###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2012 #
+# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
-# #
-# Hi folks! I hope this code is useful for all. I needed something to handle #
-# my VPN Connections in a comfortable way. #
-# This script builds firewallrules from the webinterface #
-###############################################################################
use strict;
use Time::Local;
my @timeframe=();
my %configinputfw=();
my %configoutgoingfw=();
-my %configdmzfw=();
+my %confignatfw=();
my %aliases=();
my @DPROT=();
my @p2ps=();
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";
-my $configdmz = "${General::swroot}/forward/dmz";
my $configfwdfw = "${General::swroot}/forward/config";
my $configinput = "${General::swroot}/forward/input";
my $configoutgoing = "${General::swroot}/forward/outgoing";
my $p2pfile = "${General::swroot}/forward/p2protocols";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
-my $errormessage='';
-my $orange;
-my $green;
-my $blue;
+my $errormessage = '';
+my $orange = '';
+my $green = '';
+my $blue = '';
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
-my $CHAIN="FORWARDFW";
-my $conexists='off';
+my $CHAIN = "FORWARDFW";
+my $conexists = 'off';
+my $command = 'iptables -A';
+my $dnat ='';
+my $snat ='';
&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
&General::readhash("$netsettings", \%defaultNetworks);
-&General::readhasharray($configdmz, \%configdmzfw);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
if (-f "/var/ipfire/red/active"){
$conexists='on';
}
-
-################################
-# DEBUG/TEST #
-################################
-my $MODE=1; # 0 - normal operation
- # 1 - print configline and rules to console
- #
-################################
+open (CONN1,"/var/ipfire/red/local-ipaddress");
+my $redip = <CONN1>;
+close(CONN1);
+#################
+# DEBUG/TEST #
+#################
+my $MODE=0; # 0 - normal operation
+ # 1 - print configline and rules to console
+ #
+#################
my $param=shift;
if($param eq 'flush'){
if($MODE eq '0'){
if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
&p2pblock;
- system ("/usr/sbin/firewall-policy");
+ system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
- if ($defaultNetworks{'BLUE_DEV'}){
- $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
- $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
- #set default rules for BLUE
- system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
- }
- if ($defaultNetworks{'ORANGE_DEV'}){
- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- #set default rules for DMZ
- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- if ($defaultNetworks{'BLUE_DEV'}){
- system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
- }
- }
&p2pblock;
- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
+ system ("/etc/sysconfig/firewall.local reload");
}
}
}
system ("iptables -F FORWARDFW");
system ("iptables -F INPUTFW");
system ("iptables -F OUTGOINGFW");
-}
+ system ("iptables -t nat -F NAT_DESTINATION");
+ system ("iptables -t nat -F NAT_SOURCE");
+}
sub preparerules
{
- if (! -z "${General::swroot}/forward/dmz"){
- &buildrules(\%configdmzfw);
- }
if (! -z "${General::swroot}/forward/config"){
&buildrules(\%configfwdfw);
}
{
my $hash=shift;
my $STAG;
+ my $natip;
+ my $snatport;
+ my $fireport;
+ my $nat;
+ my $fwaccessdport;
+ my $natchain;
+ my $icmptype;
foreach my $key (sort {$a <=> $b} keys %$hash){
- next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
+ $command="iptables -A";
+ if ($$hash{$key}[28] eq 'ON'){
+ $command='iptables -t nat -A';
+ $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
+ if($$hash{$key}[31] eq 'dnat'){
+ $nat='DNAT';
+ if ($$hash{$key}[30] =~ /\|/){
+ $$hash{$key}[30]=~ tr/|/,/;
+ $fireport='-m multiport --dport '.$$hash{$key}[30];
+ }else{
+ $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
+ }
+ }else{
+ $nat='SNAT';
+ }
+ }
$STAG='';
if($$hash{$key}[2] eq 'ON'){
#get source ip's
&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
}
}
- }elsif($$hash{$key}[5] eq 'ipfire'){
- if($$hash{$key}[6] eq 'Default IP'){
- open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
+ }elsif($$hash{$key}[5] eq 'ipfire' ){
+ if($$hash{$key}[6] eq 'GREEN'){
+ $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
+ }
+ if($$hash{$key}[6] eq 'BLUE'){
+ $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
+ }
+ if($$hash{$key}[6] eq 'ORANGE'){
+ $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
+ }
+ if($$hash{$key}[6] eq 'ALL'){
+ $targethash{$key}[0]='0.0.0.0/0';
+ }
+ if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
+ open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
$targethash{$key}[0]= <FILE>;
close(FILE);
}else{
}
##get source prot and port
$SRC_TGT='SRC';
- $SPROT = &get_prot($hash,$key);
$SPORT = &get_port($hash,$key);
$SRC_TGT='';
##get target prot and port
$DPROT=&get_prot($hash,$key);
- if ($DPROT eq ''){$DPROT=' ';}
+ if ($DPROT eq ''){$DPROT=' ';}
@DPROT=split(",",$DPROT);
#get time if defined
if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
$TIME=join(",",@timeframe);
-
+
$TIMEFROM="--timestart $time1 ";
$TIMETILL="--timestop $time2 ";
$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
}
- if ($MODE eq '1'){
+ if ($MODE eq '1'){
print "NR:$key ";
foreach my $i (0 .. $#{$$hash{$key}}){
print "$i: $$hash{$key}[$i] ";
#print rules to console
foreach my $DPROT (@DPROT){
$DPORT = &get_port($hash,$key,$DPROT);
- if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
+ $PROT=$DPROT;
$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
foreach my $a (sort keys %sourcehash){
foreach my $b (sort keys %targethash){
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if($DPROT ne ''){
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
if(substr($DPORT, 2, 4) eq 'icmp'){
my @icmprule= split(",",substr($DPORT, 12,));
foreach (@icmprule){
+ $icmptype="--icmp-type ";
+ if ($_ eq "BLANK") {
+ $icmptype="";
+ $_="";
+ }
if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
}
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
}
- }else{
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
}
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ #Process NAT with servicegroup used
+ if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
+ $fwaccessdport=$DPORT;
+ }else{
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
+ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
+ if ($$hash{$key}[30]=~m/|/i){
+ $$hash{$key}[30] =~ s/\|/,/g;
+ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+ }else{
+ $fwaccessdport="--dport $$hash{$key}[30]";
+ }
+ }
+ }
+ print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ next;
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ $natchain='NAT_SOURCE';
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ }
+ if ($$hash{$key}[17] eq 'ON' ){
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+ if ($PROT ne '-p ICMP'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
- }
+ }
}
}
}
}elsif($MODE eq '0'){
foreach my $DPROT (@DPROT){
$DPORT = &get_port($hash,$key,$DPROT);
- if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
+ $PROT=$DPROT;
$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
foreach my $a (sort keys %sourcehash){
foreach my $b (sort keys %targethash){
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if($DPROT ne ''){
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ #Process ICMP RULE
if(substr($DPORT, 2, 4) eq 'icmp'){
my @icmprule= split(",",substr($DPORT, 12,));
foreach (@icmprule){
+ $icmptype="--icmp-type ";
+ if ($_ eq "BLANK") {
+ $icmptype="";
+ $_="";
+ }
if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
}
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
}
- }else{
+ #PROCESS DNAT RULE (Portforward)
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ #Process NAT with servicegroup used
+ if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
+ $fwaccessdport=$DPORT;
+ }else{
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
+ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
+ if ($$hash{$key}[30]=~m/|/i){
+ $$hash{$key}[30] =~ s/\|/,/g;
+ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+ }else{
+ $fwaccessdport="--dport $$hash{$key}[30]";
+ }
+ }
}
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ next;
+ #PROCESS SNAT RULE
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ $natchain='NAT_SOURCE';
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ }
+ if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
- }
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
+ if ($PROT ne '-p ICMP'){
+ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ #PROCESS Prot ICMP and type = All ICMP-Types
+ if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ }
}
}
}
undef $TIME;
undef $TIMEFROM;
undef $TIMETILL;
+ undef $fireport;
+ }
+}
+sub get_nat_ip
+{
+ my $val=shift;
+ my $type=shift;
+ my $result;
+ if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
+ $result=$defaultNetworks{$val.'_ADDRESS'};
+ }elsif($val eq 'ALL'){
+ $result='-i '.$con;
+ }elsif($val eq 'Default IP' && $type eq 'dnat'){
+ $result='-d '.$redip;
+ }elsif($val eq 'Default IP' && $type eq 'snat'){
+ $result=$redip;
+ }else{
+ foreach my $al (sort keys %aliases){
+ if($val eq $al && $type eq 'dnat'){
+ $result='-d '.$aliases{$al}{'IPT'};
+ }elsif($val eq $al && $type eq 'snat'){
+ $result=$aliases{$al}{'IPT'};
+ }
+ }
}
+ return $result;
}
sub get_time
{
}
}
}
-
sub get_address
{
my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
my $type=shift; #src or tgt
my $hash;
if ($type eq 'src'){
- $hash=\%sourcehash;
+ $hash=\%sourcehash;
}else{
$hash=\%targethash;
}
}elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
}elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
- $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
+ $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
}elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
+ }elsif($base eq 'ipfire_src' ){
+ if($base2 eq 'GREEN'){
+ $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
+ }
+ if($base2 eq 'BLUE'){
+ $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
+ }
+ if($base2 eq 'ORANGE'){
+ $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
+ }
+ if($base2 eq 'ALL'){
+ $$hash{$key}[0]='0.0.0.0/0';
+ }
+ if($base2 eq 'RED' || $base2 eq 'RED1'){
+ open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
+ $$hash{$key}[0]= <FILE>;
+ close(FILE);
+ }else{
+ foreach my $alias (sort keys %aliases){
+ if ($base2 eq $alias){
+ $$hash{$key}[0]=$aliases{$alias}{'IPT'};
+ }
+ }
+ }
}
}
sub get_prot
{
my $hash=shift;
my $key=shift;
- if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
- if ($$hash{$key}[10] ne ''){
- return"$$hash{$key}[8]";
- }elsif($$hash{$key}[9] ne ''){
- return"$$hash{$key}[8]";
- }else{
- return "$$hash{$key}[8]";
- }
- }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
- if ($$hash{$key}[14] eq 'TGT_PORT'){
- if ($$hash{$key}[15] ne ''){
- return "$$hash{$key}[12]";
- }elsif($$hash{$key}[13] ne ''){
- return "$$hash{$key}[12]";
- }else{
- return "$$hash{$key}[12]";
- }
- }elsif($$hash{$key}[14] eq 'cust_srv'){
+ #check AH,GRE,ESP or ICMP
+ if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
+ return "$$hash{$key}[8]";
+ }
+ if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
+ #check if servicegroup or service
+ if($$hash{$key}[14] eq 'cust_srv'){
return &fwlib::get_srv_prot($$hash{$key}[15]);
-
}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
+ }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
+ return "TCP,UDP";
+ }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
+ return "$$hash{$key}[8]";
+ }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
+ return "$$hash{$key}[8]";
+ }else{
+ return "$$hash{$key}[8]";
}
}
+ #DNAT
+ if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
+ return "$$hash{$key}[8]";
+ }
}
sub get_port
{
if(index($$hash{$key}[10],",") > 0){
return "-m multiport --sport $$hash{$key}[10] ";
}else{
- return "--sport $$hash{$key}[10] ";
+ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
+ return "--sport $$hash{$key}[10] ";
+ }else{
+ return ":$$hash{$key}[10]";
+ }
}
- }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
- return "--icmp-type $$hash{$key}[9] ";
- }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
- return;
}
}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
-
if($$hash{$key}[14] eq 'TGT_PORT'){
if ($$hash{$key}[15] ne ''){
$$hash{$key}[15] =~ s/\|/,/g;
if(index($$hash{$key}[15],",") > 0){
return "-m multiport --dport $$hash{$key}[15] ";
}else{
- return "--dport $$hash{$key}[15] ";
+ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
+ return "--dport $$hash{$key}[15] ";
+ }else{
+ $$hash{$key}[15] =~ s/\:/-/g;
+ return ":$$hash{$key}[15]";
+ }
}
- }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
- return "--icmp-type $$hash{$key}[13] ";
- }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
- return;
}
}elsif($$hash{$key}[14] eq 'cust_srv'){
if ($prot ne 'ICMP'){
- return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
- }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
+ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
+ return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ }else{
+ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ }
+ }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
- }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
- return;
}
}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
if ($prot ne 'ICMP'){
}
}
}
+ #CHECK ICMP
+ if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
+ if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
+ return "--icmp-type $$hash{$key}[9] ";
+ }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
+ return;
+ }
+ }
}
projects / people / teissler / ipfire-2.x.git / blobdiff