]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Forward Firewall: edited p2pblock call in rules.pl
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27 use strict;
28 no warnings 'uninitialized';
29
30 # enable only the following on debugging purpose
31 #use warnings;
32 #use CGI::Carp 'fatalsToBrowser';
33
34 my %fwdfwsettings=();
35 my %defaultNetworks=();
36 my %configfwdfw=();
37 my %color=();
38 my %icmptypes=();
39 my %ovpnSettings=();
40 my %customgrp=();
41 our %sourcehash=();
42 our %targethash=();
43 my @timeframe=();
44 my %configinputfw=();
45 my %aliases=();
46 my @DPROT=();
47 my @p2ps=();
48 require '/var/ipfire/general-functions.pl';
49 require "${General::swroot}/lang.pl";
50 require "${General::swroot}/forward/bin/firewall-lib.pl";
51
52 my $configfwdfw = "${General::swroot}/forward/config";
53 my $configinput = "${General::swroot}/forward/input";
54 my $p2pfile = "${General::swroot}/forward/p2protocols";
55 my $configgrp = "${General::swroot}/fwhosts/customgroups";
56 my $errormessage='';
57 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
58 my $CHAIN="FORWARDFW";
59
60
61 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
62 &General::readhasharray($configfwdfw, \%configfwdfw);
63 &General::readhasharray($configinput, \%configinputfw);
64 &General::readhasharray($configgrp, \%customgrp);
65 &General::get_aliases(\%aliases);
66
67 ################################
68 # DEBUG/TEST #
69 ################################
70 my $MODE=1; # 0 - normal operation
71 # 1 - print configline and rules to console
72 #
73 ################################
74 my $param=shift;
75
76 if($param eq 'flush'){
77 if ($MODE eq '1'){
78 print " Flushing chains...\n";
79 }
80 &flush;
81 }else{
82 if ($MODE eq '1'){
83 print " Flushing chains...\n";
84 }
85 &flush;
86 if ($MODE eq '1'){
87 print " Preparing rules...\n";
88 }
89 &preparerules;
90 if($MODE eq '0'){
91 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
92 &p2pblock;
93 system ("/usr/sbin/firewall-forward-policy");
94 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
95 &p2pblock;
96 system ("/usr/sbin/firewall-forward-policy");
97 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
98 }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
99 system ("/usr/sbin/firewall-forward-policy");
100 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
101 }
102 }
103 }
104 sub flush
105 {
106 system ("iptables -F FORWARDFW");
107 system ("iptables -F INPUTFW");
108 }
109 sub preparerules
110 {
111 if (! -z "${General::swroot}/forward/config"){
112 &buildrules(\%configfwdfw);
113 }
114 if (! -z "${General::swroot}/forward/input"){
115 &buildrules(\%configinputfw);
116 }
117 }
118 sub buildrules
119 {
120 my $hash=shift;
121 my $STAG;
122 foreach my $key (sort {$a <=> $b} keys %$hash){
123 $STAG='';
124 if($$hash{$key}[2] eq 'ON'){
125 #get source ip's
126 if ($$hash{$key}[3] eq 'cust_grp_src'){
127 foreach my $grp (sort {$a <=> $b} keys %customgrp){
128 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
129 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
130 }
131 }
132 }else{
133 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
134 }
135 #get target ip's
136 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
137 foreach my $grp (sort {$a <=> $b} keys %customgrp){
138 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
139 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
140 }
141 }
142 }elsif($$hash{$key}[5] eq 'ipfire'){
143
144 if($$hash{$key}[6] eq 'Default IP'){
145 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
146 $targethash{$key}[0]= <FILE>;
147 close(FILE);
148 }else{
149 foreach my $alias (sort keys %aliases){
150 if ($$hash{$key}[6] eq $alias){
151 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
152 }
153 }
154 }
155 }else{
156 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
157 }
158 ##get source prot and port
159 $SRC_TGT='SRC';
160 $SPROT = &get_prot($hash,$key);
161 $SPORT = &get_port($hash,$key);
162 $SRC_TGT='';
163
164 ##get target prot and port
165 $DPROT=&get_prot($hash,$key);
166
167 if ($DPROT eq ''){$DPROT=' ';}
168 @DPROT=split(",",$DPROT);
169
170 #get time if defined
171 if($$hash{$key}[18] eq 'ON'){
172 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
173 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
174 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
175 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
176 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
177 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
178 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
179 $TIME=join(",",@timeframe);
180 $TIMEFROM="--timestart $$hash{$key}[26] ";
181 $TIMETILL="--timestop $$hash{$key}[27] ";
182 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
183 }
184 if ($MODE eq '1'){
185 print "NR:$key ";
186 foreach my $i (0 .. $#{$$hash{$key}}){
187 print "$i: $$hash{$key}[$i] ";
188 }
189 print "\n";
190 print"##################################\n";
191 #print rules to console
192 foreach my $DPROT (@DPROT){
193 $DPORT = &get_port($hash,$key,$DPROT);
194 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
195 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
196 foreach my $a (sort keys %sourcehash){
197 foreach my $b (sort keys %targethash){
198 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
199 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
200 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
201 if ($$hash{$key}[17] eq 'ON'){
202 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
203 }
204 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
205 }
206 }
207 }
208 }
209 print"\n";
210 }
211 }elsif($MODE eq '0'){
212 foreach my $DPROT (@DPROT){
213 $DPORT = &get_port($hash,$key,$DPROT);
214 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
215 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
216 foreach my $a (sort keys %sourcehash){
217 foreach my $b (sort keys %targethash){
218 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
219 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
220 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
221 if ($$hash{$key}[17] eq 'ON'){
222 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
223 }
224 system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
225 }
226 }
227 }
228 }
229 print"\n";
230 }
231 }
232 }
233 %sourcehash=();
234 %targethash=();
235 undef $TIME;
236 undef $TIMEFROM;
237 undef $TIMETILL;
238 }
239 }
240 sub p2pblock
241 {
242 my $P2PSTRING;
243 my $DO;
244 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
245 @p2ps = <FILE>;
246 close FILE;
247 my $CMD = "-m ipp2p";
248 foreach my $p2pentry (sort @p2ps) {
249 my @p2pline = split( /\;/, $p2pentry );
250 if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
251 $DO = "DROP";
252 if ("$p2pline[2]" eq "off") {
253 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
254 }
255 } else {
256 $DO = "RETURN";
257 if ("$p2pline[2]" eq "on") {
258 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
259 }
260 }
261 }
262 if ($MODE eq 1){
263 if($P2PSTRING){
264 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
265 }
266 }else{
267 if($P2PSTRING){
268 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
269 }
270 }
271 }
272
273 sub get_address
274 {
275 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
276 my $base2=shift;
277 my $type=shift; #src or tgt
278 my $hash;
279 if ($type eq 'src'){
280 $hash=\%sourcehash;
281 }else{
282 $hash=\%targethash;
283 }
284 my $key = &General::findhasharraykey($hash);
285 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
286 if (&General::validmac($base2)){
287 $$hash{$key}[0] = "-m mac --mac-source $base2";
288 }else{
289 $$hash{$key}[0] = $base2;
290 }
291 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
292 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
293 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
294 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
295 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
296 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
297 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
298 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
299 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
300 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
301 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
302 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
303 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
304 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
305 }
306 }
307 sub get_prot
308 {
309 my $hash=shift;
310 my $key=shift;
311 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
312 if ($$hash{$key}[10] ne ''){
313 return"$$hash{$key}[8]";
314 }elsif($$hash{$key}[9] ne ''){
315 return"$$hash{$key}[8]";
316 }else{
317 return "$$hash{$key}[8]";
318 }
319 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
320 if ($$hash{$key}[14] eq 'TGT_PORT'){
321 if ($$hash{$key}[15] ne ''){
322 return "$$hash{$key}[12]";
323 }elsif($$hash{$key}[13] ne ''){
324 return "$$hash{$key}[12]";
325 }else{
326 return "$$hash{$key}[12]";
327 }
328 }elsif($$hash{$key}[14] eq 'cust_srv'){
329 return &fwlib::get_srv_prot($$hash{$key}[15]);
330
331 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
332 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
333 }
334 }
335 }
336 sub get_port
337 {
338 my $hash=shift;
339 my $key=shift;
340 my $prot=shift;
341 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
342 if ($$hash{$key}[10] ne ''){
343 return "--sport $$hash{$key}[10] ";
344 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
345 return "--icmp-type $$hash{$key}[9] ";
346 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
347 return;
348 }
349 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
350
351 if($$hash{$key}[14] eq 'TGT_PORT'){
352 if ($$hash{$key}[15] ne ''){
353 return "--dport $$hash{$key}[15] ";
354 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
355 return "--icmp-type $$hash{$key}[13] ";
356 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
357 return;
358 }
359 }elsif($$hash{$key}[14] eq 'cust_srv'){
360 if ($prot ne 'ICMP'){
361 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
362 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
363 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
364 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
365 return;
366 }
367 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
368 if ($prot ne 'ICMP'){
369 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
370 }
371 elsif($prot eq 'ICMP'){
372 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
373 }
374 }
375 }
376 }
Timo's tree of IPFire 2.x