turtlefirewall

linux环境下的一个防火墙程序的源代码

#!/usr/bin/perl

#
# TurtleFw: Turtle Firewall
#
# Software per la configurazione di un firewall linux (iptables)
#
#   2001/11/23 13:25:00
#
#======================================================================
# Copyright (c) 2001-2004 Andrea Frigido <andrea@frisoft.it>
# You may distribute under the terms of either the GNU General Public
# License
#======================================================================
#
# Changelog:
# 05-12-2001 v.0.91
#            - Modificato il nome da fwconf in Turtle Firewall (turtlefw)
#
# 10-01-2002 v.0.92
#            - Inserite le regole di accesso da/verso interfaccia lo
#              che precedentemente impedivano l'accesso a se stesso.
#            - Impostati i diritti sul file sh generato per l'esecuzione.
#            - Corretta la definizione delle lan nei file di configurazione
#              di esempio (samples).
# 19-03-2002 v.0.93
#            - Aggiunto l'uso del modulo turtlefirewall.pm (/usr/lib)
#
# 22-03-2002 v.0.94
#            - Aggiunto supporto dell'attributo ACTIVE delle rule.
# 02-04-2002 v.0.95
#            - Aggiunto il file setup al tarball.
# 17-04-2002 v.0.96
#            - Add webmin module languages files for English and Italian.
#            - Fix Masquerade and NAT bug.
# 17-05-2002 v.0.97
#            - Add franch webmin language file.
#            - Fix bugs.
# 23-05-2002 v.0.98	Giampaolo Tomassoni <g.tomassoni@ar-tel.it>
#            - Do you need port-based natting? Here it is...
#            - Fixed the I-Wanna-Reply-To-Pings-But-It-Doesn't bug: when
#              the fw accepts pings on a <somewere> => FIREWALL base,
#              don't turn the /proc/sys/net/ipv4/icmp_echo_ignore_all
#              kernel flag on...
#            - Applied few ahestetic make-ups
# 14-06-2002 v.0.99
#            - Fix turtlefirewall privileges bug.
#            - Use iptables from PATH (iptables directory need to be in PATH env. var.)
#            - PreLoad modules for ftp connections and NAT.
#            - Add CVS, NNTP services.
# 20-06-2002 v.1.00
#            - Change SystemV service start/stop order from 00/99 to 08/92.
#            - Change TurtleFirewall package file name.
#            - Check if XML::Parser perl module is installed.
#            - Add Telnet service.
# 26-06-2002 v.1.10
#            - Add description field for rules and items.
#            - Add experimental H.323 service.
#            - Fix bugs.
# 08-07-2002 v.1.11
#            - Setup procedure into webmin module, now Turtle Firewall installation is very easy.
#            - Removed chkconfig command for setup, it isn't availabe in all GNU/Linux distributions.
#            - Fix bug in "Create Nat" web interface.
#            - Other minor changes.
# 09-07-2002 v.1.12
#            - Fix bug in XML::Parser module checking.
# 03-09-2002 v.1.13
#            - Add NAT from a zone interface to a real host (etc. modem interface ip to my pc host).
#            - Add Redirect module (For Transparent Proxy).
#            - Fix security hole with INVALID packets filter code by Mark Francis.
#            - Enhanced Log.
#            - Add firewall rules for IPsec VPN service.
#            - Add firewall rules for Webmin service.
# 10-09-2002 v.1.14
#            - The configurable options contains now the option to select the logfile (Karl Lovink)
#            - The dutch language has been added (Karl Lovink).
# 13-09-2002 v.1.15
#            - Fix "DROP INVALID unclean" bug.
# 26-09-2002 v.1.16
#            - Change webmin category from System to Networking.
#            - Fix a bug on tcp/udp Local Redirection (Soep).
# 16-10-2002 v.1.17
#            - Fix bug with "--log-level info" iptables option.
#            - Enhanced log report.
#            - Enhanced interface.
#            - Add afp-over-tcp service: AFP (Apple Filing Protocol) over TCP.
#                  (Alain Terriault)
#            - Add nfs (experimental)
# 13-11-2002 v.1.18
#            - Add Firewall Configuration Options.
#            - Now you can change firewall rules order (more readable).
#            - Add fwuserdefservices.xml file for userdefined services. With this file you can write your own
#              services filter without changing official fwservices.xml file.
#              The structure of this new file is identical of fwservices.xml file structure.
#              If you write a service with a name used by fwservices.xml, this new service definition overwrite
#              the original service definition so, if you want, you can rewrite all services.
#              IMPORTANT: I invite all to send me your userdefined service filter definitions, so I can add them into
#              the predefined services list (fwservices.xml) for all Turtle Firewall users.
# 26-11-2002 v.1.19
#            - Fix bug in Zone deletion.
#            - Fix a bug using aliased interfaces (signaled by Torsten)
#            - Add German translation (Jimmy Collins)
#            - Add mysql and kazaa services (Jimmy Collins)
#            - Add pptp (vpn) and rdp services (Joe MacDonald)
#            - Add PC-Anyware service (Chris Carter)
#            - Change setup script for Slackware Linux distribution (A.Frigido, Patrik)
# 15-01-2003 v.1.20
#            - Add optional MAC address field in host edit form.
#            - Add target field (ACCEPT/DROP/REJECT) in rule edit form.
#            - Fix bug in Log prefix string, it must be up to 29 chars length.
#            - Add x11: X Window System service.
#            - Use numerical notation for ports in fwservices.xml.
#            - Add Active flag to NAT, Masquerade and Redirect rules.
# 16-01-2003 v.1.21
#            - Fix a bug in Redirection.
# 12-02-2003 v.1.22
#            - Firewall and NAT rules with multiple services.
#            - Change LOG prefix from "TFW DROP" to "TFW".
#            - Add --start, --stop and --status options to turtlefirewall main script.
#            - Add stop button in the webmin turtlefirewall index page.
#            - Translate error messages (english and italian).
#            - Add icmp_all service for all messages (request+reply).
#            - Add all icmp messages in the special service "all".
# 18-02-2003 v.1.23
#            - Add proxy, ssh21, dhcp, snmptrap, socks and eDonkey services (Karl Lovink).
#            - Fix a bug into log viewer (Fredrik Tuomas).
#            - Add Configuration Backup/Restore.
# 31-03-2003 v.1.24
#            - Change Turtle Firewall stop process, ping will be reenabled.
#            - Add AIM/ICQ and Soulseek std services (Frank F鰎ster).
#            - Add Oracle, VNC, VNC-http services.
#            - Add rip, syslog, icecast, icp, irc (Karl Lovink).
#            - Local Redirection Improved.
#            - Now you can rename all firewall items.
#            - More options.
# 02-04-2003 v.1.25
#            - Fix bugs.
# 07-05-2003 v.1.26
#            - Fix "de" language file (Frank F鰎ster).
#            - NAT Improved, now you can change rules order.
#            - NAT rules bugfix.
#            - Configuration backup download bugfix.
# 14-05-2003 v.1.27
#            - Small Bug-fix.
# 15-07-2004 v.1.28
#            - Add port 445 to netbios service.
#            - Add jabber and jabber-s2s (server to server) services.
#            - Add lpr Line Printer Protocol.
#            - Add rdp - Windows Remote Desktop Protocol.
#            - Fix bugs.
# 19-11-2004 v.1.29
#            - Set icmp_echo_ignore_all flag to 0. Turtle Firewall use iptables 
#              rules for drop or allow icmp echo packets. This fix a bug in tfw ping.
#            - Disable tcp_ecn flag.
#            - In masquerading configuration now you can specify source,destinatio,service,
#              port and action (masquerade or not masquerade).
# 21-11-2004 v.1.30
#            - Add * option in source and destination field of a firewall rule: all zones except FIREWALL.
# 30-11-2004 v.1.31
#            - Change rules display in turtlefirewall startup. 
#            - Fix bugs.
# 17-02-2005 v.1.32
#            - Use iptables-restore command to speed up firewall start up.
# ??-??-2005 v.1.33
#            - Add source and destination option to the NAT rules.
#            - Bugfix on rules with target REJECT (from v.1.32).
# 31-11-2005 v.1.34
#            - Add mangle mark rule attribute for QoS (iproute2).
#            - Bugfix on turtlefirewall stop procedure (signaled by Ulf Seltmann).
# 11-01-2006 v.1.36
#            - Add multisources and multidestinations in firewall rules.
#            - Add service attribute in filter xml tag of services definition files.
#            - Eliminate drop_unclean option, doesn't work with kernel 2.6.x
#            - Bugsfix.
# 02-02-2006 v.1.37
#            - New service definitions was added:
#                igmp (Internet Group Management Protocol).
#                bpalogin (BPALogin).
#                  Thanks to Rene Cunningham for this two services.
#                openvpn (OpenVPN protocolo, www.openvpn.net).
#            - Bugs were fixed.

if( -f 'TurtleFirewall.pm' ) {
	require 'TurtleFirewall.pm';
} else {
	require '/usr/lib/TurtleFirewall.pm';
}

$firewall = new TurtleFirewall();

print "\nTurtle Firewall ".$firewall->Version()."\n";
print "Copyright 2001-2006 Andrea Frigido - www.frisoft.it (GPL)\n\n";


# parsing dei parametri
my $outputFile;
my $fwFile;
my $servicesFile;
my $userdefServicesFile;
foreach my $arg (@ARGV) {
	if( $arg =~ /^(-o|--output)\=(.*)/ ) {
		$outputFile = $2;
	} elsif( $arg =~ /^(-f|--firewall)\=(.*)/ ) {
		$fwFile = $2;
	} elsif( $arg =~ /^(-s|--services)\=(.*)/ ) {
		$servicesFile = $2;
	} elsif( $arg =~ /^--userdefservices\=(.*)/ ) {
		$userdefServicesFile = $2;
	} elsif( $arg eq '--start' ) {
		# Start Firewall (optional)
	} elsif( $arg eq '--stop' ) {
		# Stop Firewall
		$firewall->stopFirewall();
		print "Firewall Stopped.\n\n";
		exit(0);
	} elsif( $arg eq '--status' ) {
		# Status
		firewallStatus();
	} else {
		if( $arg ne '--help' ) {
			print "Wrong parameters...\n";
		}

		print "Use: turtlefirewall [--start|--stop|--status] [--output=outputfile] [--firewall=firewallfile] [--services=servicesfile] [--userdefservices=file]\n";
		print "or turtlefirewall [--start|--stop|--status] [-o=outputfile] [-f=firewallfile] [-s=servicesfile]\n";
		print "Example: turtlefirewall --start -o=fw.sh -f=fw.xml -s=services.xml\n";
		exit(1);
	}
}

if( $fwFile eq '' )	  { $fwFile = "/etc/turtlefirewall/fw.xml"; }
if( $servicesFile eq '' ) { $servicesFile = "/etc/turtlefirewall/fwservices.xml"; }
if( $userdefServicesFile eq '' ) { $userdefServicesFile = "/etc/turtlefirewall/fwuserdefservices.xml"; }

#===================================
# Carico le regole del firewall

$firewall->LoadFirewall( $fwFile );
$firewall->LoadServices( $servicesFile, $userdefServicesFile );

####
# Nuovo 
$firewall->startFirewall();

# FINE :)

sub firewallStatus {
	#
	# Print "Firewall ON" and return 0 or "Fireall OFF" and return 1
	#
	if( $firewall->GetStatus() ) {
		print "Firewall ON\n\n";
		exit( 0 );
	} else {
		print "Firewall OFF\n\n";
		exit( 1 );
	}
}