From 2e1781a2eb620b5956aed35c8a18f65a6e33ebf9 Mon Sep 17 00:00:00 2001
From: Christian Zeitnitz
Date: Sat, 17 Jul 2021 22:26:56 +0200
Subject: [PATCH] Add installation script

Add wireguard iptables rules
---
 config/iptables_rules.json             | 17 ++++++++++++++++-
 installers/install_feature_firewall.sh | 20 ++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 installers/install_feature_firewall.sh

diff --git a/config/iptables_rules.json b/config/iptables_rules.json
index fa23d707..0e6618ec 100644
--- a/config/iptables_rules.json
+++ b/config/iptables_rules.json
@@ -95,13 +95,28 @@
         "dependson": [
           { "var": "openvpn-enable", "type": "bool" },
           { "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
-          { "var": "client-device", "type": "string", "replace": "$INTERFACE$" }
+          { "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
         ],
         "rules": [
+          "-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
           "-A FORWARD -i tun+ -o $INTERFACE$ -m state --state RELATED,ESTABLISHED -j ACCEPT",
           "-A FORWARD -i $INTERFACE$ -o tun+ -j ACCEPT",
           "-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
         ]
+      },
+      {
+        "name": "wireguard",
+        "comment": "Rules for wireguard device (wg)",
+        "dependson": [
+          { "var": "wireguard-enable", "type": "bool" },
+          { "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
+          { "var": "client-device", "type": "string", "replace": "$INTERFACE$" }
+        ],
+        "rules": [
+          "-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
+          "-A FORWARD -i wg+ -j ACCEPT",
+          "-t nat -A POSTROUTING -o $INTERFACE$ -j MASQUERADE"
+        ]
       }
     ],
     "exception_rules": [
diff --git a/installers/install_feature_firewall.sh b/installers/install_feature_firewall.sh
new file mode 100644
index 00000000..40757e43
--- /dev/null
+++ b/installers/install_feature_firewall.sh
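Review bot: `-A FORWARD -i wg+ -j ACCEPT` in the new wireguard block accepts every forwarded packet that arrives on a wg interface regardless of its destination interface or connection state, whereas the openvpn block directly above pins both interfaces and uses a RELATED,ESTABLISHED match for the return direction. Unless the FORWARD chain's default policy is ACCEPT (not visible in this hunk), the reverse path entering on $INTERFACE$ and leaving on wg+ also has no matching rule, so the masqueraded replies would be dropped; mirroring the openvpn pair, `-A FORWARD -i wg+ -o $INTERFACE$ -j ACCEPT` and `-A FORWARD -i $INTERFACE$ -o wg+ -m state --state RELATED,ESTABLISHED -j ACCEPT`, would give the same directional and stateful scoping. The `-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT` line added to both blocks admits UDP on every port from the server address; a port match would narrow it if the tunnel port is available as a substitution variable. Separately, the openvpn dependency was switched from `client-device` to `ap-device` while the new wireguard block still names `client-device`; it is worth confirming that the two blocks are meant to differ here.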
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# RaspAP feature installation: Firewall
+# to be sources by the RaspAP installer script
+# Author: @zbchristian
+# Author URI: https://github.com/zbchristian/
+# License: GNU General Public License v3.0
+# License URI: https://github.com/raspap/raspap-webgui/blob/master/LICENSE
+
+function _install_feature_firewall() {
+    name="feature firewall"
+
+    _install_log "Install $name"
+    _install_log " - copy configuration file"
+    # create config dir
+    sudo mkdir "/etc/raspap/networking/firewall" || _install_status 1 "Unable to create firewall config directory
+    # copy firewall configuration
+    sudo cp "$webroot_dir/config/iptables_rules.json" "/etc/raspap/networking/" || _install_status 1 "Unable to install client configuration ($name)"
+    _install_status 0
+}
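Review bot: The message string on the `sudo mkdir` line, `"Unable to create firewall config directory`, has no closing quote, so the literal runs on through the following comment and shifts every quote pairing on the `sudo cp` line, leaving an unterminated string at the end of the function; since the header says this file is sourced by the installer, that breaks the whole installer as far as this hunk shows. The one-line fix is `sudo mkdir "/etc/raspap/networking/firewall" || _install_status 1 "Unable to create firewall config directory"`. `mkdir` without `-p` also fails when the directory already exists, so a re-run of the installer reports an error; `sudo mkdir -p` would make the step repeatable. The directory being created (`/etc/raspap/networking/firewall`) is not the destination of the copy on the next line (`/etc/raspap/networking/`), so one of the two paths is presumably wrong, and that line's error text says "client configuration" for what is the firewall rules file. The header comment's "to be sources" reads as a typo for "to be sourced".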