]>
git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
29 no warnings
'uninitialized';
31 # enable only the following on debugging purpose
33 #use CGI::Carp 'fatalsToBrowser';
36 my %defaultNetworks=();
48 require '/var/ipfire/general-functions.pl';
49 require "${General::swroot}/lang.pl";
50 require "${General::swroot}/forward/bin/firewall-lib.pl";
52 my $configfwdfw = "${General::swroot}/forward/config";
53 my $configinput = "${General::swroot}/forward/input";
54 my $configgrp = "${General::swroot}/fwhosts/customgroups";
56 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
57 my $CHAIN="FORWARDFW";
60 &General
::readhash
("${General::swroot}/forward/settings", \
%fwdfwsettings);
61 &General
::readhasharray
($configfwdfw, \
%configfwdfw);
62 &General
::readhasharray
($configinput, \
%configinputfw);
63 &General
::readhasharray
($configgrp, \
%customgrp);
64 &General
::get_aliases
(\
%aliases);
66 ################################
68 ################################
69 my $MODE=0; # 0 - normal operation
70 # 1 - print configline and rules to console
72 ################################
75 if($param eq 'flush'){
77 print " Flushing chains...\n";
82 print " Flushing chains...\n";
86 print " Preparing rules...\n";
90 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
91 system ("iptables -A $CHAIN -j DROP");
92 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
93 system ("iptables -A $CHAIN -j ACCEPT");
100 system ("iptables -F FORWARDFW");
101 system ("iptables -F INPUTFW");
105 if (! -z
"${General::swroot}/forward/config"){
106 &buildrules
(\
%configfwdfw);
108 if (! -z
"${General::swroot}/forward/input"){
109 &buildrules
(\
%configinputfw);
115 foreach my $key (sort keys %$hash){
116 if($$hash{$key}[2] eq 'ON'){
118 if ($$hash{$key}[3] eq 'cust_grp_src'){
119 foreach my $grp (sort keys %customgrp){
120 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
121 &get_address
($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
125 &get_address
($$hash{$key}[3],$$hash{$key}[4],"src");
128 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
129 foreach my $grp (sort keys %customgrp){
130 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
131 &get_address
($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
134 }elsif($$hash{$key}[5] eq 'ipfire'){
136 if($$hash{$key}[6] eq 'Default IP'){
137 open(FILE
, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
138 $targethash{$key}[0]= <FILE
>;
141 foreach my $alias (sort keys %aliases){
142 if ($$hash{$key}[6] eq $alias){
143 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
148 &get_address
($$hash{$key}[5],$$hash{$key}[6],"tgt");
151 ##get source prot and port
153 $SPROT = &get_prot
($hash,$key);
154 $SPORT = &get_port
($hash,$key);
157 ##get target prot and port
158 $DPROT=&get_prot
($hash,$key);
160 if ($DPROT eq ''){$DPROT=' ';}
161 @DPROT=split(",",$DPROT);
165 if($$hash{$key}[18] eq 'ON'){
166 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
167 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
168 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
169 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
170 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
171 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
172 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
173 $TIME=join(",",@timeframe);
174 $TIMEFROM="--timestart $$hash{$key}[26] ";
175 $TIMETILL="--timestop $$hash{$key}[27] ";
176 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
181 foreach my $i (0 .. $#{$$hash{$key}}){
182 print "$i: $$hash{$key}[$i] ";
185 print"##################################\n";
186 #print rules to console
188 foreach my $DPROT (@DPROT){
189 $DPORT = &get_port
($hash,$key,$DPROT);
190 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
191 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
192 foreach my $a (sort keys %sourcehash){
193 foreach my $b (sort keys %targethash){
194 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
195 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
196 if ($$hash{$key}[17] eq 'ON'){
197 print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
199 print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
207 }elsif($MODE eq '0'){
208 foreach my $DPROT (@DPROT){
209 $DPORT = &get_port
($hash,$key,$DPROT);
210 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
211 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
212 foreach my $a (sort keys %sourcehash){
213 foreach my $b (sort keys %targethash){
214 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
215 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
216 if ($$hash{$key}[17] eq 'ON'){
217 system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
219 system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
237 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
239 my $type=shift; #src or tgt
246 my $key = &General
::findhasharraykey
($hash);
247 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
248 $$hash{$key}[0] = $configfwdfw{$key}[4];
249 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
250 $$hash{$key}[0]=&fwlib
::get_std_net_ip
($base2);
251 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
252 $$hash{$key}[0]=&fwlib
::get_net_ip
($base2);
253 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
254 $$hash{$key}[0]=&fwlib
::get_host_ip
($base2,$type);
255 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
256 $$hash{$key}[0]=&fwlib
::get_ovpn_net_ip
($base2,1);
257 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
258 $$hash{$key}[0]=&fwlib
::get_ovpn_host_ip
($base2,33);
259 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
260 $$hash{$key}[0]=&fwlib
::get_ovpn_n2n_ip
($base2,27);
261 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
262 $$hash{$key}[0]=&fwlib
::get_ipsec_net_ip
($base2,11);
269 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
270 if ($$hash{$key}[10] ne ''){
271 return"$$hash{$key}[8]";
272 }elsif($$hash{$key}[9] ne ''){
273 return"$$hash{$key}[8]";
275 return "$$hash{$key}[8]";
277 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
278 if ($$hash{$key}[14] eq 'TGT_PORT'){
279 if ($$hash{$key}[15] ne ''){
280 return "$$hash{$key}[12]";
281 }elsif($$hash{$key}[13] ne ''){
282 return "$$hash{$key}[12]";
284 return "$$hash{$key}[12]";
286 }elsif($$hash{$key}[14] eq 'cust_srv'){
287 return &fwlib
::get_srv_prot
($$hash{$key}[15]);
289 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
290 return &fwlib
::get_srvgrp_prot
($$hash{$key}[15]);
299 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
300 if ($$hash{$key}[10] ne ''){
301 return "--sport $$hash{$key}[10] ";
302 }elsif($$hash{$key}[9] ne ''){
303 return "--icmp-type $$hash{$key}[9] ";
305 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
307 if($$hash{$key}[14] eq 'TGT_PORT'){
308 if ($$hash{$key}[15] ne ''){
309 return "--dport $$hash{$key}[15] ";
310 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
311 return "--icmp-type $$hash{$key}[13] ";
312 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
315 }elsif($$hash{$key}[14] eq 'cust_srv'){
316 if ($prot ne 'ICMP'){
317 return "--dport ".&fwlib
::get_srv_port
($$hash{$key}[15],1,$prot);
318 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
319 return "--icmp-type ".&fwlib
::get_srv_port
($$hash{$key}[15],3,$prot);
320 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
323 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
324 if ($prot ne 'ICMP'){
325 return &fwlib
::get_srvgrp_port
($$hash{$key}[15],$prot);
327 elsif($prot eq 'ICMP'){
328 return &fwlib
::get_srvgrp_port
($$hash{$key}[15],$prot);