]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Forward Firewall: Added versionnumber on bottom right of firewall.
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27 use strict;
28 no warnings 'uninitialized';
29
30 # enable only the following on debugging purpose
31 #use warnings;
32 #use CGI::Carp 'fatalsToBrowser';
33
34 my %fwdfwsettings=();
35 my %defaultNetworks=();
36 my %configfwdfw=();
37 my %color=();
38 my %icmptypes=();
39 my %ovpnSettings=();
40 my %customgrp=();
41 our %sourcehash=();
42 our %targethash=();
43 my @timeframe=();
44 my %configinputfw=();
45 my %configoutgoingfw=();
46 my %configdmzfw=();
47 my %aliases=();
48 my @DPROT=();
49 my @p2ps=();
50 require '/var/ipfire/general-functions.pl';
51 require "${General::swroot}/lang.pl";
52 require "${General::swroot}/forward/bin/firewall-lib.pl";
53
54 my $configdmz = "${General::swroot}/forward/dmz";
55 my $configfwdfw = "${General::swroot}/forward/config";
56 my $configinput = "${General::swroot}/forward/input";
57 my $configoutgoing = "${General::swroot}/forward/outgoing";
58 my $p2pfile = "${General::swroot}/forward/p2protocols";
59 my $configgrp = "${General::swroot}/fwhosts/customgroups";
60 my $netsettings = "${General::swroot}/ethernet/settings";
61 my $errormessage='';
62 my $orange;
63 my $green;
64 my $blue;
65 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
66 my $CHAIN="FORWARDFW";
67
68
69 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
70 &General::readhash("$netsettings", \%defaultNetworks);
71 &General::readhasharray($configdmz, \%configdmzfw);
72 &General::readhasharray($configfwdfw, \%configfwdfw);
73 &General::readhasharray($configinput, \%configinputfw);
74 &General::readhasharray($configoutgoing, \%configoutgoingfw);
75 &General::readhasharray($configgrp, \%customgrp);
76 &General::get_aliases(\%aliases);
77
78 ################################
79 # DEBUG/TEST #
80 ################################
81 my $MODE=1; # 0 - normal operation
82 # 1 - print configline and rules to console
83 #
84 ################################
85 my $param=shift;
86
87 if($param eq 'flush'){
88 if ($MODE eq '1'){
89 print " Flushing chains...\n";
90 }
91 &flush;
92 }else{
93 if ($MODE eq '1'){
94 print " Flushing chains...\n";
95 }
96 &flush;
97 if ($MODE eq '1'){
98 print " Preparing rules...\n";
99 }
100 &preparerules;
101 if($MODE eq '0'){
102 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
103 &p2pblock;
104 system ("/usr/sbin/firewall-policy");
105 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
106 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
107 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
108 if ($defaultNetworks{'BLUE_DEV'}){
109 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
110 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
111 #set default rules for BLUE
112 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
113 }
114 if ($defaultNetworks{'ORANGE_DEV'}){
115 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
116 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
117 #set default rules for DMZ
118 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
119 if ($defaultNetworks{'BLUE_DEV'}){
120 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
121 }
122 }
123
124 &p2pblock;
125 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
126 system ("/usr/sbin/firewall-policy");
127 }
128 }
129 }
130 sub flush
131 {
132 system ("iptables -F FORWARDFW");
133 system ("iptables -F INPUTFW");
134 system ("iptables -F OUTGOINGFW");
135 }
136 sub preparerules
137 {
138 if (! -z "${General::swroot}/forward/dmz"){
139 &buildrules(\%configdmzfw);
140 }
141 if (! -z "${General::swroot}/forward/config"){
142 &buildrules(\%configfwdfw);
143 }
144 if (! -z "${General::swroot}/forward/input"){
145 &buildrules(\%configinputfw);
146 }
147 if (! -z "${General::swroot}/forward/outgoing"){
148 &buildrules(\%configoutgoingfw);
149 }
150 }
151 sub buildrules
152 {
153 my $hash=shift;
154 my $STAG;
155 foreach my $key (sort {$a <=> $b} keys %$hash){
156 $STAG='';
157 if($$hash{$key}[2] eq 'ON'){
158 #get source ip's
159 if ($$hash{$key}[3] eq 'cust_grp_src'){
160 foreach my $grp (sort {$a <=> $b} keys %customgrp){
161 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
162 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
163 }
164 }
165 }else{
166 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
167 }
168 #get target ip's
169 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
170 foreach my $grp (sort {$a <=> $b} keys %customgrp){
171 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
172 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
173 }
174 }
175 }elsif($$hash{$key}[5] eq 'ipfire'){
176 if($$hash{$key}[6] eq 'Default IP'){
177 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
178 $targethash{$key}[0]= <FILE>;
179 close(FILE);
180 }else{
181 foreach my $alias (sort keys %aliases){
182 if ($$hash{$key}[6] eq $alias){
183 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
184 }
185 }
186 }
187 }else{
188 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
189 }
190 ##get source prot and port
191 $SRC_TGT='SRC';
192 $SPROT = &get_prot($hash,$key);
193 $SPORT = &get_port($hash,$key);
194 $SRC_TGT='';
195
196 ##get target prot and port
197 $DPROT=&get_prot($hash,$key);
198
199 if ($DPROT eq ''){$DPROT=' ';}
200 @DPROT=split(",",$DPROT);
201
202 #get time if defined
203 if($$hash{$key}[18] eq 'ON'){
204 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
205 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
206 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
207 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
208 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
209 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
210 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
211 $TIME=join(",",@timeframe);
212 $TIMEFROM="--timestart $$hash{$key}[26] ";
213 $TIMETILL="--timestop $$hash{$key}[27] ";
214 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
215 }
216 if ($MODE eq '1'){
217 print "NR:$key ";
218 foreach my $i (0 .. $#{$$hash{$key}}){
219 print "$i: $$hash{$key}[$i] ";
220 }
221 print "\n";
222 print"##################################\n";
223 #print rules to console
224 foreach my $DPROT (@DPROT){
225 $DPORT = &get_port($hash,$key,$DPROT);
226 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
227 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
228 foreach my $a (sort keys %sourcehash){
229 foreach my $b (sort keys %targethash){
230 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
231 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
232 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
233 if ($$hash{$key}[17] eq 'ON'){
234 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
235 }
236 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
237 }
238 }
239 }
240 }
241 print"\n";
242 }
243 }elsif($MODE eq '0'){
244 foreach my $DPROT (@DPROT){
245 $DPORT = &get_port($hash,$key,$DPROT);
246 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
247 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
248 foreach my $a (sort keys %sourcehash){
249 foreach my $b (sort keys %targethash){
250 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
251 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
252 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
253 if ($$hash{$key}[17] eq 'ON'){
254 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
255 }
256 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
257 }
258 }
259 }
260 }
261 }
262 }
263 }
264 %sourcehash=();
265 %targethash=();
266 undef $TIME;
267 undef $TIMEFROM;
268 undef $TIMETILL;
269 }
270 }
271 sub p2pblock
272 {
273 my $P2PSTRING;
274 my $DO;
275 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
276 @p2ps = <FILE>;
277 close FILE;
278 my $CMD = "-m ipp2p";
279 foreach my $p2pentry (sort @p2ps) {
280 my @p2pline = split( /\;/, $p2pentry );
281 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
282 $DO = "ACCEPT";
283 if ("$p2pline[2]" eq "on") {
284 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
285 }
286 }else {
287 $DO = "RETURN";
288 if ("$p2pline[2]" eq "off") {
289 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
290 }
291 }
292 }
293 if ($MODE eq 1){
294 if($P2PSTRING){
295 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
296 }
297 }else{
298 if($P2PSTRING){
299 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
300 }
301 }
302 }
303
304 sub get_address
305 {
306 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
307 my $base2=shift;
308 my $type=shift; #src or tgt
309 my $hash;
310 if ($type eq 'src'){
311 $hash=\%sourcehash;
312 }else{
313 $hash=\%targethash;
314 }
315 my $key = &General::findhasharraykey($hash);
316 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
317 if (&General::validmac($base2)){
318 $$hash{$key}[0] = "-m mac --mac-source $base2";
319 }else{
320 $$hash{$key}[0] = $base2;
321 }
322 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
323 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
324 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
325 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
326 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
327 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
328 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
329 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
330 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
331 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
332 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
333 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
334 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
335 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
336 }
337 }
338 sub get_prot
339 {
340 my $hash=shift;
341 my $key=shift;
342 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
343 if ($$hash{$key}[10] ne ''){
344 return"$$hash{$key}[8]";
345 }elsif($$hash{$key}[9] ne ''){
346 return"$$hash{$key}[8]";
347 }else{
348 return "$$hash{$key}[8]";
349 }
350 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
351 if ($$hash{$key}[14] eq 'TGT_PORT'){
352 if ($$hash{$key}[15] ne ''){
353 return "$$hash{$key}[12]";
354 }elsif($$hash{$key}[13] ne ''){
355 return "$$hash{$key}[12]";
356 }else{
357 return "$$hash{$key}[12]";
358 }
359 }elsif($$hash{$key}[14] eq 'cust_srv'){
360 return &fwlib::get_srv_prot($$hash{$key}[15]);
361
362 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
363 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
364 }
365 }
366 }
367 sub get_port
368 {
369 my $hash=shift;
370 my $key=shift;
371 my $prot=shift;
372 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
373 if ($$hash{$key}[10] ne ''){
374 $$hash{$key}[10] =~ s/\|/,/g;
375 if(index($$hash{$key}[10],",") > 0){
376 return "-m multiport --sport $$hash{$key}[10] ";
377 }else{
378 return "--sport $$hash{$key}[10] ";
379 }
380 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
381 return "--icmp-type $$hash{$key}[9] ";
382 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
383 return;
384 }
385 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
386
387 if($$hash{$key}[14] eq 'TGT_PORT'){
388 if ($$hash{$key}[15] ne ''){
389 $$hash{$key}[15] =~ s/\|/,/g;
390 if(index($$hash{$key}[15],",") > 0){
391 return "-m multiport --dport $$hash{$key}[15] ";
392 }else{
393 return "--dport $$hash{$key}[15] ";
394 }
395 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
396 return "--icmp-type $$hash{$key}[13] ";
397 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
398 return;
399 }
400 }elsif($$hash{$key}[14] eq 'cust_srv'){
401 if ($prot ne 'ICMP'){
402 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
403 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
404 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
405 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
406 return;
407 }
408 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
409 if ($prot ne 'ICMP'){
410 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
411 }
412 elsif($prot eq 'ICMP'){
413 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
414 }
415 }
416 }
417 }
Timo's tree of IPFire 2.x