X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Fforwardfw%2Frules.pl;h=b3be47da03506e0bfbcfd673408bff389a113808;hp=2547e474f7bf3ee4eb20adb697a0e6d290764fcd;hb=f0befbc3782b2a68fa96bb2e6534f0f6fa6af7f3;hpb=ddcec9d339162ee49d7973f815e03d8da5e973cd diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 2547e474f..b3be47da0 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2012 # +# Copyright (C) 2013 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,11 +18,6 @@ # along with this program. If not, see . # # # ############################################################################### -# # -# Hi folks! I hope this code is useful for all. I needed something to handle # -# my VPN Connections in a comfortable way. # -# This script builds firewallrules from the webinterface # -############################################################################### use strict; use Time::Local; @@ -44,7 +39,7 @@ our %targethash=(); my @timeframe=(); my %configinputfw=(); my %configoutgoingfw=(); -my %configdmzfw=(); +my %confignatfw=(); my %aliases=(); my @DPROT=(); my @p2ps=(); @@ -52,24 +47,25 @@ require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/forward/bin/firewall-lib.pl"; -my $configdmz = "${General::swroot}/forward/dmz"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; my $configoutgoing = "${General::swroot}/forward/outgoing"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; -my $errormessage=''; -my $orange; -my $green; -my $blue; +my $errormessage = ''; +my $orange = ''; +my $green = ''; +my $blue = ''; my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT); -my $CHAIN="FORWARDFW"; -my $conexists='off'; +my $CHAIN = "FORWARDFW"; +my $conexists = 'off'; +my $command = 'iptables -A'; +my $dnat =''; +my $snat =''; &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings); &General::readhash("$netsettings", \%defaultNetworks); -&General::readhasharray($configdmz, \%configdmzfw); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); &General::readhasharray($configoutgoing, \%configoutgoingfw); @@ -83,14 +79,16 @@ close(CONN); if (-f "/var/ipfire/red/active"){ $conexists='on'; } - -################################ -# DEBUG/TEST # -################################ -my $MODE=1; # 0 - normal operation - # 1 - print configline and rules to console - # -################################ +open (CONN1,"/var/ipfire/red/local-ipaddress"); +my $redip = ; +close(CONN1); +################# +# DEBUG/TEST # +################# +my $MODE=0; # 0 - normal operation + # 1 - print configline and rules to console + # +################# my $param=shift; if($param eq 'flush'){ @@ -110,28 +108,12 @@ if($param eq 'flush'){ if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ &p2pblock; - system ("/usr/sbin/firewall-policy"); + system ("/usr/sbin/firewall-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ - $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); - $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; - if ($defaultNetworks{'BLUE_DEV'}){ - $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'}); - $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}"; - #set default rules for BLUE - system ("iptables -A $CHAIN -s $blue -d $green -j RETURN"); - } - if ($defaultNetworks{'ORANGE_DEV'}){ - $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'}); - $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}"; - #set default rules for DMZ - system ("iptables -A $CHAIN -s $orange -d $green -j RETURN"); - if ($defaultNetworks{'BLUE_DEV'}){ - system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN"); - } - } &p2pblock; - system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); + system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT"); system ("/usr/sbin/firewall-policy"); + system ("/etc/sysconfig/firewall.local reload"); } } } @@ -140,12 +122,11 @@ sub flush system ("iptables -F FORWARDFW"); system ("iptables -F INPUTFW"); system ("iptables -F OUTGOINGFW"); -} + system ("iptables -t nat -F NAT_DESTINATION"); + system ("iptables -t nat -F NAT_SOURCE"); +} sub preparerules { - if (! -z "${General::swroot}/forward/dmz"){ - &buildrules(\%configdmzfw); - } if (! -z "${General::swroot}/forward/config"){ &buildrules(\%configfwdfw); } @@ -160,8 +141,31 @@ sub buildrules { my $hash=shift; my $STAG; + my $natip; + my $snatport; + my $fireport; + my $nat; + my $fwaccessdport; + my $natchain; + my $icmptype; foreach my $key (sort {$a <=> $b} keys %$hash){ - next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' ); + next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); + $command="iptables -A"; + if ($$hash{$key}[28] eq 'ON'){ + $command='iptables -t nat -A'; + $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); + if($$hash{$key}[31] eq 'dnat'){ + $nat='DNAT'; + if ($$hash{$key}[30] =~ /\|/){ + $$hash{$key}[30]=~ tr/|/,/; + $fireport='-m multiport --dport '.$$hash{$key}[30]; + }else{ + $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0); + } + }else{ + $nat='SNAT'; + } + } $STAG=''; if($$hash{$key}[2] eq 'ON'){ #get source ip's @@ -181,9 +185,21 @@ sub buildrules &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); } } - }elsif($$hash{$key}[5] eq 'ipfire'){ - if($$hash{$key}[6] eq 'Default IP'){ - open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; + }elsif($$hash{$key}[5] eq 'ipfire' ){ + if($$hash{$key}[6] eq 'GREEN'){ + $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($$hash{$key}[6] eq 'BLUE'){ + $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ORANGE'){ + $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($$hash{$key}[6] eq 'ALL'){ + $targethash{$key}[0]='0.0.0.0/0'; + } + if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; $targethash{$key}[0]= ; close(FILE); }else{ @@ -198,14 +214,13 @@ sub buildrules } ##get source prot and port $SRC_TGT='SRC'; - $SPROT = &get_prot($hash,$key); $SPORT = &get_port($hash,$key); $SRC_TGT=''; ##get target prot and port $DPROT=&get_prot($hash,$key); - if ($DPROT eq ''){$DPROT=' ';} + if ($DPROT eq ''){$DPROT=' ';} @DPROT=split(",",$DPROT); #get time if defined @@ -222,12 +237,12 @@ sub buildrules if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");} if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");} $TIME=join(",",@timeframe); - + $TIMEFROM="--timestart $time1 "; $TIMETILL="--timestop $time2 "; $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; } - if ($MODE eq '1'){ + if ($MODE eq '1'){ print "NR:$key "; foreach my $i (0 .. $#{$$hash{$key}}){ print "$i: $$hash{$key}[$i] "; @@ -237,28 +252,66 @@ sub buildrules #print rules to console foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); - if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT=$DPROT; $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); foreach my $a (sort keys %sourcehash){ foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ - if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if($DPROT ne ''){ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if(substr($DPORT, 2, 4) eq 'icmp'){ my @icmprule= split(",",substr($DPORT, 12,)); foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; + } if ($$hash{$key}[17] eq 'ON'){ - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; } - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; } - }else{ + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; } - print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + my ($ip,$sub) =split("/",$targethash{$b}[0]); + #Process NAT with servicegroup used + if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; + $fwaccessdport=$DPORT; + }else{ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/\-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } + } + print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON' ){ + print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; + } + if ($PROT ne '-p ICMP'){ + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ + print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; } - } + } } } } @@ -267,28 +320,71 @@ sub buildrules }elsif($MODE eq '0'){ foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); - if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} + $PROT=$DPROT; $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); foreach my $a (sort keys %sourcehash){ foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ - if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ + if($DPROT ne ''){ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + #Process ICMP RULE if(substr($DPORT, 2, 4) eq 'icmp'){ my @icmprule= split(",",substr($DPORT, 12,)); foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; + } if ($$hash{$key}[17] eq 'ON'){ - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); } - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); } - }else{ + #PROCESS DNAT RULE (Portforward) + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ + $natchain='NAT_DESTINATION'; if ($$hash{$key}[17] eq 'ON'){ - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n"; + } + my ($ip,$sub) =split("/",$targethash{$b}[0]); + #Process NAT with servicegroup used + if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; + $fwaccessdport=$DPORT; + }else{ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n"; + $DPORT =~ s/\-/:/g; + if ($DPORT){ + $fwaccessdport="--dport ".substr($DPORT,1,); + }elsif(! $DPORT && $$hash{$key}[30] ne ''){ + if ($$hash{$key}[30]=~m/|/i){ + $$hash{$key}[30] =~ s/\|/,/g; + $fwaccessdport="-m multiport --dport $$hash{$key}[30]"; + }else{ + $fwaccessdport="--dport $$hash{$key}[30]"; + } + } } - system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); + system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; + next; + #PROCESS SNAT RULE + }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){ + $natchain='NAT_SOURCE'; + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; + } + if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){ + system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } - } + #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) + if ($PROT ne '-p ICMP'){ + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + #PROCESS Prot ICMP and type = All ICMP-Types + if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ + system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; + } + } } } } @@ -300,7 +396,32 @@ sub buildrules undef $TIME; undef $TIMEFROM; undef $TIMETILL; + undef $fireport; + } +} +sub get_nat_ip +{ + my $val=shift; + my $type=shift; + my $result; + if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){ + $result=$defaultNetworks{$val.'_ADDRESS'}; + }elsif($val eq 'ALL'){ + $result='-i '.$con; + }elsif($val eq 'Default IP' && $type eq 'dnat'){ + $result='-d '.$redip; + }elsif($val eq 'Default IP' && $type eq 'snat'){ + $result=$redip; + }else{ + foreach my $al (sort keys %aliases){ + if($val eq $al && $type eq 'dnat'){ + $result='-d '.$aliases{$al}{'IPT'}; + }elsif($val eq $al && $type eq 'snat'){ + $result=$aliases{$al}{'IPT'}; + } + } } + return $result; } sub get_time { @@ -364,7 +485,6 @@ sub p2pblock } } } - sub get_address { my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey @@ -372,7 +492,7 @@ sub get_address my $type=shift; #src or tgt my $hash; if ($type eq 'src'){ - $hash=\%sourcehash; + $hash=\%sourcehash; }else{ $hash=\%targethash; } @@ -394,39 +514,63 @@ sub get_address }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){ $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33); }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){ - $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27); + $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11); }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){ $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11); + }elsif($base eq 'ipfire_src' ){ + if($base2 eq 'GREEN'){ + $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'}; + } + if($base2 eq 'BLUE'){ + $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'}; + } + if($base2 eq 'ORANGE'){ + $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'}; + } + if($base2 eq 'ALL'){ + $$hash{$key}[0]='0.0.0.0/0'; + } + if($base2 eq 'RED' || $base2 eq 'RED1'){ + open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress"; + $$hash{$key}[0]= ; + close(FILE); + }else{ + foreach my $alias (sort keys %aliases){ + if ($base2 eq $alias){ + $$hash{$key}[0]=$aliases{$alias}{'IPT'}; + } + } + } } } sub get_prot { my $hash=shift; my $key=shift; - if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ - if ($$hash{$key}[10] ne ''){ - return"$$hash{$key}[8]"; - }elsif($$hash{$key}[9] ne ''){ - return"$$hash{$key}[8]"; - }else{ - return "$$hash{$key}[8]"; - } - }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if ($$hash{$key}[14] eq 'TGT_PORT'){ - if ($$hash{$key}[15] ne ''){ - return "$$hash{$key}[12]"; - }elsif($$hash{$key}[13] ne ''){ - return "$$hash{$key}[12]"; - }else{ - return "$$hash{$key}[12]"; - } - }elsif($$hash{$key}[14] eq 'cust_srv'){ + #check AH,GRE,ESP or ICMP + if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){ + return "$$hash{$key}[8]"; + } + if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){ + #check if servicegroup or service + if($$hash{$key}[14] eq 'cust_srv'){ return &fwlib::get_srv_prot($$hash{$key}[15]); - }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ return &fwlib::get_srvgrp_prot($$hash{$key}[15]); + }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all" + return "TCP,UDP"; + }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp" + return "$$hash{$key}[8]"; + }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" + return "$$hash{$key}[8]"; + }else{ + return "$$hash{$key}[8]"; } } + #DNAT + if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){ + return "$$hash{$key}[8]"; + } } sub get_port { @@ -439,35 +583,37 @@ sub get_port if(index($$hash{$key}[10],",") > 0){ return "-m multiport --sport $$hash{$key}[10] "; }else{ - return "--sport $$hash{$key}[10] "; + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){ + return "--sport $$hash{$key}[10] "; + }else{ + return ":$$hash{$key}[10]"; + } } - }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ - return "--icmp-type $$hash{$key}[9] "; - }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ - return; } }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ - if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ $$hash{$key}[15] =~ s/\|/,/g; if(index($$hash{$key}[15],",") > 0){ return "-m multiport --dport $$hash{$key}[15] "; }else{ - return "--dport $$hash{$key}[15] "; + if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){ + return "--dport $$hash{$key}[15] "; + }else{ + $$hash{$key}[15] =~ s/\:/-/g; + return ":$$hash{$key}[15]"; + } } - }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ - return "--icmp-type $$hash{$key}[13] "; - }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ - return; } }elsif($$hash{$key}[14] eq 'cust_srv'){ if ($prot ne 'ICMP'){ - return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); - }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){ + if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ + return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + }else{ + return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + } + }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); - }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){ - return; } }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ if ($prot ne 'ICMP'){ @@ -478,4 +624,12 @@ sub get_port } } } + #CHECK ICMP + if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){ + if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ + return "--icmp-type $$hash{$key}[9] "; + }elsif($$hash{$key}[9] eq 'All ICMP-Types'){ + return; + } + } }