my @timeframe=();
my %configinputfw=();
my %configoutgoingfw=();
-my %configdmzfw=();
my %confignatfw=();
my %aliases=();
my @DPROT=();
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";
-my $configdmz = "${General::swroot}/forward/dmz";
my $configfwdfw = "${General::swroot}/forward/config";
my $configinput = "${General::swroot}/forward/input";
my $configoutgoing = "${General::swroot}/forward/outgoing";
my $snat='';
&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
&General::readhash("$netsettings", \%defaultNetworks);
-&General::readhasharray($configdmz, \%configdmzfw);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&p2pblock;
system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
+ system ("/etc/sysconfig/firewall.local reload");
}
}
}
system ("iptables -F FORWARDFW");
system ("iptables -F INPUTFW");
system ("iptables -F OUTGOINGFW");
- system ("iptables -F PORTFWACCESS");
system ("iptables -t nat -F NAT_DESTINATION");
system ("iptables -t nat -F NAT_SOURCE");
}
sub preparerules
{
- if (! -z "${General::swroot}/forward/dmz"){
- &buildrules(\%configdmzfw);
- }
if (! -z "${General::swroot}/forward/config"){
&buildrules(\%configfwdfw);
}
my $fireport;
my $nat;
my $fwaccessdport;
+ my $natchain;
foreach my $key (sort {$a <=> $b} keys %$hash){
- next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
if ($$hash{$key}[28] eq 'ON'){
$command='iptables -t nat -A';
$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
$targethash{$key}[0]='0.0.0.0/0';
}
if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
- open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
$targethash{$key}[0]= <FILE>;
close(FILE);
}else{
}
print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
}
- }elsif($$hash{$key}[28] ne 'ON'){
- if ($$hash{$key}[17] eq 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
}
my ($ip,$sub) =split("/",$targethash{$b}[0]);
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
$DPORT =~ s/\-/:/g;
if ($DPORT){
$fwaccessdport="--dport ".substr($DPORT,1,);
$fwaccessdport="--dport $$hash{$key}[30]";
}
}
- print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ next;
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ $natchain='NAT_SOURCE';
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
}
+ if ($$hash{$key}[17] eq 'ON'){
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
}
}
}
system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
}
- }elsif($$hash{$key}[28] ne 'ON'){
- if ($$hash{$key}[17] eq 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
}
my ($ip,$sub) =split("/",$targethash{$b}[0]);
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
$DPORT =~ s/\-/:/g;
if ($DPORT){
$fwaccessdport="--dport ".substr($DPORT,1,);
$fwaccessdport="--dport $$hash{$key}[30]";
}
}
- system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ next;
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- if ($$hash{$key}[17] eq 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
- }
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
+ $natchain='NAT_SOURCE';
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ }
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
+ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
}
}