X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Fforwardfw%2Frules.pl;h=9f23c54e0a5b0fc47472919b9d2d34726f5fdbea;hp=c7acd122b5d98fcc75f8ae8c538288748f550dd4;hb=653a71b9514dc8a88e7d2247d1d709245afe748c;hpb=bc912c6e0c34bfd81a915b3f2774fc6b848990ff diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index c7acd122b..9f23c54e0 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -44,7 +44,6 @@ our %targethash=(); my @timeframe=(); my %configinputfw=(); my %configoutgoingfw=(); -my %configdmzfw=(); my %confignatfw=(); my %aliases=(); my @DPROT=(); @@ -53,11 +52,9 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/forward/bin/firewall-lib.pl"; -my $configdmz = "${General::swroot}/forward/dmz"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; -my $confignat = "${General::swroot}/forward/nat"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; @@ -73,11 +70,9 @@ my $dnat=''; my $snat=''; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("$netsettings", \%defaultNetworks); -&General::readhasharray($configdmz, \%configdmzfw); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); &General::readhasharray($configoutgoing, \%configoutgoingfw); -&General::readhasharray($confignat, \%confignatfw); &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); @@ -119,26 +114,10 @@ if($param eq 'flush'){ &p2pblock; system ("/usr/sbin/firewall-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); - $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; - if ($defaultNetworks{'BLUE_DEV'}){ - $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'}); - $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}"; - #set default rules for BLUE - system ("iptables -A $CHAIN -s $blue -d $green -j RETURN"); - } - if ($defaultNetworks{'ORANGE_DEV'}){ - $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); - $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; - #set default rules for DMZ - system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); - if ($defaultNetworks{'BLUE_DEV'}){ - system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); - } - } &p2pblock; - system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); + system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); system ("/usr/sbin/firewall-policy"); + system ("/etc/sysconfig/firewall.local reload"); } } } @@ -147,15 +126,11 @@ sub flush system ("iptables -F FORWARDFW"); system ("iptables -F INPUTFW"); system ("iptables -F OUTGOINGFW"); - system ("iptables -F PORTFWACCESS"); system ("iptables -t nat -F NAT_DESTINATION"); system ("iptables -t nat -F NAT_SOURCE"); } sub preparerules { - if (! -z "${General::swroot}/forward/dmz"){ - &buildrules(\%configdmzfw); - } if (! -z "${General::swroot}/forward/config"){ &buildrules(\%configfwdfw); } @@ -165,9 +140,6 @@ sub preparerules if (! -z "${General::swroot}/forward/outgoing"){ &buildrules(\%configoutgoingfw); } - if (! -z "${General::swroot}/forward/nat"){ - &buildrules(\%confignatfw); - } } sub buildrules { @@ -177,14 +149,21 @@ sub buildrules my $snatport; my $fireport; my $nat; + my $fwaccessdport; + my $natchain; foreach my $key (sort {$a <=> $b} keys %$hash){ - next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); + next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); if ($$hash{$key}[28] eq 'ON'){ $command='iptables -t nat -A'; - $natip=&get_nat_ip($$hash{$key}[29]); + $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); if($$hash{$key}[31] eq 'dnat'){ $nat='DNAT'; - $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + if ($$hash{$key}[30] =~ /\|/){ + $$hash{$key}[30]=~ tr/|/,/; + $fireport='-m multiport --dport '.$$hash{$key}[30]; + }else{ + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + } }else{ $nat='SNAT'; } @@ -208,9 +187,21 @@ sub buildrules &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); } } - }elsif($$hash{$key}[5] eq 'ipfire'){ - if($$hash{$key}[6] eq 'Default IP'){ - open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; + }elsif($$hash{$key}[5] eq 'ipfire' ){ + if($$hash{$key}[6] eq 'GREEN'){ + $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($$hash{$key}[6] eq 'BLUE'){ + $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ORANGE'){ + $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ALL'){ + $targethash{$key}[0]='0.0.0.0/0'; + } + if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; $targethash{$key}[0]= ; close(FILE); }else{ @@ -279,23 +270,34 @@ sub buildrules } print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; } - }elsif($$hash{$key}[28] ne 'ON'){ - if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; - my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); - print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } @@ -320,27 +322,34 @@ sub buildrules } system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); } - }elsif($$hash{$key}[28] ne 'ON'){ - if ($$hash{$key}[17] eq 'ON'){ - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; - } - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } my ($ip,$sub) =split("/",$targethash{$b}[0]); - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; $DPORT =~ s/\-/:/g; - my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT); - system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; - - }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ - if ($$hash{$key}[17] eq 'ON'){ - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n"; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } } - system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n"; + system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } + if ($$hash{$key}[17] eq 'ON'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } } } @@ -359,17 +368,22 @@ sub buildrules sub get_nat_ip { my $val=shift; + my $type=shift; my $result; if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ $result=$defaultNetworks{$val.'_ADDRESS'}; }elsif($val eq 'ALL'){ $result='-i '.$con; - }elsif($val eq 'Default IP'){ + }elsif($val eq 'Default IP' && $type eq 'dnat'){ $result='-d '.$redip; + }elsif($val eq 'Default IP' && $type eq 'snat'){ + $result=$redip; }else{ foreach my $al (sort keys %aliases){ - if($val eq $al){ + if($val eq $al && $type eq 'dnat'){ $result='-d '.$aliases{$al}{'IPT'}; + }elsif($val eq $al && $type eq 'snat'){ + $result=$aliases{$al}{'IPT'}; } } } @@ -466,9 +480,33 @@ sub get_address }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ - $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27); + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + }elsif($base eq 'ipfire_src' ){ + if($base2 eq 'GREEN'){ + $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($base2 eq 'BLUE'){ + $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($base2 eq 'ORANGE'){ + $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($base2 eq 'ALL'){ + $$hash{$key}[0]='0.0.0.0/0'; + } + if($base2 eq 'RED' || $base2 eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $$hash{$key}[0]= ; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($base2 eq $alias){ + $$hash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } } } sub get_prot @@ -499,6 +537,10 @@ sub get_prot return &fwlib::get_srvgrp_prot($$hash{$key}[15]); } } + #DNAT + if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ + return "$$hash{$key}[12]"; + } } sub get_port { @@ -533,7 +575,7 @@ sub get_port return "--dport $$hash{$key}[15] "; }else{ $$hash{$key}[15] =~ s/\:/-/g; - return ":$$hash{$key}[15]"; + return ":$$hash{$key}[15]"; } } }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ @@ -543,7 +585,7 @@ sub get_port } }elsif($$hash{$key}[14] eq 'cust_srv'){ if ($prot ne 'ICMP'){ - if($$hash{$key}[31] eq 'dnat'){ + if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); }else{ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);