- }
- }else{
- &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
- }
- ##get source prot and port
- $SRC_TGT='SRC';
- $SPORT = &get_port($hash,$key);
- $SRC_TGT='';
-
- ##get target prot and port
- $DPROT=&get_prot($hash,$key);
-
- if ($DPROT eq ''){$DPROT=' ';}
- @DPROT=split(",",$DPROT);
-
- #get time if defined
- if($$hash{$key}[18] eq 'ON'){
- my ($time1,$time2,$daylight);
- my $daylight=$$hash{$key}[28];
- $time1=&get_time($$hash{$key}[26],$daylight);
- $time2=&get_time($$hash{$key}[27],$daylight);
- if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
- if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
- if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
- if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
- if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
- if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
- if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
- $TIME=join(",",@timeframe);
-
- $TIMEFROM="--timestart $time1 ";
- $TIMETILL="--timestop $time2 ";
- $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
- }
- if ($MODE eq '1'){
- print "NR:$key ";
- foreach my $i (0 .. $#{$$hash{$key}}){
- print "$i: $$hash{$key}[$i] ";
- }
- print "\n";
- print"##################################\n";
- #print rules to console
- foreach my $DPROT (@DPROT){
- $DPORT = &get_port($hash,$key,$DPROT);
- $PROT=$DPROT;
- $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
- foreach my $a (sort keys %sourcehash){
- foreach my $b (sort keys %targethash){
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($DPROT ne ''){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- if(substr($DPORT, 2, 4) eq 'icmp'){
- my @icmprule= split(",",substr($DPORT, 12,));
- foreach (@icmprule){
- $icmptype="--icmp-type ";
- if ($_ eq "BLANK") {
- $icmptype="";
- $_="";
- }
- if ($$hash{$key}[17] eq 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
- }
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
- }
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
- $natchain='NAT_DESTINATION';
- if ($$hash{$key}[17] eq 'ON'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
- }
- my ($ip,$sub) =split("/",$targethash{$b}[0]);
- #Process NAT with servicegroup used
- if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
- $fwaccessdport=$DPORT;
- }else{
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
- $DPORT =~ s/\-/:/g;
- if ($DPORT){
- $fwaccessdport="--dport ".substr($DPORT,1,);
- }elsif(! $DPORT && $$hash{$key}[30] ne ''){
- if ($$hash{$key}[30]=~m/|/i){
- $$hash{$key}[30] =~ s/\|/,/g;
- $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
- }else{
- $fwaccessdport="--dport $$hash{$key}[30]";
- }
- }
- }
- print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
- next;
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- $natchain='NAT_SOURCE';
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
- }
- if ($$hash{$key}[17] eq 'ON' ){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- if ($PROT ne '-p ICMP'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
- }
- if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
- }
+
+ # Prepare destination options.
+ my @destination_options = ("-d", $destination);
+
+ # Add time constraint options.
+ push(@options, @time_options);
+
+ # Process NAT rules.
+ if ($NAT) {
+ my $nat_address = &get_nat_address($$hash{$key}[29]);
+
+ # Skip NAT rules if the NAT address is unknown
+ # (i.e. no internet connection has been established, yet).
+ next unless ($nat_address);
+
+ # Destination NAT
+ if ($NAT_MODE eq "DNAT") {
+ # Make port-forwardings useable from the internal networks.
+ &add_dnat_mangle_rules($nat_address, @options);
+
+ my @nat_options = @options;
+ push(@nat_options, @source_options);
+ push(@nat_options, ("-d", $nat_address));
+
+ my ($dnat_address, $dnat_mask) = split("/", $destination);
+ @destination_options = ("-d", $dnat_address);
+
+ if ($protocol_has_ports) {
+ my $dnat_port = &get_dnat_target_port($hash, $key);
+
+ if ($dnat_port) {
+ $dnat_address .= ":$dnat_port";