | |
280 | } | |
281 | #PROCESS DNAT RULE (Portforward) | |
282 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ | |
283 | $natchain='NAT_DESTINATION'; | |
284 | if ($$hash{$key}[17] eq 'ON'){ | |
285 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; | |
286 | } | |
287 | my ($ip,$sub) =split("/",$targethash{$b}[0]); | |
288 | #Process NAT with servicegroup used | |
289 | if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ | |
290 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; | |
291 | $fwaccessdport=$DPORT; | |
292 | }else{ | |
293 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; | |
294 | $DPORT =~ s/\-/:/g; | |
295 | if ($DPORT){ | |
296 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
297 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
298 | if ($$hash{$key}[30]=~m/|/i){ | |
299 | $$hash{$key}[30] =~ s/\|/,/g; | |
300 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
301 | }else{ | |
302 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
303 | } | |
304 | } | |
305 | } | |
306 | print "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; | |
307 | next; | |
308 | #PROCESS SNAT RULE | |
309 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ | |
310 | $natchain='NAT_SOURCE'; | |
311 | if ($$hash{$key}[17] eq 'ON' ){ | |
312 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n"; | |
313 | } | |
314 | print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; | |
315 | } | |
316 | #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) | |
317 | if ($PROT ne '-p ICMP'){ | |
318 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ | |
319 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
320 | } | |
321 | print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; | |
322 | } | |
323 | #PROCESS Prot ICMP and type = All ICMP-Types | |
324 | if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ | |
325 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ | |
326 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
327 | } | |
328 | print "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; | |
329 | } | |
330 | } | |
331 | } | |
332 | } | |
333 | } | |
334 | print"\n"; | |
335 | } | |
336 | }elsif($MODE eq '0'){ | |
337 | foreach my $DPROT (@DPROT){ | |
338 | $DPORT = &get_port($hash,$key,$DPROT); | |
339 | $PROT=$DPROT; | |
340 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); | |
341 | if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){ | |
342 | $DPORT=''; | |
343 | } | |
344 | foreach my $a (sort keys %sourcehash){ | |
345 | foreach my $b (sort keys %targethash){ | |
346 | next if ($targethash{$b}[0] eq 'none'); | |
347 | $STAG=''; | |
348 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ | |
349 | if($DPROT ne ''){ | |
350 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} | |
351 | #Process ICMP RULE | |
352 | if(substr($DPORT, 2, 4) eq 'icmp'){ | |
353 | my @icmprule= split(",",substr($DPORT, 12,)); | |
354 | foreach (@icmprule){ | |
355 | $icmptype="--icmp-type "; | |
356 | if ($_ eq "BLANK") { | |
357 | $icmptype=""; | |
358 | $_=""; | |
359 | } | |
360 | if ($$hash{$key}[17] eq 'ON'){ | |
361 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); | |
362 | } | |
363 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); | |
364 | } | |
365 | #PROCESS DNAT RULE (Portforward) | |
366 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ | |
367 | $natchain='NAT_DESTINATION'; | |
368 | if ($$hash{$key}[17] eq 'ON'){ | |
369 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; | |
370 | } | |
371 | my ($ip,$sub) =split("/",$targethash{$b}[0]); | |
372 | #Process NAT with servicegroup used | |
373 | if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ | |
374 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; | |
375 | $fwaccessdport=$DPORT; | |
376 | }else{ | |
377 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; | |
378 | $DPORT =~ s/\-/:/g; | |
379 | if ($DPORT){ | |
380 | $fwaccessdport="--dport ".substr($DPORT,1,); | |
381 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ | |
382 | if ($$hash{$key}[30]=~m/|/i){ | |
383 | $$hash{$key}[30] =~ s/\|/,/g; | |
384 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; | |
385 | }else{ | |
386 | $fwaccessdport="--dport $$hash{$key}[30]"; | |
387 | } | |
388 | } | |
389 | } | |
390 | system "iptables --wait -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; | |
391 | next; | |
392 | #PROCESS SNAT RULE | |
393 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ | |
394 | $natchain='NAT_SOURCE'; | |
395 | if ($$hash{$key}[17] eq 'ON' ){ | |
396 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n"; | |
397 | } | |
398 | system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; | |
399 | } | |
400 | #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) | |
401 | if ($PROT ne '-p ICMP'){ | |
402 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ | |
403 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
404 | } | |
405 | system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; | |
406 | } | |
407 | #PROCESS Prot ICMP and type = All ICMP-Types | |
408 | if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ | |
409 | if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ | |
410 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; | |
411 | } | |
412 | system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; | |
413 | } | |
414 | } | |
415 | } | |
416 | } | |
417 | } | |
418 | } | |
419 | } | |
420 | } | |
421 | %sourcehash=(); | |
422 | %targethash=(); | |
423 | undef $TIME; | |
424 | undef $TIMEFROM; | |
425 | undef $TIMETILL; | |
426 | undef $fireport; | |
427 | } | |
428 | } | |
429 | sub get_nat_ip | |
430 | { | |
431 | my $val=shift; | |
432 | my $type=shift; | |
433 | my $result; | |
434 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ | |
435 | $result=$defaultNetworks{$val.'_ADDRESS'}; | |
436 | }elsif($val eq 'ALL'){ | |
437 | $result='-i '.$con; | |
438 | }elsif($val eq 'Default IP' && $type eq 'dnat'){ | |
439 | $result='-d '.$redip; | |
440 | }elsif($val eq 'Default IP' && $type eq 'snat'){ | |
441 | $result=$redip; | |
442 | }else{ | |
443 | foreach my $al (sort keys %aliases){ | |
444 | if($val eq $al && $type eq 'dnat'){ | |
445 | $result='-d '.$aliases{$al}{'IPT'}; | |
446 | }elsif($val eq $al && $type eq 'snat'){ | |
447 | $result=$aliases{$al}{'IPT'}; | |
448 | } | |
449 | } | |
450 | } | |
451 | return $result; | |
452 | } | |
453 | sub get_time | |
454 | { | |
455 | my $val=shift; | |
456 | my $val1=shift; | |
457 | my $time; | |
458 | my $minutes; | |
459 | my $ruletime; | |
460 | $minutes = &utcmin($val); | |
461 | $ruletime = $minutes + &time_get_utc($val); | |
462 | if ($ruletime < 0){$ruletime +=1440;} | |
463 | if ($ruletime > 1440){$ruletime -=1440;} | |
464 | $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; | |
465 | return $time; | |
466 | } | |
467 | sub time_get_utc | |
468 | { | |
469 | # Calculates the UTCtime from a given time | |
470 | my $val=shift; | |
471 | my @localtime=localtime(time); | |
472 | my @gmtime=gmtime(time); | |
473 | my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); | |
474 | return $diff; | |
475 | } | |
476 | sub utcmin | |
477 | { | |
478 | my $ruletime=shift; | |
479 | my ($hrs,$min) = split(":",$ruletime); | |
480 | my $newtime = $hrs*60+$min; | |
481 | return $newtime; | |
482 | } | |
483 | sub p2pblock | |
484 | { | |
485 | my $P2PSTRING; | |
486 | my $DO; | |
487 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; | |
488 | @p2ps = <FILE>; | |
489 | close FILE; | |
490 | my $CMD = "-m ipp2p"; | |
491 | foreach my $p2pentry (sort @p2ps) { | |
492 | my @p2pline = split( /\;/, $p2pentry ); | |
493 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { | |
494 | $DO = "ACCEPT"; | |
495 | if ("$p2pline[2]" eq "on") { | |
496 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; | |
497 | } | |
498 | }else { | |
499 | $DO = "RETURN"; | |
500 | if ("$p2pline[2]" eq "off") { | |
501 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; | |
502 | } | |
503 | } | |
504 | } | |
505 | if ($MODE eq 1){ | |
506 | if($P2PSTRING){ | |
507 | print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; | |
508 | } | |
509 | }else{ | |
510 | if($P2PSTRING){ | |
511 | system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO"); | |
512 | } | |
513 | } | |
514 | } | |
515 | sub get_address | |
516 | { | |
517 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey | |
518 | my $base2=shift; | |
519 | my $type=shift; #src or tgt | |
520 | my $hash; | |
521 | if ($type eq 'src'){ | |
522 | $hash=\%sourcehash; | |
523 | }else{ | |
524 | $hash=\%targethash; | |
525 | } | |
526 | my $key = &General::findhasharraykey($hash); | |
527 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ | |
528 | if (&General::validmac($base2)){ | |
529 | $$hash{$key}[0] = "-m mac --mac-source $base2"; | |
530 | }else{ | |
531 | $$hash{$key}[0] = $base2; | |
532 | } | |
533 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ | |
534 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); | |
535 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ | |
536 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); | |
537 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ | |
538 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); | |
539 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ | |
540 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); | |
541 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ | |
542 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); | |
543 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ | |
544 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); | |
545 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ | |
546 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); | |
547 | }elsif($base eq 'ipfire_src' ){ | |
548 | if($base2 eq 'GREEN'){ | |
549 | $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; | |
550 | } | |
551 | if($base2 eq 'BLUE'){ | |
552 | $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; | |
553 | } | |
554 | if($base2 eq 'ORANGE'){ | |
555 | $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; | |
556 | } | |
557 | if($base2 eq 'ALL'){ | |
558 | $$hash{$key}[0]='0.0.0.0/0'; | |
559 | } | |
560 | if($base2 eq 'RED' || $base2 eq 'RED1'){ | |
561 | open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; | |
562 | $$hash{$key}[0]= <FILE>; | |
563 | close(FILE); | |
564 | }else{ | |
565 | foreach my $alias (sort keys %aliases){ | |
566 | if ($base2 eq $alias){ | |
567 | $$hash{$key}[0]=$aliases{$alias}{'IPT'}; | |
568 | } | |
569 | } | |
570 | } | |
571 | } | |
572 | } | |
573 | sub get_prot | |
574 | { | |
575 | my $hash=shift; | |
576 | my $key=shift; | |
577 | #check AH,GRE,ESP or ICMP | |
578 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ | |
579 | return "$$hash{$key}[8]"; | |
580 | } | |
581 | if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ | |
582 | #check if servicegroup or service | |
583 | if($$hash{$key}[14] eq 'cust_srv'){ | |
584 | return &fwlib::get_srv_prot($$hash{$key}[15]); | |
585 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ | |
586 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); | |
587 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" | |
588 | return "TCP,UDP"; | |
589 | }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" | |
590 | return "$$hash{$key}[8]"; | |
591 | }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" | |
592 | return "$$hash{$key}[8]"; | |
593 | }else{ | |
594 | return "$$hash{$key}[8]"; | |
595 | } | |
596 | } | |
597 | #DNAT | |
598 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ | |
599 | return "$$hash{$key}[8]"; | |
600 | } | |
601 | } | |
602 | sub get_port | |
603 | { | |
604 | my $hash=shift; | |
605 | my $key=shift; | |
606 | my $prot=shift; | |
607 | #Get manual defined Ports from SOURCE | |
608 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ | |
609 | if ($$hash{$key}[10] ne ''){ | |
610 | $$hash{$key}[10] =~ s/\|/,/g; | |
611 | if(index($$hash{$key}[10],",") > 0){ | |
612 | return "-m multiport --sport $$hash{$key}[10] "; | |
613 | }else{ | |
614 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ | |
615 | return "--sport $$hash{$key}[10] "; | |
616 | }else{ | |
617 | return ":$$hash{$key}[10]"; | |
618 | } | |
619 | } | |
620 | } | |
621 | #Get manual ports from TARGET | |
622 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ | |
623 | if($$hash{$key}[14] eq 'TGT_PORT'){ | |
624 | if ($$hash{$key}[15] ne ''){ | |
625 | $$hash{$key}[15] =~ s/\|/,/g; | |
626 | if(index($$hash{$key}[15],",") > 0){ | |
627 | return "-m multiport --dport $$hash{$key}[15] "; | |
628 | }else{ | |
629 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ | |
630 | return "--dport $$hash{$key}[15] "; | |
631 | }else{ | |
632 | $$hash{$key}[15] =~ s/\:/-/g; | |
633 | return ":$$hash{$key}[15]"; | |
634 | } | |
635 | } | |
636 | } | |
637 | #Get ports defined in custom Service (firewall-groups) | |
638 | }elsif($$hash{$key}[14] eq 'cust_srv'){ | |
639 | if ($prot ne 'ICMP'){ | |
640 | if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ | |
641 | my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
642 | $ports =~ s/\:/-/g; | |
643 | return ":".$ports | |
644 | }else{ | |
645 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); | |
646 | } | |
647 | }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service | |
648 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); | |
649 | } | |
650 | #Get ports from services which are used in custom servicegroups (firewall-groups) | |
651 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ | |
652 | if ($prot ne 'ICMP'){ | |
653 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
654 | } | |
655 | elsif($prot eq 'ICMP'){ | |
656 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); | |
657 | } | |
658 | } | |
659 | } | |
660 | #CHECK ICMP | |
661 | if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ | |
662 | if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ | |
663 | return "--icmp-type $$hash{$key}[9] "; | |
664 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ | |
665 | return; | |
666 | } | |
667 | } | |
668 | } |