]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Forward Firewall: added a customservices file with default values
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27
28 use strict;
29 no warnings 'uninitialized';
30
31 # enable only the following on debugging purpose
32 #use warnings;
33 #use CGI::Carp 'fatalsToBrowser';
34
35 my %fwdfwsettings=();
36 my %defaultNetworks=();
37 my %configfwdfw=();
38 my %color=();
39 my %icmptypes=();
40 my %ovpnSettings=();
41 my %customgrp=();
42 our %sourcehash=();
43 our %targethash=();
44 my @timeframe=();
45 my %configinputfw=();
46 my %aliases=();
47 my @DPROT=();
48 require '/var/ipfire/general-functions.pl';
49 require "${General::swroot}/lang.pl";
50 require "${General::swroot}/forward/bin/firewall-lib.pl";
51
52 my $configfwdfw = "${General::swroot}/forward/config";
53 my $configinput = "${General::swroot}/forward/input";
54 my $configgrp = "${General::swroot}/fwhosts/customgroups";
55 my $errormessage='';
56 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
57 my $CHAIN="FORWARDFW";
58
59
60 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
61 &General::readhasharray($configfwdfw, \%configfwdfw);
62 &General::readhasharray($configinput, \%configinputfw);
63 &General::readhasharray($configgrp, \%customgrp);
64 &General::get_aliases(\%aliases);
65
66 ################################
67 # DEBUG/TEST #
68 ################################
69 my $MODE=0; # 0 - normal operation
70 # 1 - print configline and rules to console
71 #
72 ################################
73 my $param=shift;
74
75 if($param eq 'flush'){
76 if ($MODE eq '1'){
77 print " Flushing chains...\n";
78 }
79 &flush;
80 }else{
81 if ($MODE eq '1'){
82 print " Flushing chains...\n";
83 }
84 &flush;
85 if ($MODE eq '1'){
86 print " Preparing rules...\n";
87 }
88 &preparerules;
89 if($MODE eq '0'){
90 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
91 #system ("iptables -A $CHAIN -j DROP");
92 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
93 #system ("iptables -A $CHAIN -j ACCEPT");
94 }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
95 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
96 }
97 }
98 }
99
100 sub flush
101 {
102 system ("iptables -F FORWARDFW");
103 system ("iptables -F INPUTFW");
104 }
105 sub preparerules
106 {
107 if (! -z "${General::swroot}/forward/config"){
108 &buildrules(\%configfwdfw);
109 }
110 if (! -z "${General::swroot}/forward/input"){
111 &buildrules(\%configinputfw);
112 }
113 }
114 sub buildrules
115 {
116
117 my $hash=shift;
118
119 foreach my $key (sort keys %$hash){
120 if($$hash{$key}[2] eq 'ON'){
121 #get source ip's
122 if ($$hash{$key}[3] eq 'cust_grp_src'){
123 foreach my $grp (sort keys %customgrp){
124 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
125 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
126 }
127 }
128 }else{
129 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
130 }
131 #get target ip's
132 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
133 foreach my $grp (sort keys %customgrp){
134 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
135 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
136 }
137 }
138 }elsif($$hash{$key}[5] eq 'ipfire'){
139
140 if($$hash{$key}[6] eq 'Default IP'){
141 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
142 $targethash{$key}[0]= <FILE>;
143 close(FILE);
144 }else{
145 foreach my $alias (sort keys %aliases){
146 if ($$hash{$key}[6] eq $alias){
147 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
148 }
149 }
150 }
151 }else{
152 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
153 }
154 ##get source prot and port
155 $SRC_TGT='SRC';
156 $SPROT = &get_prot($hash,$key);
157 $SPORT = &get_port($hash,$key);
158 $SRC_TGT='';
159
160 ##get target prot and port
161 $DPROT=&get_prot($hash,$key);
162
163 if ($DPROT eq ''){$DPROT=' ';}
164 @DPROT=split(",",$DPROT);
165
166
167 #get time if defined
168 if($$hash{$key}[18] eq 'ON'){
169 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
170 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
171 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
172 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
173 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
174 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
175 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
176 $TIME=join(",",@timeframe);
177 $TIMEFROM="--timestart $$hash{$key}[26] ";
178 $TIMETILL="--timestop $$hash{$key}[27] ";
179 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
180 }
181
182 if ($MODE eq '1'){
183 print "NR:$key ";
184 foreach my $i (0 .. $#{$$hash{$key}}){
185 print "$i: $$hash{$key}[$i] ";
186 }
187 print "\n";
188 print"##################################\n";
189 #print rules to console
190
191 foreach my $DPROT (@DPROT){
192 $DPORT = &get_port($hash,$key,$DPROT);
193 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
194 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
195 foreach my $a (sort keys %sourcehash){
196 foreach my $b (sort keys %targethash){
197 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
198 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
199 if ($$hash{$key}[17] eq 'ON'){
200 print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
201 }
202 print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
203 }
204 }
205 }
206 }
207 print"\n";
208 }
209
210 }elsif($MODE eq '0'){
211 foreach my $DPROT (@DPROT){
212 $DPORT = &get_port($hash,$key,$DPROT);
213 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
214 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
215 foreach my $a (sort keys %sourcehash){
216 foreach my $b (sort keys %targethash){
217 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
218 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
219 if ($$hash{$key}[17] eq 'ON'){
220 system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
221 }
222 system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
223 }
224 }
225 }
226 }
227 print"\n";
228 }
229 }
230 }
231 %sourcehash=();
232 %targethash=();
233 undef $TIME;
234 undef $TIMEFROM;
235 undef $TIMETILL;
236 }
237 }
238 sub get_address
239 {
240 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
241 my $base2=shift;
242 my $type=shift; #src or tgt
243 my $hash;
244 if ($type eq 'src'){
245 $hash=\%sourcehash;
246 }else{
247 $hash=\%targethash;
248 }
249 my $key = &General::findhasharraykey($hash);
250 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
251 $$hash{$key}[0] = $base2;
252 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
253 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
254 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
255 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
256 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
257 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
258 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
259 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
260 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
261 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
262 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
263 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
264 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
265 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
266 }
267 }
268 sub get_prot
269 {
270 my $hash=shift;
271 my $key=shift;
272 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
273 if ($$hash{$key}[10] ne ''){
274 return"$$hash{$key}[8]";
275 }elsif($$hash{$key}[9] ne ''){
276 return"$$hash{$key}[8]";
277 }else{
278 return "$$hash{$key}[8]";
279 }
280 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
281 if ($$hash{$key}[14] eq 'TGT_PORT'){
282 if ($$hash{$key}[15] ne ''){
283 return "$$hash{$key}[12]";
284 }elsif($$hash{$key}[13] ne ''){
285 return "$$hash{$key}[12]";
286 }else{
287 return "$$hash{$key}[12]";
288 }
289 }elsif($$hash{$key}[14] eq 'cust_srv'){
290 return &fwlib::get_srv_prot($$hash{$key}[15]);
291
292 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
293 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
294 }
295 }
296 }
297 sub get_port
298 {
299 my $hash=shift;
300 my $key=shift;
301 my $prot=shift;
302 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
303 if ($$hash{$key}[10] ne ''){
304 return "--sport $$hash{$key}[10] ";
305 }elsif($$hash{$key}[9] ne ''){
306 return "--icmp-type $$hash{$key}[9] ";
307 }
308 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
309
310 if($$hash{$key}[14] eq 'TGT_PORT'){
311 if ($$hash{$key}[15] ne ''){
312 return "--dport $$hash{$key}[15] ";
313 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
314 return "--icmp-type $$hash{$key}[13] ";
315 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
316 return;
317 }
318 }elsif($$hash{$key}[14] eq 'cust_srv'){
319 if ($prot ne 'ICMP'){
320 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
321 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
322 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
323 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
324 return;
325 }
326 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
327 if ($prot ne 'ICMP'){
328 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
329 }
330 elsif($prot eq 'ICMP'){
331 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
332 }
333
334
335 }
336 }
337 }
Timo's tree of IPFire 2.x