X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Fforwardfw%2Frules.pl;h=1cbbee7a58b77e4358cfaf74253c0ceda8cb09b9;hp=6532a201f4743dd7a1b63c4bc4d5eed82d4de422;hb=08e1c65d856ef4931dd641cdffe75ff75238e286;hpb=f38e0c4de02235f31fbff715af6dde0fcd62a78f
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 6532a201f..1cbbee7a5 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -25,6 +25,7 @@
 ###############################################################################
 use strict;
+use Time::Local;
 no warnings 'uninitialized';
 # enable only the following on debugging purpose
@@ -44,6 +45,7 @@ my @timeframe=();
 my %configinputfw=();
 my %configoutgoingfw=();
 my %configdmzfw=();
+my %confignatfw=();
 my %aliases=();
 my @DPROT=();
 my @p2ps=();
@@ -55,6 +57,7 @@ my $configdmz = "${General::swroot}/forward/dmz";
 my $configfwdfw = "${General::swroot}/forward/config";
 my $configinput = "${General::swroot}/forward/input";
 my $configoutgoing = "${General::swroot}/forward/outgoing";
+my $confignat = "${General::swroot}/forward/nat";
 my $p2pfile = "${General::swroot}/forward/p2protocols";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
 my $netsettings = "${General::swroot}/ethernet/settings";
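Review bot: `use Time::Local;` is added here, but none of the hunks in this diff call `timelocal`/`timegm`; the new `get_time`/`time_get_utc` helpers use only the core `localtime`/`gmtime` built-ins. Unless it is used in a part of the file outside this diff, the import can be dropped, or, if the intent is to compute the UTC offset for the rule's own time rather than for "now", `timegm`/`timelocal` are what it would be needed for.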
@@ -64,17 +67,30 @@ my $green;
 my $blue;
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN="FORWARDFW";
-
-
+my $conexists='off';
+my $command = 'iptables -A';
+my $dnat='';
+my $snat='';
 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
 &General::readhash("$netsettings", \%defaultNetworks);
 &General::readhasharray($configdmz, \%configdmzfw);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
 &General::readhasharray($configoutgoing, \%configoutgoingfw);
+&General::readhasharray($confignat, \%confignatfw);
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);
+#check if we have an internetconnection
+open (CONN,"/var/ipfire/red/iface");
+my $con = ;
+close(CONN);
+if (-f "/var/ipfire/red/active"){
+ $conexists='on';
+}
+open (CONN1,"/var/ipfire/red/local-ipaddress");
+my $redip = ;
+close(CONN1);
 ################################
 # DEBUG/TEST #
 ################################
@@ -131,6 +147,9 @@ sub flush
 system ("iptables -F FORWARDFW");
 system ("iptables -F INPUTFW");
 system ("iptables -F OUTGOINGFW");
+ system ("iptables -F PORTFWACCESS");
+ system ("iptables -t nat -F NAT_DESTINATION");
+ system ("iptables -t nat -F NAT_SOURCE");
 }
 sub preparerules {
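Review bot: The reads of `/var/ipfire/red/iface` and `/var/ipfire/red/local-ipaddress` use bareword handles with an unchecked two-argument `open` and never `chomp` the value (the readline itself appears garbled as `my $con = ;` in this rendering). If either file ends with a newline, that newline is carried into `-i $con` and `-d $redip` and then into the single-string `system` calls in the later hunks, where the shell treats it as a command separator and the rule is cut in two; if the open fails, both stay undef and the generated rules are simply malformed. I would read them with a checked three-argument open and chomp, as below, and also have `buildrules` skip RED-dependent rules when `$con` is empty, since the `next if ... $conexists eq 'off'` test there only looks at `/var/ipfire/red/active`. `$dnat` and `$snat` are declared here but not referenced in any hunk of this diff.
```perl
# … unchanged: readhash / readhasharray / get_aliases calls …
#check if we have an internetconnection
my $con;
if (open my $iface_fh, '<', '/var/ipfire/red/iface') {
	$con = <$iface_fh>;
	close $iface_fh;
	chomp $con if defined $con;
}
if (-f "/var/ipfire/red/active"){
	$conexists='on';
}
my $redip;
if (open my $redip_fh, '<', '/var/ipfire/red/local-ipaddress') {
	$redip = <$redip_fh>;
	close $redip_fh;
	chomp $redip if defined $redip;
}
```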
@@ -146,12 +165,36 @@ sub preparerules
 if (! -z "${General::swroot}/forward/outgoing"){
 &buildrules(\%configoutgoingfw);
 }
+ if (! -z "${General::swroot}/forward/nat"){
+ &buildrules(\%confignatfw);
+ }
 }
 sub buildrules {
 my $hash=shift;
 my $STAG;
+ my $natip;
+ my $snatport;
+ my $fireport;
+ my $nat;
+ my $fwaccessdport;
 foreach my $key (sort {$a <=> $b} keys %$hash){
+ next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
+ if ($$hash{$key}[28] eq 'ON'){
+ $command='iptables -t nat -A';
+ $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
+ if($$hash{$key}[31] eq 'dnat'){
+ $nat='DNAT';
+ if ($$hash{$key}[30] =~ /\|/){
+ $$hash{$key}[30]=~ tr/|/,/;
+ $fireport='-m multiport --dport '.$$hash{$key}[30];
+ }else{
+ $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
+ }
+ }else{
+ $nat='SNAT';
+ }
+ }
 $STAG='';
 if($$hash{$key}[2] eq 'ON'){
 #get source ip's
@@ -200,6 +243,10 @@ sub buildrules
 #get time if defined
 if($$hash{$key}[18] eq 'ON'){
+ my ($time1,$time2,$daylight);
+ my $daylight=$$hash{$key}[28];
+ $time1=&get_time($$hash{$key}[26],$daylight);
+ $time2=&get_time($$hash{$key}[27],$daylight);
 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
@@ -208,9 +255,10 @@ sub buildrules
 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
 $TIME=join(",",@timeframe);
- $TIMEFROM="--timestart $$hash{$key}[26] ";
- $TIMETILL="--timestop $$hash{$key}[27] ";
- $TIME="-m time --kerneltz --weekdays $TIME $TIMEFROM $TIMETILL";
+
+ $TIMEFROM="--timestart $time1 ";
+ $TIMETILL="--timestop $time2 ";
+ $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
 }
 if ($MODE eq '1'){
 print "NR:$key ";
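Review bot: `$command` is switched to `'iptables -t nat -A'` when a rule has `[28] eq 'ON'` but is never switched back, so once one NAT rule has been seen every later rule built in the same `foreach` — including any with `[28] ne 'ON'` — is appended to the nat table, and `$nat`/`$natip` likewise carry over between iterations. `preparerules` calls `buildrules` for the NAT hash last, which hides this only as long as every entry of that hash has the flag set. Setting it per iteration, `$command = $$hash{$key}[28] eq 'ON' ? 'iptables -t nat -A' : 'iptables -A';` at the top of the loop body, and adding `$nat`/`$natip` to the `undef` list at the end of it, removes the dependence on rule order. `$snatport` is declared but unused in this diff; the `foreach` body continues beyond this hunk.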
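Review bot: `$daylight` is declared twice in the same scope (`my ($time1,$time2,$daylight);` followed by `my $daylight=$$hash{$key}[28];`), which is a "masks earlier declaration" warning, and column 28 is the field the hunk above tests as the NAT on/off flag, so the value handed to `get_time` looks like the wrong column — `get_time` ignores its second argument in any case. Suggest `my ($time1, $time2);` and either dropping the argument or confirming which column actually carries the daylight-saving flag before passing it.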
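Review bot: Dropping `--kerneltz` makes the kernel evaluate the match in UTC, with `$time1`/`$time2` converted by `get_time` using the local/UTC offset at the moment rules.pl runs; a DST transition after that leaves the installed rules shifted by an hour until the script is re-run, and `--weekdays $TIME` is still the local-time day list while the kernel now compares against the UTC weekday, so a window near midnight can land on the neighbouring day. If local-time semantics are what the UI promises, keeping `--kerneltz` with the unconverted times is the self-consistent option; otherwise the day list needs the same conversion. The added empty line before `$TIMEFROM=` is stray whitespace.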
@@ -233,15 +281,35 @@ sub buildrules
 my @icmprule= split(",",substr($DPORT, 12,));
 foreach (@icmprule){
 if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
 }
- }else{
+ }elsif($$hash{$key}[28] ne 'ON'){
 if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ if ($$hash{$key}[17] eq 'ON'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
+ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
+ if ($$hash{$key}[30]=~m/|/i){
+ $$hash{$key}[30] =~ s/\|/,/g;
+ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+ }else{
+ $fwaccessdport="--dport $$hash{$key}[30]";
+ }
+ }
+ print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
 }
 }
 }
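Review bot: `if ($$hash{$key}[30]=~m/|/i)` is an empty alternation that matches every string, so the multiport branch of `$fwaccessdport` is always taken; the intended test is `m/\|/`, and since column 30 has already been run through `tr/|/,/` at the top of `buildrules`, testing for the separator that is actually present, `if ($$hash{$key}[30] =~ m/,/){`, is the consistent choice. `$fwaccessdport` is also never reset between rules (only `$fireport` is undef'd at the end of the loop), so a DNAT rule with neither `$DPORT` nor a column-30 port inherits the previous rule's `--dport` filter. Both points apply identically to the `system` counterpart in the hunk at `@@ -263,15 +331,38 @@`. The debug print lines here also diverge from what that hunk executes (the DNAT LOG line lacks `$SPORT $natip`, the SNAT line lacks `$fireport` and its LOG rule), so `$MODE eq '1'` output cannot be relied on to mirror the installed rules.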
@@ -263,15 +331,38 @@ sub buildrules
 my @icmprule= split(",",substr($DPORT, 12,));
 foreach (@icmprule){
 if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+ }
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+ }
+ }elsif($$hash{$key}[28] ne 'ON'){
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
+ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
+ if ($$hash{$key}[30]=~m/|/i){
+ $$hash{$key}[30] =~ s/\|/,/g;
+ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+ }else{
+ $fwaccessdport="--dport $$hash{$key}[30]";
 }
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
 }
- }else{
+ system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
 }
- system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
 }
 }
 }
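Review bot: The ICMP LOG line keeps `-- icmp-type $_` (a space after `--`), which iptables will most likely read as end-of-options followed by an unknown argument, so logging for ICMP rules fails while the print variant in the previous hunk shows the correct spelling; change it to `--icmp-type $_`. The rule strings are handed to `system` as a single string, so `$con`, `$natip`, `$fireport` and `$$hash{$key}[30]` are interpreted by a shell; they originate from the rules file and the RED interface files, and since no validation of them is visible in this diff, the list form `system('iptables', @args)` (or a strict character whitelist before interpolation) would take the shell out of the path. In the SNAT branch `--to $natip$fireport` appends `$fireport`, but `$fireport` is only ever assigned in the dnat branch at the top of `buildrules` and is undef'd per iteration, so the suffix is either empty or, if it were set, would produce an invalid `--to` argument.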
@@ -285,8 +376,63 @@ sub buildrules
 undef $TIME;
 undef $TIMEFROM;
 undef $TIMETILL;
+ undef $fireport;
 }
 }
+sub get_nat_ip
+{
+ my $val=shift;
+ my $type=shift;
+ my $result;
+ if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
+ $result=$defaultNetworks{$val.'_ADDRESS'};
+ }elsif($val eq 'ALL'){
+ $result='-i '.$con;
+ }elsif($val eq 'Default IP' && $type eq 'dnat'){
+ $result='-d '.$redip;
+ }elsif($val eq 'Default IP' && $type eq 'snat'){
+ $result=$redip;
+ }else{
+ foreach my $al (sort keys %aliases){
+ if($val eq $al && $type eq 'dnat'){
+ $result='-d '.$aliases{$al}{'IPT'};
+ }elsif($val eq $al && $type eq 'snat'){
+ $result=$aliases{$al}{'IPT'};
+ }
+ }
+ }
+ return $result;
+}
+sub get_time
+{
+ my $val=shift;
+ my $val1=shift;
+ my $time;
+ my $minutes;
+ my $ruletime;
+ $minutes = &utcmin($val);
+ $ruletime = $minutes + &time_get_utc($val);
+ if ($ruletime < 0){$ruletime +=1440;}
+ if ($ruletime > 1440){$ruletime -=1440;}
+ $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
+ return $time;
+}
+sub time_get_utc
+{
+ # Calculates the UTCtime from a given time
+ my $val=shift;
+ my @localtime=localtime(time);
+ my @gmtime=gmtime(time);
+ my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
+ return $diff;
+}
+sub utcmin
+{
+ my $ruletime=shift;
+ my ($hrs,$min) = split(":",$ruletime);
+ my $newtime = $hrs*60+$min;
+ return $newtime;
+}
 sub p2pblock
 {
 my $P2PSTRING;
@@ -319,7 +465,6 @@ sub p2pblock
 }
 }
 }
-
 sub get_address
 {
 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
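Review bot: `get_nat_ip` returns undef when `$val` matches neither a zone, `ALL`, `Default IP` nor a currently defined alias (an alias deleted after the rule was saved, for instance); `$natip` is then empty and the DNAT rule emitted in `buildrules` loses its `-d` match altogether, so the forward applies to every destination address on that chain instead of failing closed — skipping the rule at the call site with `next unless defined $natip;` would be the safer default. For the zone branch the dnat case also returns a bare address without the `-d ` prefix that every other dnat branch supplies, which yields a malformed rule. In `get_time`, `if ($ruletime > 1440){$ruletime -=1440;}` should be `>=`, because 1440 is formatted as `24:00`, which `-m time` does not accept; `$val1` is unused and `$gmtime[1]%60` in `time_get_utc` is a no-op.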
@@ -339,7 +484,7 @@ sub get_address
 $$hash{$key}[0] = $base2;
 }
 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
- $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
+ $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
@@ -382,6 +527,10 @@ sub get_prot
 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
 }
 }
+ #DNAT
+ if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
+ return "$$hash{$key}[12]";
+ }
 }
 sub get_port
 {
@@ -394,7 +543,11 @@ sub get_port
 if(index($$hash{$key}[10],",") > 0){
 return "-m multiport --sport $$hash{$key}[10] ";
 }else{
- return "--sport $$hash{$key}[10] ";
+ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
+ return "--sport $$hash{$key}[10] ";
+ }else{
+ return ":$$hash{$key}[10]";
+ }
 }
 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
 return "--icmp-type $$hash{$key}[9] ";
@@ -402,14 +555,18 @@ sub get_port
 return;
 }
 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
- if($$hash{$key}[14] eq 'TGT_PORT'){
 if ($$hash{$key}[15] ne ''){
 $$hash{$key}[15] =~ s/\|/,/g;
 if(index($$hash{$key}[15],",") > 0){
 return "-m multiport --dport $$hash{$key}[15] ";
 }else{
- return "--dport $$hash{$key}[15] ";
+ if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
+ return "--dport $$hash{$key}[15] ";
+ }else{
+ $$hash{$key}[15] =~ s/\:/-/g;
+ return ":$$hash{$key}[15]";
+ }
 }
 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
 return "--icmp-type $$hash{$key}[13] ";
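Review bot: The new `--sport` condition is true whenever `[28] ne 'ON'`, or `[31]` is `snat`, or `[31]` is `dnat`, i.e. for every NAT mode the rest of this diff knows about, so the `else` returning `":$$hash{$key}[10]"` is reached only when NAT is on and column 31 holds something else; either that branch is dead or the third alternative was meant to be left out so that dnat gets the `:port` form as the `--dport` branch in the next hunk does. Please confirm which was intended and collapse the test accordingly, e.g. `if($$hash{$key}[28] ne 'ON' || $$hash{$key}[31] eq 'snat'){`.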
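Review bot: The opening `if($$hash{$key}[14] eq 'TGT_PORT'){` is removed, but no matching closing brace is removed in this or any other hunk of the diff, and `}elsif($$hash{$key}[14] eq 'cust_srv'){` at the start of `@@ -418,7 +575,11 @@` still chains off it; from the visible hunks I cannot verify that the braces still balance, so please confirm with `perl -c` that the file compiles and that the `cust_srv` branch remains reachable. Separately, `$$hash{$key}[15] =~ s/\:/-/g;` rewrites the rule's port field in place before returning; if `get_port` is invoked more than once for the same rule (the print and `system` paths in `buildrules` suggest it may be), the second call sees the altered value. A copy avoids the side effect: `(my $range = $$hash{$key}[15]) =~ s/:/-/g;` then `return ":$range";`.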
@@ -418,7 +575,11 @@ sub get_port
 }
 }elsif($$hash{$key}[14] eq 'cust_srv'){
 if ($prot ne 'ICMP'){
- return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ if($$hash{$key}[31] eq 'dnat'){
+ return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ }else{
+ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ }
 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
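Review bot: This branch tests only `$$hash{$key}[31] eq 'dnat'`, whereas every other new NAT branch in `get_port` and `buildrules` also requires `$$hash{$key}[28] eq 'ON'`; if a rule keeps a stale `dnat` in column 31 after NAT has been switched off, this returns the `:port` form and the resulting non-NAT rule is emitted without a `--dport` match, widening it to all ports of the service. Guard it the same way as its siblings: `if($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){`. Whether column 31 is cleared when NAT is turned off is decided by the UI code, which is not part of this diff.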