d8ca67dd8e7df129e52c4c19dc6db863dca539c4
[people/teissler/ipfire-2.x.git] / config / firewall / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Time::Local;
24 no warnings 'uninitialized';
25
26 require '/var/ipfire/general-functions.pl';
27 require "${General::swroot}/lang.pl";
28 require "/usr/lib/firewall/firewall-lib.pl";
29
30 # Set to one to enable debugging mode.
31 my $DEBUG = 0;
32
33 my %fwdfwsettings=();
34 my %defaultNetworks=();
35 my %configfwdfw=();
36 my %color=();
37 my %icmptypes=();
38 my %ovpnSettings=();
39 my %customgrp=();
40 our %sourcehash=();
41 our %targethash=();
42 my @timeframe=();
43 my %configinputfw=();
44 my %configoutgoingfw=();
45 my %confignatfw=();
46 my %aliases=();
47 my @DPROT=();
48 my @p2ps=();
49
50 my $configfwdfw = "${General::swroot}/firewall/config";
51 my $configinput = "${General::swroot}/firewall/input";
52 my $configoutgoing = "${General::swroot}/firewall/outgoing";
53 my $p2pfile = "${General::swroot}/firewall/p2protocols";
54 my $configgrp = "${General::swroot}/fwhosts/customgroups";
55 my $netsettings = "${General::swroot}/ethernet/settings";
56 my $errormessage = '';
57 my $orange = '';
58 my $green = '';
59 my $blue = '';
60 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
61 my $CHAIN = "FORWARDFW";
62 my $conexists = 'off';
63 my $command = 'iptables --wait -A';
64 my $dnat ='';
65 my $snat ='';
66
67 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
68 &General::readhash("$netsettings", \%defaultNetworks);
69 &General::readhasharray($configfwdfw, \%configfwdfw);
70 &General::readhasharray($configinput, \%configinputfw);
71 &General::readhasharray($configoutgoing, \%configoutgoingfw);
72 &General::readhasharray($configgrp, \%customgrp);
73 &General::get_aliases(\%aliases);
74
75 #check if we have an internetconnection
76 open (CONN,"/var/ipfire/red/iface");
77 my $con = <CONN>;
78 close(CONN);
79
80 if (-f "/var/ipfire/red/active"){
81 $conexists='on';
82 }
83
84 open (CONN1,"/var/ipfire/red/local-ipaddress");
85 my $redip = <CONN1>;
86 close(CONN1);
87
88 # MAIN
89 &main();
90
91 sub main {
92 # Flush all chains.
93 &flush();
94
95 # Reload firewall rules.
96 &preparerules();
97
98 # Load P2P block rules.
99 &p2pblock();
100
101 # Reload firewall policy.
102 run("/usr/sbin/firewall-policy");
103 }
104
105 sub run {
106 # Executes or prints the given shell command.
107 my $command = shift;
108
109 if ($DEBUG) {
110 print "$command\n";
111 } else {
112 system "$command";
113 }
114 }
115
116 sub flush {
117 run("iptables --wait -F FORWARDFW");
118 run("iptables --wait -F INPUTFW");
119 run("iptables --wait -F OUTGOINGFW");
120 run("iptables --wait -t nat -F NAT_DESTINATION");
121 run("iptables --wait -t nat -F NAT_SOURCE");
122 }
123
124 sub preparerules {
125 if (! -z "${General::swroot}/firewall/config"){
126 &buildrules(\%configfwdfw);
127 }
128 if (! -z "${General::swroot}/firewall/input"){
129 &buildrules(\%configinputfw);
130 }
131 if (! -z "${General::swroot}/firewall/outgoing"){
132 &buildrules(\%configoutgoingfw);
133 }
134 }
135
136 sub buildrules {
137 my $hash=shift;
138 my $STAG;
139 my $natip;
140 my $snatport;
141 my $fireport;
142 my $nat;
143 my $fwaccessdport;
144 my $natchain;
145 my $icmptype;
146 foreach my $key (sort {$a <=> $b} keys %$hash){
147 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
148 $command="iptables --wait -A";
149 if ($$hash{$key}[28] eq 'ON'){
150 $command='iptables --wait -t nat -A';
151 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
152 if($$hash{$key}[31] eq 'dnat'){
153 $nat='DNAT';
154 if ($$hash{$key}[30] =~ /\|/){
155 $$hash{$key}[30]=~ tr/|/,/;
156 $fireport='-m multiport --dport '.$$hash{$key}[30];
157 }else{
158 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
159 }
160 }else{
161 $nat='SNAT';
162 }
163 }
164 $STAG='';
165 if($$hash{$key}[2] eq 'ON'){
166 #get source ip's
167 if ($$hash{$key}[3] eq 'cust_grp_src'){
168 foreach my $grp (sort {$a <=> $b} keys %customgrp){
169 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
170 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
171 }
172 }
173 }else{
174 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
175 }
176 #get target ip's
177 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
178 foreach my $grp (sort {$a <=> $b} keys %customgrp){
179 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
180 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
181 }
182 }
183 }elsif($$hash{$key}[5] eq 'ipfire' ){
184 if($$hash{$key}[6] eq 'GREEN'){
185 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
186 }
187 if($$hash{$key}[6] eq 'BLUE'){
188 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
189 }
190 if($$hash{$key}[6] eq 'ORANGE'){
191 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
192 }
193 if($$hash{$key}[6] eq 'ALL'){
194 $targethash{$key}[0]='0.0.0.0/0';
195 }
196 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
197 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
198 $targethash{$key}[0]= <FILE>;
199 close(FILE);
200 }else{
201 foreach my $alias (sort keys %aliases){
202 if ($$hash{$key}[6] eq $alias){
203 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
204 }
205 }
206 }
207 }else{
208 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
209 }
210 ##get source prot and port
211 $SRC_TGT='SRC';
212 $SPORT = &get_port($hash,$key);
213 $SRC_TGT='';
214
215 ##get target prot and port
216 $DPROT=&get_prot($hash,$key);
217
218 if ($DPROT eq ''){$DPROT=' ';}
219 @DPROT=split(",",$DPROT);
220
221 #get time if defined
222 if($$hash{$key}[18] eq 'ON'){
223 my ($time1,$time2,$daylight);
224 my $daylight=$$hash{$key}[28];
225 $time1=&get_time($$hash{$key}[26],$daylight);
226 $time2=&get_time($$hash{$key}[27],$daylight);
227 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
228 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
229 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
230 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
231 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
232 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
233 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
234 $TIME=join(",",@timeframe);
235
236 $TIMEFROM="--timestart $time1 ";
237 $TIMETILL="--timestop $time2 ";
238 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
239 }
240 foreach my $DPROT (@DPROT){
241 $DPORT = &get_port($hash,$key,$DPROT);
242 $PROT=$DPROT;
243 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
244 if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
245 $DPORT='';
246 }
247 foreach my $a (sort keys %sourcehash){
248 foreach my $b (sort keys %targethash){
249 if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
250 #Skip rules when no RED IP is set (DHCP,DSL)
251 next;
252 }
253 next if ($targethash{$b}[0] eq 'none');
254 $STAG='';
255 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
256 if($DPROT ne ''){
257 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
258 #Process ICMP RULE
259 if(substr($DPORT, 2, 4) eq 'icmp'){
260 my @icmprule= split(",",substr($DPORT, 12,));
261 foreach (@icmprule){
262 $icmptype="--icmp-type ";
263 if ($_ eq "BLANK") {
264 $icmptype="";
265 $_="";
266 }
267 if ($$hash{$key}[17] eq 'ON'){
268 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
269 }
270 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
271 }
272 #PROCESS DNAT RULE (Portforward)
273 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
274 $natchain='NAT_DESTINATION';
275 if ($$hash{$key}[17] eq 'ON'){
276 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
277 }
278 my ($ip,$sub) =split("/",$targethash{$b}[0]);
279 #Process NAT with servicegroup used
280 if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
281 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT");
282 $fwaccessdport=$DPORT;
283 }else{
284 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT");
285 $DPORT =~ s/\-/:/g;
286 if ($DPORT){
287 $fwaccessdport="--dport ".substr($DPORT,1,);
288 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
289 if ($$hash{$key}[30]=~m/|/i){
290 $$hash{$key}[30] =~ s/\|/,/g;
291 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
292 }else{
293 $fwaccessdport="--dport $$hash{$key}[30]";
294 }
295 }
296 }
297 run("iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
298 next;
299 #PROCESS SNAT RULE
300 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
301 $natchain='NAT_SOURCE';
302 if ($$hash{$key}[17] eq 'ON' ){
303 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
304 }
305 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip");
306 }
307 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
308 if ($PROT ne '-p ICMP'){
309 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
310 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
311 }
312 run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
313 }
314 #PROCESS Prot ICMP and type = All ICMP-Types
315 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
316 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
317 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
318 }
319 run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
320 }
321 }
322 }
323 }
324 }
325 }
326 }
327 %sourcehash=();
328 %targethash=();
329 undef $TIME;
330 undef $TIMEFROM;
331 undef $TIMETILL;
332 undef $fireport;
333 }
334 }
335
336 sub get_nat_ip {
337 my $val=shift;
338 my $type=shift;
339 my $result;
340 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
341 $result=$defaultNetworks{$val.'_ADDRESS'};
342 }elsif($val eq 'ALL'){
343 $result='-i '.$con;
344 }elsif($val eq 'Default IP' && $type eq 'dnat'){
345 $result='-d '.$redip;
346 }elsif($val eq 'Default IP' && $type eq 'snat'){
347 $result=$redip;
348 }else{
349 foreach my $al (sort keys %aliases){
350 if($val eq $al && $type eq 'dnat'){
351 $result='-d '.$aliases{$al}{'IPT'};
352 }elsif($val eq $al && $type eq 'snat'){
353 $result=$aliases{$al}{'IPT'};
354 }
355 }
356 }
357 return $result;
358 }
359
360 sub get_time {
361 my $val=shift;
362 my $val1=shift;
363 my $time;
364 my $minutes;
365 my $ruletime;
366 $minutes = &utcmin($val);
367 $ruletime = $minutes + &time_get_utc($val);
368 if ($ruletime < 0){$ruletime +=1440;}
369 if ($ruletime > 1440){$ruletime -=1440;}
370 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
371 return $time;
372 }
373
374 sub time_get_utc {
375 # Calculates the UTCtime from a given time
376 my $val=shift;
377 my @localtime=localtime(time);
378 my @gmtime=gmtime(time);
379 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
380 return $diff;
381 }
382
383 sub utcmin {
384 my $ruletime=shift;
385 my ($hrs,$min) = split(":",$ruletime);
386 my $newtime = $hrs*60+$min;
387 return $newtime;
388 }
389
390 sub p2pblock {
391 my $P2PSTRING;
392 my $DO;
393 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
394 @p2ps = <FILE>;
395 close FILE;
396 my $CMD = "-m ipp2p";
397 foreach my $p2pentry (sort @p2ps) {
398 my @p2pline = split( /\;/, $p2pentry );
399 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
400 $DO = "ACCEPT";
401 if ("$p2pline[2]" eq "on") {
402 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
403 }
404 }else {
405 $DO = "RETURN";
406 if ("$p2pline[2]" eq "off") {
407 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
408 }
409 }
410 }
411
412 if($P2PSTRING) {
413 run("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
414 }
415 }
416
417 sub get_address {
418 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
419 my $base2=shift;
420 my $type=shift; #src or tgt
421 my $hash;
422 if ($type eq 'src'){
423 $hash=\%sourcehash;
424 }else{
425 $hash=\%targethash;
426 }
427 my $key = &General::findhasharraykey($hash);
428 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
429 if (&General::validmac($base2)){
430 $$hash{$key}[0] = "-m mac --mac-source $base2";
431 }else{
432 $$hash{$key}[0] = $base2;
433 }
434 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
435 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
436 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
437 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
438 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
439 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
440 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
441 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
442 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
443 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
444 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
445 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
446 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
447 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
448 }elsif($base eq 'ipfire_src' ){
449 if($base2 eq 'GREEN'){
450 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
451 }
452 if($base2 eq 'BLUE'){
453 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
454 }
455 if($base2 eq 'ORANGE'){
456 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
457 }
458 if($base2 eq 'ALL'){
459 $$hash{$key}[0]='0.0.0.0/0';
460 }
461 if($base2 eq 'RED' || $base2 eq 'RED1'){
462 open(FILE, "/var/ipfire/red/local-ipaddress");
463 $$hash{$key}[0]= <FILE>;
464 close(FILE);
465 }else{
466 foreach my $alias (sort keys %aliases){
467 if ($base2 eq $alias){
468 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
469 }
470 }
471 }
472 }
473 }
474
475 sub get_prot {
476 my $hash=shift;
477 my $key=shift;
478 #check AH,GRE,ESP or ICMP
479 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
480 return "$$hash{$key}[8]";
481 }
482 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
483 #check if servicegroup or service
484 if($$hash{$key}[14] eq 'cust_srv'){
485 return &fwlib::get_srv_prot($$hash{$key}[15]);
486 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
487 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
488 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
489 return "TCP,UDP";
490 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
491 return "$$hash{$key}[8]";
492 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
493 return "$$hash{$key}[8]";
494 }else{
495 return "$$hash{$key}[8]";
496 }
497 }
498 #DNAT
499 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
500 return "$$hash{$key}[8]";
501 }
502 }
503
504 sub get_port {
505 my $hash=shift;
506 my $key=shift;
507 my $prot=shift;
508 #Get manual defined Ports from SOURCE
509 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
510 if ($$hash{$key}[10] ne ''){
511 $$hash{$key}[10] =~ s/\|/,/g;
512 if(index($$hash{$key}[10],",") > 0){
513 return "-m multiport --sport $$hash{$key}[10] ";
514 }else{
515 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
516 return "--sport $$hash{$key}[10] ";
517 }else{
518 return ":$$hash{$key}[10]";
519 }
520 }
521 }
522 #Get manual ports from TARGET
523 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
524 if($$hash{$key}[14] eq 'TGT_PORT'){
525 if ($$hash{$key}[15] ne ''){
526 $$hash{$key}[15] =~ s/\|/,/g;
527 if(index($$hash{$key}[15],",") > 0){
528 return "-m multiport --dport $$hash{$key}[15] ";
529 }else{
530 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
531 return "--dport $$hash{$key}[15] ";
532 }else{
533 $$hash{$key}[15] =~ s/\:/-/g;
534 return ":$$hash{$key}[15]";
535 }
536 }
537 }
538 #Get ports defined in custom Service (firewall-groups)
539 }elsif($$hash{$key}[14] eq 'cust_srv'){
540 if ($prot ne 'ICMP'){
541 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
542 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
543 $ports =~ s/\:/-/g;
544 return ":".$ports
545 }else{
546 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
547 }
548 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
549 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
550 }
551 #Get ports from services which are used in custom servicegroups (firewall-groups)
552 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
553 if ($prot ne 'ICMP'){
554 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
555 }
556 elsif($prot eq 'ICMP'){
557 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
558 }
559 }
560 }
561 #CHECK ICMP
562 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
563 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
564 return "--icmp-type $$hash{$key}[9] ";
565 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
566 return;
567 }
568 }
569 }