b5555d168228a000f5407bffbf706f5923579510
[people/teissler/ipfire-2.x.git] / config / firewall / rules.pl
1 #!/usr/bin/perl -w
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23
24 require '/var/ipfire/general-functions.pl';
25 require "${General::swroot}/lang.pl";
26 require "/usr/lib/firewall/firewall-lib.pl";
27
28 # Set to one to enable debugging mode.
29 my $DEBUG = 0;
30
31 my $IPTABLES = "iptables --wait";
32
33 # iptables chains
34 my $CHAIN = "FORWARDFW";
35 my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
36 my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
37
38 my %fwdfwsettings=();
39 my %defaultNetworks=();
40 my %configfwdfw=();
41 my %color=();
42 my %icmptypes=();
43 my %ovpnSettings=();
44 my %customgrp=();
45 our %sourcehash=();
46 our %targethash=();
47 my @timeframe=();
48 my %configinputfw=();
49 my %configoutgoingfw=();
50 my %confignatfw=();
51 my %aliases=();
52 my @DPROT=();
53 my @p2ps=();
54
55 my $configfwdfw = "${General::swroot}/firewall/config";
56 my $configinput = "${General::swroot}/firewall/input";
57 my $configoutgoing = "${General::swroot}/firewall/outgoing";
58 my $p2pfile = "${General::swroot}/firewall/p2protocols";
59 my $configgrp = "${General::swroot}/fwhosts/customgroups";
60 my $netsettings = "${General::swroot}/ethernet/settings";
61 my $errormessage = '';
62 my $orange = '';
63 my $green = '';
64 my $blue = '';
65 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$SRC_TGT);
66 my $conexists = 'off';
67 my $dnat ='';
68 my $snat ='';
69
70 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
71 &General::readhash("$netsettings", \%defaultNetworks);
72 &General::readhasharray($configfwdfw, \%configfwdfw);
73 &General::readhasharray($configinput, \%configinputfw);
74 &General::readhasharray($configoutgoing, \%configoutgoingfw);
75 &General::readhasharray($configgrp, \%customgrp);
76 &General::get_aliases(\%aliases);
77
78 #check if we have an internetconnection
79 open (CONN,"/var/ipfire/red/iface");
80 my $con = <CONN>;
81 close(CONN);
82
83 if (-f "/var/ipfire/red/active"){
84 $conexists='on';
85 }
86
87 open (CONN1,"/var/ipfire/red/local-ipaddress");
88 my $redip = <CONN1>;
89 close(CONN1);
90
91 # MAIN
92 &main();
93
94 sub main {
95 # Flush all chains.
96 &flush();
97
98 # Reload firewall rules.
99 &preparerules();
100
101 # Load P2P block rules.
102 &p2pblock();
103
104 # Reload firewall policy.
105 run("/usr/sbin/firewall-policy");
106 }
107
108 sub run {
109 # Executes or prints the given shell command.
110 my $command = shift;
111
112 if ($DEBUG) {
113 print "$command\n";
114 } else {
115 system "$command";
116 }
117 }
118
119 sub print_error {
120 my $message = shift;
121
122 print STDERR "$message\n";
123 }
124
125 sub flush {
126 run("$IPTABLES -F FORWARDFW");
127 run("$IPTABLES -F INPUTFW");
128 run("$IPTABLES -F OUTGOINGFW");
129 run("$IPTABLES -t nat -F NAT_DESTINATION");
130 run("$IPTABLES -t nat -F NAT_SOURCE");
131 }
132
133 sub preparerules {
134 if (! -z "${General::swroot}/firewall/config"){
135 &buildrules(\%configfwdfw);
136 }
137 if (! -z "${General::swroot}/firewall/input"){
138 &buildrules(\%configinputfw);
139 }
140 if (! -z "${General::swroot}/firewall/outgoing"){
141 &buildrules(\%configoutgoingfw);
142 }
143 }
144
145 sub buildrules {
146 my $hash=shift;
147 my $STAG;
148 my $snatport;
149 my $fireport;
150 my $fwaccessdport;
151 my $natchain;
152 my $icmptype;
153 foreach my $key (sort {$a <=> $b} keys %$hash){
154 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
155
156 my $time_constraints = "";
157 my $natip = "";
158
159 # Check if logging should be enabled.
160 my $LOG = 0;
161 if ($$hash{$key}[17] eq 'ON') {
162 $LOG = 1;
163 }
164
165 my $NAT = 0;
166 my $NAT_MODE;
167
168 # Check if NAT is enabled and initialize variables, that we use for that.
169 if ($$hash{$key}[28] eq 'ON') {
170 $NAT = 1;
171
172 # Destination NAT
173 if ($$hash{$key}[31] eq 'dnat') {
174 $NAT_MODE = "DNAT";
175
176 if ($$hash{$key}[30] =~ /\|/) {
177 $$hash{$key}[30]=~ tr/|/,/;
178 $fireport='-m multiport --dport '.$$hash{$key}[30];
179 } else {
180 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
181 }
182
183 # Source NAT
184 } elsif ($$hash{$key}[31] eq 'snat') {
185 $NAT_MODE = "SNAT";
186
187 } else {
188 print_error("Invalid NAT mode: $$hash{$key}[31]");
189 next;
190 }
191
192 $natip = &get_nat_ip($$hash{$key}[29], $NAT_MODE);
193 }
194
195 $STAG='';
196 if($$hash{$key}[2] eq 'ON'){
197 #get source ip's
198 if ($$hash{$key}[3] eq 'cust_grp_src'){
199 foreach my $grp (sort {$a <=> $b} keys %customgrp){
200 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
201 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
202 }
203 }
204 }else{
205 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
206 }
207 #get target ip's
208 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
209 foreach my $grp (sort {$a <=> $b} keys %customgrp){
210 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
211 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
212 }
213 }
214 }elsif($$hash{$key}[5] eq 'ipfire' ){
215 if($$hash{$key}[6] eq 'GREEN'){
216 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
217 }
218 if($$hash{$key}[6] eq 'BLUE'){
219 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
220 }
221 if($$hash{$key}[6] eq 'ORANGE'){
222 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
223 }
224 if($$hash{$key}[6] eq 'ALL'){
225 $targethash{$key}[0]='0.0.0.0/0';
226 }
227 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
228 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
229 $targethash{$key}[0]= <FILE>;
230 close(FILE);
231 }else{
232 foreach my $alias (sort keys %aliases){
233 if ($$hash{$key}[6] eq $alias){
234 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
235 }
236 }
237 }
238 }else{
239 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
240 }
241 ##get source prot and port
242 $SRC_TGT='SRC';
243 $SPORT = &get_port($hash,$key);
244 $SRC_TGT='';
245
246 ##get target prot and port
247 $DPROT=&get_prot($hash,$key);
248
249 if ($DPROT eq ''){$DPROT=' ';}
250 @DPROT=split(",",$DPROT);
251
252 # Set up time constraints.
253 if ($$hash{$key}[18] eq 'ON') {
254 my @time_args = ("-m", "time");
255
256 # Select all days of the week this match is active.
257 my @weekdays = ();
258 if ($$hash{$key}[19] ne '') {
259 push (@weekdays, "Mon");
260 }
261 if ($$hash{$key}[20] ne '') {
262 push (@weekdays, "Tue");
263 }
264 if ($$hash{$key}[21] ne '') {
265 push (@weekdays, "Wed");
266 }
267 if ($$hash{$key}[22] ne '') {
268 push (@weekdays, "Thu");
269 }
270 if ($$hash{$key}[23] ne '') {
271 push (@weekdays, "Fri");
272 }
273 if ($$hash{$key}[24] ne '') {
274 push (@weekdays, "Sat");
275 }
276 if ($$hash{$key}[25] ne '') {
277 push (@weekdays, "Sun");
278 }
279 if (@weekdays) {
280 push(@time_args, ("--weekdays", join(",", @weekdays)));
281 }
282
283 # Convert start time.
284 my $time_start = &format_time($$hash{$key}[26]);
285 if ($time_start) {
286 push(@time_args, ("--timestart", $time_start));
287 }
288
289 # Convert end time.
290 my $time_stop = &format_time($$hash{$key}[27]);
291 if ($time_stop) {
292 push(@time_args, ("--timestop", $time_stop));
293 }
294
295 # Format command line.
296 $time_constraints = join(" ", @time_args);
297 }
298
299 foreach my $DPROT (@DPROT){
300 $DPORT = &get_port($hash,$key,$DPROT);
301 $PROT=$DPROT;
302 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
303 if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
304 $DPORT='';
305 }
306 foreach my $a (sort keys %sourcehash){
307 foreach my $b (sort keys %targethash){
308 if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $NAT) || (!$natip && $NAT)){
309 #Skip rules when no RED IP is set (DHCP,DSL)
310 next;
311 }
312 next if ($targethash{$b}[0] eq 'none');
313 $STAG='';
314 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
315 if($DPROT ne ''){
316 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
317 #Process ICMP RULE
318 if(substr($DPORT, 2, 4) eq 'icmp'){
319 my @icmprule= split(",",substr($DPORT, 12,));
320 foreach (@icmprule){
321 $icmptype="--icmp-type ";
322 if ($_ eq "BLANK") {
323 $icmptype="";
324 $_="";
325 }
326 if ($LOG) {
327 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $time_constraints -j LOG");
328 }
329 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $time_constraints -j $$hash{$key}[0]");
330 }
331 #PROCESS DNAT RULE (Portforward)
332 } elsif ($NAT && $NAT_MODE eq "DNAT") {
333 if ($LOG) {
334 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j LOG --log-prefix 'DNAT'");
335 }
336 my ($ip,$sub) =split("/",$targethash{$b}[0]);
337 #Process NAT with servicegroup used
338 if ($$hash{$key}[14] eq 'cust_srvgrp') {
339 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip $DPORT");
340 $fwaccessdport=$DPORT;
341 } else {
342 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip$DPORT");
343 $DPORT =~ s/\-/:/g;
344 if ($DPORT){
345 $fwaccessdport="--dport ".substr($DPORT,1,);
346 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
347 if ($$hash{$key}[30]=~m/|/i){
348 $$hash{$key}[30] =~ s/\|/,/g;
349 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
350 }else{
351 $fwaccessdport="--dport $$hash{$key}[30]";
352 }
353 }
354 }
355 run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $time_constraints -j $$hash{$key}[0]");
356 next;
357 #PROCESS SNAT RULE
358 } elsif ($NAT && $NAT_MODE eq "SNAT") {
359 if ($LOG) {
360 run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG --log-prefix 'SNAT'");
361 }
362 run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j SNAT --to-source $natip");
363 }
364 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
365 if ($PROT ne '-p ICMP'){
366 if ($LOG && !$NAT) {
367 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG");
368 }
369 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j $$hash{$key}[0]");
370 }
371 #PROCESS Prot ICMP and type = All ICMP-Types
372 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
373 if ($LOG && !$NAT) {
374 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG");
375 }
376 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j $$hash{$key}[0]");
377 }
378 }
379 }
380 }
381 }
382 }
383 }
384 %sourcehash=();
385 %targethash=();
386 undef $fireport;
387 }
388 }
389
390 sub get_nat_ip {
391 my $val=shift;
392 my $type=shift;
393 my $result;
394 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
395 $result=$defaultNetworks{$val.'_ADDRESS'};
396 }elsif($val eq 'ALL'){
397 $result='-i '.$con;
398 }elsif($val eq 'Default IP' && $type eq "DNAT"){
399 $result='-d '.$redip;
400 }elsif($val eq 'Default IP' && $type eq "SNAT"){
401 $result=$redip;
402 }else{
403 foreach my $al (sort keys %aliases){
404 if($val eq $al && $type eq "DNAT"){
405 $result='-d '.$aliases{$al}{'IPT'};
406 }elsif($val eq $al && $type eq "SNAT"){
407 $result=$aliases{$al}{'IPT'};
408 }
409 }
410 }
411 return $result;
412 }
413
414 # Formats the given timestamp into the iptables format which is "hh:mm" UTC.
415 sub format_time {
416 my $val = shift;
417
418 # Convert the given time into minutes.
419 my $minutes = &time_convert_to_minutes($val);
420
421 # Move the timestamp into UTC.
422 $minutes += &time_utc_offset();
423
424 # Make sure $minutes is between 00:00 and 23:59.
425 if ($minutes < 0) {
426 $minutes += 1440;
427 }
428
429 if ($minutes > 1440) {
430 $minutes -= 1440;
431 }
432
433 # Format as hh:mm.
434 return sprintf("%02d:%02d", $minutes / 60, $minutes % 60);
435 }
436
437 # Calculates the offsets in minutes from the local timezone to UTC.
438 sub time_utc_offset {
439 my @localtime = localtime(time);
440 my @gmtime = gmtime(time);
441
442 return ($gmtime[2] * 60 + $gmtime[1] % 60) - ($localtime[2] * 60 + $localtime[1] % 60);
443 }
444
445 # Takes a timestamp like "14:00" and converts it into minutes since midnight.
446 sub time_convert_to_minutes {
447 my ($hrs, $min) = split(":", shift);
448
449 return ($hrs * 60) + $min;
450 }
451
452 sub p2pblock {
453 my $P2PSTRING = "";
454 my $DO;
455 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
456 @p2ps = <FILE>;
457 close FILE;
458 my $CMD = "-m ipp2p";
459 foreach my $p2pentry (sort @p2ps) {
460 my @p2pline = split( /\;/, $p2pentry );
461 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
462 $DO = "ACCEPT";
463 if ("$p2pline[2]" eq "on") {
464 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
465 }
466 }else {
467 $DO = "RETURN";
468 if ("$p2pline[2]" eq "off") {
469 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
470 }
471 }
472 }
473
474 if($P2PSTRING) {
475 run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO");
476 }
477 }
478
479 sub get_address {
480 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
481 my $base2=shift;
482 my $type=shift; #src or tgt
483 my $hash;
484 if ($type eq 'src'){
485 $hash=\%sourcehash;
486 }else{
487 $hash=\%targethash;
488 }
489 my $key = &General::findhasharraykey($hash);
490 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
491 if (&General::validmac($base2)){
492 $$hash{$key}[0] = "-m mac --mac-source $base2";
493 }else{
494 $$hash{$key}[0] = $base2;
495 }
496 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
497 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
498 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
499 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
500 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
501 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
502 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
503 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
504 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
505 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
506 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
507 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
508 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
509 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
510 }elsif($base eq 'ipfire_src' ){
511 if($base2 eq 'GREEN'){
512 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
513 }
514 if($base2 eq 'BLUE'){
515 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
516 }
517 if($base2 eq 'ORANGE'){
518 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
519 }
520 if($base2 eq 'ALL'){
521 $$hash{$key}[0]='0.0.0.0/0';
522 }
523 if($base2 eq 'RED' || $base2 eq 'RED1'){
524 open(FILE, "/var/ipfire/red/local-ipaddress");
525 $$hash{$key}[0]= <FILE>;
526 close(FILE);
527 }else{
528 foreach my $alias (sort keys %aliases){
529 if ($base2 eq $alias){
530 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
531 }
532 }
533 }
534 }
535 }
536
537 sub get_prot {
538 my $hash=shift;
539 my $key=shift;
540 #check AH,GRE,ESP or ICMP
541 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
542 return "$$hash{$key}[8]";
543 }
544 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
545 #check if servicegroup or service
546 if($$hash{$key}[14] eq 'cust_srv'){
547 return &fwlib::get_srv_prot($$hash{$key}[15]);
548 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
549 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
550 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
551 return "TCP,UDP";
552 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
553 return "$$hash{$key}[8]";
554 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
555 return "$$hash{$key}[8]";
556 }else{
557 return "$$hash{$key}[8]";
558 }
559 }
560 #DNAT
561 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
562 return "$$hash{$key}[8]";
563 }
564 }
565
566 sub get_port {
567 my $hash=shift;
568 my $key=shift;
569 my $prot=shift;
570 #Get manual defined Ports from SOURCE
571 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
572 if ($$hash{$key}[10] ne ''){
573 $$hash{$key}[10] =~ s/\|/,/g;
574 if(index($$hash{$key}[10],",") > 0){
575 return "-m multiport --sport $$hash{$key}[10] ";
576 }else{
577 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
578 return "--sport $$hash{$key}[10] ";
579 }else{
580 return ":$$hash{$key}[10]";
581 }
582 }
583 }
584 #Get manual ports from TARGET
585 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
586 if($$hash{$key}[14] eq 'TGT_PORT'){
587 if ($$hash{$key}[15] ne ''){
588 $$hash{$key}[15] =~ s/\|/,/g;
589 if(index($$hash{$key}[15],",") > 0){
590 return "-m multiport --dport $$hash{$key}[15] ";
591 }else{
592 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
593 return "--dport $$hash{$key}[15] ";
594 }else{
595 $$hash{$key}[15] =~ s/\:/-/g;
596 return ":$$hash{$key}[15]";
597 }
598 }
599 }
600 #Get ports defined in custom Service (firewall-groups)
601 }elsif($$hash{$key}[14] eq 'cust_srv'){
602 if ($prot ne 'ICMP'){
603 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
604 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
605 $ports =~ s/\:/-/g;
606 return ":".$ports
607 }else{
608 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
609 }
610 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
611 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
612 }
613 #Get ports from services which are used in custom servicegroups (firewall-groups)
614 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
615 if ($prot ne 'ICMP'){
616 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
617 }
618 elsif($prot eq 'ICMP'){
619 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
620 }
621 }
622 }
623 #CHECK ICMP
624 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
625 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
626 return "--icmp-type $$hash{$key}[9] ";
627 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
628 return;
629 }
630 }
631 }