ddcd560c1feb231d26ae17288097a956a41536c8
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27 use strict;
28 no warnings 'uninitialized';
29
30 # enable only the following on debugging purpose
31 #use warnings;
32 #use CGI::Carp 'fatalsToBrowser';
33
34 my %fwdfwsettings=();
35 my %defaultNetworks=();
36 my %configfwdfw=();
37 my %color=();
38 my %icmptypes=();
39 my %ovpnSettings=();
40 my %customgrp=();
41 our %sourcehash=();
42 our %targethash=();
43 my @timeframe=();
44 my %configinputfw=();
45 my %aliases=();
46 my @DPROT=();
47 my @p2ps=();
48 require '/var/ipfire/general-functions.pl';
49 require "${General::swroot}/lang.pl";
50 require "${General::swroot}/forward/bin/firewall-lib.pl";
51
52 my $configfwdfw = "${General::swroot}/forward/config";
53 my $configinput = "${General::swroot}/forward/input";
54 my $p2pfile = "${General::swroot}/forward/p2protocols";
55 my $configgrp = "${General::swroot}/fwhosts/customgroups";
56 my $netsettings = "${General::swroot}/ethernet/settings";
57 my $errormessage='';
58 my $orange;
59 my $green;
60 my $blue;
61 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
62 my $CHAIN="FORWARDFW";
63
64
65 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
66 &General::readhash("$netsettings", \%defaultNetworks);
67 &General::readhasharray($configfwdfw, \%configfwdfw);
68 &General::readhasharray($configinput, \%configinputfw);
69 &General::readhasharray($configgrp, \%customgrp);
70 &General::get_aliases(\%aliases);
71
72 ################################
73 # DEBUG/TEST #
74 ################################
75 my $MODE=1; # 0 - normal operation
76 # 1 - print configline and rules to console
77 #
78 ################################
79 my $param=shift;
80
81 if($param eq 'flush'){
82 if ($MODE eq '1'){
83 print " Flushing chains...\n";
84 }
85 &flush;
86 }else{
87 if ($MODE eq '1'){
88 print " Flushing chains...\n";
89 }
90 &flush;
91 if ($MODE eq '1'){
92 print " Preparing rules...\n";
93 }
94 &preparerules;
95 if($MODE eq '0'){
96 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
97 &p2pblock;
98 system ("/usr/sbin/firewall-forward-policy");
99 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
100 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
101 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
102 if ($defaultNetworks{'BLUE_DEV'}){
103 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
104 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
105 #set default rules for BLUE
106 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
107 }
108 if ($defaultNetworks{'ORANGE_DEV'}){
109 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
110 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
111 #set default rules for DMZ
112 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
113 if ($defaultNetworks{'BLUE_DEV'}){
114 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
115 }
116 }
117
118 &p2pblock;
119 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
120 system ("/usr/sbin/firewall-forward-policy");
121 }
122 }
123 }
124 sub flush
125 {
126 system ("iptables -F FORWARDFW");
127 system ("iptables -F INPUTFW");
128 }
129 sub preparerules
130 {
131 if (! -z "${General::swroot}/forward/config"){
132 &buildrules(\%configfwdfw);
133 }
134 if (! -z "${General::swroot}/forward/input"){
135 &buildrules(\%configinputfw);
136 }
137 }
138 sub buildrules
139 {
140 my $hash=shift;
141 my $STAG;
142 foreach my $key (sort {$a <=> $b} keys %$hash){
143 $STAG='';
144 if($$hash{$key}[2] eq 'ON'){
145 #get source ip's
146 if ($$hash{$key}[3] eq 'cust_grp_src'){
147 foreach my $grp (sort {$a <=> $b} keys %customgrp){
148 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
149 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
150 }
151 }
152 }else{
153 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
154 }
155 #get target ip's
156 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
157 foreach my $grp (sort {$a <=> $b} keys %customgrp){
158 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
159 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
160 }
161 }
162 }elsif($$hash{$key}[5] eq 'ipfire'){
163
164 if($$hash{$key}[6] eq 'Default IP'){
165 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
166 $targethash{$key}[0]= <FILE>;
167 close(FILE);
168 }else{
169 foreach my $alias (sort keys %aliases){
170 if ($$hash{$key}[6] eq $alias){
171 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
172 }
173 }
174 }
175 }else{
176 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
177 }
178 ##get source prot and port
179 $SRC_TGT='SRC';
180 $SPROT = &get_prot($hash,$key);
181 $SPORT = &get_port($hash,$key);
182 $SRC_TGT='';
183
184 ##get target prot and port
185 $DPROT=&get_prot($hash,$key);
186
187 if ($DPROT eq ''){$DPROT=' ';}
188 @DPROT=split(",",$DPROT);
189
190 #get time if defined
191 if($$hash{$key}[18] eq 'ON'){
192 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
193 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
194 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
195 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
196 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
197 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
198 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
199 $TIME=join(",",@timeframe);
200 $TIMEFROM="--timestart $$hash{$key}[26] ";
201 $TIMETILL="--timestop $$hash{$key}[27] ";
202 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
203 }
204 if ($MODE eq '1'){
205 print "NR:$key ";
206 foreach my $i (0 .. $#{$$hash{$key}}){
207 print "$i: $$hash{$key}[$i] ";
208 }
209 print "\n";
210 print"##################################\n";
211 #print rules to console
212 foreach my $DPROT (@DPROT){
213 $DPORT = &get_port($hash,$key,$DPROT);
214 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
215 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
216 foreach my $a (sort keys %sourcehash){
217 foreach my $b (sort keys %targethash){
218 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
219 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
220 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
221 if ($$hash{$key}[17] eq 'ON'){
222 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
223 }
224 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
225 }
226 }
227 }
228 }
229 print"\n";
230 }
231 }elsif($MODE eq '0'){
232 foreach my $DPROT (@DPROT){
233 $DPORT = &get_port($hash,$key,$DPROT);
234 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
235 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
236 foreach my $a (sort keys %sourcehash){
237 foreach my $b (sort keys %targethash){
238 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
239 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
240 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
241 if ($$hash{$key}[17] eq 'ON'){
242 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
243 }
244 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
245 }
246 }
247 }
248 }
249 }
250 }
251 }
252 %sourcehash=();
253 %targethash=();
254 undef $TIME;
255 undef $TIMEFROM;
256 undef $TIMETILL;
257 }
258 }
259 sub p2pblock
260 {
261 my $P2PSTRING;
262 my $DO;
263 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
264 @p2ps = <FILE>;
265 close FILE;
266 my $CMD = "-m ipp2p";
267 foreach my $p2pentry (sort @p2ps) {
268 my @p2pline = split( /\;/, $p2pentry );
269 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
270 $DO = "ACCEPT";
271 if ("$p2pline[2]" eq "on") {
272 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
273 }
274 }else {
275 $DO = "RETURN";
276 if ("$p2pline[2]" eq "off") {
277 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
278 }
279 }
280 }
281 if ($MODE eq 1){
282 if($P2PSTRING){
283 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
284 }
285 }else{
286 if($P2PSTRING){
287 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
288 }
289 }
290 }
291
292 sub get_address
293 {
294 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
295 my $base2=shift;
296 my $type=shift; #src or tgt
297 my $hash;
298 if ($type eq 'src'){
299 $hash=\%sourcehash;
300 }else{
301 $hash=\%targethash;
302 }
303 my $key = &General::findhasharraykey($hash);
304 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
305 if (&General::validmac($base2)){
306 $$hash{$key}[0] = "-m mac --mac-source $base2";
307 }else{
308 $$hash{$key}[0] = $base2;
309 }
310 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
311 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
312 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
313 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
314 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
315 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
316 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
317 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
318 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
319 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
320 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
321 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
322 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
323 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
324 }
325 }
326 sub get_prot
327 {
328 my $hash=shift;
329 my $key=shift;
330 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
331 if ($$hash{$key}[10] ne ''){
332 return"$$hash{$key}[8]";
333 }elsif($$hash{$key}[9] ne ''){
334 return"$$hash{$key}[8]";
335 }else{
336 return "$$hash{$key}[8]";
337 }
338 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
339 if ($$hash{$key}[14] eq 'TGT_PORT'){
340 if ($$hash{$key}[15] ne ''){
341 return "$$hash{$key}[12]";
342 }elsif($$hash{$key}[13] ne ''){
343 return "$$hash{$key}[12]";
344 }else{
345 return "$$hash{$key}[12]";
346 }
347 }elsif($$hash{$key}[14] eq 'cust_srv'){
348 return &fwlib::get_srv_prot($$hash{$key}[15]);
349
350 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
351 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
352 }
353 }
354 }
355 sub get_port
356 {
357 my $hash=shift;
358 my $key=shift;
359 my $prot=shift;
360 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
361 if ($$hash{$key}[10] ne ''){
362 $$hash{$key}[10] =~ s/\|/,/g;
363 if(index($$hash{$key}[10],",") > 0){
364 return "-m multiport --sport $$hash{$key}[10] ";
365 }else{
366 return "--sport $$hash{$key}[10] ";
367 }
368 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
369 return "--icmp-type $$hash{$key}[9] ";
370 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
371 return;
372 }
373 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
374
375 if($$hash{$key}[14] eq 'TGT_PORT'){
376 if ($$hash{$key}[15] ne ''){
377 $$hash{$key}[15] =~ s/\|/,/g;
378 if(index($$hash{$key}[15],",") > 0){
379 return "-m multiport --dport $$hash{$key}[15] ";
380 }else{
381 return "--dport $$hash{$key}[15] ";
382 }
383 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
384 return "--icmp-type $$hash{$key}[13] ";
385 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
386 return;
387 }
388 }elsif($$hash{$key}[14] eq 'cust_srv'){
389 if ($prot ne 'ICMP'){
390 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
391 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
392 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
393 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
394 return;
395 }
396 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
397 if ($prot ne 'ICMP'){
398 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
399 }
400 elsif($prot eq 'ICMP'){
401 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
402 }
403 }
404 }
405 }