- foreach my $a (sort keys %sourcehash){
- foreach my $b (sort keys %targethash){
- if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
- #Skip rules when no RED IP is set (DHCP,DSL)
- next;
- }
- next if ($targethash{$b}[0] eq 'none');
- $STAG='';
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($DPROT ne ''){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- #Process ICMP RULE
- if(substr($DPORT, 2, 4) eq 'icmp'){
- my @icmprule= split(",",substr($DPORT, 12,));
- foreach (@icmprule){
- $icmptype="--icmp-type ";
- if ($_ eq "BLANK") {
- $icmptype="";
- $_="";
- }
- if ($$hash{$key}[17] eq 'ON'){
- run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
- }
- run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
- }
- #PROCESS DNAT RULE (Portforward)
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
- $natchain='NAT_DESTINATION';
- if ($$hash{$key}[17] eq 'ON'){
- run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
- }
- my ($ip,$sub) =split("/",$targethash{$b}[0]);
- #Process NAT with servicegroup used
- if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT");
- $fwaccessdport=$DPORT;
- }else{
- run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT");
- $DPORT =~ s/\-/:/g;
- if ($DPORT){
- $fwaccessdport="--dport ".substr($DPORT,1,);
- }elsif(! $DPORT && $$hash{$key}[30] ne ''){
- if ($$hash{$key}[30]=~m/|/i){
- $$hash{$key}[30] =~ s/\|/,/g;
- $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
- }else{
- $fwaccessdport="--dport $$hash{$key}[30]";
- }
- }
- }
- run("iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
- next;
- #PROCESS SNAT RULE
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- $natchain='NAT_SOURCE';
- if ($$hash{$key}[17] eq 'ON' ){
- run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
- }
- run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip");
- }
- #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
- if ($PROT ne '-p ICMP'){
- if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
- }
- run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+
+ foreach my $dst (@destinations) {
+ # Skip invalid rules.
+ next if (!$dst || ($dst eq "none"));
+
+ # Sanitize destination.
+ my $destination = $dst;
+ if ($destination ~~ @ANY_ADDRESSES) {
+ $destination = "";
+ }
+
+ # Array with iptables arguments.
+ my @options = ();
+
+ # Append protocol.
+ if ($protocol ne "all") {
+ push(@options, @protocol_options);
+ }
+
+ # Prepare source options.
+ my @source_options = ();
+ if ($source =~ /mac/) {
+ push(@source_options, $source);
+ } elsif ($source) {
+ push(@source_options, ("-s", $source));
+ }
+
+ # Prepare destination options.
+ my @destination_options = ();
+ if ($destination) {
+ push(@destination_options, ("-d", $destination));
+ }
+
+ # Add time constraint options.
+ push(@options, @time_options);
+
+ my $firewall_is_in_source_subnet = 0;
+ if ($source) {
+ $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+ }
+
+ # Process NAT rules.
+ if ($NAT) {
+ my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);
+
+ # Skip NAT rules if the NAT address is unknown
+ # (i.e. no internet connection has been established, yet).
+ next unless ($nat_address);
+
+ # Destination NAT
+ if ($NAT_MODE eq "DNAT") {
+ # Make port-forwardings useable from the internal networks.
+ my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+ unless ($nat_address ~~ @internal_addresses) {
+ &add_dnat_mangle_rules($nat_address, @options);
+ }
+
+ my @nat_options = ();
+ if ($protocol ne "all") {
+ my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
+ push(@nat_options, @nat_protocol_options);
+ }
+ push(@nat_options, @source_options);
+ push(@nat_options, ("-d", $nat_address));
+ push(@nat_options, @time_options);
+
+ my $dnat_port;
+ if ($protocol_has_ports) {
+ $dnat_port = &get_dnat_target_port($hash, $key);
+ }
+
+ my @nat_action_options = ();
+
+ # Use iptables REDIRECT
+ my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports && $dnat_port);
+ if ($use_redirect) {
+ push(@nat_action_options, ("-j", "REDIRECT", "--to-ports", $dnat_port));
+
+ # Use iptables DNAT
+ } else {
+ if ($destination_is_firewall && !$destination) {
+ $destination = &fwlib::get_external_address();