| | 1 | #!/usr/bin/perl |
| | 2 | ############################################################################### |
| | 3 | # # |
| | 4 | # IPFire.org - A linux based firewall # |
| | 5 | # Copyright (C) 2012 # |
| | 6 | # # |
| | 7 | # This program is free software: you can redistribute it and/or modify # |
| | 8 | # it under the terms of the GNU General Public License as published by # |
| | 9 | # the Free Software Foundation, either version 3 of the License, or # |
| | 10 | # (at your option) any later version. # |
| | 11 | # # |
| | 12 | # This program is distributed in the hope that it will be useful, # |
| | 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # |
| | 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # |
| | 15 | # GNU General Public License for more details. # |
| | 16 | # # |
| | 17 | # You should have received a copy of the GNU General Public License # |
| | 18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # |
| | 19 | # # |
| | 20 | ############################################################################### |
| | 21 | # # |
| | 22 | # Hi folks! I hope this code is useful for all. I needed something to handle # |
| | 23 | # my VPN Connections in a comfortable way. # |
| | 24 | # This script builds firewallrules from the webinterface # |
| | 25 | ############################################################################### |
| | 26 | |
| | 27 | use strict; |
| | 28 | use Time::Local; |
| | 29 | no warnings 'uninitialized'; |
| | 30 | |
| | 31 | # enable only the following on debugging purpose |
| | 32 | #use warnings; |
| | 33 | #use CGI::Carp 'fatalsToBrowser'; |
| | 34 | |
| | 35 | my %fwdfwsettings=(); |
| | 36 | my %defaultNetworks=(); |
| | 37 | my %configfwdfw=(); |
| | 38 | my %color=(); |
| | 39 | my %icmptypes=(); |
| | 40 | my %ovpnSettings=(); |
| | 41 | my %customgrp=(); |
| | 42 | our %sourcehash=(); |
| | 43 | our %targethash=(); |
| | 44 | my @timeframe=(); |
| | 45 | my %configinputfw=(); |
| | 46 | my %configoutgoingfw=(); |
| | 47 | my %configdmzfw=(); |
| | 48 | my %confignatfw=(); |
| | 49 | my %aliases=(); |
| | 50 | my @DPROT=(); |
| | 51 | my @p2ps=(); |
| | 52 | require '/var/ipfire/general-functions.pl'; |
| | 53 | require "${General::swroot}/lang.pl"; |
| | 54 | require "${General::swroot}/forward/bin/firewall-lib.pl"; |
| | 55 | |
| | 56 | my $configdmz = "${General::swroot}/forward/dmz"; |
| | 57 | my $configfwdfw = "${General::swroot}/forward/config"; |
| | 58 | my $configinput = "${General::swroot}/forward/input"; |
| | 59 | my $configoutgoing = "${General::swroot}/forward/outgoing"; |
| | 60 | my $confignat = "${General::swroot}/forward/nat"; |
| | 61 | my $p2pfile = "${General::swroot}/forward/p2protocols"; |
| | 62 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; |
| | 63 | my $netsettings = "${General::swroot}/ethernet/settings"; |
| | 64 | my $errormessage=''; |
| | 65 | my $orange; |
| | 66 | my $green; |
| | 67 | my $blue; |
| | 68 | my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); |
| | 69 | my $CHAIN="FORWARDFW"; |
| | 70 | my $conexists='off'; |
| | 71 | my $command = 'iptables -A'; |
| | 72 | my $dnat=''; |
| | 73 | my $snat=''; |
| | 74 | &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); |
| | 75 | &General::readhash("$netsettings", \%defaultNetworks); |
| | 76 | &General::readhasharray($configdmz, \%configdmzfw); |
| | 77 | &General::readhasharray($configfwdfw, \%configfwdfw); |
| | 78 | &General::readhasharray($configinput, \%configinputfw); |
| | 79 | &General::readhasharray($configoutgoing, \%configoutgoingfw); |
| | 80 | &General::readhasharray($confignat, \%confignatfw); |
| | 81 | &General::readhasharray($configgrp, \%customgrp); |
| | 82 | &General::get_aliases(\%aliases); |
| | 83 | |
| | 84 | #check if we have an internetconnection |
| | 85 | open (CONN,"/var/ipfire/red/iface"); |
| | 86 | my $con = <CONN>; |
| | 87 | close(CONN); |
| | 88 | if (-f "/var/ipfire/red/active"){ |
| | 89 | $conexists='on'; |
| | 90 | } |
| | 91 | open (CONN1,"/var/ipfire/red/local-ipaddress"); |
| | 92 | my $redip = <CONN1>; |
| | 93 | close(CONN1); |
| | 94 | ################################ |
| | 95 | # DEBUG/TEST # |
| | 96 | ################################ |
| | 97 | my $MODE=1; # 0 - normal operation |
| | 98 | # 1 - print configline and rules to console |
| | 99 | # |
| | 100 | ################################ |
| | 101 | my $param=shift; |
| | 102 | |
| | 103 | if($param eq 'flush'){ |
| | 104 | if ($MODE eq '1'){ |
| | 105 | print " Flushing chains...\n"; |
| | 106 | } |
| | 107 | &flush; |
| | 108 | }else{ |
| | 109 | if ($MODE eq '1'){ |
| | 110 | print " Flushing chains...\n"; |
| | 111 | } |
| | 112 | &flush; |
| | 113 | if ($MODE eq '1'){ |
| | 114 | print " Preparing rules...\n"; |
| | 115 | } |
| | 116 | &preparerules; |
| | 117 | if($MODE eq '0'){ |
| | 118 | if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ |
| | 119 | &p2pblock; |
| | 120 | system ("/usr/sbin/firewall-policy"); |
| | 121 | }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ |
| | 122 | $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); |
| | 123 | $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; |
| | 124 | if ($defaultNetworks{'BLUE_DEV'}){ |
| | 125 | $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'}); |
| | 126 | $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}"; |
| | 127 | #set default rules for BLUE |
| | 128 | system ("iptables -A $CHAIN -s $blue -d $green -j RETURN"); |
| | 129 | } |
| | 130 | if ($defaultNetworks{'ORANGE_DEV'}){ |
| | 131 | $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); |
| | 132 | $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; |
| | 133 | #set default rules for DMZ |
| | 134 | system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); |
| | 135 | if ($defaultNetworks{'BLUE_DEV'}){ |
| | 136 | system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); |
| | 137 | } |
| | 138 | } |
| | 139 | &p2pblock; |
| | 140 | system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); |
| | 141 | system ("/usr/sbin/firewall-policy"); |
| | 142 | } |
| | 143 | } |
| | 144 | } |
| | 145 | sub flush |
| | 146 | { |
| | 147 | system ("iptables -F FORWARDFW"); |
| | 148 | system ("iptables -F INPUTFW"); |
| | 149 | system ("iptables -F OUTGOINGFW"); |
| | 150 | system ("iptables -F PORTFWACCESS"); |
| | 151 | system ("iptables -t nat -F NAT_DESTINATION"); |
| | 152 | system ("iptables -t nat -F NAT_SOURCE"); |
| | 153 | } |
| | 154 | sub preparerules |
| | 155 | { |
| | 156 | if (! -z "${General::swroot}/forward/dmz"){ |
| | 157 | &buildrules(\%configdmzfw); |
| | 158 | } |
| | 159 | if (! -z "${General::swroot}/forward/config"){ |
| | 160 | &buildrules(\%configfwdfw); |
| | 161 | } |
| | 162 | if (! -z "${General::swroot}/forward/input"){ |
| | 163 | &buildrules(\%configinputfw); |
| | 164 | } |
| | 165 | if (! -z "${General::swroot}/forward/outgoing"){ |
| | 166 | &buildrules(\%configoutgoingfw); |
| | 167 | } |
| | 168 | if (! -z "${General::swroot}/forward/nat"){ |
| | 169 | &buildrules(\%confignatfw); |
| | 170 | } |
| | 171 | } |
| | 172 | sub buildrules |
| | 173 | { |
| | 174 | my $hash=shift; |
| | 175 | my $STAG; |
| | 176 | my $natip; |
| | 177 | my $snatport; |
| | 178 | my $fireport; |
| | 179 | my $nat; |
| | 180 | my $fwaccessdport; |
| | 181 | foreach my $key (sort {$a <=> $b} keys %$hash){ |
| | 182 | next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); |
| | 183 | if ($$hash{$key}[28] eq 'ON'){ |
| | 184 | $command='iptables -t nat -A'; |
| | 185 | $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); |
| | 186 | if($$hash{$key}[31] eq 'dnat'){ |
| | 187 | $nat='DNAT'; |
| | 188 | if ($$hash{$key}[30] =~ /\|/){ |
| | 189 | $$hash{$key}[30]=~ tr/|/,/; |
| | 190 | $fireport='-m multiport --dport '.$$hash{$key}[30]; |
| | 191 | }else{ |
| | 192 | $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); |
| | 193 | } |
| | 194 | }else{ |
| | 195 | $nat='SNAT'; |
| | 196 | } |
| | 197 | } |
| | 198 | $STAG=''; |
| | 199 | if($$hash{$key}[2] eq 'ON'){ |
| | 200 | #get source ip's |
| | 201 | if ($$hash{$key}[3] eq 'cust_grp_src'){ |
| | 202 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| | 203 | if($customgrp{$grp}[0] eq $$hash{$key}[4]){ |
| | 204 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); |
| | 205 | } |
| | 206 | } |
| | 207 | }else{ |
| | 208 | &get_address($$hash{$key}[3],$$hash{$key}[4],"src"); |
| | 209 | } |
| | 210 | #get target ip's |
| | 211 | if ($$hash{$key}[5] eq 'cust_grp_tgt'){ |
| | 212 | foreach my $grp (sort {$a <=> $b} keys %customgrp){ |
| | 213 | if($customgrp{$grp}[0] eq $$hash{$key}[6]){ |
| | 214 | &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); |
| | 215 | } |
| | 216 | } |
| | 217 | }elsif($$hash{$key}[5] eq 'ipfire'){ |
| | 218 | if($$hash{$key}[6] eq 'GREEN'){ |
| | 219 | $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; |
| | 220 | } |
| | 221 | if($$hash{$key}[6] eq 'BLUE'){ |
| | 222 | $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; |
| | 223 | } |
| | 224 | if($$hash{$key}[6] eq 'ORANGE'){ |
| | 225 | $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; |
| | 226 | } |
| | 227 | if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ |
| | 228 | open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; |
| | 229 | $targethash{$key}[0]= <FILE>; |
| | 230 | close(FILE); |
| | 231 | }else{ |
| | 232 | foreach my $alias (sort keys %aliases){ |
| | 233 | if ($$hash{$key}[6] eq $alias){ |
| | 234 | $targethash{$key}[0]=$aliases{$alias}{'IPT'}; |
| | 235 | } |
| | 236 | } |
| | 237 | } |
| | 238 | }else{ |
| | 239 | &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt"); |
| | 240 | } |
| | 241 | ##get source prot and port |
| | 242 | $SRC_TGT='SRC'; |
| | 243 | $SPROT = &get_prot($hash,$key); |
| | 244 | $SPORT = &get_port($hash,$key); |
| | 245 | $SRC_TGT=''; |
| | 246 | |
| | 247 | ##get target prot and port |
| | 248 | $DPROT=&get_prot($hash,$key); |
| | 249 | |
| | 250 | if ($DPROT eq ''){$DPROT=' ';} |
| | 251 | @DPROT=split(",",$DPROT); |
| | 252 | |
| | 253 | #get time if defined |
| | 254 | if($$hash{$key}[18] eq 'ON'){ |
| | 255 | my ($time1,$time2,$daylight); |
| | 256 | my $daylight=$$hash{$key}[28]; |
| | 257 | $time1=&get_time($$hash{$key}[26],$daylight); |
| | 258 | $time2=&get_time($$hash{$key}[27],$daylight); |
| | 259 | if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");} |
| | 260 | if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");} |
| | 261 | if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");} |
| | 262 | if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");} |
| | 263 | if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");} |
| | 264 | if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} |
| | 265 | if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} |
| | 266 | $TIME=join(",",@timeframe); |
| | 267 | |
| | 268 | $TIMEFROM="--timestart $time1 "; |
| | 269 | $TIMETILL="--timestop $time2 "; |
| | 270 | $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; |
| | 271 | } |
| | 272 | if ($MODE eq '1'){ |
| | 273 | print "NR:$key "; |
| | 274 | foreach my $i (0 .. $#{$$hash{$key}}){ |
| | 275 | print "$i: $$hash{$key}[$i] "; |
| | 276 | } |
| | 277 | print "\n"; |
| | 278 | print"##################################\n"; |
| | 279 | #print rules to console |
| | 280 | foreach my $DPROT (@DPROT){ |
| | 281 | $DPORT = &get_port($hash,$key,$DPROT); |
| | 282 | if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} |
| | 283 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); |
| | 284 | foreach my $a (sort keys %sourcehash){ |
| | 285 | foreach my $b (sort keys %targethash){ |
| | 286 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
| | 287 | if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ |
| | 288 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
| | 289 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
| | 290 | my @icmprule= split(",",substr($DPORT, 12,)); |
| | 291 | foreach (@icmprule){ |
| | 292 | if ($$hash{$key}[17] eq 'ON'){ |
| | 293 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; |
| | 294 | } |
| | 295 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; |
| | 296 | } |
| | 297 | }elsif($$hash{$key}[28] ne 'ON'){ |
| | 298 | if ($$hash{$key}[17] eq 'ON'){ |
| | 299 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; |
| | 300 | } |
| | 301 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| | 302 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
| | 303 | if ($$hash{$key}[17] eq 'ON'){ |
| | 304 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; |
| | 305 | } |
| | 306 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| | 307 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; |
| | 308 | $DPORT =~ s/\-/:/g; |
| | 309 | if ($DPORT){ |
| | 310 | $fwaccessdport="--dport ".substr($DPORT,1,); |
| | 311 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ |
| | 312 | if ($$hash{$key}[30]=~m/|/i){ |
| | 313 | $$hash{$key}[30] =~ s/\|/,/g; |
| | 314 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; |
| | 315 | }else{ |
| | 316 | $fwaccessdport="--dport $$hash{$key}[30]"; |
| | 317 | } |
| | 318 | } |
| | 319 | print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
| | 320 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
| | 321 | print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; |
| | 322 | } |
| | 323 | } |
| | 324 | } |
| | 325 | } |
| | 326 | } |
| | 327 | print"\n"; |
| | 328 | } |
| | 329 | }elsif($MODE eq '0'){ |
| | 330 | foreach my $DPROT (@DPROT){ |
| | 331 | $DPORT = &get_port($hash,$key,$DPROT); |
| | 332 | if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} |
| | 333 | $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); |
| | 334 | foreach my $a (sort keys %sourcehash){ |
| | 335 | foreach my $b (sort keys %targethash){ |
| | 336 | if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ |
| | 337 | if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ |
| | 338 | if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} |
| | 339 | if(substr($DPORT, 2, 4) eq 'icmp'){ |
| | 340 | my @icmprule= split(",",substr($DPORT, 12,)); |
| | 341 | foreach (@icmprule){ |
| | 342 | if ($$hash{$key}[17] eq 'ON'){ |
| | 343 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); |
| | 344 | } |
| | 345 | system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); |
| | 346 | } |
| | 347 | }elsif($$hash{$key}[28] ne 'ON'){ |
| | 348 | if ($$hash{$key}[17] eq 'ON'){ |
| | 349 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; |
| | 350 | } |
| | 351 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; |
| | 352 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ |
| | 353 | if ($$hash{$key}[17] eq 'ON'){ |
| | 354 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; |
| | 355 | } |
| | 356 | my ($ip,$sub) =split("/",$targethash{$b}[0]); |
| | 357 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; |
| | 358 | $DPORT =~ s/\-/:/g; |
| | 359 | if ($DPORT){ |
| | 360 | $fwaccessdport="--dport ".substr($DPORT,1,); |
| | 361 | }elsif(! $DPORT && $$hash{$key}[30] ne ''){ |
| | 362 | if ($$hash{$key}[30]=~m/|/i){ |
| | 363 | $$hash{$key}[30] =~ s/\|/,/g; |
| | 364 | $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; |
| | 365 | }else{ |
| | 366 | $fwaccessdport="--dport $$hash{$key}[30]"; |
| | 367 | } |
| | 368 | } |
| | 369 | system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; |
| | 370 | }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ |
| | 371 | if ($$hash{$key}[17] eq 'ON'){ |
| | 372 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; |
| | 373 | } |
| | 374 | system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; |
| | 375 | } |
| | 376 | } |
| | 377 | } |
| | 378 | } |
| | 379 | } |
| | 380 | } |
| | 381 | } |
| | 382 | } |
| | 383 | %sourcehash=(); |
| | 384 | %targethash=(); |
| | 385 | undef $TIME; |
| | 386 | undef $TIMEFROM; |
| | 387 | undef $TIMETILL; |
| | 388 | undef $fireport; |
| | 389 | } |
| | 390 | } |
| | 391 | sub get_nat_ip |
| | 392 | { |
| | 393 | my $val=shift; |
| | 394 | my $type=shift; |
| | 395 | my $result; |
| | 396 | if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ |
| | 397 | $result=$defaultNetworks{$val.'_ADDRESS'}; |
| | 398 | }elsif($val eq 'ALL'){ |
| | 399 | $result='-i '.$con; |
| | 400 | }elsif($val eq 'Default IP' && $type eq 'dnat'){ |
| | 401 | $result='-d '.$redip; |
| | 402 | }elsif($val eq 'Default IP' && $type eq 'snat'){ |
| | 403 | $result=$redip; |
| | 404 | }else{ |
| | 405 | foreach my $al (sort keys %aliases){ |
| | 406 | if($val eq $al && $type eq 'dnat'){ |
| | 407 | $result='-d '.$aliases{$al}{'IPT'}; |
| | 408 | }elsif($val eq $al && $type eq 'snat'){ |
| | 409 | $result=$aliases{$al}{'IPT'}; |
| | 410 | } |
| | 411 | } |
| | 412 | } |
| | 413 | return $result; |
| | 414 | } |
| | 415 | sub get_time |
| | 416 | { |
| | 417 | my $val=shift; |
| | 418 | my $val1=shift; |
| | 419 | my $time; |
| | 420 | my $minutes; |
| | 421 | my $ruletime; |
| | 422 | $minutes = &utcmin($val); |
| | 423 | $ruletime = $minutes + &time_get_utc($val); |
| | 424 | if ($ruletime < 0){$ruletime +=1440;} |
| | 425 | if ($ruletime > 1440){$ruletime -=1440;} |
| | 426 | $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; |
| | 427 | return $time; |
| | 428 | } |
| | 429 | sub time_get_utc |
| | 430 | { |
| | 431 | # Calculates the UTCtime from a given time |
| | 432 | my $val=shift; |
| | 433 | my @localtime=localtime(time); |
| | 434 | my @gmtime=gmtime(time); |
| | 435 | my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); |
| | 436 | return $diff; |
| | 437 | } |
| | 438 | sub utcmin |
| | 439 | { |
| | 440 | my $ruletime=shift; |
| | 441 | my ($hrs,$min) = split(":",$ruletime); |
| | 442 | my $newtime = $hrs*60+$min; |
| | 443 | return $newtime; |
| | 444 | } |
| | 445 | sub p2pblock |
| | 446 | { |
| | 447 | my $P2PSTRING; |
| | 448 | my $DO; |
| | 449 | open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; |
| | 450 | @p2ps = <FILE>; |
| | 451 | close FILE; |
| | 452 | my $CMD = "-m ipp2p"; |
| | 453 | foreach my $p2pentry (sort @p2ps) { |
| | 454 | my @p2pline = split( /\;/, $p2pentry ); |
| | 455 | if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) { |
| | 456 | $DO = "ACCEPT"; |
| | 457 | if ("$p2pline[2]" eq "on") { |
| | 458 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| | 459 | } |
| | 460 | }else { |
| | 461 | $DO = "RETURN"; |
| | 462 | if ("$p2pline[2]" eq "off") { |
| | 463 | $P2PSTRING = "$P2PSTRING --$p2pline[1]"; |
| | 464 | } |
| | 465 | } |
| | 466 | } |
| | 467 | if ($MODE eq 1){ |
| | 468 | if($P2PSTRING){ |
| | 469 | print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; |
| | 470 | } |
| | 471 | }else{ |
| | 472 | if($P2PSTRING){ |
| | 473 | system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); |
| | 474 | } |
| | 475 | } |
| | 476 | } |
| | 477 | sub get_address |
| | 478 | { |
| | 479 | my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey |
| | 480 | my $base2=shift; |
| | 481 | my $type=shift; #src or tgt |
| | 482 | my $hash; |
| | 483 | if ($type eq 'src'){ |
| | 484 | $hash=\%sourcehash; |
| | 485 | }else{ |
| | 486 | $hash=\%targethash; |
| | 487 | } |
| | 488 | my $key = &General::findhasharraykey($hash); |
| | 489 | if($base eq 'src_addr' || $base eq 'tgt_addr' ){ |
| | 490 | if (&General::validmac($base2)){ |
| | 491 | $$hash{$key}[0] = "-m mac --mac-source $base2"; |
| | 492 | }else{ |
| | 493 | $$hash{$key}[0] = $base2; |
| | 494 | } |
| | 495 | }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){ |
| | 496 | $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con); |
| | 497 | }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){ |
| | 498 | $$hash{$key}[0]=&fwlib::get_net_ip($base2); |
| | 499 | }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){ |
| | 500 | $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type); |
| | 501 | }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){ |
| | 502 | $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1); |
| | 503 | }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ |
| | 504 | $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); |
| | 505 | }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ |
| | 506 | $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); |
| | 507 | }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ |
| | 508 | $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); |
| | 509 | } |
| | 510 | } |
| | 511 | sub get_prot |
| | 512 | { |
| | 513 | my $hash=shift; |
| | 514 | my $key=shift; |
| | 515 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ |
| | 516 | if ($$hash{$key}[10] ne ''){ |
| | 517 | return"$$hash{$key}[8]"; |
| | 518 | }elsif($$hash{$key}[9] ne ''){ |
| | 519 | return"$$hash{$key}[8]"; |
| | 520 | }else{ |
| | 521 | return "$$hash{$key}[8]"; |
| | 522 | } |
| | 523 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ |
| | 524 | if ($$hash{$key}[14] eq 'TGT_PORT'){ |
| | 525 | if ($$hash{$key}[15] ne ''){ |
| | 526 | return "$$hash{$key}[12]"; |
| | 527 | }elsif($$hash{$key}[13] ne ''){ |
| | 528 | return "$$hash{$key}[12]"; |
| | 529 | }else{ |
| | 530 | return "$$hash{$key}[12]"; |
| | 531 | } |
| | 532 | }elsif($$hash{$key}[14] eq 'cust_srv'){ |
| | 533 | return &fwlib::get_srv_prot($$hash{$key}[15]); |
| | 534 | |
| | 535 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
| | 536 | return &fwlib::get_srvgrp_prot($$hash{$key}[15]); |
| | 537 | } |
| | 538 | } |
| | 539 | #DNAT |
| | 540 | if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ |
| | 541 | return "$$hash{$key}[12]"; |
| | 542 | } |
| | 543 | } |
| | 544 | sub get_port |
| | 545 | { |
| | 546 | my $hash=shift; |
| | 547 | my $key=shift; |
| | 548 | my $prot=shift; |
| | 549 | if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ |
| | 550 | if ($$hash{$key}[10] ne ''){ |
| | 551 | $$hash{$key}[10] =~ s/\|/,/g; |
| | 552 | if(index($$hash{$key}[10],",") > 0){ |
| | 553 | return "-m multiport --sport $$hash{$key}[10] "; |
| | 554 | }else{ |
| | 555 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ |
| | 556 | return "--sport $$hash{$key}[10] "; |
| | 557 | }else{ |
| | 558 | return ":$$hash{$key}[10]"; |
| | 559 | } |
| | 560 | } |
| | 561 | }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ |
| | 562 | return "--icmp-type $$hash{$key}[9] "; |
| | 563 | }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ |
| | 564 | return; |
| | 565 | } |
| | 566 | }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ |
| | 567 | if($$hash{$key}[14] eq 'TGT_PORT'){ |
| | 568 | if ($$hash{$key}[15] ne ''){ |
| | 569 | $$hash{$key}[15] =~ s/\|/,/g; |
| | 570 | if(index($$hash{$key}[15],",") > 0){ |
| | 571 | return "-m multiport --dport $$hash{$key}[15] "; |
| | 572 | }else{ |
| | 573 | if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ |
| | 574 | return "--dport $$hash{$key}[15] "; |
| | 575 | }else{ |
| | 576 | $$hash{$key}[15] =~ s/\:/-/g; |
| | 577 | return ":$$hash{$key}[15]"; |
| | 578 | } |
| | 579 | } |
| | 580 | }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ |
| | 581 | return "--icmp-type $$hash{$key}[13] "; |
| | 582 | }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ |
| | 583 | return; |
| | 584 | } |
| | 585 | }elsif($$hash{$key}[14] eq 'cust_srv'){ |
| | 586 | if ($prot ne 'ICMP'){ |
| | 587 | if($$hash{$key}[31] eq 'dnat'){ |
| | 588 | return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); |
| | 589 | }else{ |
| | 590 | return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); |
| | 591 | } |
| | 592 | }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ |
| | 593 | return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); |
| | 594 | }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ |
| | 595 | return; |
| | 596 | } |
| | 597 | }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ |
| | 598 | if ($prot ne 'ICMP'){ |
| | 599 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); |
| | 600 | } |
| | 601 | elsif($prot eq 'ICMP'){ |
| | 602 | return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); |
| | 603 | } |
| | 604 | } |
| | 605 | } |
| | 606 | } |
projects / people / teissler / ipfire-2.x.git / blame_incremental