use Time::Local;
no warnings 'uninitialized';
-# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
+
+# Set to one to enable debugging mode.
+my $DEBUG = 0;
my %fwdfwsettings=();
my %defaultNetworks=();
my %aliases=();
my @DPROT=();
my @p2ps=();
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-require "${General::swroot}/firewall/bin/firewall-lib.pl";
my $configfwdfw = "${General::swroot}/firewall/config";
my $configinput = "${General::swroot}/firewall/input";
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN = "FORWARDFW";
my $conexists = 'off';
-my $command = 'iptables -A';
+my $command = 'iptables --wait -A';
my $dnat ='';
my $snat ='';
open (CONN,"/var/ipfire/red/iface");
my $con = <CONN>;
close(CONN);
+
if (-f "/var/ipfire/red/active"){
$conexists='on';
}
+
open (CONN1,"/var/ipfire/red/local-ipaddress");
my $redip = <CONN1>;
close(CONN1);
-#################
-# DEBUG/TEST #
-#################
-my $MODE=0; # 0 - normal operation
- # 1 - print configline and rules to console
- #
-#################
-my $param=shift;
-
-if($param eq 'flush'){
- if ($MODE eq '1'){
- print " Flushing chains...\n";
- }
- &flush;
-}else{
- if ($MODE eq '1'){
- print " Flushing chains...\n";
- }
- &flush;
- if ($MODE eq '1'){
- print " Preparing rules...\n";
- }
- &preparerules;
- if($MODE eq '0'){
- if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
- &p2pblock;
- system ("/usr/sbin/firewall-policy");
- }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- &p2pblock;
- system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
- system ("/usr/sbin/firewall-policy");
- system ("/etc/sysconfig/firewall.local reload");
- }
+
+# MAIN
+&main();
+
+sub main {
+ # Flush all chains.
+ &flush();
+
+ # Reload firewall rules.
+ &preparerules();
+
+ # Load P2P block rules.
+ &p2pblock();
+
+ # Reload firewall policy.
+ run("/usr/sbin/firewall-policy");
+}
+
+sub run {
+ # Executes or prints the given shell command.
+ my $command = shift;
+
+ if ($DEBUG) {
+ print "$command\n";
+ } else {
+ system "$command";
}
}
-sub flush
-{
- system ("iptables -F FORWARDFW");
- system ("iptables -F INPUTFW");
- system ("iptables -F OUTGOINGFW");
- system ("iptables -t nat -F NAT_DESTINATION");
- system ("iptables -t nat -F NAT_SOURCE");
+
+sub flush {
+ run("iptables --wait -F FORWARDFW");
+ run("iptables --wait -F INPUTFW");
+ run("iptables --wait -F OUTGOINGFW");
+ run("iptables --wait -t nat -F NAT_DESTINATION");
+ run("iptables --wait -t nat -F NAT_SOURCE");
}
-sub preparerules
-{
+
+sub preparerules {
if (! -z "${General::swroot}/firewall/config"){
&buildrules(\%configfwdfw);
}
&buildrules(\%configoutgoingfw);
}
}
-sub buildrules
-{
+
+sub buildrules {
my $hash=shift;
my $STAG;
my $natip;
my $icmptype;
foreach my $key (sort {$a <=> $b} keys %$hash){
next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
- $command="iptables -A";
+ $command="iptables --wait -A";
if ($$hash{$key}[28] eq 'ON'){
- $command='iptables -t nat -A';
+ $command='iptables --wait -t nat -A';
$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
if($$hash{$key}[31] eq 'dnat'){
$nat='DNAT';
$TIMETILL="--timestop $time2 ";
$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
}
- if ($MODE eq '1'){
- print "NR:$key ";
- foreach my $i (0 .. $#{$$hash{$key}}){
- print "$i: $$hash{$key}[$i] ";
+ foreach my $DPROT (@DPROT){
+ $DPORT = &get_port($hash,$key,$DPROT);
+ $PROT=$DPROT;
+ $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+ if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
+ $DPORT='';
}
- print "\n";
- print"##################################\n";
- #print rules to console
- foreach my $DPROT (@DPROT){
- $DPORT = &get_port($hash,$key,$DPROT);
- $PROT=$DPROT;
- $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
- foreach my $a (sort keys %sourcehash){
- foreach my $b (sort keys %targethash){
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($DPROT ne ''){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- if(substr($DPORT, 2, 4) eq 'icmp'){
- my @icmprule= split(",",substr($DPORT, 12,));
- foreach (@icmprule){
- $icmptype="--icmp-type ";
- if ($_ eq "BLANK") {
- $icmptype="";
- $_="";
- }
- if ($$hash{$key}[17] eq 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
- }
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
+ foreach my $a (sort keys %sourcehash){
+ foreach my $b (sort keys %targethash){
+ if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
+ #Skip rules when no RED IP is set (DHCP,DSL)
+ next;
+ }
+ next if ($targethash{$b}[0] eq 'none');
+ $STAG='';
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($DPROT ne ''){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ #Process ICMP RULE
+ if(substr($DPORT, 2, 4) eq 'icmp'){
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+ $icmptype="--icmp-type ";
+ if ($_ eq "BLANK") {
+ $icmptype="";
+ $_="";
}
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
- $natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
}
- my ($ip,$sub) =split("/",$targethash{$b}[0]);
- #Process NAT with servicegroup used
- if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
- $fwaccessdport=$DPORT;
- }else{
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
- $DPORT =~ s/\-/:/g;
- if ($DPORT){
- $fwaccessdport="--dport ".substr($DPORT,1,);
- }elsif(! $DPORT && $$hash{$key}[30] ne ''){
- if ($$hash{$key}[30]=~m/|/i){
- $$hash{$key}[30] =~ s/\|/,/g;
- $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
- }else{
- $fwaccessdport="--dport $$hash{$key}[30]";
- }
- }
- }
- print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
- next;
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- $natchain='NAT_SOURCE';
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
}
- if ($$hash{$key}[17] eq 'ON' ){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ #PROCESS DNAT RULE (Portforward)
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
+ if ($$hash{$key}[17] eq 'ON'){
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
}
- if ($PROT ne '-p ICMP'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
- }
- if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
- }
- }
- }
- }
- }
- print"\n";
- }
- }elsif($MODE eq '0'){
- foreach my $DPROT (@DPROT){
- $DPORT = &get_port($hash,$key,$DPROT);
- $PROT=$DPROT;
- $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
- foreach my $a (sort keys %sourcehash){
- foreach my $b (sort keys %targethash){
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($DPROT ne ''){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- #Process ICMP RULE
- if(substr($DPORT, 2, 4) eq 'icmp'){
- my @icmprule= split(",",substr($DPORT, 12,));
- foreach (@icmprule){
- $icmptype="--icmp-type ";
- if ($_ eq "BLANK") {
- $icmptype="";
- $_="";
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ #Process NAT with servicegroup used
+ if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT");
+ $fwaccessdport=$DPORT;
+ }else{
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT");
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
+ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
+ if ($$hash{$key}[30]=~m/|/i){
+ $$hash{$key}[30] =~ s/\|/,/g;
+ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+ }else{
+ $fwaccessdport="--dport $$hash{$key}[30]";
}
- if ($$hash{$key}[17] eq 'ON'){
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
- }
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
- }
- #PROCESS DNAT RULE (Portforward)
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
- $natchain='NAT_DESTINATION';
- if ($$hash{$key}[17] eq 'ON'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
}
- my ($ip,$sub) =split("/",$targethash{$b}[0]);
- #Process NAT with servicegroup used
- if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
- $fwaccessdport=$DPORT;
- }else{
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
- $DPORT =~ s/\-/:/g;
- if ($DPORT){
- $fwaccessdport="--dport ".substr($DPORT,1,);
- }elsif(! $DPORT && $$hash{$key}[30] ne ''){
- if ($$hash{$key}[30]=~m/|/i){
- $$hash{$key}[30] =~ s/\|/,/g;
- $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
- }else{
- $fwaccessdport="--dport $$hash{$key}[30]";
- }
- }
- }
- system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
- next;
- #PROCESS SNAT RULE
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- $natchain='NAT_SOURCE';
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
}
- if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ run("iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
+ next;
+ #PROCESS SNAT RULE
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ $natchain='NAT_SOURCE';
+ if ($$hash{$key}[17] eq 'ON' ){
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
}
- #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
- if ($PROT ne '-p ICMP'){
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip");
+ }
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
+ if ($PROT ne '-p ICMP'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
}
- #PROCESS Prot ICMP and type = All ICMP-Types
- if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ }
+ #PROCESS Prot ICMP and type = All ICMP-Types
+ if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
}
+ run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
}
}
}
undef $fireport;
}
}
-sub get_nat_ip
-{
+
+sub get_nat_ip {
my $val=shift;
my $type=shift;
my $result;
}
return $result;
}
-sub get_time
-{
+
+sub get_time {
my $val=shift;
my $val1=shift;
my $time;
$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
return $time;
}
-sub time_get_utc
-{
+
+sub time_get_utc {
# Calculates the UTCtime from a given time
my $val=shift;
my @localtime=localtime(time);
my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
return $diff;
}
-sub utcmin
-{
+
+sub utcmin {
my $ruletime=shift;
my ($hrs,$min) = split(":",$ruletime);
my $newtime = $hrs*60+$min;
return $newtime;
}
-sub p2pblock
-{
+
+sub p2pblock {
my $P2PSTRING;
my $DO;
open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
}
}
}
- if ($MODE eq 1){
- if($P2PSTRING){
- print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
- }
- }else{
- if($P2PSTRING){
- system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
- }
+
+ if($P2PSTRING) {
+ run("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
}
}
-sub get_address
-{
+
+sub get_address {
my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
my $base2=shift;
my $type=shift; #src or tgt
$$hash{$key}[0]='0.0.0.0/0';
}
if($base2 eq 'RED' || $base2 eq 'RED1'){
- open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
+ open(FILE, "/var/ipfire/red/local-ipaddress");
$$hash{$key}[0]= <FILE>;
close(FILE);
}else{
}
}
}
-sub get_prot
-{
+
+sub get_prot {
my $hash=shift;
my $key=shift;
#check AH,GRE,ESP or ICMP
return "$$hash{$key}[8]";
}
}
-sub get_port
-{
+
+sub get_port {
my $hash=shift;
my $key=shift;
my $prot=shift;
+ #Get manual defined Ports from SOURCE
if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
if ($$hash{$key}[10] ne ''){
$$hash{$key}[10] =~ s/\|/,/g;
}
}
}
+ #Get manual ports from TARGET
}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
if($$hash{$key}[14] eq 'TGT_PORT'){
if ($$hash{$key}[15] ne ''){
}
}
}
+ #Get ports defined in custom Service (firewall-groups)
}elsif($$hash{$key}[14] eq 'cust_srv'){
if ($prot ne 'ICMP'){
if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
- return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ $ports =~ s/\:/-/g;
+ return ":".$ports
}else{
return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
}
}elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
}
+ #Get ports from services which are used in custom servicegroups (firewall-groups)
}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
if ($prot ne 'ICMP'){
return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
projects / people / teissler / ipfire-2.x.git / blobdiff