firewall: rules.pl: Remove $command and introduce $IPTABLES.
[people/teissler/ipfire-2.x.git] / config / firewall / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Time::Local;
24 no warnings 'uninitialized';
25
26 require '/var/ipfire/general-functions.pl';
27 require "${General::swroot}/lang.pl";
28 require "/usr/lib/firewall/firewall-lib.pl";
29
30 # Set to one to enable debugging mode.
31 my $DEBUG = 0;
32
33 my $IPTABLES = "iptables --wait";
34
35 my %fwdfwsettings=();
36 my %defaultNetworks=();
37 my %configfwdfw=();
38 my %color=();
39 my %icmptypes=();
40 my %ovpnSettings=();
41 my %customgrp=();
42 our %sourcehash=();
43 our %targethash=();
44 my @timeframe=();
45 my %configinputfw=();
46 my %configoutgoingfw=();
47 my %confignatfw=();
48 my %aliases=();
49 my @DPROT=();
50 my @p2ps=();
51
52 my $configfwdfw = "${General::swroot}/firewall/config";
53 my $configinput = "${General::swroot}/firewall/input";
54 my $configoutgoing = "${General::swroot}/firewall/outgoing";
55 my $p2pfile = "${General::swroot}/firewall/p2protocols";
56 my $configgrp = "${General::swroot}/fwhosts/customgroups";
57 my $netsettings = "${General::swroot}/ethernet/settings";
58 my $errormessage = '';
59 my $orange = '';
60 my $green = '';
61 my $blue = '';
62 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
63 my $CHAIN = "FORWARDFW";
64 my $conexists = 'off';
65 my $dnat ='';
66 my $snat ='';
67
68 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
69 &General::readhash("$netsettings", \%defaultNetworks);
70 &General::readhasharray($configfwdfw, \%configfwdfw);
71 &General::readhasharray($configinput, \%configinputfw);
72 &General::readhasharray($configoutgoing, \%configoutgoingfw);
73 &General::readhasharray($configgrp, \%customgrp);
74 &General::get_aliases(\%aliases);
75
76 #check if we have an internetconnection
77 open (CONN,"/var/ipfire/red/iface");
78 my $con = <CONN>;
79 close(CONN);
80
81 if (-f "/var/ipfire/red/active"){
82 $conexists='on';
83 }
84
85 open (CONN1,"/var/ipfire/red/local-ipaddress");
86 my $redip = <CONN1>;
87 close(CONN1);
88
89 # MAIN
90 &main();
91
92 sub main {
93 # Flush all chains.
94 &flush();
95
96 # Reload firewall rules.
97 &preparerules();
98
99 # Load P2P block rules.
100 &p2pblock();
101
102 # Reload firewall policy.
103 run("/usr/sbin/firewall-policy");
104 }
105
106 sub run {
107 # Executes or prints the given shell command.
108 my $command = shift;
109
110 if ($DEBUG) {
111 print "$command\n";
112 } else {
113 system "$command";
114 }
115 }
116
117 sub flush {
118 run("$IPTABLES -F FORWARDFW");
119 run("$IPTABLES -F INPUTFW");
120 run("$IPTABLES -F OUTGOINGFW");
121 run("$IPTABLES -t nat -F NAT_DESTINATION");
122 run("$IPTABLES -t nat -F NAT_SOURCE");
123 }
124
125 sub preparerules {
126 if (! -z "${General::swroot}/firewall/config"){
127 &buildrules(\%configfwdfw);
128 }
129 if (! -z "${General::swroot}/firewall/input"){
130 &buildrules(\%configinputfw);
131 }
132 if (! -z "${General::swroot}/firewall/outgoing"){
133 &buildrules(\%configoutgoingfw);
134 }
135 }
136
137 sub buildrules {
138 my $hash=shift;
139 my $STAG;
140 my $natip;
141 my $snatport;
142 my $fireport;
143 my $nat;
144 my $fwaccessdport;
145 my $natchain;
146 my $icmptype;
147 foreach my $key (sort {$a <=> $b} keys %$hash){
148 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
149 if ($$hash{$key}[28] eq 'ON'){
150 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
151 if($$hash{$key}[31] eq 'dnat'){
152 $nat='DNAT';
153 if ($$hash{$key}[30] =~ /\|/){
154 $$hash{$key}[30]=~ tr/|/,/;
155 $fireport='-m multiport --dport '.$$hash{$key}[30];
156 }else{
157 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
158 }
159 }else{
160 $nat='SNAT';
161 }
162 }
163 $STAG='';
164 if($$hash{$key}[2] eq 'ON'){
165 #get source ip's
166 if ($$hash{$key}[3] eq 'cust_grp_src'){
167 foreach my $grp (sort {$a <=> $b} keys %customgrp){
168 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
169 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
170 }
171 }
172 }else{
173 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
174 }
175 #get target ip's
176 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
177 foreach my $grp (sort {$a <=> $b} keys %customgrp){
178 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
179 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
180 }
181 }
182 }elsif($$hash{$key}[5] eq 'ipfire' ){
183 if($$hash{$key}[6] eq 'GREEN'){
184 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
185 }
186 if($$hash{$key}[6] eq 'BLUE'){
187 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
188 }
189 if($$hash{$key}[6] eq 'ORANGE'){
190 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
191 }
192 if($$hash{$key}[6] eq 'ALL'){
193 $targethash{$key}[0]='0.0.0.0/0';
194 }
195 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
196 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
197 $targethash{$key}[0]= <FILE>;
198 close(FILE);
199 }else{
200 foreach my $alias (sort keys %aliases){
201 if ($$hash{$key}[6] eq $alias){
202 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
203 }
204 }
205 }
206 }else{
207 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
208 }
209 ##get source prot and port
210 $SRC_TGT='SRC';
211 $SPORT = &get_port($hash,$key);
212 $SRC_TGT='';
213
214 ##get target prot and port
215 $DPROT=&get_prot($hash,$key);
216
217 if ($DPROT eq ''){$DPROT=' ';}
218 @DPROT=split(",",$DPROT);
219
220 #get time if defined
221 if($$hash{$key}[18] eq 'ON'){
222 my ($time1,$time2,$daylight);
223 my $daylight=$$hash{$key}[28];
224 $time1=&get_time($$hash{$key}[26],$daylight);
225 $time2=&get_time($$hash{$key}[27],$daylight);
226 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
227 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
228 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
229 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
230 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
231 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
232 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
233 $TIME=join(",",@timeframe);
234
235 $TIMEFROM="--timestart $time1 ";
236 $TIMETILL="--timestop $time2 ";
237 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
238 }
239 foreach my $DPROT (@DPROT){
240 $DPORT = &get_port($hash,$key,$DPROT);
241 $PROT=$DPROT;
242 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
243 if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
244 $DPORT='';
245 }
246 foreach my $a (sort keys %sourcehash){
247 foreach my $b (sort keys %targethash){
248 if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
249 #Skip rules when no RED IP is set (DHCP,DSL)
250 next;
251 }
252 next if ($targethash{$b}[0] eq 'none');
253 $STAG='';
254 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
255 if($DPROT ne ''){
256 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
257 #Process ICMP RULE
258 if(substr($DPORT, 2, 4) eq 'icmp'){
259 my @icmprule= split(",",substr($DPORT, 12,));
260 foreach (@icmprule){
261 $icmptype="--icmp-type ";
262 if ($_ eq "BLANK") {
263 $icmptype="";
264 $_="";
265 }
266 if ($$hash{$key}[17] eq 'ON'){
267 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
268 }
269 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
270 }
271 #PROCESS DNAT RULE (Portforward)
272 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
273 $natchain='NAT_DESTINATION';
274 if ($$hash{$key}[17] eq 'ON'){
275 run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
276 }
277 my ($ip,$sub) =split("/",$targethash{$b}[0]);
278 #Process NAT with servicegroup used
279 if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
280 run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT");
281 $fwaccessdport=$DPORT;
282 }else{
283 run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT");
284 $DPORT =~ s/\-/:/g;
285 if ($DPORT){
286 $fwaccessdport="--dport ".substr($DPORT,1,);
287 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
288 if ($$hash{$key}[30]=~m/|/i){
289 $$hash{$key}[30] =~ s/\|/,/g;
290 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
291 }else{
292 $fwaccessdport="--dport $$hash{$key}[30]";
293 }
294 }
295 }
296 run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
297 next;
298 #PROCESS SNAT RULE
299 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
300 $natchain='NAT_SOURCE';
301 if ($$hash{$key}[17] eq 'ON' ){
302 run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
303 }
304 run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip");
305 }
306 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
307 if ($PROT ne '-p ICMP'){
308 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
309 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
310 }
311 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
312 }
313 #PROCESS Prot ICMP and type = All ICMP-Types
314 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
315 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
316 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
317 }
318 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
319 }
320 }
321 }
322 }
323 }
324 }
325 }
326 %sourcehash=();
327 %targethash=();
328 undef $TIME;
329 undef $TIMEFROM;
330 undef $TIMETILL;
331 undef $fireport;
332 }
333 }
334
335 sub get_nat_ip {
336 my $val=shift;
337 my $type=shift;
338 my $result;
339 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
340 $result=$defaultNetworks{$val.'_ADDRESS'};
341 }elsif($val eq 'ALL'){
342 $result='-i '.$con;
343 }elsif($val eq 'Default IP' && $type eq 'dnat'){
344 $result='-d '.$redip;
345 }elsif($val eq 'Default IP' && $type eq 'snat'){
346 $result=$redip;
347 }else{
348 foreach my $al (sort keys %aliases){
349 if($val eq $al && $type eq 'dnat'){
350 $result='-d '.$aliases{$al}{'IPT'};
351 }elsif($val eq $al && $type eq 'snat'){
352 $result=$aliases{$al}{'IPT'};
353 }
354 }
355 }
356 return $result;
357 }
358
359 sub get_time {
360 my $val=shift;
361 my $val1=shift;
362 my $time;
363 my $minutes;
364 my $ruletime;
365 $minutes = &utcmin($val);
366 $ruletime = $minutes + &time_get_utc($val);
367 if ($ruletime < 0){$ruletime +=1440;}
368 if ($ruletime > 1440){$ruletime -=1440;}
369 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
370 return $time;
371 }
372
373 sub time_get_utc {
374 # Calculates the UTCtime from a given time
375 my $val=shift;
376 my @localtime=localtime(time);
377 my @gmtime=gmtime(time);
378 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
379 return $diff;
380 }
381
382 sub utcmin {
383 my $ruletime=shift;
384 my ($hrs,$min) = split(":",$ruletime);
385 my $newtime = $hrs*60+$min;
386 return $newtime;
387 }
388
389 sub p2pblock {
390 my $P2PSTRING;
391 my $DO;
392 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
393 @p2ps = <FILE>;
394 close FILE;
395 my $CMD = "-m ipp2p";
396 foreach my $p2pentry (sort @p2ps) {
397 my @p2pline = split( /\;/, $p2pentry );
398 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
399 $DO = "ACCEPT";
400 if ("$p2pline[2]" eq "on") {
401 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
402 }
403 }else {
404 $DO = "RETURN";
405 if ("$p2pline[2]" eq "off") {
406 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
407 }
408 }
409 }
410
411 if($P2PSTRING) {
412 run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO");
413 }
414 }
415
416 sub get_address {
417 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
418 my $base2=shift;
419 my $type=shift; #src or tgt
420 my $hash;
421 if ($type eq 'src'){
422 $hash=\%sourcehash;
423 }else{
424 $hash=\%targethash;
425 }
426 my $key = &General::findhasharraykey($hash);
427 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
428 if (&General::validmac($base2)){
429 $$hash{$key}[0] = "-m mac --mac-source $base2";
430 }else{
431 $$hash{$key}[0] = $base2;
432 }
433 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
434 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
435 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
436 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
437 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
438 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
439 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
440 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
441 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
442 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
443 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
444 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
445 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
446 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
447 }elsif($base eq 'ipfire_src' ){
448 if($base2 eq 'GREEN'){
449 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
450 }
451 if($base2 eq 'BLUE'){
452 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
453 }
454 if($base2 eq 'ORANGE'){
455 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
456 }
457 if($base2 eq 'ALL'){
458 $$hash{$key}[0]='0.0.0.0/0';
459 }
460 if($base2 eq 'RED' || $base2 eq 'RED1'){
461 open(FILE, "/var/ipfire/red/local-ipaddress");
462 $$hash{$key}[0]= <FILE>;
463 close(FILE);
464 }else{
465 foreach my $alias (sort keys %aliases){
466 if ($base2 eq $alias){
467 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
468 }
469 }
470 }
471 }
472 }
473
474 sub get_prot {
475 my $hash=shift;
476 my $key=shift;
477 #check AH,GRE,ESP or ICMP
478 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
479 return "$$hash{$key}[8]";
480 }
481 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
482 #check if servicegroup or service
483 if($$hash{$key}[14] eq 'cust_srv'){
484 return &fwlib::get_srv_prot($$hash{$key}[15]);
485 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
486 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
487 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
488 return "TCP,UDP";
489 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
490 return "$$hash{$key}[8]";
491 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
492 return "$$hash{$key}[8]";
493 }else{
494 return "$$hash{$key}[8]";
495 }
496 }
497 #DNAT
498 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
499 return "$$hash{$key}[8]";
500 }
501 }
502
503 sub get_port {
504 my $hash=shift;
505 my $key=shift;
506 my $prot=shift;
507 #Get manual defined Ports from SOURCE
508 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
509 if ($$hash{$key}[10] ne ''){
510 $$hash{$key}[10] =~ s/\|/,/g;
511 if(index($$hash{$key}[10],",") > 0){
512 return "-m multiport --sport $$hash{$key}[10] ";
513 }else{
514 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
515 return "--sport $$hash{$key}[10] ";
516 }else{
517 return ":$$hash{$key}[10]";
518 }
519 }
520 }
521 #Get manual ports from TARGET
522 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
523 if($$hash{$key}[14] eq 'TGT_PORT'){
524 if ($$hash{$key}[15] ne ''){
525 $$hash{$key}[15] =~ s/\|/,/g;
526 if(index($$hash{$key}[15],",") > 0){
527 return "-m multiport --dport $$hash{$key}[15] ";
528 }else{
529 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
530 return "--dport $$hash{$key}[15] ";
531 }else{
532 $$hash{$key}[15] =~ s/\:/-/g;
533 return ":$$hash{$key}[15]";
534 }
535 }
536 }
537 #Get ports defined in custom Service (firewall-groups)
538 }elsif($$hash{$key}[14] eq 'cust_srv'){
539 if ($prot ne 'ICMP'){
540 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
541 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
542 $ports =~ s/\:/-/g;
543 return ":".$ports
544 }else{
545 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
546 }
547 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
548 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
549 }
550 #Get ports from services which are used in custom servicegroups (firewall-groups)
551 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
552 if ($prot ne 'ICMP'){
553 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
554 }
555 elsif($prot eq 'ICMP'){
556 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
557 }
558 }
559 }
560 #CHECK ICMP
561 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
562 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
563 return "--icmp-type $$hash{$key}[9] ";
564 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
565 return;
566 }
567 }
568 }