X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Ffirewall%2Frules.pl;h=6b22ea378a97ef8feb7358abff923d73634c92ea;hp=f1584f3d2d4f136bebdd97938114f5e14931928d;hb=1f9e7b53b74a139cf10a95c40995f887cfb24407;hpb=0fc392d65d513df573573dec57ccf06af2c29a9f diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f1584f3d2..6b22ea378 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -23,9 +23,14 @@ use strict; use Time::Local; no warnings 'uninitialized'; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; +require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; +require "/usr/lib/firewall/firewall-lib.pl"; + +# Set to one to enable debugging mode. +my $DEBUG = 0; + +my $IPTABLES = "iptables --wait"; my %fwdfwsettings=(); my %defaultNetworks=(); @@ -43,9 +48,6 @@ my %confignatfw=(); my %aliases=(); my @DPROT=(); my @p2ps=(); -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/firewall/bin/firewall-lib.pl"; my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; @@ -60,7 +62,6 @@ my $blue = ''; my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); my $CHAIN = "FORWARDFW"; my $conexists = 'off'; -my $command = 'iptables -A'; my $dnat =''; my $snat =''; 
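Review bot: `my $IPTABLES = "iptables --wait";` drops the absolute path that the old `p2pblock` code used (`/sbin/iptables`), and the string is later handed to a one-argument `system`, so a root-run script invoked from init scripts and the web UI now resolves the binary through whatever PATH a shell inherits. Pin it: `my $IPTABLES = "/sbin/iptables --wait";`. Adding `--wait` is the right move, since without it a concurrent iptables process holding the xtables lock makes the rule load fail. The hard-coded `my $DEBUG = 0;` replaces the old `$MODE` flag, so a one-line comment saying how a developer is expected to flip it (edit the file, no command-line switch) would save the next reader a search.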
@@ -76,57 +77,52 @@ my $snat =''; open (CONN,"/var/ipfire/red/iface"); my $con = ; close(CONN); + if (-f "/var/ipfire/red/active"){ $conexists='on'; } + open (CONN1,"/var/ipfire/red/local-ipaddress"); my $redip = ; close(CONN1); -################# -# DEBUG/TEST # -################# -my $MODE=0; # 0 - normal operation - # 1 - print configline and rules to console - # -################# -my $param=shift; - -if($param eq 'flush'){ - if ($MODE eq '1'){ - print " Flushing chains...\n"; - } - &flush; -}else{ - if ($MODE eq '1'){ - print " Flushing chains...\n"; - } - &flush; - if ($MODE eq '1'){ - print " Preparing rules...\n"; - } - &preparerules; - if($MODE eq '0'){ - if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ - &p2pblock; - system ("/usr/sbin/firewall-policy"); - }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - &p2pblock; - system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); - system ("/usr/sbin/firewall-policy"); - system ("/etc/sysconfig/firewall.local reload"); - } + +# MAIN +&main(); + +sub main { + # Flush all chains. + &flush(); + + # Reload firewall rules. + &preparerules(); + + # Load P2P block rules. + &p2pblock(); + + # Reload firewall policy. + run("/usr/sbin/firewall-policy"); +} + +sub run { + # Executes or prints the given shell command. + my $command = shift; + + if ($DEBUG) { + print "$command\n"; + } else { + system "$command"; } } -sub flush -{ - system ("iptables -F FORWARDFW"); - system ("iptables -F INPUTFW"); - system ("iptables -F OUTGOINGFW"); - system ("iptables -t nat -F NAT_DESTINATION"); - system ("iptables -t nat -F NAT_SOURCE"); + +sub flush { + run("$IPTABLES -F FORWARDFW"); + run("$IPTABLES -F INPUTFW"); + run("$IPTABLES -F OUTGOINGFW"); + run("$IPTABLES -t nat -F NAT_DESTINATION"); + run("$IPTABLES -t nat -F NAT_SOURCE"); } -sub preparerules -{ + +sub preparerules { if (! -z "${General::swroot}/firewall/config"){ &buildrules(\%configfwdfw); } 
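Review bot: `run()` discards the exit status of `system "$command"`, so an iptables invocation that is rejected (bad address, stale interface name, lock error) is lost without any diagnostic, and because `main()` flushes FORWARDFW, INPUTFW, OUTGOINGFW and both NAT chains first, the box is left with whatever subset of rules happened to load. At minimum report it: `system($command) == 0 or warn "rules.pl: '$command' failed: $?\n";`. The single-string form also runs through `/bin/sh`, so every field interpolated into a rule (addresses, ports, log prefixes read from the firewall config files) is shell-parsed; that was already true of the old `system ("...")` calls, but the new helper is the natural place to move to the list form if the command is ever built as an argument array. The old `flush` command-line argument is no longer honoured since `main()` always performs the full rebuild, which is worth a comment above `&main();` if any caller still passes it.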
@@ -137,8 +133,8 @@ sub preparerules &buildrules(\%configoutgoingfw); } } -sub buildrules -{ + +sub buildrules { my $hash=shift; my $STAG; my $natip; @@ -150,9 +146,7 @@ sub buildrules my $icmptype; foreach my $key (sort {$a <=> $b} keys %$hash){ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); - $command="iptables -A"; if ($$hash{$key}[28] eq 'ON'){ - $command='iptables -t nat -A'; $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); if($$hash{$key}[31] eq 'dnat'){ $nat='DNAT'; 
@@ -242,148 +236,86 @@ sub buildrules $TIMETILL="--timestop $time2 "; $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } - if ($MODE eq '1'){ - print "NR:$key "; - foreach my $i (0 .. $#{$$hash{$key}}){ - print "$i: $$hash{$key}[$i] "; + foreach my $DPROT (@DPROT){ + $DPORT = &get_port($hash,$key,$DPROT); + $PROT=$DPROT; + $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); + if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){ + $DPORT=''; } - print "\n"; - print"##################################\n"; - #print rules to console - foreach my $DPROT (@DPROT){ - $DPORT = &get_port($hash,$key,$DPROT); - $PROT=$DPROT; - $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); - foreach my $a (sort keys %sourcehash){ - foreach my $b (sort keys %targethash){ - if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ - if($DPROT ne ''){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} - if(substr($DPORT, 2, 4) eq 'icmp'){ - my @icmprule= split(",",substr($DPORT, 12,)); - foreach (@icmprule){ - $icmptype="--icmp-type "; - if ($_ eq "BLANK") { - $icmptype=""; - $_=""; - } - if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; - } - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; + foreach my $a (sort keys %sourcehash){ + foreach my $b (sort keys %targethash){ + if(! $sourcehash{$a}[0] || ! 
$targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){ + #Skip rules when no RED IP is set (DHCP,DSL) + next; + } + next if ($targethash{$b}[0] eq 'none'); + $STAG=''; + if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ + if($DPROT ne ''){ + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + #Process ICMP RULE + if(substr($DPORT, 2, 4) eq 'icmp'){ + my @icmprule= split(",",substr($DPORT, 12,)); + foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; } - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ - $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; - } - my ($ip,$sub) =split("/",$targethash{$b}[0]); - #Process NAT with servicegroup used - if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; - $fwaccessdport=$DPORT; - }else{ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; - $DPORT =~ s/\-/:/g; - if ($DPORT){ - $fwaccessdport="--dport ".substr($DPORT,1,); - }elsif(! 
$DPORT && $$hash{$key}[30] ne ''){ - if ($$hash{$key}[30]=~m/|/i){ - $$hash{$key}[30] =~ s/\|/,/g; - $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; - }else{ - $fwaccessdport="--dport $$hash{$key}[30]"; - } - } + run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); } - print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - next; - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - $natchain='NAT_SOURCE'; - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); } - if ($$hash{$key}[17] eq 'ON' ){ - print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - if ($PROT ne '-p ICMP'){ - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + #PROCESS DNAT RULE (Portforward) + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; + if ($$hash{$key}[17] eq 'ON'){ + run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'"); } - if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; - } - } - } - } - } - print"\n"; - } - }elsif($MODE eq '0'){ - foreach my $DPROT (@DPROT){ - $DPORT = &get_port($hash,$key,$DPROT); - $PROT=$DPROT; - $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); - foreach my $a (sort keys %sourcehash){ - foreach my $b (sort keys %targethash){ - if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || 
$sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ - if($DPROT ne ''){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} - #Process ICMP RULE - if(substr($DPORT, 2, 4) eq 'icmp'){ - my @icmprule= split(",",substr($DPORT, 12,)); - foreach (@icmprule){ - $icmptype="--icmp-type "; - if ($_ eq "BLANK") { - $icmptype=""; - $_=""; - } - if ($$hash{$key}[17] eq 'ON'){ - system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); + my ($ip,$sub) =split("/",$targethash{$b}[0]); + #Process NAT with servicegroup used + if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ + run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT"); + $fwaccessdport=$DPORT; + }else{ + run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT"); + $DPORT =~ s/\-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! 
$DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; } - system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); - } - #PROCESS DNAT RULE (Portforward) - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ - $natchain='NAT_DESTINATION'; - if ($$hash{$key}[17] eq 'ON'){ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } - my ($ip,$sub) =split("/",$targethash{$b}[0]); - #Process NAT with servicegroup used - if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; - $fwaccessdport=$DPORT; - }else{ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; - $DPORT =~ s/\-/:/g; - if ($DPORT){ - $fwaccessdport="--dport ".substr($DPORT,1,); - }elsif(! 
$DPORT && $$hash{$key}[30] ne ''){ - if ($$hash{$key}[30]=~m/|/i){ - $$hash{$key}[30] =~ s/\|/,/g; - $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; - }else{ - $fwaccessdport="--dport $$hash{$key}[30]"; - } - } - } - system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - next; - #PROCESS SNAT RULE - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - $natchain='NAT_SOURCE'; - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } - if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){ - system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]"); + next; + #PROCESS SNAT RULE + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + if ($$hash{$key}[17] eq 'ON' ){ + run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'"); } - #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) - if ($PROT ne '-p ICMP'){ - system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + run("$IPTABLES -t nat -A $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip"); + } + #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) + if ($PROT ne '-p ICMP'){ + if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ + run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } - #PROCESS Prot ICMP and type = All ICMP-Types - if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ - system "iptables -A 
$$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); + } + #PROCESS Prot ICMP and type = All ICMP-Types + if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ + if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){ + run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } + run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); } } } @@ -399,8 +331,8 @@ sub buildrules undef $fireport; } } -sub get_nat_ip -{ + +sub get_nat_ip { my $val=shift; my $type=shift; my $result; @@ -423,8 +355,8 @@ sub get_nat_ip } return $result; } -sub get_time -{ + +sub get_time { my $val=shift; my $val1=shift; my $time; @@ -437,8 +369,8 @@ sub get_time $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; return $time; } -sub time_get_utc -{ + +sub time_get_utc { # Calculates the UTCtime from a given time my $val=shift; my @localtime=localtime(time); @@ -446,15 +378,15 @@ sub time_get_utc my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); return $diff; } -sub utcmin -{ + +sub utcmin { my $ruletime=shift; my ($hrs,$min) = split(":",$ruletime); my $newtime = $hrs*60+$min; return $newtime; } -sub p2pblock -{ + +sub p2pblock { my $P2PSTRING; my $DO; open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; 
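Review bot: The FORWARDFW accept rule emitted for a DNAT entry, `run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]")`, no longer carries the `-i $con` that the replaced `print`/`system` lines had, so the port-forward accept now matches traffic to the target host arriving on any interface instead of only on RED; if that widening is intended, say so in a comment next to the call, otherwise restore `-i $con`. Also carried over on the new side: `if ($$hash{$key}[30]=~m/|/i)` matches the empty alternation and is therefore always true, so single-port DNAT rules always take the `-m multiport` branch; the intended test is `m/\|/`. The enclosing `buildrules` starts before this hunk and ends after it.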
@@ -475,18 +407,13 @@ sub p2pblock } } } - if ($MODE eq 1){ - if($P2PSTRING){ - print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n"; - } - }else{ - if($P2PSTRING){ - system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO"); - } + + if($P2PSTRING) { + run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO"); } } -sub get_address -{ + +sub get_address { my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey my $base2=shift; my $type=shift; #src or tgt @@ -531,7 +458,7 @@ sub get_address $$hash{$key}[0]='0.0.0.0/0'; } if($base2 eq 'RED' || $base2 eq 'RED1'){ - open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + open(FILE, "/var/ipfire/red/local-ipaddress"); $$hash{$key}[0]= ; close(FILE); }else{ @@ -543,8 +470,8 @@ sub get_address } } } -sub get_prot -{ + +sub get_prot { my $hash=shift; my $key=shift; #check AH,GRE,ESP or ICMP @@ -572,8 +499,8 @@ sub get_prot return "$$hash{$key}[8]"; } } -sub get_port -{ + +sub get_port { my $hash=shift; my $key=shift; my $prot=shift;
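Review bot: Removing the `or die` from `open(FILE, "/var/ipfire/red/local-ipaddress")` in `get_address` means a failed open (RED down, no DHCP lease yet) is silently followed by a read and a `close` on an unopened bareword handle, and the rule ends up with an undefined address that is only caught later by the `! $sourcehash{$a}[0]` guard in `buildrules`. Make that intent explicit instead of relying on the downstream check: `if (open(FILE, "<", "/var/ipfire/red/local-ipaddress")) { $$hash{$key}[0] = readline(FILE); close(FILE); } else { $$hash{$key}[0] = ''; }`, which also uses the three-argument open. Whether the value read here is ever chomped before being interpolated into the shell command is not visible in this hunk and is worth confirming, since a trailing newline would split the command. `get_address` starts before this hunk and ends after it.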