firewall: rules.pl: Remove totally bloated debug mode.
[people/teissler/ipfire-2.x.git] / config / firewall / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Time::Local;
24 no warnings 'uninitialized';
25
26 # enable only the following on debugging purpose
27 #use warnings;
28 #use CGI::Carp 'fatalsToBrowser';
29
30 my %fwdfwsettings=();
31 my %defaultNetworks=();
32 my %configfwdfw=();
33 my %color=();
34 my %icmptypes=();
35 my %ovpnSettings=();
36 my %customgrp=();
37 our %sourcehash=();
38 our %targethash=();
39 my @timeframe=();
40 my %configinputfw=();
41 my %configoutgoingfw=();
42 my %confignatfw=();
43 my %aliases=();
44 my @DPROT=();
45 my @p2ps=();
46 require '/var/ipfire/general-functions.pl';
47 require "${General::swroot}/lang.pl";
48 require "/usr/lib/firewall/firewall-lib.pl";
49
50 my $configfwdfw = "${General::swroot}/firewall/config";
51 my $configinput = "${General::swroot}/firewall/input";
52 my $configoutgoing = "${General::swroot}/firewall/outgoing";
53 my $p2pfile = "${General::swroot}/firewall/p2protocols";
54 my $configgrp = "${General::swroot}/fwhosts/customgroups";
55 my $netsettings = "${General::swroot}/ethernet/settings";
56 my $errormessage = '';
57 my $orange = '';
58 my $green = '';
59 my $blue = '';
60 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
61 my $CHAIN = "FORWARDFW";
62 my $conexists = 'off';
63 my $command = 'iptables --wait -A';
64 my $dnat ='';
65 my $snat ='';
66
67 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
68 &General::readhash("$netsettings", \%defaultNetworks);
69 &General::readhasharray($configfwdfw, \%configfwdfw);
70 &General::readhasharray($configinput, \%configinputfw);
71 &General::readhasharray($configoutgoing, \%configoutgoingfw);
72 &General::readhasharray($configgrp, \%customgrp);
73 &General::get_aliases(\%aliases);
74
75 #check if we have an internetconnection
76 open (CONN,"/var/ipfire/red/iface");
77 my $con = <CONN>;
78 close(CONN);
79 if (-f "/var/ipfire/red/active"){
80 $conexists='on';
81 }
82 open (CONN1,"/var/ipfire/red/local-ipaddress");
83 my $redip = <CONN1>;
84 close(CONN1);
85 #################
86 # DEBUG/TEST #
87 #################
88 my $MODE=0; # 0 - normal operation
89 # 1 - print configline and rules to console
90 #
91 #################
92 my $param=shift;
93
94 if($param eq 'flush'){
95 if ($MODE eq '1'){
96 print " Flushing chains...\n";
97 }
98 &flush;
99 }else{
100 if ($MODE eq '1'){
101 print " Flushing chains...\n";
102 }
103 &flush;
104 if ($MODE eq '1'){
105 print " Preparing rules...\n";
106 }
107 &preparerules;
108 if($MODE eq '0'){
109 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
110 &p2pblock;
111 system ("/usr/sbin/firewall-policy");
112 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
113 &p2pblock;
114 system ("/usr/sbin/firewall-policy");
115 }
116 }
117 }
118 sub flush
119 {
120 system ("iptables --wait -F FORWARDFW");
121 system ("iptables --wait -F INPUTFW");
122 system ("iptables --wait -F OUTGOINGFW");
123 system ("iptables --wait -t nat -F NAT_DESTINATION");
124 system ("iptables --wait -t nat -F NAT_SOURCE");
125 }
126 sub preparerules
127 {
128 if (! -z "${General::swroot}/firewall/config"){
129 &buildrules(\%configfwdfw);
130 }
131 if (! -z "${General::swroot}/firewall/input"){
132 &buildrules(\%configinputfw);
133 }
134 if (! -z "${General::swroot}/firewall/outgoing"){
135 &buildrules(\%configoutgoingfw);
136 }
137 }
138 sub buildrules
139 {
140 my $hash=shift;
141 my $STAG;
142 my $natip;
143 my $snatport;
144 my $fireport;
145 my $nat;
146 my $fwaccessdport;
147 my $natchain;
148 my $icmptype;
149 foreach my $key (sort {$a <=> $b} keys %$hash){
150 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
151 $command="iptables --wait -A";
152 if ($$hash{$key}[28] eq 'ON'){
153 $command='iptables --wait -t nat -A';
154 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
155 if($$hash{$key}[31] eq 'dnat'){
156 $nat='DNAT';
157 if ($$hash{$key}[30] =~ /\|/){
158 $$hash{$key}[30]=~ tr/|/,/;
159 $fireport='-m multiport --dport '.$$hash{$key}[30];
160 }else{
161 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
162 }
163 }else{
164 $nat='SNAT';
165 }
166 }
167 $STAG='';
168 if($$hash{$key}[2] eq 'ON'){
169 #get source ip's
170 if ($$hash{$key}[3] eq 'cust_grp_src'){
171 foreach my $grp (sort {$a <=> $b} keys %customgrp){
172 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
173 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
174 }
175 }
176 }else{
177 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
178 }
179 #get target ip's
180 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
181 foreach my $grp (sort {$a <=> $b} keys %customgrp){
182 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
183 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
184 }
185 }
186 }elsif($$hash{$key}[5] eq 'ipfire' ){
187 if($$hash{$key}[6] eq 'GREEN'){
188 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
189 }
190 if($$hash{$key}[6] eq 'BLUE'){
191 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
192 }
193 if($$hash{$key}[6] eq 'ORANGE'){
194 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
195 }
196 if($$hash{$key}[6] eq 'ALL'){
197 $targethash{$key}[0]='0.0.0.0/0';
198 }
199 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
200 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
201 $targethash{$key}[0]= <FILE>;
202 close(FILE);
203 }else{
204 foreach my $alias (sort keys %aliases){
205 if ($$hash{$key}[6] eq $alias){
206 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
207 }
208 }
209 }
210 }else{
211 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
212 }
213 ##get source prot and port
214 $SRC_TGT='SRC';
215 $SPORT = &get_port($hash,$key);
216 $SRC_TGT='';
217
218 ##get target prot and port
219 $DPROT=&get_prot($hash,$key);
220
221 if ($DPROT eq ''){$DPROT=' ';}
222 @DPROT=split(",",$DPROT);
223
224 #get time if defined
225 if($$hash{$key}[18] eq 'ON'){
226 my ($time1,$time2,$daylight);
227 my $daylight=$$hash{$key}[28];
228 $time1=&get_time($$hash{$key}[26],$daylight);
229 $time2=&get_time($$hash{$key}[27],$daylight);
230 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
231 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
232 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
233 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
234 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
235 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
236 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
237 $TIME=join(",",@timeframe);
238
239 $TIMEFROM="--timestart $time1 ";
240 $TIMETILL="--timestop $time2 ";
241 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
242 }
243 foreach my $DPROT (@DPROT){
244 $DPORT = &get_port($hash,$key,$DPROT);
245 $PROT=$DPROT;
246 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
247 if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
248 $DPORT='';
249 }
250 foreach my $a (sort keys %sourcehash){
251 foreach my $b (sort keys %targethash){
252 if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
253 #Skip rules when no RED IP is set (DHCP,DSL)
254 next;
255 }
256 next if ($targethash{$b}[0] eq 'none');
257 $STAG='';
258 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
259 if($DPROT ne ''){
260 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
261 #Process ICMP RULE
262 if(substr($DPORT, 2, 4) eq 'icmp'){
263 my @icmprule= split(",",substr($DPORT, 12,));
264 foreach (@icmprule){
265 $icmptype="--icmp-type ";
266 if ($_ eq "BLANK") {
267 $icmptype="";
268 $_="";
269 }
270 if ($$hash{$key}[17] eq 'ON'){
271 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
272 }
273 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
274 }
275 #PROCESS DNAT RULE (Portforward)
276 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
277 $natchain='NAT_DESTINATION';
278 if ($$hash{$key}[17] eq 'ON'){
279 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
280 }
281 my ($ip,$sub) =split("/",$targethash{$b}[0]);
282 #Process NAT with servicegroup used
283 if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
284 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n";
285 $fwaccessdport=$DPORT;
286 }else{
287 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n";
288 $DPORT =~ s/\-/:/g;
289 if ($DPORT){
290 $fwaccessdport="--dport ".substr($DPORT,1,);
291 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
292 if ($$hash{$key}[30]=~m/|/i){
293 $$hash{$key}[30] =~ s/\|/,/g;
294 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
295 }else{
296 $fwaccessdport="--dport $$hash{$key}[30]";
297 }
298 }
299 }
300 system "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
301 next;
302 #PROCESS SNAT RULE
303 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
304 $natchain='NAT_SOURCE';
305 if ($$hash{$key}[17] eq 'ON' ){
306 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
307 }
308 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n";
309 }
310 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
311 if ($PROT ne '-p ICMP'){
312 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
313 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
314 }
315 system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
316 }
317 #PROCESS Prot ICMP and type = All ICMP-Types
318 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
319 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
320 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
321 }
322 system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
323 }
324 }
325 }
326 }
327 }
328 }
329 }
330 %sourcehash=();
331 %targethash=();
332 undef $TIME;
333 undef $TIMEFROM;
334 undef $TIMETILL;
335 undef $fireport;
336 }
337 }
338 sub get_nat_ip
339 {
340 my $val=shift;
341 my $type=shift;
342 my $result;
343 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
344 $result=$defaultNetworks{$val.'_ADDRESS'};
345 }elsif($val eq 'ALL'){
346 $result='-i '.$con;
347 }elsif($val eq 'Default IP' && $type eq 'dnat'){
348 $result='-d '.$redip;
349 }elsif($val eq 'Default IP' && $type eq 'snat'){
350 $result=$redip;
351 }else{
352 foreach my $al (sort keys %aliases){
353 if($val eq $al && $type eq 'dnat'){
354 $result='-d '.$aliases{$al}{'IPT'};
355 }elsif($val eq $al && $type eq 'snat'){
356 $result=$aliases{$al}{'IPT'};
357 }
358 }
359 }
360 return $result;
361 }
362 sub get_time
363 {
364 my $val=shift;
365 my $val1=shift;
366 my $time;
367 my $minutes;
368 my $ruletime;
369 $minutes = &utcmin($val);
370 $ruletime = $minutes + &time_get_utc($val);
371 if ($ruletime < 0){$ruletime +=1440;}
372 if ($ruletime > 1440){$ruletime -=1440;}
373 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
374 return $time;
375 }
376 sub time_get_utc
377 {
378 # Calculates the UTCtime from a given time
379 my $val=shift;
380 my @localtime=localtime(time);
381 my @gmtime=gmtime(time);
382 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
383 return $diff;
384 }
385 sub utcmin
386 {
387 my $ruletime=shift;
388 my ($hrs,$min) = split(":",$ruletime);
389 my $newtime = $hrs*60+$min;
390 return $newtime;
391 }
392 sub p2pblock
393 {
394 my $P2PSTRING;
395 my $DO;
396 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
397 @p2ps = <FILE>;
398 close FILE;
399 my $CMD = "-m ipp2p";
400 foreach my $p2pentry (sort @p2ps) {
401 my @p2pline = split( /\;/, $p2pentry );
402 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
403 $DO = "ACCEPT";
404 if ("$p2pline[2]" eq "on") {
405 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
406 }
407 }else {
408 $DO = "RETURN";
409 if ("$p2pline[2]" eq "off") {
410 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
411 }
412 }
413 }
414 if ($MODE eq 1){
415 if($P2PSTRING){
416 print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
417 }
418 }else{
419 if($P2PSTRING){
420 system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
421 }
422 }
423 }
424 sub get_address
425 {
426 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
427 my $base2=shift;
428 my $type=shift; #src or tgt
429 my $hash;
430 if ($type eq 'src'){
431 $hash=\%sourcehash;
432 }else{
433 $hash=\%targethash;
434 }
435 my $key = &General::findhasharraykey($hash);
436 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
437 if (&General::validmac($base2)){
438 $$hash{$key}[0] = "-m mac --mac-source $base2";
439 }else{
440 $$hash{$key}[0] = $base2;
441 }
442 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
443 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
444 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
445 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
446 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
447 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
448 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
449 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
450 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
451 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
452 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
453 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
454 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
455 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
456 }elsif($base eq 'ipfire_src' ){
457 if($base2 eq 'GREEN'){
458 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
459 }
460 if($base2 eq 'BLUE'){
461 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
462 }
463 if($base2 eq 'ORANGE'){
464 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
465 }
466 if($base2 eq 'ALL'){
467 $$hash{$key}[0]='0.0.0.0/0';
468 }
469 if($base2 eq 'RED' || $base2 eq 'RED1'){
470 open(FILE, "/var/ipfire/red/local-ipaddress");
471 $$hash{$key}[0]= <FILE>;
472 close(FILE);
473 }else{
474 foreach my $alias (sort keys %aliases){
475 if ($base2 eq $alias){
476 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
477 }
478 }
479 }
480 }
481 }
482 sub get_prot
483 {
484 my $hash=shift;
485 my $key=shift;
486 #check AH,GRE,ESP or ICMP
487 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
488 return "$$hash{$key}[8]";
489 }
490 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
491 #check if servicegroup or service
492 if($$hash{$key}[14] eq 'cust_srv'){
493 return &fwlib::get_srv_prot($$hash{$key}[15]);
494 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
495 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
496 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
497 return "TCP,UDP";
498 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
499 return "$$hash{$key}[8]";
500 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
501 return "$$hash{$key}[8]";
502 }else{
503 return "$$hash{$key}[8]";
504 }
505 }
506 #DNAT
507 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
508 return "$$hash{$key}[8]";
509 }
510 }
511 sub get_port
512 {
513 my $hash=shift;
514 my $key=shift;
515 my $prot=shift;
516 #Get manual defined Ports from SOURCE
517 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
518 if ($$hash{$key}[10] ne ''){
519 $$hash{$key}[10] =~ s/\|/,/g;
520 if(index($$hash{$key}[10],",") > 0){
521 return "-m multiport --sport $$hash{$key}[10] ";
522 }else{
523 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
524 return "--sport $$hash{$key}[10] ";
525 }else{
526 return ":$$hash{$key}[10]";
527 }
528 }
529 }
530 #Get manual ports from TARGET
531 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
532 if($$hash{$key}[14] eq 'TGT_PORT'){
533 if ($$hash{$key}[15] ne ''){
534 $$hash{$key}[15] =~ s/\|/,/g;
535 if(index($$hash{$key}[15],",") > 0){
536 return "-m multiport --dport $$hash{$key}[15] ";
537 }else{
538 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
539 return "--dport $$hash{$key}[15] ";
540 }else{
541 $$hash{$key}[15] =~ s/\:/-/g;
542 return ":$$hash{$key}[15]";
543 }
544 }
545 }
546 #Get ports defined in custom Service (firewall-groups)
547 }elsif($$hash{$key}[14] eq 'cust_srv'){
548 if ($prot ne 'ICMP'){
549 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
550 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
551 $ports =~ s/\:/-/g;
552 return ":".$ports
553 }else{
554 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
555 }
556 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
557 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
558 }
559 #Get ports from services which are used in custom servicegroups (firewall-groups)
560 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
561 if ($prot ne 'ICMP'){
562 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
563 }
564 elsif($prot eq 'ICMP'){
565 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
566 }
567 }
568 }
569 #CHECK ICMP
570 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
571 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
572 return "--icmp-type $$hash{$key}[9] ";
573 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
574 return;
575 }
576 }
577 }