]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:


9332c9bec3e5a03f1816d6aab4acfe6041af3ca6
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27 use strict;
28 use Time::Local;
29 no warnings 'uninitialized';
30
31 # enable only the following on debugging purpose
32 #use warnings;
33 #use CGI::Carp 'fatalsToBrowser';
34
35 my %fwdfwsettings=();
36 my %defaultNetworks=();
37 my %configfwdfw=();
38 my %color=();
39 my %icmptypes=();
40 my %ovpnSettings=();
41 my %customgrp=();
42 our %sourcehash=();
43 our %targethash=();
44 my @timeframe=();
45 my %configinputfw=();
46 my %configoutgoingfw=();
47 my %configdmzfw=();
48 my %aliases=();
49 my @DPROT=();
50 my @p2ps=();
51 require '/var/ipfire/general-functions.pl';
52 require "${General::swroot}/lang.pl";
53 require "${General::swroot}/forward/bin/firewall-lib.pl";
54
55 my $configdmz = "${General::swroot}/forward/dmz";
56 my $configfwdfw = "${General::swroot}/forward/config";
57 my $configinput = "${General::swroot}/forward/input";
58 my $configoutgoing = "${General::swroot}/forward/outgoing";
59 my $p2pfile = "${General::swroot}/forward/p2protocols";
60 my $configgrp = "${General::swroot}/fwhosts/customgroups";
61 my $netsettings = "${General::swroot}/ethernet/settings";
62 my $errormessage='';
63 my $orange;
64 my $green;
65 my $blue;
66 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
67 my $CHAIN="FORWARDFW";
68
69
70 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
71 &General::readhash("$netsettings", \%defaultNetworks);
72 &General::readhasharray($configdmz, \%configdmzfw);
73 &General::readhasharray($configfwdfw, \%configfwdfw);
74 &General::readhasharray($configinput, \%configinputfw);
75 &General::readhasharray($configoutgoing, \%configoutgoingfw);
76 &General::readhasharray($configgrp, \%customgrp);
77 &General::get_aliases(\%aliases);
78
79 ################################
80 # DEBUG/TEST #
81 ################################
82 my $MODE=1; # 0 - normal operation
83 # 1 - print configline and rules to console
84 #
85 ################################
86 my $param=shift;
87
88 if($param eq 'flush'){
89 if ($MODE eq '1'){
90 print " Flushing chains...\n";
91 }
92 &flush;
93 }else{
94 if ($MODE eq '1'){
95 print " Flushing chains...\n";
96 }
97 &flush;
98 if ($MODE eq '1'){
99 print " Preparing rules...\n";
100 }
101 &preparerules;
102 if($MODE eq '0'){
103 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
104 &p2pblock;
105 system ("/usr/sbin/firewall-policy");
106 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
107 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
108 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
109 if ($defaultNetworks{'BLUE_DEV'}){
110 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
111 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
112 #set default rules for BLUE
113 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
114 }
115 if ($defaultNetworks{'ORANGE_DEV'}){
116 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
117 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
118 #set default rules for DMZ
119 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
120 if ($defaultNetworks{'BLUE_DEV'}){
121 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
122 }
123 }
124 &p2pblock;
125 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
126 system ("/usr/sbin/firewall-policy");
127 }
128 }
129 }
130 sub flush
131 {
132 system ("iptables -F FORWARDFW");
133 system ("iptables -F INPUTFW");
134 system ("iptables -F OUTGOINGFW");
135 }
136 sub preparerules
137 {
138 if (! -z "${General::swroot}/forward/dmz"){
139 &buildrules(\%configdmzfw);
140 }
141 if (! -z "${General::swroot}/forward/config"){
142 &buildrules(\%configfwdfw);
143 }
144 if (! -z "${General::swroot}/forward/input"){
145 &buildrules(\%configinputfw);
146 }
147 if (! -z "${General::swroot}/forward/outgoing"){
148 &buildrules(\%configoutgoingfw);
149 }
150 }
151 sub buildrules
152 {
153 my $hash=shift;
154 my $STAG;
155 foreach my $key (sort {$a <=> $b} keys %$hash){
156 $STAG='';
157 if($$hash{$key}[2] eq 'ON'){
158 #get source ip's
159 if ($$hash{$key}[3] eq 'cust_grp_src'){
160 foreach my $grp (sort {$a <=> $b} keys %customgrp){
161 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
162 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
163 }
164 }
165 }else{
166 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
167 }
168 #get target ip's
169 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
170 foreach my $grp (sort {$a <=> $b} keys %customgrp){
171 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
172 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
173 }
174 }
175 }elsif($$hash{$key}[5] eq 'ipfire'){
176 if($$hash{$key}[6] eq 'Default IP'){
177 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
178 $targethash{$key}[0]= <FILE>;
179 close(FILE);
180 }else{
181 foreach my $alias (sort keys %aliases){
182 if ($$hash{$key}[6] eq $alias){
183 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
184 }
185 }
186 }
187 }else{
188 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
189 }
190 ##get source prot and port
191 $SRC_TGT='SRC';
192 $SPROT = &get_prot($hash,$key);
193 $SPORT = &get_port($hash,$key);
194 $SRC_TGT='';
195
196 ##get target prot and port
197 $DPROT=&get_prot($hash,$key);
198
199 if ($DPROT eq ''){$DPROT=' ';}
200 @DPROT=split(",",$DPROT);
201
202 #get time if defined
203 if($$hash{$key}[18] eq 'ON'){
204 my ($time1,$time2,$daylight);
205 my $daylight=$$hash{$key}[28];
206 $time1=&get_time($$hash{$key}[26],$daylight);
207 $time2=&get_time($$hash{$key}[27],$daylight);
208 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
209 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
210 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
211 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
212 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
213 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
214 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
215 $TIME=join(",",@timeframe);
216
217 $TIMEFROM="--timestart $time1 ";
218 $TIMETILL="--timestop $time2 ";
219 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
220 }
221 if ($MODE eq '1'){
222 print "NR:$key ";
223 foreach my $i (0 .. $#{$$hash{$key}}){
224 print "$i: $$hash{$key}[$i] ";
225 }
226 print "\n";
227 print"##################################\n";
228 #print rules to console
229 foreach my $DPROT (@DPROT){
230 $DPORT = &get_port($hash,$key,$DPROT);
231 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
232 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
233 foreach my $a (sort keys %sourcehash){
234 foreach my $b (sort keys %targethash){
235 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
236 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
237 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
238 if(substr($DPORT, 2, 4) eq 'icmp'){
239 my @icmprule= split(",",substr($DPORT, 12,));
240 foreach (@icmprule){
241 if ($$hash{$key}[17] eq 'ON'){
242 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
243 }
244 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
245 }
246 }else{
247 if ($$hash{$key}[17] eq 'ON'){
248 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
249 }
250 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
251 }
252 }
253 }
254 }
255 }
256 print"\n";
257 }
258 }elsif($MODE eq '0'){
259 foreach my $DPROT (@DPROT){
260 $DPORT = &get_port($hash,$key,$DPROT);
261 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
262 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
263 foreach my $a (sort keys %sourcehash){
264 foreach my $b (sort keys %targethash){
265 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
266 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
267 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
268 if(substr($DPORT, 2, 4) eq 'icmp'){
269 my @icmprule= split(",",substr($DPORT, 12,));
270 foreach (@icmprule){
271 if ($$hash{$key}[17] eq 'ON'){
272 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
273 }
274 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
275 }
276 }else{
277 if ($$hash{$key}[17] eq 'ON'){
278 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
279 }
280 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
281 }
282 }
283 }
284 }
285 }
286 }
287 }
288 }
289 %sourcehash=();
290 %targethash=();
291 undef $TIME;
292 undef $TIMEFROM;
293 undef $TIMETILL;
294 }
295 }
296 sub get_time
297 {
298 my $val=shift;
299 my $val1=shift;
300 my $time;
301 my $minutes;
302 my $ruletime;
303 $minutes = &utcmin($val);
304 $ruletime = $minutes + &time_get_utc($val);
305 if ($ruletime < 0){$ruletime +=1440;}
306 if ($ruletime > 1440){$ruletime -=1440;}
307 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
308 return $time;
309 }
310 sub time_get_utc
311 {
312 # Calculates the UTCtime from a given time
313 my $val=shift;
314 my @localtime=localtime(time);
315 my @gmtime=gmtime(time);
316 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
317 return $diff;
318 }
319 sub utcmin
320 {
321 my $ruletime=shift;
322 my ($hrs,$min) = split(":",$ruletime);
323 my $newtime = $hrs*60+$min;
324 return $newtime;
325 }
326 sub p2pblock
327 {
328 my $P2PSTRING;
329 my $DO;
330 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
331 @p2ps = <FILE>;
332 close FILE;
333 my $CMD = "-m ipp2p";
334 foreach my $p2pentry (sort @p2ps) {
335 my @p2pline = split( /\;/, $p2pentry );
336 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
337 $DO = "ACCEPT";
338 if ("$p2pline[2]" eq "on") {
339 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
340 }
341 }else {
342 $DO = "RETURN";
343 if ("$p2pline[2]" eq "off") {
344 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
345 }
346 }
347 }
348 if ($MODE eq 1){
349 if($P2PSTRING){
350 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
351 }
352 }else{
353 if($P2PSTRING){
354 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
355 }
356 }
357 }
358
359 sub get_address
360 {
361 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
362 my $base2=shift;
363 my $type=shift; #src or tgt
364 my $hash;
365 if ($type eq 'src'){
366 $hash=\%sourcehash;
367 }else{
368 $hash=\%targethash;
369 }
370 my $key = &General::findhasharraykey($hash);
371 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
372 if (&General::validmac($base2)){
373 $$hash{$key}[0] = "-m mac --mac-source $base2";
374 }else{
375 $$hash{$key}[0] = $base2;
376 }
377 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
378 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
379 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
380 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
381 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
382 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
383 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
384 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
385 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
386 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
387 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
388 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
389 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
390 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
391 }
392 }
393 sub get_prot
394 {
395 my $hash=shift;
396 my $key=shift;
397 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
398 if ($$hash{$key}[10] ne ''){
399 return"$$hash{$key}[8]";
400 }elsif($$hash{$key}[9] ne ''){
401 return"$$hash{$key}[8]";
402 }else{
403 return "$$hash{$key}[8]";
404 }
405 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
406 if ($$hash{$key}[14] eq 'TGT_PORT'){
407 if ($$hash{$key}[15] ne ''){
408 return "$$hash{$key}[12]";
409 }elsif($$hash{$key}[13] ne ''){
410 return "$$hash{$key}[12]";
411 }else{
412 return "$$hash{$key}[12]";
413 }
414 }elsif($$hash{$key}[14] eq 'cust_srv'){
415 return &fwlib::get_srv_prot($$hash{$key}[15]);
416
417 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
418 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
419 }
420 }
421 }
422 sub get_port
423 {
424 my $hash=shift;
425 my $key=shift;
426 my $prot=shift;
427 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
428 if ($$hash{$key}[10] ne ''){
429 $$hash{$key}[10] =~ s/\|/,/g;
430 if(index($$hash{$key}[10],",") > 0){
431 return "-m multiport --sport $$hash{$key}[10] ";
432 }else{
433 return "--sport $$hash{$key}[10] ";
434 }
435 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
436 return "--icmp-type $$hash{$key}[9] ";
437 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
438 return;
439 }
440 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
441
442 if($$hash{$key}[14] eq 'TGT_PORT'){
443 if ($$hash{$key}[15] ne ''){
444 $$hash{$key}[15] =~ s/\|/,/g;
445 if(index($$hash{$key}[15],",") > 0){
446 return "-m multiport --dport $$hash{$key}[15] ";
447 }else{
448 return "--dport $$hash{$key}[15] ";
449 }
450 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
451 return "--icmp-type $$hash{$key}[13] ";
452 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
453 return;
454 }
455 }elsif($$hash{$key}[14] eq 'cust_srv'){
456 if ($prot ne 'ICMP'){
457 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
458 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
459 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
460 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
461 return;
462 }
463 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
464 if ($prot ne 'ICMP'){
465 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
466 }
467 elsif($prot eq 'ICMP'){
468 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
469 }
470 }
471 }
472 }
Timo's tree of IPFire 2.x