my $nat;
my $fwaccessdport;
my $natchain;
+ my $icmptype;
foreach my $key (sort {$a <=> $b} keys %$hash){
next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
+ $command="iptables -A";
if ($$hash{$key}[28] eq 'ON'){
$command='iptables -t nat -A';
$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
if(substr($DPORT, 2, 4) eq 'icmp'){
my @icmprule= split(",",substr($DPORT, 12,));
foreach (@icmprule){
+ $icmptype="--icmp-type ";
+ if ($_ eq "BLANK") {
+ $icmptype="";
+ $_="";
+ }
if ($$hash{$key}[17] eq 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
}
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
}
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
$natchain='NAT_DESTINATION';
$natchain='NAT_SOURCE';
print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
}
- if ($$hash{$key}[17] eq 'ON'){
+ if ($$hash{$key}[17] eq 'ON' ){
print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
if ($PROT ne '-p ICMP'){
if(substr($DPORT, 2, 4) eq 'icmp'){
my @icmprule= split(",",substr($DPORT, 12,));
foreach (@icmprule){
+ $icmptype="--icmp-type ";
+ if ($_ eq "BLANK") {
+ $icmptype="";
+ $_="";
+ }
if ($$hash{$key}[17] eq 'ON'){
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
}
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
}
#PROCESS DNAT RULE (Portforward)
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
$natchain='NAT_SOURCE';
system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
}
- if ($$hash{$key}[17] eq 'ON'){
+ if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
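Review bot: The guard added to the second LOG rule (`&& substr($DPORT, 2, 4) ne 'icmp'`) is not mirrored on the first one, so the `print` preview still emits a LOG line for ICMP rules that the `system` path now suppresses, and the two outputs diverge for exactly the case this commit is fixing; apply the same test there: `if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){`. Note also that `$command` is now reset at the top of each iteration but `$natchain` is not: within this hunk it is only assigned in the dnat branches, so a non-NAT rule following a DNAT rule appears to log into the previous rule's NAT chain unless it is reset somewhere outside the hunk — worth confirming. Each ICMP type is also spliced into a single shell string handed to `system`; if `$DPORT` ultimately originates from web-UI input, rejecting anything that is not `BLANK` or a known icmp type name/number before building the command (or using list-form `system`) keeps the shell out of the path. The enclosing sub starts before and continues after this hunk.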
}
}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
if ($$hash{$key}[14] eq 'TGT_PORT'){
- if ($$hash{$key}[15] ne ''){
- return "$$hash{$key}[12]";
+ if ($$hash{$key}[15] ne '' && $$hash{$key}[8] eq ''){
+ return "TCP,UDP";
}elsif($$hash{$key}[13] ne ''){
- return "$$hash{$key}[12]";
+ return "$$hash{$key}[8]";
+ }elsif($$hash{$key}[15] ne ''){
+ return "$$hash{$key}[8]";
}else{
- return "$$hash{$key}[12]";
+ return "$$hash{$key}[8]";
}
}elsif($$hash{$key}[14] eq 'cust_srv'){
return &fwlib::get_srv_prot($$hash{$key}[15]);
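Review bot: The three branches after the new `TCP,UDP` case all return `$$hash{$key}[8]`, so the `elsif` chain distinguishes nothing; the block reads more clearly as `return "TCP,UDP" if ($$hash{$key}[15] ne '' && $$hash{$key}[8] eq ''); return "$$hash{$key}[8]";`. Since the commit silently moves the returned value from index 12 to index 8, a one-line comment naming what fields 8, 13 and 15 hold would spare the next reader a trip to the rule-record layout, e.g. `# [8] protocol, [13]/[15] port fields of the rule record` if that is indeed what they are. The `cust_srv` branch still delegates to `fwlib::get_srv_prot`, so the `TCP,UDP` default only applies to the `TGT_PORT` case. The enclosing sub starts before this hunk.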
}
#DNAT
if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
- return "$$hash{$key}[12]";
+ return "$$hash{$key}[8]";
}
}
sub get_port
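Review bot: The DNAT guard still requires `$$hash{$key}[12] ne ''` while the return now reads field 8, so a rule with field 12 set and field 8 empty returns an empty string as its protocol rather than a usable default; the `TGT_PORT` branch changed in the same commit treats an empty field 8 as `TCP,UDP`, and it is not clear why this branch should behave differently. If the fields carry the same meaning here, either extend the guard with `&& $$hash{$key}[8] ne ''` or return the same `TCP,UDP` default when field 8 is empty. The enclosing sub starts before this hunk.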