[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012														  #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
#																			  #
# Hi folks! I hope this code is useful for all. I needed something to handle  #
# my VPN Connections in a comfortable way. 				      				  #
# This script builds firewallrules from the webinterface                      #
###############################################################################

use strict;
use Time::Local;
no warnings 'uninitialized';

# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';

my %fwdfwsettings=();
my %defaultNetworks=();
my %configfwdfw=();
my %color=();
my %icmptypes=();
my %ovpnSettings=();
my %customgrp=();
our %sourcehash=();
our %targethash=();
my @timeframe=();
my %configinputfw=();
my %configoutgoingfw=();
my %confignatfw=();
my %aliases=();
my @DPROT=();
my @p2ps=();
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";

my $configfwdfw		= "${General::swroot}/forward/config";
my $configinput	    = "${General::swroot}/forward/input";
my $configoutgoing  = "${General::swroot}/forward/outgoing";
my $p2pfile			= "${General::swroot}/forward/p2protocols";
my $configgrp		= "${General::swroot}/fwhosts/customgroups";
my $netsettings		= "${General::swroot}/ethernet/settings";
my $errormessage='';
my $orange;
my $green;
my $blue;
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN="FORWARDFW";
my $conexists='off';
my $command = 'iptables -A';
my $dnat='';
my $snat='';
&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);

#check if we have an internetconnection
open (CONN,"/var/ipfire/red/iface");
my $con = <CONN>;
close(CONN);
if (-f "/var/ipfire/red/active"){
	$conexists='on';
}
open (CONN1,"/var/ipfire/red/local-ipaddress");
my $redip = <CONN1>;
close(CONN1);
################################
#    DEBUG/TEST                #
################################
my $MODE=1;     # 0 - normal operation
				# 1 - print configline and rules to console	
				# 
################################		
my $param=shift;

if($param eq 'flush'){
	if ($MODE eq '1'){
		print " Flushing chains...\n";
	}
	&flush;
}else{
	if ($MODE eq '1'){
		print " Flushing chains...\n";
	}
	&flush;
	if ($MODE eq '1'){
		print " Preparing rules...\n";
	}
	&preparerules;
	if($MODE eq '0'){
		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
			&p2pblock;
			system ("/usr/sbin/firewall-policy"); 
		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
			&p2pblock;
			system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
			system ("/usr/sbin/firewall-policy");
			system ("/etc/sysconfig/firewall.local reload");
		}
	}
}
sub flush
{
	system ("iptables -F FORWARDFW");
	system ("iptables -F INPUTFW");
	system ("iptables -F OUTGOINGFW");
	system ("iptables -t nat -F NAT_DESTINATION");
	system ("iptables -t nat -F NAT_SOURCE");
}			
sub preparerules
{
	if (! -z  "${General::swroot}/forward/config"){
		&buildrules(\%configfwdfw);
	}
	if (! -z  "${General::swroot}/forward/input"){
		&buildrules(\%configinputfw);
	}
	if (! -z  "${General::swroot}/forward/outgoing"){
		&buildrules(\%configoutgoingfw);
	}
	if (! -z  "${General::swroot}/forward/nat"){
		&buildrules(\%confignatfw);
	}
}
sub buildrules
{
	my $hash=shift;
	my $STAG;
	my $natip;
	my $snatport;
	my $fireport;
	my $nat;
	my $fwaccessdport;
	my $natchain;
	foreach my $key (sort {$a <=> $b} keys %$hash){
		next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
		if ($$hash{$key}[28] eq 'ON'){
			$command='iptables -t nat -A';
			$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
			if($$hash{$key}[31] eq 'dnat'){
				$nat='DNAT';
				if ($$hash{$key}[30] =~ /\|/){
					$$hash{$key}[30]=~ tr/|/,/;
					$fireport='-m multiport --dport '.$$hash{$key}[30];
				}else{
					$fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
				}
			}else{
				$nat='SNAT';
			}
		}
		$STAG='';
		if($$hash{$key}[2] eq 'ON'){
			#get source ip's
			if ($$hash{$key}[3] eq 'cust_grp_src'){
				foreach my $grp (sort {$a <=> $b} keys %customgrp){
						if($customgrp{$grp}[0] eq $$hash{$key}[4]){
						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
					}
				}
			}else{
				&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
			}
			#get target ip's
			if ($$hash{$key}[5] eq 'cust_grp_tgt'){
				foreach my $grp (sort {$a <=> $b} keys %customgrp){
					if($customgrp{$grp}[0] eq $$hash{$key}[6]){
						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
					}
				}
			}elsif($$hash{$key}[5] eq 'ipfire' ){
				if($$hash{$key}[6] eq 'GREEN'){
					$targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
				}
				if($$hash{$key}[6] eq 'BLUE'){
					$targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
				}
				if($$hash{$key}[6] eq 'ORANGE'){
					$targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
				}
				if($$hash{$key}[6] eq 'ALL'){
					$targethash{$key}[0]='0.0.0.0/0';
				}
				if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
					open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
					$targethash{$key}[0]= <FILE>;
					close(FILE);
				}else{
					foreach my $alias (sort keys %aliases){
						if ($$hash{$key}[6] eq $alias){
							$targethash{$key}[0]=$aliases{$alias}{'IPT'};
						}
					}
				}
			}else{
				&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
			}
			##get source prot and port
			$SRC_TGT='SRC';
			$SPROT = &get_prot($hash,$key);
			$SPORT = &get_port($hash,$key);
			$SRC_TGT='';

			##get target prot and port
			$DPROT=&get_prot($hash,$key);

			if ($DPROT eq ''){$DPROT=' ';}				
			@DPROT=split(",",$DPROT);

			#get time if defined
			if($$hash{$key}[18] eq 'ON'){
				my ($time1,$time2,$daylight);
				my $daylight=$$hash{$key}[28];
				$time1=&get_time($$hash{$key}[26],$daylight);
				$time2=&get_time($$hash{$key}[27],$daylight);
				if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
				if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
				if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
				if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
				if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
				if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
				if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
				$TIME=join(",",@timeframe);
				
				$TIMEFROM="--timestart $time1 ";
				$TIMETILL="--timestop $time2 ";
				$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
			}
			if ($MODE eq '1'){	
				print "NR:$key ";
				foreach my $i (0 .. $#{$$hash{$key}}){
					print "$i: $$hash{$key}[$i]  ";
				}
				print "\n";
				print"##################################\n";
				#print rules to console
				foreach my $DPROT (@DPROT){
					$DPORT = &get_port($hash,$key,$DPROT);
					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
					foreach my $a (sort keys %sourcehash){
						foreach my $b (sort keys %targethash){
							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
									if(substr($DPORT, 2, 4) eq 'icmp'){
										my @icmprule= split(",",substr($DPORT, 12,));
										foreach (@icmprule){
											if ($$hash{$key}[17] eq 'ON'){
												print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
											}
											print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
										}
									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
										$natchain='NAT_DESTINATION';
										if ($$hash{$key}[17] eq 'ON'){
											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
										}
										my ($ip,$sub) =split("/",$targethash{$b}[0]);
										print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
										$DPORT =~ s/\-/:/g;
										if ($DPORT){
											$fwaccessdport="--dport ".substr($DPORT,1,);
										}elsif(! $DPORT && $$hash{$key}[30] ne ''){
											if ($$hash{$key}[30]=~m/|/i){
												$$hash{$key}[30] =~ s/\|/,/g;
												$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
											}else{
												$fwaccessdport="--dport $$hash{$key}[30]";
											}
										}
										print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
										next;
									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
										$natchain='NAT_SOURCE';
										print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
									}
									if ($$hash{$key}[17] eq 'ON'){
											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
									}
									print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
								}				
							}
						}
					}
					print"\n";
				}
			}elsif($MODE eq '0'){
				foreach my $DPROT (@DPROT){
					$DPORT = &get_port($hash,$key,$DPROT);
					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
					foreach my $a (sort keys %sourcehash){
						foreach my $b (sort keys %targethash){
							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
									if(substr($DPORT, 2, 4) eq 'icmp'){
										my @icmprule= split(",",substr($DPORT, 12,));
										foreach (@icmprule){
											if ($$hash{$key}[17] eq 'ON'){
												system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
											}
											system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
										}
									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
										$natchain='NAT_DESTINATION';
										if ($$hash{$key}[17] eq 'ON'){
											system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
										}
										my ($ip,$sub) =split("/",$targethash{$b}[0]);
										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
										$DPORT =~ s/\-/:/g;
										if ($DPORT){
											$fwaccessdport="--dport ".substr($DPORT,1,);
										}elsif(! $DPORT && $$hash{$key}[30] ne ''){
											if ($$hash{$key}[30]=~m/|/i){
												$$hash{$key}[30] =~ s/\|/,/g;
												$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
											}else{
												$fwaccessdport="--dport $$hash{$key}[30]";
											}
										}
										system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
										next;
									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
										$natchain='NAT_SOURCE';
										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
									}
									if ($$hash{$key}[17] eq 'ON'){
										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
									}
									system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
								}				
							}
						}
					}
				}
			}
		}
		%sourcehash=();
		%targethash=();
		undef $TIME;
		undef $TIMEFROM;
		undef $TIMETILL;
		undef $fireport;
	}
}
sub get_nat_ip
{
	my $val=shift;
	my $type=shift;
	my $result;
	if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
		$result=$defaultNetworks{$val.'_ADDRESS'};
	}elsif($val eq 'ALL'){
		$result='-i '.$con;
	}elsif($val eq 'Default IP' && $type eq 'dnat'){
		$result='-d '.$redip;
	}elsif($val eq 'Default IP' && $type eq 'snat'){
		$result=$redip;
	}else{
		foreach my $al (sort keys %aliases){
			if($val eq $al && $type eq 'dnat'){
				$result='-d '.$aliases{$al}{'IPT'};
			}elsif($val eq $al && $type eq 'snat'){
				$result=$aliases{$al}{'IPT'};
			}
		}
	}
	return $result;
}
sub get_time
{
	my $val=shift;
	my $val1=shift;
	my $time;
	my $minutes;
	my $ruletime;
	$minutes = &utcmin($val);
	$ruletime = $minutes + &time_get_utc($val);
	if ($ruletime < 0){$ruletime +=1440;}
	if ($ruletime > 1440){$ruletime -=1440;}
	$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
	return $time;
}
sub time_get_utc
{
	# Calculates the UTCtime from a given time
	my $val=shift;
	my @localtime=localtime(time);
	my @gmtime=gmtime(time);
	my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
	return $diff;
}
sub utcmin
{
	my $ruletime=shift;
	my ($hrs,$min) = split(":",$ruletime);
	my $newtime = $hrs*60+$min;
	return $newtime;
}
sub p2pblock
{
	my $P2PSTRING;
	my $DO;
	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
	@p2ps = <FILE>;
	close FILE;
	my $CMD = "-m ipp2p";
	foreach my $p2pentry (sort @p2ps) {
		my @p2pline = split( /\;/, $p2pentry );
		if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
			$DO = "ACCEPT";
			if ("$p2pline[2]" eq "on") {
				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
			}
		}else {
			$DO = "RETURN";
			if ("$p2pline[2]" eq "off") {
				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
			}
		}
	}
	if ($MODE eq 1){
		if($P2PSTRING){
			print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
		}
	}else{
		if($P2PSTRING){
			system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
		}
	}
}
sub get_address
{
	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
	my $base2=shift;
	my $type=shift; #src or tgt
	my $hash;
	if ($type eq 'src'){
		$hash=\%sourcehash;	
	}else{
		$hash=\%targethash;
	}
	my $key = &General::findhasharraykey($hash);
	if($base eq 'src_addr' || $base eq 'tgt_addr' ){
		if (&General::validmac($base2)){
			$$hash{$key}[0] = "-m mac --mac-source $base2";
		}else{
			$$hash{$key}[0] = $base2;
		}
	}elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
		$$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
	}elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
		$$hash{$key}[0]=&fwlib::get_net_ip($base2);
	}elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
		$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
	}elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
		$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
	}elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
		$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
	}elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
		$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
	}elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
		$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
	}elsif($base eq 'ipfire_src' ){
		if($base2 eq 'GREEN'){
			$$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
		}
		if($base2 eq 'BLUE'){
			$$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
		}
		if($base2 eq 'ORANGE'){
			$$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
		}
		if($base2 eq 'ALL'){
			$$hash{$key}[0]='0.0.0.0/0';
		}
		if($base2 eq 'RED' || $base2 eq 'RED1'){
			open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
			$$hash{$key}[0]= <FILE>;
			close(FILE);
		}else{
			foreach my $alias (sort keys %aliases){
				if ($base2 eq $alias){
					$$hash{$key}[0]=$aliases{$alias}{'IPT'};
				}
			}
		}
	}
}
sub get_prot
{
	my $hash=shift;
	my $key=shift;
	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
		if ($$hash{$key}[10] ne ''){
			return"$$hash{$key}[8]";
		}elsif($$hash{$key}[9] ne ''){
			return"$$hash{$key}[8]";
		}else{
			return "$$hash{$key}[8]";
		}
	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
		if ($$hash{$key}[14] eq 'TGT_PORT'){
			if ($$hash{$key}[15] ne ''){
				return "$$hash{$key}[12]";
			}elsif($$hash{$key}[13] ne ''){
				return "$$hash{$key}[12]";
			}else{
				return "$$hash{$key}[12]";
			}
		}elsif($$hash{$key}[14] eq 'cust_srv'){
			return &fwlib::get_srv_prot($$hash{$key}[15]);
			
		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
			return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
		}
	}
	#DNAT
	if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
		return "$$hash{$key}[12]";
	}
}
sub get_port
{
	my $hash=shift;
	my $key=shift;
	my $prot=shift;
	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
		if ($$hash{$key}[10] ne ''){
			$$hash{$key}[10] =~ s/\|/,/g;
			if(index($$hash{$key}[10],",") > 0){
				return "-m multiport --sport $$hash{$key}[10] ";
			}else{
				if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat')  ){
					return "--sport $$hash{$key}[10] ";
				}else{
					return ":$$hash{$key}[10]";
				}
			}
		}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
			return "--icmp-type $$hash{$key}[9] ";
		}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
			return;
		}
	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
		if($$hash{$key}[14] eq 'TGT_PORT'){
			if ($$hash{$key}[15] ne ''){
				$$hash{$key}[15] =~ s/\|/,/g;
				if(index($$hash{$key}[15],",") > 0){
					return "-m multiport --dport $$hash{$key}[15] ";
				}else{
					if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
						return "--dport $$hash{$key}[15] ";
					 }else{
						 $$hash{$key}[15] =~ s/\:/-/g;
						return ":$$hash{$key}[15]";
					 }
				}
			}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
				return "--icmp-type $$hash{$key}[13] ";
			}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
				return;
			}
		}elsif($$hash{$key}[14] eq 'cust_srv'){
			if ($prot ne 'ICMP'){
				if($$hash{$key}[31] eq 'dnat'){
					return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
				}else{
					return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
				}
			}elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
				return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
			}elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
				return;
			}
		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
			if 	($prot ne 'ICMP'){
				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
			}
			elsif($prot eq 'ICMP'){
				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
			}
		}
	}
}
Commit	Line	Data
	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21	# #
	22	# Hi folks! I hope this code is useful for all. I needed something to handle #
	23	# my VPN Connections in a comfortable way. #
	24	# This script builds firewallrules from the webinterface #
	25	###############################################################################
	26
	27	use strict;
	28	use Time::Local;
	29	no warnings 'uninitialized';
	30
	31	# enable only the following on debugging purpose
	32	#use warnings;
	33	#use CGI::Carp 'fatalsToBrowser';
	34
	35	my %fwdfwsettings=();
	36	my %defaultNetworks=();
	37	my %configfwdfw=();
	38	my %color=();
	39	my %icmptypes=();
	40	my %ovpnSettings=();
	41	my %customgrp=();
	42	our %sourcehash=();
	43	our %targethash=();
	44	my @timeframe=();
	45	my %configinputfw=();
	46	my %configoutgoingfw=();
	47	my %confignatfw=();
	48	my %aliases=();
	49	my @DPROT=();
	50	my @p2ps=();
	51	require '/var/ipfire/general-functions.pl';
	52	require "${General::swroot}/lang.pl";
	53	require "${General::swroot}/forward/bin/firewall-lib.pl";
	54
	55	my $configfwdfw = "${General::swroot}/forward/config";
	56	my $configinput = "${General::swroot}/forward/input";
	57	my $configoutgoing = "${General::swroot}/forward/outgoing";
	58	my $p2pfile = "${General::swroot}/forward/p2protocols";
	59	my $configgrp = "${General::swroot}/fwhosts/customgroups";
	60	my $netsettings = "${General::swroot}/ethernet/settings";
	61	my $errormessage='';
	62	my $orange;
	63	my $green;
	64	my $blue;
	65	my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
	66	my $CHAIN="FORWARDFW";
	67	my $conexists='off';
	68	my $command = 'iptables -A';
	69	my $dnat='';
	70	my $snat='';
	71	&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
	72	&General::readhash("$netsettings", \%defaultNetworks);
	73	&General::readhasharray($configfwdfw, \%configfwdfw);
	74	&General::readhasharray($configinput, \%configinputfw);
	75	&General::readhasharray($configoutgoing, \%configoutgoingfw);
	76	&General::readhasharray($configgrp, \%customgrp);
	77	&General::get_aliases(\%aliases);
	78
	79	#check if we have an internetconnection
	80	open (CONN,"/var/ipfire/red/iface");
	81	my $con = <CONN>;
	82	close(CONN);
	83	if (-f "/var/ipfire/red/active"){
	84	$conexists='on';
	85	}
	86	open (CONN1,"/var/ipfire/red/local-ipaddress");
	87	my $redip = <CONN1>;
	88	close(CONN1);
	89	################################
	90	# DEBUG/TEST #
	91	################################
	92	my $MODE=1; # 0 - normal operation
	93	# 1 - print configline and rules to console
	94	#
	95	################################
	96	my $param=shift;
	97
	98	if($param eq 'flush'){
	99	if ($MODE eq '1'){
	100	print " Flushing chains...\n";
	101	}
	102	&flush;
	103	}else{
	104	if ($MODE eq '1'){
	105	print " Flushing chains...\n";
	106	}
	107	&flush;
	108	if ($MODE eq '1'){
	109	print " Preparing rules...\n";
	110	}
	111	&preparerules;
	112	if($MODE eq '0'){
	113	if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
	114	&p2pblock;
	115	system ("/usr/sbin/firewall-policy");
	116	}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
	117	&p2pblock;
	118	system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
	119	system ("/usr/sbin/firewall-policy");
	120	system ("/etc/sysconfig/firewall.local reload");
	121	}
	122	}
	123	}
	124	sub flush
	125	{
	126	system ("iptables -F FORWARDFW");
	127	system ("iptables -F INPUTFW");
	128	system ("iptables -F OUTGOINGFW");
	129	system ("iptables -t nat -F NAT_DESTINATION");
	130	system ("iptables -t nat -F NAT_SOURCE");
	131	}
	132	sub preparerules
	133	{
	134	if (! -z "${General::swroot}/forward/config"){
	135	&buildrules(\%configfwdfw);
	136	}
	137	if (! -z "${General::swroot}/forward/input"){
	138	&buildrules(\%configinputfw);
	139	}
	140	if (! -z "${General::swroot}/forward/outgoing"){
	141	&buildrules(\%configoutgoingfw);
	142	}
	143	if (! -z "${General::swroot}/forward/nat"){
	144	&buildrules(\%confignatfw);
	145	}
	146	}
	147	sub buildrules
	148	{
	149	my $hash=shift;
	150	my $STAG;
	151	my $natip;
	152	my $snatport;
	153	my $fireport;
	154	my $nat;
	155	my $fwaccessdport;
	156	my $natchain;
	157	foreach my $key (sort {$a <=> $b} keys %$hash){
	158	next if (($$hash{$key}[6] eq 'RED' \|\| $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
	159	if ($$hash{$key}[28] eq 'ON'){
	160	$command='iptables -t nat -A';
	161	$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
	162	if($$hash{$key}[31] eq 'dnat'){
	163	$nat='DNAT';
	164	if ($$hash{$key}[30] =~ /\\|/){
	165	$$hash{$key}[30]=~ tr/\|/,/;
	166	$fireport='-m multiport --dport '.$$hash{$key}[30];
	167	}else{
	168	$fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
	169	}
	170	}else{
	171	$nat='SNAT';
	172	}
	173	}
	174	$STAG='';
	175	if($$hash{$key}[2] eq 'ON'){
	176	#get source ip's
	177	if ($$hash{$key}[3] eq 'cust_grp_src'){
	178	foreach my $grp (sort {$a <=> $b} keys %customgrp){
	179	if($customgrp{$grp}[0] eq $$hash{$key}[4]){
	180	&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
	181	}
	182	}
	183	}else{
	184	&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
	185	}
	186	#get target ip's
	187	if ($$hash{$key}[5] eq 'cust_grp_tgt'){
	188	foreach my $grp (sort {$a <=> $b} keys %customgrp){
	189	if($customgrp{$grp}[0] eq $$hash{$key}[6]){
	190	&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
	191	}
	192	}
	193	}elsif($$hash{$key}[5] eq 'ipfire' ){
	194	if($$hash{$key}[6] eq 'GREEN'){
	195	$targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
	196	}
	197	if($$hash{$key}[6] eq 'BLUE'){
	198	$targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
	199	}
	200	if($$hash{$key}[6] eq 'ORANGE'){
	201	$targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
	202	}
	203	if($$hash{$key}[6] eq 'ALL'){
	204	$targethash{$key}[0]='0.0.0.0/0';
	205	}
	206	if($$hash{$key}[6] eq 'RED' \|\| $$hash{$key}[6] eq 'RED1'){
	207	open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
	208	$targethash{$key}[0]= <FILE>;
	209	close(FILE);
	210	}else{
	211	foreach my $alias (sort keys %aliases){
	212	if ($$hash{$key}[6] eq $alias){
	213	$targethash{$key}[0]=$aliases{$alias}{'IPT'};
	214	}
	215	}
	216	}
	217	}else{
	218	&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
	219	}
	220	##get source prot and port
	221	$SRC_TGT='SRC';
	222	$SPROT = &get_prot($hash,$key);
	223	$SPORT = &get_port($hash,$key);
	224	$SRC_TGT='';
	225
	226	##get target prot and port
	227	$DPROT=&get_prot($hash,$key);
	228
	229	if ($DPROT eq ''){$DPROT=' ';}
	230	@DPROT=split(",",$DPROT);
	231
	232	#get time if defined
	233	if($$hash{$key}[18] eq 'ON'){
	234	my ($time1,$time2,$daylight);
	235	my $daylight=$$hash{$key}[28];
	236	$time1=&get_time($$hash{$key}[26],$daylight);
	237	$time2=&get_time($$hash{$key}[27],$daylight);
	238	if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
	239	if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
	240	if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
	241	if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
	242	if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
	243	if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
	244	if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
	245	$TIME=join(",",@timeframe);
	246
	247	$TIMEFROM="--timestart $time1 ";
	248	$TIMETILL="--timestop $time2 ";
	249	$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
	250	}
	251	if ($MODE eq '1'){
	252	print "NR:$key ";
	253	foreach my $i (0 .. $#{$$hash{$key}}){
	254	print "$i: $$hash{$key}[$i] ";
	255	}
	256	print "\n";
	257	print"##################################\n";
	258	#print rules to console
	259	foreach my $DPROT (@DPROT){
	260	$DPORT = &get_port($hash,$key,$DPROT);
	261	if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
	262	$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
	263	foreach my $a (sort keys %sourcehash){
	264	foreach my $b (sort keys %targethash){
	265	if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \|\| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
	266	if($SPROT eq '' \|\| $SPROT eq $DPROT \|\| $DPROT eq ' '){
	267	if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
	268	if(substr($DPORT, 2, 4) eq 'icmp'){
	269	my @icmprule= split(",",substr($DPORT, 12,));
	270	foreach (@icmprule){
	271	if ($$hash{$key}[17] eq 'ON'){
	272	print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
	273	}
	274	print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
	275	}
	276	}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
	277	$natchain='NAT_DESTINATION';
	278	if ($$hash{$key}[17] eq 'ON'){
	279	print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
	280	}
	281	my ($ip,$sub) =split("/",$targethash{$b}[0]);
	282	print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
	283	$DPORT =~ s/\-/:/g;
	284	if ($DPORT){
	285	$fwaccessdport="--dport ".substr($DPORT,1,);
	286	}elsif(! $DPORT && $$hash{$key}[30] ne ''){
	287	if ($$hash{$key}[30]=~m/\|/i){
	288	$$hash{$key}[30] =~ s/\\|/,/g;
	289	$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
	290	}else{
	291	$fwaccessdport="--dport $$hash{$key}[30]";
	292	}
	293	}
	294	print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
	295	next;
	296	}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
	297	$natchain='NAT_SOURCE';
	298	print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
	299	}
	300	if ($$hash{$key}[17] eq 'ON'){
	301	print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
	302	}
	303	print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
	304	}
	305	}
	306	}
	307	}
	308	print"\n";
	309	}
	310	}elsif($MODE eq '0'){
	311	foreach my $DPROT (@DPROT){
	312	$DPORT = &get_port($hash,$key,$DPROT);
	313	if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
	314	$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
	315	foreach my $a (sort keys %sourcehash){
	316	foreach my $b (sort keys %targethash){
	317	if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \|\| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
	318	if($SPROT eq '' \|\| $SPROT eq $DPROT \|\| $DPROT eq ' '){
	319	if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
	320	if(substr($DPORT, 2, 4) eq 'icmp'){
	321	my @icmprule= split(",",substr($DPORT, 12,));
	322	foreach (@icmprule){
	323	if ($$hash{$key}[17] eq 'ON'){
	324	system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
	325	}
	326	system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
	327	}
	328	}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
	329	$natchain='NAT_DESTINATION';
	330	if ($$hash{$key}[17] eq 'ON'){
	331	system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
	332	}
	333	my ($ip,$sub) =split("/",$targethash{$b}[0]);
	334	system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
	335	$DPORT =~ s/\-/:/g;
	336	if ($DPORT){
	337	$fwaccessdport="--dport ".substr($DPORT,1,);
	338	}elsif(! $DPORT && $$hash{$key}[30] ne ''){
	339	if ($$hash{$key}[30]=~m/\|/i){
	340	$$hash{$key}[30] =~ s/\\|/,/g;
	341	$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
	342	}else{
	343	$fwaccessdport="--dport $$hash{$key}[30]";
	344	}
	345	}
	346	system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
	347	next;
	348	}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
	349	$natchain='NAT_SOURCE';
	350	system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
	351	}
	352	if ($$hash{$key}[17] eq 'ON'){
	353	system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
	354	}
	355	system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
	356	}
	357	}
	358	}
	359	}
	360	}
	361	}
	362	}
	363	%sourcehash=();
	364	%targethash=();
	365	undef $TIME;
	366	undef $TIMEFROM;
	367	undef $TIMETILL;
	368	undef $fireport;
	369	}
	370	}
	371	sub get_nat_ip
	372	{
	373	my $val=shift;
	374	my $type=shift;
	375	my $result;
	376	if($val eq 'RED' \|\| $val eq 'GREEN' \|\| $val eq 'ORANGE' \|\| $val eq 'BLUE'){
	377	$result=$defaultNetworks{$val.'_ADDRESS'};
	378	}elsif($val eq 'ALL'){
	379	$result='-i '.$con;
	380	}elsif($val eq 'Default IP' && $type eq 'dnat'){
	381	$result='-d '.$redip;
	382	}elsif($val eq 'Default IP' && $type eq 'snat'){
	383	$result=$redip;
	384	}else{
	385	foreach my $al (sort keys %aliases){
	386	if($val eq $al && $type eq 'dnat'){
	387	$result='-d '.$aliases{$al}{'IPT'};
	388	}elsif($val eq $al && $type eq 'snat'){
	389	$result=$aliases{$al}{'IPT'};
	390	}
	391	}
	392	}
	393	return $result;
	394	}
	395	sub get_time
	396	{
	397	my $val=shift;
	398	my $val1=shift;
	399	my $time;
	400	my $minutes;
	401	my $ruletime;
	402	$minutes = &utcmin($val);
	403	$ruletime = $minutes + &time_get_utc($val);
	404	if ($ruletime < 0){$ruletime +=1440;}
	405	if ($ruletime > 1440){$ruletime -=1440;}
	406	$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
	407	return $time;
	408	}
	409	sub time_get_utc
	410	{
	411	# Calculates the UTCtime from a given time
	412	my $val=shift;
	413	my @localtime=localtime(time);
	414	my @gmtime=gmtime(time);
	415	my $diff = ($gmtime[2]60+$gmtime[1]%60)-($localtime[2]60+$localtime[1]%60);
	416	return $diff;
	417	}
	418	sub utcmin
	419	{
	420	my $ruletime=shift;
	421	my ($hrs,$min) = split(":",$ruletime);
	422	my $newtime = $hrs*60+$min;
	423	return $newtime;
	424	}
	425	sub p2pblock
	426	{
	427	my $P2PSTRING;
	428	my $DO;
	429	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
	430	@p2ps = <FILE>;
	431	close FILE;
	432	my $CMD = "-m ipp2p";
	433	foreach my $p2pentry (sort @p2ps) {
	434	my @p2pline = split( /\;/, $p2pentry );
	435	if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
	436	$DO = "ACCEPT";
	437	if ("$p2pline[2]" eq "on") {
	438	$P2PSTRING = "$P2PSTRING --$p2pline[1]";
	439	}
	440	}else {
	441	$DO = "RETURN";
	442	if ("$p2pline[2]" eq "off") {
	443	$P2PSTRING = "$P2PSTRING --$p2pline[1]";
	444	}
	445	}
	446	}
	447	if ($MODE eq 1){
	448	if($P2PSTRING){
	449	print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
	450	}
	451	}else{
	452	if($P2PSTRING){
	453	system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
	454	}
	455	}
	456	}
	457	sub get_address
	458	{
	459	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
	460	my $base2=shift;
	461	my $type=shift; #src or tgt
	462	my $hash;
	463	if ($type eq 'src'){
	464	$hash=\%sourcehash;
	465	}else{
	466	$hash=\%targethash;
	467	}
	468	my $key = &General::findhasharraykey($hash);
	469	if($base eq 'src_addr' \|\| $base eq 'tgt_addr' ){
	470	if (&General::validmac($base2)){
	471	$$hash{$key}[0] = "-m mac --mac-source $base2";
	472	}else{
	473	$$hash{$key}[0] = $base2;
	474	}
	475	}elsif($base eq 'std_net_src' \|\| $base eq 'std_net_tgt' \|\| $base eq 'Standard Network'){
	476	$$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
	477	}elsif($base eq 'cust_net_src' \|\| $base eq 'cust_net_tgt' \|\| $base eq 'Custom Network'){
	478	$$hash{$key}[0]=&fwlib::get_net_ip($base2);
	479	}elsif($base eq 'cust_host_src' \|\| $base eq 'cust_host_tgt' \|\| $base eq 'Custom Host'){
	480	$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
	481	}elsif($base eq 'ovpn_net_src' \|\| $base eq 'ovpn_net_tgt' \|\| $base eq 'OpenVPN static network'){
	482	$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
	483	}elsif($base eq 'ovpn_host_src' \|\|$base eq 'ovpn_host_tgt' \|\| $base eq 'OpenVPN static host'){
	484	$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
	485	}elsif($base eq 'ovpn_n2n_src' \|\|$base eq 'ovpn_n2n_tgt' \|\| $base eq 'OpenVPN N-2-N'){
	486	$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
	487	}elsif($base eq 'ipsec_net_src' \|\| $base eq 'ipsec_net_tgt' \|\| $base eq 'IpSec Network'){
	488	$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
	489	}elsif($base eq 'ipfire_src' ){
	490	if($base2 eq 'GREEN'){
	491	$$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
	492	}
	493	if($base2 eq 'BLUE'){
	494	$$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
	495	}
	496	if($base2 eq 'ORANGE'){
	497	$$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
	498	}
	499	if($base2 eq 'ALL'){
	500	$$hash{$key}[0]='0.0.0.0/0';
	501	}
	502	if($base2 eq 'RED' \|\| $base2 eq 'RED1'){
	503	open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
	504	$$hash{$key}[0]= <FILE>;
	505	close(FILE);
	506	}else{
	507	foreach my $alias (sort keys %aliases){
	508	if ($base2 eq $alias){
	509	$$hash{$key}[0]=$aliases{$alias}{'IPT'};
	510	}
	511	}
	512	}
	513	}
	514	}
	515	sub get_prot
	516	{
	517	my $hash=shift;
	518	my $key=shift;
	519	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
	520	if ($$hash{$key}[10] ne ''){
	521	return"$$hash{$key}[8]";
	522	}elsif($$hash{$key}[9] ne ''){
	523	return"$$hash{$key}[8]";
	524	}else{
	525	return "$$hash{$key}[8]";
	526	}
	527	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
	528	if ($$hash{$key}[14] eq 'TGT_PORT'){
	529	if ($$hash{$key}[15] ne ''){
	530	return "$$hash{$key}[12]";
	531	}elsif($$hash{$key}[13] ne ''){
	532	return "$$hash{$key}[12]";
	533	}else{
	534	return "$$hash{$key}[12]";
	535	}
	536	}elsif($$hash{$key}[14] eq 'cust_srv'){
	537	return &fwlib::get_srv_prot($$hash{$key}[15]);
	538
	539	}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
	540	return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
	541	}
	542	}
	543	#DNAT
	544	if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
	545	return "$$hash{$key}[12]";
	546	}
	547	}
	548	sub get_port
	549	{
	550	my $hash=shift;
	551	my $key=shift;
	552	my $prot=shift;
	553	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
	554	if ($$hash{$key}[10] ne ''){
	555	$$hash{$key}[10] =~ s/\\|/,/g;
	556	if(index($$hash{$key}[10],",") > 0){
	557	return "-m multiport --sport $$hash{$key}[10] ";
	558	}else{
	559	if($$hash{$key}[28] ne 'ON' \|\| ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') \|\|($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
	560	return "--sport $$hash{$key}[10] ";
	561	}else{
	562	return ":$$hash{$key}[10]";
	563	}
	564	}
	565	}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
	566	return "--icmp-type $$hash{$key}[9] ";
	567	}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
	568	return;
	569	}
	570	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
	571	if($$hash{$key}[14] eq 'TGT_PORT'){
	572	if ($$hash{$key}[15] ne ''){
	573	$$hash{$key}[15] =~ s/\\|/,/g;
	574	if(index($$hash{$key}[15],",") > 0){
	575	return "-m multiport --dport $$hash{$key}[15] ";
	576	}else{
	577	if($$hash{$key}[28] ne 'ON' \|\| ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
	578	return "--dport $$hash{$key}[15] ";
	579	}else{
	580	$$hash{$key}[15] =~ s/\:/-/g;
	581	return ":$$hash{$key}[15]";
	582	}
	583	}
	584	}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
	585	return "--icmp-type $$hash{$key}[13] ";
	586	}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
	587	return;
	588	}
	589	}elsif($$hash{$key}[14] eq 'cust_srv'){
	590	if ($prot ne 'ICMP'){
	591	if($$hash{$key}[31] eq 'dnat'){
	592	return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
	593	}else{
	594	return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
	595	}
	596	}elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
	597	return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
	598	}elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
	599	return;
	600	}
	601	}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
	602	if ($prot ne 'ICMP'){
	603	return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
	604	}
	605	elsif($prot eq 'ICMP'){
	606	return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
	607	}
	608	}
	609	}
	610	}