# iptables chains
my $CHAIN_INPUT = "INPUTFW";
my $CHAIN_FORWARD = "FORWARDFW";
-my $CHAIN_OUTPUT = "OUTPUTFW";
+my $CHAIN_OUTPUT = "OUTGOINGFW";
my $CHAIN = $CHAIN_FORWARD;
my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
+my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");
my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);
+my @log_limit_options = &make_log_limit_options();
+
# MAIN
&main();
}
sub flush {
- run("$IPTABLES -F FORWARDFW");
- run("$IPTABLES -F INPUTFW");
- run("$IPTABLES -F OUTGOINGFW");
- run("$IPTABLES -t nat -F NAT_DESTINATION");
- run("$IPTABLES -t nat -F NAT_SOURCE");
+ run("$IPTABLES -F $CHAIN_INPUT");
+ run("$IPTABLES -F $CHAIN_FORWARD");
+ run("$IPTABLES -F $CHAIN_OUTPUT");
+ run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
+ run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
}
# Collect all destinations.
my @destinations = &get_addresses($hash, $key, "tgt");
- my $time_constraints = "";
-
# Check if logging should be enabled.
my $LOG = ($$hash{$key}[17] eq 'ON');
}
# Prepare protocol options (like ICMP types, ports, etc...).
- my @protocol_options = &get_protocol_options($hash, $key, $protocol);
+ my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);
# Check if this protocol knows ports.
my $protocol_has_ports = ($protocol ~~ @PROTOCOLS_WITH_PORTS);
# Skip invalid rules.
next if (!$source || !$destination || ($destination eq "none"));
+ # Sanitize source.
+ if ($source ~~ @ANY_ADDRESSES) {
+ $source = "";
+ }
+
+ # Sanitize destination.
+ if ($destination ~~ @ANY_ADDRESSES) {
+ $destination = "";
+ }
+
# Array with iptables arguments.
my @options = ();
# Append protocol.
if ($protocol ne "all") {
- push(@options, ("-p", $protocol));
push(@options, @protocol_options);
}
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } else {
+ } elsif ($source) {
push(@source_options, ("-s", $source));
}
# Prepare destination options.
- my @destination_options = ("-d", $destination);
+ my @destination_options = ();
+ if ($destination) {
+ push(@destination_options, ("-d", $destination));
+ }
# Add time constraint options.
push(@options, @time_options);
+ my $firewall_is_in_source_subnet = 0;
+ if ($source) {
+ $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+ }
+
# Process NAT rules.
if ($NAT) {
- my $nat_address = &get_nat_address($$hash{$key}[29]);
+ my $nat_address = &get_nat_address($$hash{$key}[29], $source);
# Skip NAT rules if the NAT address is unknown
# (i.e. no internet connection has been established, yet).
# Destination NAT
if ($NAT_MODE eq "DNAT") {
# Make port-forwardings useable from the internal networks.
- &add_dnat_mangle_rules($nat_address, @options);
+ my @internal_addresses = &get_internal_firewall_ip_addresses(1);
+ unless ($nat_address ~~ @internal_addresses) {
+ &add_dnat_mangle_rules($nat_address, @options);
+ }
- my @nat_options = @options;
+ my @nat_options = ();
+ if ($protocol ne "all") {
+ my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
+ push(@nat_options, @nat_protocol_options);
+ }
push(@nat_options, @source_options);
push(@nat_options, ("-d", $nat_address));
if ($dnat_port) {
$dnat_address .= ":$dnat_port";
-
- # Replace --dport with the translated one.
- my @new_nat_options = ();
- my $skip_count = 0;
- foreach my $option (@nat_options) {
- next if ($skip_count-- > 0);
-
- if ($option eq "--dport") {
- push(@new_nat_options, ("--dport", $dnat_port));
- $skip_count = 1;
- next;
- }
-
- push(@new_nat_options, $option);
- }
- @nat_options = @new_nat_options;
}
}
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG --log-prefix 'DNAT'");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
}
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address");
push(@nat_options, @destination_options);
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log-prefix 'SNAT'");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
}
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
}
}
push(@options, @source_options);
+
+ if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ }
+
push(@options, @destination_options);
# Insert firewall rule.
if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options -j LOG");
+ run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
}
run("$IPTABLES -A $chain @options -j $target");
}
sub get_nat_address {
my $zone = shift;
+ my $source = shift;
# Any static address of any zone.
- if ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
+ if ($zone eq "AUTO") {
+ if ($source) {
+ my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
+ if ($firewall_ip) {
+ return $firewall_ip;
+ }
+
+ $firewall_ip = &get_matching_firewall_address($source, 1);
+ if ($firewall_ip) {
+ return $firewall_ip;
+ }
+ }
+
+ return &get_external_address();
+
+ } elsif ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
return $defaultNetworks{$zone . "_ADDRESS"};
} elsif ($zone eq "Default IP") {
my $hash = shift;
my $key = shift;
my $protocol = shift;
+ my $nat_options_wanted = shift;
my @options = ();
+ # Nothing to do if no protocol is specified.
+ if ($protocol eq "all") {
+ return @options;
+ } else {
+ push(@options, ("-p", $protocol));
+ }
+
# Process source ports.
my $use_src_ports = ($$hash{$key}[7] eq "ON");
my $src_ports = $$hash{$key}[10];
if ($use_dst_ports) {
my $dst_ports_mode = $$hash{$key}[14];
my $dst_ports = $$hash{$key}[15];
- if ($use_dnat && $$hash{$key}[30]) {
- $dst_ports = $$hash{$key}[30];
- }
if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
+ if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
+ $dst_ports = $$hash{$key}[30];
+ }
push(@options, &format_ports($dst_ports, "dst"));
} elsif ($dst_ports_mode eq "cust_srv") {
push(@options, ("-m", "multiport"));
}
- push(@options, ($arg, $ports));
+ if ($ports) {
+ push(@options, ($arg, $ports));
+ }
return @options;
}
my $key = shift;
if ($$hash{$key}[14] eq "TGT_PORT") {
- return $$hash{$key}[15];
+ my $port = $$hash{$key}[15];
+ my $external_port = $$hash{$key}[30];
+
+ if ($external_port && ($port ne $external_port)) {
+ return $$hash{$key}[15];
+ }
}
}
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
}
}
+
+sub make_log_limit_options {
+ my @options = ("-m", "limit");
+
+ # Maybe we should get this from the configuration.
+ my $limit = 10;
+
+ # We limit log messages to $limit messages per minute.
+ push(@options, ("--limit", "$limit/min"));
+
+ # And we allow bursts of 2x $limit.
+ push(@options, ("--limit-burst", $limit * 2));
+
+ return @options;
+}
+
+sub get_internal_firewall_ip_addresses {
+ my $use_orange = shift;
+
+ my @zones = ("GREEN", "BLUE");
+ if ($use_orange) {
+ push(@zones, "ORANGE");
+ }
+
+ my @addresses = ();
+ for my $zone (@zones) {
+ next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+ my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+ push(@addresses, $zone_address);
+ }
+
+ return @addresses;
+}
+
+sub get_internal_firewall_ip_address {
+ my $subnet = shift;
+ my $use_orange = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if ((!$net_mask) || ($net_mask ~~ ["32", "255.255.255.255"])) {
+ return 0;
+ }
+
+ my @addresses = &get_internal_firewall_ip_addresses($use_orange);
+ foreach my $zone_address (@addresses) {
+ if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+ return $zone_address;
+ }
+ }
+
+ return 0;
+}
+
+sub firewall_is_in_subnet {
+ my $subnet = shift;
+
+ # ORANGE is missing here, because nothing may ever access
+ # the firewall from this network.
+ my $address = &get_internal_firewall_ip_address($subnet, 0);
+
+ if ($address) {
+ return 1;
+ }
+
+ return 0;
+}
+
+sub get_matching_firewall_address {
+ my $addr = shift;
+ my $use_orange = shift;
+
+ my ($address, $netmask) = split("/", $addr);
+
+ my @zones = ("GREEN", "BLUE");
+ if ($use_orange) {
+ push(@zones, "ORANGE");
+ }
+
+ foreach my $zone (@zones) {
+ next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+ my $zone_subnet = $defaultNetworks{$zone . "_NETADDRESS"};
+ my $zone_mask = $defaultNetworks{$zone . "_NETMASK"};
+
+ if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
+ return $defaultNetworks{$zone . "_ADDRESS"};
+ }
+ }
+
+ return 0;
+}