2021-07-16 21:40:28 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
require_once 'includes/status_messages.php';
|
|
|
|
|
require_once 'includes/functions.php';
|
|
|
|
|
|
2021-07-20 18:13:35 +02:00
|
|
|
define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh");
|
2021-07-25 15:42:46 +02:00
|
|
|
define('RASPAP_IP6TABLES_SCRIPT',"/tmp/ip6tables_raspap.sh");
|
2021-07-16 21:40:28 +02:00
|
|
|
|
|
|
|
|
function getDependson(&$rule, &$conf) {
|
|
|
|
|
if ( isset($rule["dependson"][0]) ) {
|
|
|
|
|
$don = &$rule["dependson"];
|
|
|
|
|
if ( !empty($don[0]) && isset($conf[$don[0]["var"]]) ) {
|
|
|
|
|
if ( !isset($don[0]["type"]) ) $don[0]["type"]="bool";
|
|
|
|
|
return $don;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function isRuleEnabled(&$sect, &$conf) {
|
|
|
|
|
$fw_on = isset($conf["firewall-enable"]) && $conf["firewall-enable"];
|
|
|
|
|
$active = isset($sect["fw-state"]) && $sect["fw-state"]==1;
|
|
|
|
|
$active = $fw_on ? $active : !$active;
|
|
|
|
|
$active = $active || !isset($sect["fw-state"]);
|
|
|
|
|
if ( ($don = getDependson($sect, $conf)) !== false &&
|
|
|
|
|
$don[0]["type"] == "bool" && !$conf[$don[0]["var"]] ) $active = false;
|
|
|
|
|
return $active;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function createRuleStr(&$sect, &$conf) {
|
|
|
|
|
if ( !is_array($sect["rules"]) ) return "";
|
|
|
|
|
$rules = $sect["rules"];
|
|
|
|
|
$depon = getDependson($sect,$conf);
|
|
|
|
|
$rs = array();
|
|
|
|
|
foreach ( $rules as $rule ) {
|
|
|
|
|
if ( preg_match('/\$[a-z0-9]*\$/i',$rule) ) {
|
|
|
|
|
$r = array($rule);
|
|
|
|
|
foreach ( $depon as $dep ) {
|
|
|
|
|
$rr = array();
|
|
|
|
|
$repl=$val="";
|
|
|
|
|
switch ( $dep["type"] ) {
|
|
|
|
|
case "list":
|
2021-07-21 16:02:21 +02:00
|
|
|
if ( isset($dep["var"]) && !empty($conf[$dep["var"]]) ) $val = explode(' ', $conf[$dep["var"]]);
|
2021-07-16 21:40:28 +02:00
|
|
|
if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"];
|
|
|
|
|
break;
|
|
|
|
|
case "string":
|
|
|
|
|
if ( isset($dep["var"]) ) $val=$conf[$dep["var"]];
|
|
|
|
|
if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"];
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if ( !empty($repl) && !empty($val) ) {
|
|
|
|
|
if ( is_array($val) ) {
|
|
|
|
|
foreach ( $val as $v ) $rr = array_merge($rr,str_replace($repl, $v, $r));
|
|
|
|
|
}
|
|
|
|
|
else $rr = array_merge($rr, str_replace($repl, $val, $r));
|
|
|
|
|
}
|
|
|
|
|
$r = !empty($rr) ? $rr : $r;
|
|
|
|
|
}
|
|
|
|
|
$rs = array_merge($rs,$rr);
|
|
|
|
|
} else {
|
|
|
|
|
$rs[] = $rule;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
$str="";
|
|
|
|
|
foreach ( $rs as $r ) {
|
2021-07-25 15:42:46 +02:00
|
|
|
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n";
|
2021-07-16 21:40:28 +02:00
|
|
|
}
|
|
|
|
|
return $str;
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-25 15:42:46 +02:00
|
|
|
function isIPv4(&$rule) {
|
|
|
|
|
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"4") !== false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function isIPv6(&$rule) {
|
|
|
|
|
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"6") !== false;
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-18 22:09:59 +02:00
|
|
|
function configureFirewall() {
|
2021-07-16 21:40:28 +02:00
|
|
|
$json = file_get_contents(RASPAP_IPTABLES_CONF);
|
|
|
|
|
$ipt = json_decode($json, true);
|
|
|
|
|
$conf = ReadFirewallConf();
|
|
|
|
|
$txt = "#!/bin/bash\n";
|
|
|
|
|
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt);
|
2021-07-25 15:42:46 +02:00
|
|
|
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt);
|
|
|
|
|
file_put_contents(RASPAP_IPTABLES_SCRIPT, 'IPT="iptables"'."\n", FILE_APPEND);
|
|
|
|
|
file_put_contents(RASPAP_IP6TABLES_SCRIPT, 'IPT="ip6tables"'."\n", FILE_APPEND);
|
|
|
|
|
$txt = "\$IPT -F\n";
|
|
|
|
|
$txt .= "\$IPT -X\n";
|
|
|
|
|
$txt .= "\$IPT -t nat -F\n";
|
|
|
|
|
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND);
|
|
|
|
|
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND);
|
2021-07-16 21:40:28 +02:00
|
|
|
if ( empty($conf) || empty($ipt) ) return false;
|
|
|
|
|
$count=0;
|
|
|
|
|
foreach ( $ipt["order"] as $idx ) {
|
|
|
|
|
if ( isset($ipt[$idx]) ) {
|
|
|
|
|
foreach ( $ipt[$idx] as $i => $sect ) {
|
|
|
|
|
if ( isRuleEnabled($sect, $conf) ) {
|
|
|
|
|
$str_rules= createRuleStr($sect, $conf);
|
|
|
|
|
if ( !empty($str_rules) ) {
|
2021-07-25 15:42:46 +02:00
|
|
|
if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
|
|
|
|
|
if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
|
2021-07-16 21:40:28 +02:00
|
|
|
++$count;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ( $count > 0 ) {
|
|
|
|
|
exec("chmod +x ".RASPAP_IPTABLES_SCRIPT);
|
|
|
|
|
exec("sudo ".RASPAP_IPTABLES_SCRIPT);
|
|
|
|
|
// exec("sudo iptables-save > /etc/iptables/rules.v4");
|
|
|
|
|
// unlink(RASPAP_IPTABLES_SCRIPT);
|
2021-07-25 15:42:46 +02:00
|
|
|
exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
|
|
|
|
|
exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
|
|
|
|
|
// exec("sudo iptables-save > /etc/iptables/rules.v6");
|
|
|
|
|
// unlink(RASPAP_IP6TABLES_SCRIPT);
|
2021-07-16 21:40:28 +02:00
|
|
|
}
|
|
|
|
|
return ($count > 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function WriteFirewallConf($conf) {
|
2021-07-21 16:02:21 +02:00
|
|
|
$ret = false;
|
|
|
|
|
if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF);
|
|
|
|
|
return $ret;
|
2021-07-16 21:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function ReadFirewallConf() {
|
|
|
|
|
if ( file_exists(RASPAP_FIREWALL_CONF) ) {
|
|
|
|
|
$conf = parse_ini_file(RASPAP_FIREWALL_CONF);
|
|
|
|
|
} else {
|
|
|
|
|
$conf = array();
|
|
|
|
|
$conf["firewall-enable"] = false;
|
|
|
|
|
$conf["ssh-enable"] = false;
|
|
|
|
|
$conf["http-enable"] = false;
|
|
|
|
|
$conf["excl-devices"] = "";
|
|
|
|
|
$conf["excluded-ips"] = "";
|
|
|
|
|
$conf["ap-device"] = "";
|
|
|
|
|
$conf["client-device"] = "";
|
|
|
|
|
$conf["restricted-ips"] = "";
|
|
|
|
|
}
|
2021-07-21 16:02:21 +02:00
|
|
|
return $conf;
|
|
|
|
|
}
|
2021-07-20 21:56:00 +02:00
|
|
|
|
2021-07-21 16:02:21 +02:00
|
|
|
function getVPN_IPs() {
|
|
|
|
|
$ips = "";
|
|
|
|
|
# get openvpn server IPs for UDP (if existing)
|
|
|
|
|
if ( RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) {
|
|
|
|
|
foreach ( $fconf as $f ) {
|
2021-07-21 17:56:01 +02:00
|
|
|
unset($result);
|
2021-07-21 16:02:21 +02:00
|
|
|
exec('cat '.$f.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_]*)\s*([0-9]*).*$/\1/ip" ', $result);
|
|
|
|
|
$ip = (isset($result[0])) ? $result[0] : "";
|
|
|
|
|
unset($result);
|
|
|
|
|
exec('cat '.$f.' | sed -rn "s/^proto\s*([a-z]*).*$/\1/ip" ', $result);
|
|
|
|
|
$proto = (isset($result[0])) ? $result[0] : "";
|
|
|
|
|
if ( !empty($ip) && trim(strtolower($proto)) === "udp" ) {
|
|
|
|
|
$ip = gethostbyname($ip);
|
|
|
|
|
if ( filter_var($ip,FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) $ips .= " $ip";
|
|
|
|
|
}
|
2021-07-18 22:09:59 +02:00
|
|
|
}
|
2021-07-19 17:28:49 +02:00
|
|
|
}
|
2021-07-21 16:02:21 +02:00
|
|
|
# get wireguard server IPs for UDP (if existing)
|
|
|
|
|
if ( RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) {
|
2021-07-18 22:09:59 +02:00
|
|
|
}
|
2021-07-21 16:02:21 +02:00
|
|
|
return trim($ips);
|
2021-07-16 21:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
2021-07-21 16:02:21 +02:00
|
|
|
|
2021-07-16 21:40:28 +02:00
|
|
|
function DisplayFirewallConfig()
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
$status = new StatusMessages();
|
|
|
|
|
|
|
|
|
|
$json = file_get_contents(RASPAP_IPTABLES_CONF);
|
|
|
|
|
$ipt_rules = json_decode($json, true);
|
|
|
|
|
getWifiInterface();
|
|
|
|
|
$ap_device = $_SESSION['ap_interface'];
|
|
|
|
|
$clients = getClients();
|
2021-07-20 21:56:00 +02:00
|
|
|
$str_clients = "";
|
|
|
|
|
foreach( $clients["device"] as $dev ) {
|
|
|
|
|
if ( !$dev["isAP"] ) {
|
|
|
|
|
if ( !empty($str_clients) ) $str_clients .= ", ";
|
|
|
|
|
$str_clients .= $dev["name"];
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-07-16 21:40:28 +02:00
|
|
|
$fw_conf = ReadFirewallConf();
|
|
|
|
|
$fw_conf["ap-device"] = $ap_device;
|
|
|
|
|
$id=findCurrentClientIndex($clients);
|
|
|
|
|
if ( $id >= 0 ) $fw_conf["client-device"] = $clients["device"][$id]["name"];
|
|
|
|
|
if (!empty($_POST)) {
|
|
|
|
|
$fw_conf["ssh-enable"] = isset($_POST['ssh-enable']);
|
|
|
|
|
$fw_conf["http-enable"] = isset($_POST['http-enable']);
|
|
|
|
|
$fw_conf["firewall-enable"] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']);
|
|
|
|
|
if ( isset($_POST['firewall-enable']) ) $status->addMessage(_('Firewall is now enabled'), 'success');
|
|
|
|
|
if ( isset($_POST['apply-firewall']) ) $status->addMessage(_('Firewall settings changed'), 'success');
|
|
|
|
|
if ( isset($_POST['firewall-disable']) ) $status->addMessage(_('Firewall is now disabled'), 'warning');
|
|
|
|
|
if ( isset($_POST['save-firewall']) ) $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success');
|
2021-07-20 21:56:00 +02:00
|
|
|
if ( isset($_POST['excl-devices']) ) {
|
|
|
|
|
$excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING);
|
2021-07-21 16:02:21 +02:00
|
|
|
$excl = str_replace(',', ' ', $excl);
|
|
|
|
|
$excl = trim(preg_replace('/\s+/', ' ', $excl));
|
|
|
|
|
if ( $fw_conf["excl-devices"] != $excl ) {
|
2021-07-20 21:56:00 +02:00
|
|
|
$status->addMessage(_('Exclude devices '. $excl), 'success');
|
|
|
|
|
$fw_conf["excl-devices"] = $excl;
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-07-21 16:02:21 +02:00
|
|
|
if ( isset($_POST['excluded-ips']) ) {
|
|
|
|
|
$excl = filter_var($_POST['excluded-ips'], FILTER_SANITIZE_STRING);
|
|
|
|
|
$excl = str_replace(',', ' ', $excl);
|
|
|
|
|
$excl = trim(preg_replace('/\s+/', ' ', $excl));
|
|
|
|
|
if ( !empty($excl) ) {
|
|
|
|
|
$excl = explode(' ',$excl);
|
|
|
|
|
$str_excl = "";
|
|
|
|
|
foreach ( $excl as $ip ) {
|
|
|
|
|
if ( filter_var($ip,FILTER_VALIDATE_IP) ) $str_excl .= "$ip ";
|
|
|
|
|
else $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
$str_excl = trim($str_excl);
|
|
|
|
|
if ( $fw_conf["excluded-ips"] != $str_excl ) {
|
|
|
|
|
$status->addMessage(_('Exclude IP address(es) '. $str_excl ), 'success');
|
|
|
|
|
$fw_conf["excluded-ips"] = $str_excl;
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-07-16 21:40:28 +02:00
|
|
|
WriteFirewallConf($fw_conf);
|
2021-07-18 22:09:59 +02:00
|
|
|
configureFirewall();
|
2021-07-16 21:40:28 +02:00
|
|
|
}
|
2021-07-21 16:02:21 +02:00
|
|
|
$vpn_ips = getVPN_IPs();
|
2021-07-16 21:40:28 +02:00
|
|
|
echo renderTemplate("firewall", compact(
|
|
|
|
|
"status",
|
|
|
|
|
"ap_device",
|
2021-07-20 21:56:00 +02:00
|
|
|
"str_clients",
|
2021-07-16 21:40:28 +02:00
|
|
|
"fw_conf",
|
2021-07-21 16:02:21 +02:00
|
|
|
"ipt_rules",
|
|
|
|
|
"vpn_ips")
|
2021-07-16 21:40:28 +02:00
|
|
|
);
|
|
|
|
|
}
|
