]>
git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
28 no warnings
'uninitialized';
30 # enable only the following on debugging purpose
32 #use CGI::Carp 'fatalsToBrowser';
35 my %defaultNetworks=();
45 my %configoutgoingfw=();
49 require '/var/ipfire/general-functions.pl';
50 require "${General::swroot}/lang.pl";
51 require "${General::swroot}/forward/bin/firewall-lib.pl";
53 my $configfwdfw = "${General::swroot}/forward/config";
54 my $configinput = "${General::swroot}/forward/input";
55 my $configoutgoing = "${General::swroot}/forward/outgoing";
56 my $p2pfile = "${General::swroot}/forward/p2protocols";
57 my $configgrp = "${General::swroot}/fwhosts/customgroups";
58 my $netsettings = "${General::swroot}/ethernet/settings";
63 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
64 my $CHAIN="FORWARDFW";
67 &General
::readhash
("${General::swroot}/forward/settings", \
%fwdfwsettings);
68 &General
::readhash
("$netsettings", \
%defaultNetworks);
69 &General
::readhasharray
($configfwdfw, \
%configfwdfw);
70 &General
::readhasharray
($configinput, \
%configinputfw);
71 &General
::readhasharray
($configoutgoing, \
%configoutgoingfw);
72 &General
::readhasharray
($configgrp, \
%customgrp);
73 &General
::get_aliases
(\
%aliases);
75 ################################
77 ################################
78 my $MODE=1; # 0 - normal operation
79 # 1 - print configline and rules to console
81 ################################
84 if($param eq 'flush'){
86 print " Flushing chains...\n";
91 print " Flushing chains...\n";
95 print " Preparing rules...\n";
99 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
101 system ("/usr/sbin/firewall-policy");
102 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
103 $defaultNetworks{'GREEN_NETMASK'}=&General
::iporsubtocidr
($defaultNetworks{'GREEN_NETMASK'});
104 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
105 if ($defaultNetworks{'BLUE_DEV'}){
106 $defaultNetworks{'BLUE_NETMASK'}=&General
::iporsubtocidr
($defaultNetworks{'BLUE_NETMASK'});
107 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
108 #set default rules for BLUE
109 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
111 if ($defaultNetworks{'ORANGE_DEV'}){
112 $defaultNetworks{'ORANGE_NETMASK'}=&General
::iporsubtocidr
($defaultNetworks{'ORANGE_NETMASK'});
113 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
114 #set default rules for DMZ
115 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
116 if ($defaultNetworks{'BLUE_DEV'}){
117 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
122 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
123 system ("/usr/sbin/firewall-policy");
129 system ("iptables -F FORWARDFW");
130 system ("iptables -F INPUTFW");
131 system ("iptables -F OUTGOINGFW");
135 if (! -z
"${General::swroot}/forward/config"){
136 &buildrules
(\
%configfwdfw);
138 if (! -z
"${General::swroot}/forward/input"){
139 &buildrules
(\
%configinputfw);
141 if (! -z
"${General::swroot}/forward/outgoing"){
142 &buildrules
(\
%configoutgoingfw);
149 foreach my $key (sort {$a <=> $b} keys %$hash){
151 if($$hash{$key}[2] eq 'ON'){
153 if ($$hash{$key}[3] eq 'cust_grp_src'){
154 foreach my $grp (sort {$a <=> $b} keys %customgrp){
155 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
156 &get_address
($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
160 &get_address
($$hash{$key}[3],$$hash{$key}[4],"src");
163 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
164 foreach my $grp (sort {$a <=> $b} keys %customgrp){
165 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
166 &get_address
($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
169 }elsif($$hash{$key}[5] eq 'ipfire'){
170 if($$hash{$key}[6] eq 'Default IP'){
171 open(FILE
, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
172 $targethash{$key}[0]= <FILE
>;
175 foreach my $alias (sort keys %aliases){
176 if ($$hash{$key}[6] eq $alias){
177 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
182 &get_address
($$hash{$key}[5],$$hash{$key}[6],"tgt");
184 ##get source prot and port
186 $SPROT = &get_prot
($hash,$key);
187 $SPORT = &get_port
($hash,$key);
190 ##get target prot and port
191 $DPROT=&get_prot
($hash,$key);
193 if ($DPROT eq ''){$DPROT=' ';}
194 @DPROT=split(",",$DPROT);
197 if($$hash{$key}[18] eq 'ON'){
198 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
199 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
200 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
201 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
202 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
203 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
204 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
205 $TIME=join(",",@timeframe);
206 $TIMEFROM="--timestart $$hash{$key}[26] ";
207 $TIMETILL="--timestop $$hash{$key}[27] ";
208 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
212 foreach my $i (0 .. $#{$$hash{$key}}){
213 print "$i: $$hash{$key}[$i] ";
216 print"##################################\n";
217 #print rules to console
218 foreach my $DPROT (@DPROT){
219 $DPORT = &get_port
($hash,$key,$DPROT);
220 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
221 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
222 foreach my $a (sort keys %sourcehash){
223 foreach my $b (sort keys %targethash){
224 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
225 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
226 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
227 if ($$hash{$key}[17] eq 'ON'){
228 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
230 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
237 }elsif($MODE eq '0'){
238 foreach my $DPROT (@DPROT){
239 $DPORT = &get_port
($hash,$key,$DPROT);
240 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
241 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
242 foreach my $a (sort keys %sourcehash){
243 foreach my $b (sort keys %targethash){
244 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
245 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
246 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
247 if ($$hash{$key}[17] eq 'ON'){
248 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
250 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
269 open( FILE
, "< $p2pfile" ) or die "Unable to read $p2pfile";
272 my $CMD = "-m ipp2p";
273 foreach my $p2pentry (sort @p2ps) {
274 my @p2pline = split( /\;/, $p2pentry );
275 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
277 if ("$p2pline[2]" eq "on") {
278 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
282 if ("$p2pline[2]" eq "off") {
283 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
289 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
293 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
300 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
302 my $type=shift; #src or tgt
309 my $key = &General
::findhasharraykey
($hash);
310 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
311 if (&General
::validmac
($base2)){
312 $$hash{$key}[0] = "-m mac --mac-source $base2";
314 $$hash{$key}[0] = $base2;
316 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
317 $$hash{$key}[0]=&fwlib
::get_std_net_ip
($base2);
318 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
319 $$hash{$key}[0]=&fwlib
::get_net_ip
($base2);
320 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
321 $$hash{$key}[0]=&fwlib
::get_host_ip
($base2,$type);
322 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
323 $$hash{$key}[0]=&fwlib
::get_ovpn_net_ip
($base2,1);
324 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
325 $$hash{$key}[0]=&fwlib
::get_ovpn_host_ip
($base2,33);
326 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
327 $$hash{$key}[0]=&fwlib
::get_ovpn_n2n_ip
($base2,27);
328 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
329 $$hash{$key}[0]=&fwlib
::get_ipsec_net_ip
($base2,11);
336 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
337 if ($$hash{$key}[10] ne ''){
338 return"$$hash{$key}[8]";
339 }elsif($$hash{$key}[9] ne ''){
340 return"$$hash{$key}[8]";
342 return "$$hash{$key}[8]";
344 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
345 if ($$hash{$key}[14] eq 'TGT_PORT'){
346 if ($$hash{$key}[15] ne ''){
347 return "$$hash{$key}[12]";
348 }elsif($$hash{$key}[13] ne ''){
349 return "$$hash{$key}[12]";
351 return "$$hash{$key}[12]";
353 }elsif($$hash{$key}[14] eq 'cust_srv'){
354 return &fwlib
::get_srv_prot
($$hash{$key}[15]);
356 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
357 return &fwlib
::get_srvgrp_prot
($$hash{$key}[15]);
366 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
367 if ($$hash{$key}[10] ne ''){
368 $$hash{$key}[10] =~ s/\|/,/g;
369 if(index($$hash{$key}[10],",") > 0){
370 return "-m multiport --sport $$hash{$key}[10] ";
372 return "--sport $$hash{$key}[10] ";
374 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
375 return "--icmp-type $$hash{$key}[9] ";
376 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
379 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
381 if($$hash{$key}[14] eq 'TGT_PORT'){
382 if ($$hash{$key}[15] ne ''){
383 $$hash{$key}[15] =~ s/\|/,/g;
384 if(index($$hash{$key}[15],",") > 0){
385 return "-m multiport --dport $$hash{$key}[15] ";
387 return "--dport $$hash{$key}[15] ";
389 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
390 return "--icmp-type $$hash{$key}[13] ";
391 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
394 }elsif($$hash{$key}[14] eq 'cust_srv'){
395 if ($prot ne 'ICMP'){
396 return "--dport ".&fwlib
::get_srv_port
($$hash{$key}[15],1,$prot);
397 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
398 return "--icmp-type ".&fwlib
::get_srv_port
($$hash{$key}[15],3,$prot);
399 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
402 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
403 if ($prot ne 'ICMP'){
404 return &fwlib
::get_srvgrp_port
($$hash{$key}[15],$prot);
406 elsif($prot eq 'ICMP'){
407 return &fwlib
::get_srvgrp_port
($$hash{$key}[15],$prot);