From 9efd8d1c7eb134c71465396a1bdcc5ae52497d80 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 19 Mar 2013 05:15:20 +0100 Subject: [PATCH] Forward Firewall: delete old portforwarding from system and fix for wlan-firewall part 1 (loop) --- config/rootfiles/common/misc-progs | 1 - html/cgi-bin/portfw.cgi | 1177 ---------------------------- lfs/initscripts | 2 - src/initscripts/init.d/firewall | 16 +- src/misc-progs/Makefile | 6 +- src/misc-progs/setportfw.c | 369 --------- src/misc-progs/wirelessctrl.c | 6 +- 7 files changed, 11 insertions(+), 1566 deletions(-) delete mode 100644 html/cgi-bin/portfw.cgi delete mode 100644 src/misc-progs/setportfw.c diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 5102d8931..2463ba2aa 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -24,7 +24,6 @@ usr/local/bin/rebuildroutes usr/local/bin/redctrl #usr/local/bin/sambactrl usr/local/bin/setaliases -usr/local/bin/setportfw usr/local/bin/smartctrl usr/local/bin/snortctrl usr/local/bin/squidctrl diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi deleted file mode 100644 index 199682f44..000000000 --- a/html/cgi-bin/portfw.cgi +++ /dev/null 
@@ -1,1177 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - -use strict; - -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -#workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::colouryellow} ); -undef (@dummy); - -my %color = (); -my %mainsettings = (); -&General::readhash("${General::swroot}/main/settings", \%mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); - -my %cgiparams=(); -my %selected=(); -my %checked=(); -my $prtrange1=0; -my $prtrange2=0; -my $errormessage = ''; -my $filename = "${General::swroot}/portfw/config"; -my $aliasfile = "${General::swroot}/ethernet/aliases"; - -&Header::showhttpheaders(); - -$cgiparams{'ENABLED'} = 'off'; -$cgiparams{'KEY1'} = '0'; -$cgiparams{'KEY2'} = '0'; -$cgiparams{'PROTOCOL'} = ''; -$cgiparams{'SRC_PORT'} = ''; -$cgiparams{'DEST_IP'} = ''; 
-$cgiparams{'DEST_PORT'} = ''; -$cgiparams{'SRC_IP'} = ''; -$cgiparams{'ORIG_IP'} = ''; -$cgiparams{'REMARK'} = ''; -$cgiparams{'OVERRIDE'} = 'off'; -$cgiparams{'ACTION'} = ''; - -&Header::getcgihash(\%cgiparams); - -my $disable_all = "0"; -my $enable_all = "0"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) -{ - &valaddupdate(); - - # Darren Critchley - if there is an error, don't waste any more time processing - if ($errormessage) { goto ERROR; } - - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $key1 = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - - chomp ($temp[8]); - if ($cgiparams{'KEY2'} eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $temp[1] eq "0") { - $key1=$temp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } - } else { - if ( $cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'ORIG_IP'} eq $temp[8]) - { - $errormessage = - "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - } - } - } - -ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - if ($cgiparams{'KEY1'} eq "0") { # 0 in KEY1 indicates it is a portfw add - $key1++; # Add one to last sequence number - open(FILE,">>$filename") or die 'Unable to open config file.'; - flock FILE, 2; - if ($cgiparams{'ORIG_IP'} eq '0.0.0.0/0') { - # if the default/all is 
taken, then write it to the rule - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { # else create an extra record so it shows up - print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},0,$cgiparams{'REMARK'}\n"; - print FILE "$key1,1,$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule added'}); - system('/usr/local/bin/setportfw'); - } else { # else key1 eq 0 - my $insertpoint = ($cgiparams{'KEY2'} - 1); - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $insertpoint eq $temp[1]) { - if ($temp[1] eq "0") { # this is the first xtaccess rule, therefore modify the portfw rule - $temp[8] = '0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - print FILE "$line\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'external access rule added'}); - system('/usr/local/bin/setportfw'); - } # end if if KEY1 eq 0 - } # end unless($errormessage) -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'update'}) -{ - &valaddupdate(); - - # Darren Critchley - If there is an error don't waste any more processing time - if ($errormessage) { $cgiparams{'ACTION'} = $Lang::tr{'edit'}; goto UPD_ERROR; } - - open(FILE, $filename) or die 
'Unable to open config file.'; - my @current = ; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - chomp ($temp[8]); - if ( $cgiparams{'SRC_PORT'} eq $temp[3] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7]) - { - if ($cgiparams{'KEY1'} ne $temp[0] && $cgiparams{'KEY2'} eq "0") - { - $errormessage = - "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}"; - } - } - if ($cgiparams{'ORIG_IP'} eq $temp[8]) - { - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} ne $temp[1]) - # If we have the same source ip within a portfw group, then we have a problem! - { - $errormessage = "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an 
xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - } - } - - # Darren Critchley - rule to stop someone from entering ALL into a external access rule, - # the portfw is the only place that ALL can be specified - if ($cgiparams{'KEY2'} ne "0" && $cgiparams{'ORIG_IP'} eq "0.0.0.0/0") { - $errormessage = "$Lang::tr{'xtaccess all error'}"; - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } - - # Darren Critchley - Duplicate or overlapping Port range check - if ($temp[1] eq "0" && - $cgiparams{'KEY1'} ne $temp[0] && - $cgiparams{'PROTOCOL'} eq $temp[2] && - $cgiparams{'SRC_IP'} eq $temp[7] && - $errormessage eq '') - { - &portchecks($temp[3], $temp[5]); - } # end port testing - - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - -UPD_ERROR: - unless ($errormessage) - { - # Darren Critchley - we only want to store ranges with Colons - $cgiparams{'SRC_PORT'} =~ tr/-/:/; - $cgiparams{'DEST_PORT'} =~ tr/-/:/; - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n"; - } else { - # Darren Critchley - If it is a port 
forward record, then chances are good that a change was made to - # Destination Ip or Port, and we need to update all the associated external access records - if ($cgiparams{'KEY2'} eq "0" && $cgiparams{'KEY1'} eq $temp[0]) { - $temp[4] = $cgiparams{'DEST_IP'}; - $temp[5] = $cgiparams{'DEST_PORT'}; - $temp[2] = $cgiparams{'PROTOCOL'}; - } - - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - # Darren Critchley - Deal with the override to allow ALL - if ( $cgiparams{'OVERRIDE'} eq "on" && $temp[1] ne "0" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - undef %cgiparams; - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); - } - if ($errormessage) { - $cgiparams{'ACTION'} = $Lang::tr{'edit'}; - } -} - -# Darren Critchley - Allows rules to be enabled and disabled -if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $disabledpfw = '0'; - my $lastpfw = ''; - my $xtaccessdel = '0'; - - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled - $disabledpfw = $temp[6]; - $lastpfw = $temp[0]; - } - # Darren Critchley - Flag when a user disables an xtaccess - if ($cgiparams{'KEY1'} eq $temp[0] && - $cgiparams{'KEY2'} eq $temp[1] && - $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw - $cgiparams{'ENABLED'} eq "off" && - $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off - $xtaccessdel = "1"; - } - - # Darren Critchley - Portfw 
enabled, then enable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) - { - $enable_all = "1"; - } else { - $enable_all = "0"; - } - # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records - if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") - { - $disable_all = "1"; - } else { - $disable_all = "0"; - } - - # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled - if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group - if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made - if ($disabledpfw eq "off") - { - $errormessage = "$Lang::tr{'cant enable xtaccess'}"; - goto TOGGLEEXIT; - } - } - } - } - - # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess - if($xtaccessdel eq "1") { - my $xctr = 0; - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if($temp[0] eq $cgiparams{'KEY1'} && - $temp[6] eq "on") { # we only want to count the enabled xtaccess's - $xctr++; - } - } - if ($xctr == 2){ - $disable_all = "1"; - } - } - - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - foreach my $line (@current) { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) { - print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$temp[2],$temp[3],$temp[4],$temp[5],$cgiparams{'ENABLED'},$temp[7],$temp[8],$temp[9]\n"; - } else { - # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled - if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'off'; - } - if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) { - $temp[6] = 'on'; - } - print FILE 
"$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; - } - } - close(FILE); - &General::log($Lang::tr{'forwarding rule updated'}); - system('/usr/local/bin/setportfw'); -TOGGLEEXIT: - undef %cgiparams; -} - - -# Darren Critchley - broke out Edit routine from the delete routine - Edit routine now just puts values in fields -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = ; - close(FILE); - - unless ($errormessage) - { - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = $temp[8]; - $cgiparams{'REMARK'} = $temp[9]; - } - - } - } -} - -# Darren Critchley - broke out Remove routine as the logic is getting too complex to be combined with the Edit -if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) -{ - open(FILE, "$filename") or die 'Unable to open config file.'; - my @current = ; - close(FILE); - - # If the record being deleted is an xtaccess record, and it is the only one for a portfw record - # then we need to adjust the portfw record to be open to ALL ip addressess or an error will occur - # in setportfw.c - my $fixportfw = '0'; - if ($cgiparams{'KEY2'} ne "0") { - my $counter = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $counter++; - } - } - if ($counter eq 2) { - $fixportfw = '1'; - } - } - - unless ($errormessage) - { - open(FILE, ">$filename") or die 'Unable to open config file.'; - flock FILE, 2; - my $linedeleted = 0; - foreach my $line (@current) - { - chomp($line); - my @temp = split(/\,/,$line); - - if 
($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] || - $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq "0" ) - { - $linedeleted = 1; - } else { - if ($temp[0] eq $cgiparams{'KEY1'} && $temp[1] eq "0" && $fixportfw eq "1") { - $temp[8] = '0.0.0.0/0'; - } - print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n"; -# print FILE "$line\n"; - } - } - close(FILE); - if ($linedeleted == 1) { - &General::log($Lang::tr{'forwarding rule removed'}); - undef %cgiparams; - } - system('/usr/local/bin/setportfw'); - } -} - -# Darren Critchley - Added routine to allow external access rules to be added -if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) -{ - open(FILE, $filename) or die 'Unable to open config file.'; - my @current = ; - close(FILE); - my $key = 0; # used for finding last sequence number used - foreach my $line (@current) - { - my @temp = split(/\,/,$line); - if ($temp[0] eq $cgiparams{'KEY1'}) { - $key = $temp[1] - } - if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - $cgiparams{'PROTOCOL'} = $temp[2]; - $cgiparams{'SRC_PORT'} = $temp[3]; - $cgiparams{'DEST_IP'} = $temp[4]; - $cgiparams{'DEST_PORT'} = $temp[5]; - $cgiparams{'ENABLED'} = $temp[6]; - $cgiparams{'SRC_IP'} = $temp[7]; - $cgiparams{'ORIG_IP'} = ''; - $cgiparams{'REMARK'} = $temp[9]; - } - } - $key++; - $cgiparams{'KEY2'} = $key; - # Until the ADD button is hit, there needs to be no change to portfw rules -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) -{ - undef %cgiparams; -} - -if ($cgiparams{'ACTION'} eq '') -{ - $cgiparams{'PROTOCOL'} = 'tcp'; - $cgiparams{'ENABLED'} = 'on'; - $cgiparams{'SRC_IP'} = '0.0.0.0'; -} - -$selected{'PROTOCOL'}{'udp'} = ''; -$selected{'PROTOCOL'}{'tcp'} = ''; -$selected{'PROTOCOL'}{'gre'} = ''; -$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'"; - -$selected{'SRC_IP'}{$cgiparams{'SRC_IP'}} = "selected='selected'"; - -$checked{'ENABLED'}{'off'} = 
''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - -&Header::openpage($Lang::tr{'port forwarding configuration'}, 1, ''); - -&Header::openbigbox('100%', 'left', '', $errormessage); - -if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); -} - -print "
\n"; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'}); -} else { - &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'}); -} - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} ne "0" || $cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}){ -# if it is not a port forward record, don't validate as the fields are disabled - my $PROT = "\U$cgiparams{'PROTOCOL'}\E"; - # Darren Critchley - Format the source and destination ports - my $dstprt = $cgiparams{'DEST_PORT'}; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - -print < - - $Lang::tr{'protocol'}: $PROT -   - $Lang::tr{'destination ip'}:  - $cgiparams{'DEST_IP'} -   - $Lang::tr{'destination port'}:  - $dstprt - - - - - - - - -END -; -} else { -print < - - $Lang::tr{'protocol'}:  - - - - $Lang::tr{'alias ip'}: - - - - -   -   - $Lang::tr{'destination ip'}: - - $Lang::tr{'destination port'}: - - - -END -; -} - -print < - - $Lang::tr{'remark title'} *  - -END -; -unless ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'} && $cgiparams{'ENABLED'} eq "off") { - print " "; - print "$Lang::tr{'enabled'} \n"; -} -print < - -END -; - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} eq "0" && ($cgiparams{'ORIG_IP'} eq "0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0/0")){ -# if it is a port forward rule with a 0 in the orig_port field, this means there are xtaccess records, and we -# don't want to allow a person to change the orig_ip field as it will mess other logic up - print "\n"; -} else { -print < - - $Lang::tr{'source network'} *  - - - -END -; -} - -print < -
- - * $Lang::tr{'this field may be blank'} -END -; - - -if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){ - if($cgiparams{'KEY2'} eq "0"){ - print "$Lang::tr{'open to all'}: \n"; - } else { - print " \n"; - } - print ""; - print ""; - print ""; - print ""; - # on an edit and an xtaccess add, for some reason the "Reset" button stops working, so I make it a submit button -} else { - print " \n"; - print ""; - if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) { - print ""; - print ""; - print ""; - } elsif ($errormessage ne '') { - print ""; - } else { - print ""; - } -} -print <  - - -END -; -&Header::closebox(); - -print "\n"; - -&Header::openbox('100%', 'left', $Lang::tr{'current rules'}); -print < - -$Lang::tr{'proto'} -$Lang::tr{'source'} -  -$Lang::tr{'destination'} -$Lang::tr{'remark'} -$Lang::tr{'action'} - -END -; - -my $id = 0; -my $xtaccesscolor = '#F6F4F4'; -open(RULES, "$filename") or die 'Unable to open config file.'; -while () -{ - my $protocol = ''; - my $gif = ''; - my $gdesc = ''; - my $toggle = ''; - chomp($_); - my @temp = split(/\,/,$_); - $temp[9] ='' unless defined $temp[9];# Glles ESpinasse : suppress warning on page init - if ($temp[2] eq 'udp') { - $protocol = 'UDP'; } - elsif ($temp[2] eq 'gre') { - $protocol = 'GRE' } - else { - $protocol = 'TCP' } - # Change bgcolor when a new portfw rule is added - if ($temp[1] eq "0"){ - $id++; - } - # Darren Critchley highlight the row we are editing - if ( $cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { - print "\n"; - } else { - if ($id % 2) { - print "\n"; - } - else { - print "\n"; - } - } - - if ($temp[6] eq 'on') { $gif = 'on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} - else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } - - # Darren Critchley - this code no longer works - should we remove? 
- # catch for 'old-style' rules file - assume default ip if - # none exists - if (!&General::validip($temp[7]) || $temp[7] eq '0.0.0.0') { - $temp[7] = 'DEFAULT IP'; } - if ($temp[1] eq '0') { # Port forwarding entry - - # Darren Critchley - Format the source and destintation ports - my $srcprt = $temp[3]; - $srcprt =~ s/-/ - /; - $srcprt =~ s/:/ - /; - my $dstprt = $temp[5]; - $dstprt =~ s/-/ - /; - $dstprt =~ s/:/ - /; - - # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat - $_=$temp[3]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[3], lc($temp[2]))); - if ($servi ne '' && $temp[3] < 1024) { - $srcprt = "$srcprt($servi)"; } - } - $_=$temp[5]; - if (/^\d+$/) { - my $servi = uc(getservbyport($temp[5], lc($temp[2]))); - if ($servi ne '' && $temp[5] < 1024) { - $dstprt = "$dstprt($servi)"; } - } - - # Darren Critchley - If the line is too long, wrap the port numbers - my $srcaddr = "$temp[7] : $srcprt"; - if (length($srcaddr) > 22) { - $srcaddr = "$temp[7] :
$srcprt"; - } - my $dstaddr = "$temp[4] : $dstprt"; - if (length($dstaddr) > 26) { - $dstaddr = "$temp[4] :
$dstprt"; - } -print <$protocol -$srcaddr -=> -$dstaddr - $temp[9] - -
- - - - - -
- - - -
- - - - -
- - - -
- - - - -
- - - -
- - - - -
- - - -END - ; - } else { # external access entry -print <  - - $Lang::tr{'access allowed'} $temp[8]     ($temp[9]) - - -
- - - - - -
- - -  - - -
- - - - -
- - - -
- - - - -
- - - -END - ; - } -} - -close(RULES); - -print ""; - -# If the fixed lease file contains entries, print Key to action icons -if ( ! -z "$filename") { -print < - -  $Lang::tr{'legend'}:  - $Lang::tr{ - $Lang::tr{'click to disable'} -    - $Lang::tr{ - $Lang::tr{'click to enable'} -    - $Lang::tr{ - $Lang::tr{'add xtaccess'} -    - $Lang::tr{ - $Lang::tr{'edit'} -    - $Lang::tr{ - $Lang::tr{'remove'} - - -END -; -} - -&Header::closebox(); - -&Header::closebigbox(); - -&Header::closepage(); - -# Validate Field Entries -sub validateparams -{ - # Darren Critchley - Get rid of dashes in port ranges - $cgiparams{'DEST_PORT'}=~ tr/-/:/; - $cgiparams{'SRC_PORT'}=~ tr/-/:/; - - # Darren Critchley - code to substitue wildcards - if ($cgiparams{'SRC_PORT'} eq "*") { - $cgiparams{'SRC_PORT'} = "1:65535"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) { - $cgiparams{'SRC_PORT'} = "1:$2"; - } - if ($cgiparams{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) { - $cgiparams{'SRC_PORT'} = "$1:65535"; - } - if ($cgiparams{'DEST_PORT'} eq "*") { - $cgiparams{'DEST_PORT'} = "1:65535"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\D)\:(\d+)$/) { - $cgiparams{'DEST_PORT'} = "1:$2"; - } - if ($cgiparams{'DEST_PORT'} =~ /^(\d+)\:(\D)$/) { - $cgiparams{'DEST_PORT'} = "$1:65535"; - } - - # Darren Critchley - Add code for GRE protocol - we want to ignore ports, but we need a place holder - if ($cgiparams{'PROTOCOL'} eq 'gre') { - $cgiparams{'SRC_PORT'} = "GRE"; - $cgiparams{'DEST_PORT'} = "GRE"; - } - - unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp|gre)$/) { $errormessage = $Lang::tr{'invalid input'}; } - # Darren Critchley - Changed how the error routine works a bit - for the validportrange check, we need to - # pass in src or dest to determine which side we are working with. 
- # the routine returns the complete error or '' - if ($cgiparams{'PROTOCOL'} ne 'gre') { - $errormessage = &General::validportrange($cgiparams{'SRC_PORT'}, 'src'); - } - if( ($cgiparams{'ORIG_IP'} ne "0" && $cgiparams{'KEY2'} ne "0") || $cgiparams{'ACTION'} eq $Lang::tr{'add'}) { - # if it is a port forward record with 0 in orig_ip then ignore checking this field - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { - $cgiparams{'ORIG_IP'} = '0.0.0.0/0'; } - } - } - # Darren Critchey - New rule that sets destination same as source if dest_port is blank. - if ($cgiparams{'DEST_PORT'} eq ''){ - $cgiparams{'DEST_PORT'} = $cgiparams{'SRC_PORT'}; - } - # Darren Critchey - Just in case error message is already set, this routine would wipe it out if - # we don't do a test here - if ($cgiparams{'PROTOCOL'} ne 'gre') { - unless($errormessage) {$errormessage = &General::validportrange($cgiparams{'DEST_PORT'}, 'dest');} - } - unless(&General::validip($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; } - return; -} - -# Darren Critchley - we want to make sure that a port range does not overlap another port range -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/\:/,$portrange1); - my @tempr2 = split(/\:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! 
-} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/\:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - -# Darren Critchley - certain ports are reserved for Ipcop -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} - -# Darren Critchley - Attempt to combine Add/Update validation as they are almost the same -sub valaddupdate -{ - if ($cgiparams{'KEY2'} eq "0"){ # if it is a port forward rule, then validate properly - &validateparams(); - } else { # it is an xtaccess rule, 
just check for a valid ip - unless(&General::validipormask($cgiparams{'ORIG_IP'})) - { - if ($cgiparams{'ORIG_IP'} ne '') { - $errormessage = $Lang::tr{'source ip bad'}; } - else { # this rule stops someone from adding an ALL xtaccess record - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - check for 0.0.0.0/0 - not allowed for xtaccess - if ($cgiparams{'ORIG_IP'} eq "0.0.0.0/0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0") { - $errormessage = $Lang::tr{'xtaccess all error'}; - $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'}; - } - } - # Darren Critchley - Remove commas from remarks - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - - # Darren Critchley - Check to see if we are working with port ranges - our ($prtrange1, $prtrange2); - $_ = $cgiparams{'SRC_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange1 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange1 == 1){ # check for source ports reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},1,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } else { # check for source port reserved for Ipcop - &disallowreserved($cgiparams{'SRC_PORT'},0,$cgiparams{'PROTOCOL'},"src"); - if ($errormessage) { goto EXITSUB; } - } - } - - $_ = $cgiparams{'DEST_PORT'}; - if ($cgiparams{'KEY2'} eq "0" && m/:/){ - $prtrange2 = 1; - } - if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP - if ($prtrange2 == 1){ # check for destination ports reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},1,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } else { # check for destination port reserved for IPFire - &disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dst"); - if ($errormessage) { goto EXITSUB; } - } - } - - -EXITSUB: - return; -} - -# Darren Critchley - 
Duplicate or overlapping Port range check -sub portchecks -{ - $_ = $_[0]; - our ($prtrange1, $prtrange2); - if (m/:/ && $prtrange1 == 1) { # comparing two port ranges - unless (&checkportoverlap($cgiparams{'SRC_PORT'},$_[0])) { - $errormessage = "$Lang::tr{'source port overlaps'} $_[0]"; - } - } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'SRC_PORT'}, $_[0])) { - $errormessage = "$Lang::tr{'srcprt within existing'} $_[0]"; - } - } - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[0], $cgiparams{'SRC_PORT'})) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $_[0]"; - } - } - - if ($errormessage eq ''){ - $_ = $_[1]; - if (m/:/ && $prtrange2 == 1) { # if true then there is a port range - unless (&checkportoverlap($cgiparams{'DEST_PORT'},$_[1])) { - $errormessage = "$Lang::tr{'destination port overlaps'} $_[1]"; - } - } - if (m/:/ && $prtrange2 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($cgiparams{'DEST_PORT'}, $_[1])) { - $errormessage = "$Lang::tr{'dstprt within existing'} $_[1]"; - } - } - if (! m/:/ && $prtrange2 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($_[1], $cgiparams{'DEST_PORT'})) { - $errormessage = "$Lang::tr{'dstprt range overlaps'} $_[1]"; - } - } - } - return; -} diff --git a/lfs/initscripts b/lfs/initscripts index f78d3939e..091b61a42 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -185,8 +185,6 @@ $(TARGET) : /etc/rc.d/init.d/networking/red.up/24-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/25-RS-qos - ln -sf ../../../../../usr/local/bin/setportfw \ - /etc/rc.d/init.d/networking/red.up/26-portfw ln -sf ../../../../../usr/local/bin/dialctrl.pl \ /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid 
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 9024a88fd..39e1dfd7b 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -223,7 +223,7 @@ case "$1" in /sbin/iptables -N WIRELESSINPUT /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD - /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD + /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD # PORTFWACCESS chain, used for portforwarding /sbin/iptables -N PORTFWACCESS @@ -252,19 +252,18 @@ case "$1" in # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID - /sbin/iptables -t nat -N PORTFW - /sbin/iptables -t nat -A PREROUTING -j PORTFW - + /sbin/iptables -t nat -N NAT_DESTINATION + /sbin/iptables -t nat -N NAT_SOURCE + /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION + /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE + + # upnp chain for our upnp daemon /sbin/iptables -t nat -N UPNPFW /sbin/iptables -t nat -A PREROUTING -j UPNPFW /sbin/iptables -N UPNPFW /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW - # Custom mangle chain (for port fowarding) - /sbin/iptables -t mangle -N PORTFWMANGLE - /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE - # Postrouting rules (for port forwarding) /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \ --to-source $GREEN_ADDRESS @@ -354,7 +353,6 @@ case "$1" in $0 stop $0 start /usr/local/bin/forwardfwctrl - /usr/local/bin/setportfw /usr/local/bin/openvpnctrl -s > /dev/null 2>&1 /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1 ;; diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index c3f3b6c2f..c748a66b4 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile 
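Review bot: The re-pointed jump `/sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD` appends to FORWARD at whatever position this line executes, so every rule already appended to FORWARD earlier in the script is evaluated before the wireless chain, and the UPNPFW jump added later in the same script (visible in the second hunk) comes after it; nothing in the hunk documents that this ordering is intended. Since the commit message gives the reason as a loop in the wlan part of the forward firewall, the line deserves a why-comment so the next reader does not move it back, e.g. `# WIRELESSFORWARD hangs off FORWARD, not FORWARDFW, so the forward-firewall chain cannot loop back into it (see commit message); its position relative to earlier FORWARD rules still needs confirming`. The enclosing `case "$1" in` block starts and ends outside the hunk, so the rules appended to FORWARD before this point are not visible here.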
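Review bot: The second firewall hunk deletes the PORTFWMANGLE chain and its PREROUTING jump but keeps the rule `/sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS` under the comment "Postrouting rules (for port forwarding)", so the mark-1 SNAT now depends on some other component still setting mark 1, or it is dead. Either the comment should name what sets the mark, or the rule should be removed with the mangle chain; I would at least replace the comment with `# SNAT for locally-originated port-forward hits; relies on mark 1 being set elsewhere now that PORTFWMANGLE is gone - TODO confirm or drop`. Note also that NAT_SOURCE is appended to POSTROUTING before this SNAT rule, so any source-NAT rule placed in NAT_SOURCE wins over it; the new NAT_DESTINATION and NAT_SOURCE chains are created here but nothing in this hunk fills them, presumably forwardfwctrl does. The enclosing `case "$1" in` block starts and ends outside the hunk.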
@@ -24,8 +24,7 @@ CFLAGS=-O2 -Wall COMPILE=$(CC) $(CFLAGS) PROGS = iowrap -SUID_PROGS = setportfw \ - squidctrl sshctrl ipfirereboot \ +SUID_PROGS = squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ logwatch openvpnctrl forwardfwctrl \ @@ -96,9 +95,6 @@ timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@ -setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/setportfw.c b/src/misc-progs/setportfw.c deleted file mode 100644 index a65aebd2a..000000000 --- a/src/misc-progs/setportfw.c +++ /dev/null 
@@ -1,369 +0,0 @@ -/* SmoothWall helper program - setportfw - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - * (c) Daniel Goscomb, 2001 - * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases - * - * Modifications and improvements by Lawrence Manning. - * - * 10/04/01 Aslak added protocol support - * This program reads the list of ports to forward and setups iptables - * and rules in ipmasqadm to enable them. - * - * 02/11/03 Darren Critchley modifications to allow it to open multiple - * source ip addresses - * 02/25/03 Darren Critchley modifications to allow port ranges - * 04/01/03 Darren Critchley modifications to allow gre protocol - * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly, - * tidied up the iptables logic, killed duplicated code, - * removed srciptmp (unecessary) - * - * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $ - * - */ - -#include -#include -#include -#include "libsmooth.h" -#include "setuid.h" - -struct keyvalue *kv = NULL; -FILE *fwdfile = NULL; - -void exithandler(void) -{ - if(kv) - freekeyvalues(kv); - if (fwdfile) - fclose(fwdfile); -} - -int main(void) -{ - FILE *ipfile = NULL, *ifacefile = NULL; - int count; - char iface[STRING_SIZE] =""; - char locip[STRING_SIZE] =""; - char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] =""; - char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] =""; - char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] =""; - char *protocol; - char *srcip; - char *locport; - char *remip; - char *remport; - char *origip; - char *enabled; - char s[STRING_SIZE]; - char *result; - char *key1; - char *key2; - char command[STRING_SIZE]; - - if (!(initsetuid())) - exit(1); - - atexit(exithandler); - - /* Read in and verify config */ - kv=initkeyvalues(); - - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - 
{ - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - if (!findkey(kv, "GREEN_ADDRESS", greenip)) - { - fprintf(stderr, "Cannot read GREEN_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(greenip)) - { - fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip); - exit(1); - } - - if (!findkey(kv, "GREEN_NETMASK", greenmask)) - { - fprintf(stderr, "Cannot read GREEN_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(greenmask)) - { - fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask); - exit(1); - } - - /* Get the BLUE interface details */ - findkey(kv, "BLUE_DEV", bluedev); - - if (strlen(bluedev)) - { - - if (!VALID_DEVICE(bluedev)) - { - fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev); - exit(1); - } - - if (!findkey(kv, "BLUE_ADDRESS", blueip)) - { - fprintf(stderr, "Cannot read BLUE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(blueip)) - { - fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip); - exit(1); - } - - if (!findkey(kv, "BLUE_NETMASK", bluemask)) - { - fprintf(stderr, "Cannot read BLUE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(bluemask)) - { - fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask); - exit(1); - } - - } - - /* Get the ORANGE interface details */ - findkey(kv, "ORANGE_DEV", orangedev); - - if (strlen(orangedev)) - { - - if (!VALID_DEVICE(orangedev)) - { - fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev); - exit(1); - } - - if (!findkey(kv, "ORANGE_ADDRESS", orangeip)) - { - fprintf(stderr, "Cannot read ORANGE_ADDRESS\n"); - exit(1); - } - - if (!VALID_IP(orangeip)) - { - fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip); - exit(1); - } - - if (!findkey(kv, "ORANGE_NETMASK", orangemask)) - { - fprintf(stderr, "Cannot read ORANGE_NETMASK\n"); - exit(1); - } - - if (!VALID_IP(orangemask)) - { - fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask); - exit(1); - } - - } - - - if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r"))) - { - fprintf(stderr, "Couldn't open local ip file\n"); - exit(1); - } - fgets(locip, 
STRING_SIZE, ipfile); - if (locip[strlen(locip) - 1] == '\n') - locip[strlen(locip) - 1] = '\0'; - fclose (ipfile); - if (!VALID_IP(locip)) - { - fprintf(stderr, "Bad local IP: %s\n", locip); - exit(1); - } - - if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) - { - fprintf(stderr, "Couldn't open iface file\n"); - exit(1); - } - fgets(iface, STRING_SIZE, ifacefile); - if (iface[strlen(iface) - 1] == '\n') - iface[strlen(iface) - 1] = '\0'; - fclose (ifacefile); - if (!VALID_DEVICE(iface)) - { - fprintf(stderr, "Bad iface: %s\n", iface); - exit(1); - } - - if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r"))) - { - fprintf(stderr, "Couldn't open portfw settings file\n"); - exit(1); - } - - safe_system("/sbin/iptables -t nat -F PORTFW"); - safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE"); - safe_system("/sbin/iptables -F PORTFWACCESS"); - - while (fgets(s, STRING_SIZE, fwdfile) != NULL) - { - if (s[strlen(s) - 1] == '\n') - s[strlen(s) - 1] = '\0'; - result = strtok(s, ","); - - count = 0; - key1 = NULL; - key2 = NULL; - protocol = NULL; - srcip = NULL; - locport = NULL; - remip = NULL; - origip = NULL; - remport = NULL; - enabled = NULL; - while (result) - { - if (count == 0) - key1 = result; - else if (count == 1) - key2 = result; - else if (count == 2) - protocol = result; - else if (count == 3) - locport = result; - else if (count == 4) - remip = result; - else if (count == 5) - remport = result; - else if (count == 6) - enabled = result; - else if (count == 7) - srcip = result; - else if (count == 8) - origip = result; - count++; - result = strtok(NULL, ","); - } - - if (!(key1 && key2 && protocol && locport && remip && remport && enabled - && srcip && origip)) - break; - - if (!VALID_PROTOCOL(protocol)) - { - fprintf(stderr, "Bad protocol: %s\n", protocol); - exit(1); - } - if (strcmp(protocol, "gre") == 0) - { - locport = "0"; - remport = "0"; - } - if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip)) - { - fprintf(stderr, "Bad IP: %s\n", 
origip); - exit(1); - } - if (!VALID_PORT_RANGE(locport)) - { - fprintf(stderr, "Bad local port: %s\n", locport); - exit(1); - } - if (!VALID_IP(remip)) - { - fprintf(stderr, "Bad remote IP: %s\n", remip); - exit(1); - } - if (!VALID_PORT_RANGE(remport)) - { - fprintf(stderr, "Bad remote port: %s\n", remport); - exit(1); - } - - /* check for source ip in config file. If it's there - * and it's not 0.0.0.0, use it; else use the - * local ip address. (This makes sure we can use old-style - * config files without the source ip) */ - if (!srcip || !strcmp(srcip, "0.0.0.0")) - srcip = locip; - if (strcmp(srcip,"0") && !VALID_IP(srcip)) - { - fprintf(stderr, "Bad source IP: %s\n", srcip); - exit(1); - } - - /* This may seem complicated... refer to portfw.pl for an explanation of - * the keys and their meaning in certain circumstances */ - - if (strcmp(enabled, "on") == 0) - { - - /* If key2 is a zero, then it is a portfw command, otherwise it is an - * external access command */ - if (strcmp(key2, "0") == 0) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip); - else - { - char *ctr; - /* If locport contains a - we need to change it to a : */ - if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';} - /* If remport contains a : we need to change it to a - */ - if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport); - safe_system(command); - /* Now if remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport); - if (strlen(bluedev)) - { - 
safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport); - } - if (strlen(orangedev)) - { - safe_system(command); - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport); - } - } - safe_system(command); - } - - /* if key2 is not "0" then it's an external access rule, if key2 is "0" - * then the portfw rule may contain external access information if origip - * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open - * to all; again, check portfw.pl for more details) */ - if(strcmp(key2, "0") || strcmp(origip,"0") ) - { - memset(command, 0, STRING_SIZE); - if (strcmp(protocol, "gre") == 0) - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip); - else - { - char *ctr; - /* If remport contains a - we need to change it to a : */ - if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';} - snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport); - } - safe_system(command); - } - } - } - - return 0; -} diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index 90f602d5f..2a6ed0cae 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c 
@@ -154,7 +154,7 @@ int main(void)
 (VALID_IP_AND_MASK(ipaddress))) {
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
 safe_system(command);
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
 safe_system(command);
@@ -164,7 +164,7 @@ int main(void)
 if (strlen(macaddress) == 17) {
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
 safe_system(command);
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
 safe_system(command);
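Review bot: Switching the target of the `! -o %s` rule from ACCEPT to RETURN in the first changed snprintf is a policy change, not only a loop fix: BLUE traffic to non-GREEN destinations used to be accepted outright and now goes back to the FORWARD chain (which, per the firewall initscript hunk in this patch, is where WIRELESSFORWARD is now hooked) to be judged by whatever rules follow there, while only BLUE-to-GREEN traffic still falls through to the `-j FORWARDFW` rule below. The same change is made in the @@ -164 and @@ -173 hunks. A comment above each changed line would make this explicit, e.g. `/* RETURN, not ACCEPT: non-GREEN traffic falls back to FORWARD (WIRELESSFORWARD is hooked from FORWARD); only BLUE->GREEN continues to FORWARDFW below */`. main() starts and ends outside the hunk.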
@@ -173,7 +173,7 @@ int main(void)
 if (VALID_IP_AND_MASK(ipaddress)) {
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
 safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
 safe_system(command);
 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
 safe_system(command);
-- 
2.39.2