frodovdr/raspap-webgui
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2025-03-01 10:31:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add IPv6 to Firewall

Browse Source
This commit is contained in:
Christian Zeitnitz
2021-07-25 15:42:46 +02:00
parent 1855f40f9d
commit 2f1a6af0ba
2 changed files with 39 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
config/iptables_rules.json
View File

@@ -44,12 +44,23 @@
{
"name": "ping",
"fw-state": true,
"ip-version": 4,
"comment": "allow ping request and echo",
"rules": [
"-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
"-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
]
},
{
"name": "ping IPv6",
"fw-state": true,
"ip-version": 6,
"comment": "allow ping request and echo for IPv6",
"rules": [
"-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
"-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
]
},
{
"name": "ntp",
"fw-state": true,
@@ -99,6 +110,7 @@
{
"name": "openvpn",
"comment": "Rules for tunnel device (tun)",
"ip-version": 4,
"dependson": [
{ "var": "openvpn-enable", "type": "bool" },
{ "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
@@ -114,6 +126,7 @@
{
"name": "wireguard",
"comment": "Rules for wireguard device (wg)",
"ip-version": 4,
"dependson": [
{ "var": "wireguard-enable", "type": "bool" },
{ "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
@@ -164,6 +177,7 @@
{
"name": "ipaddress",
"fw-state": true,
"ip-version": 4,
"comment": "allow access from/to IP",
"dependson": [
{ "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
@@ -178,6 +192,7 @@
{
"name": "ipaddress",
"fw-state": true,
"ip-version": 4,
"dependson": [
{ "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
],

29
includes/firewall.php
View File

@@ -4,6 +4,7 @@ require_once 'includes/status_messages.php';
require_once 'includes/functions.php';
define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh");
define('RASPAP_IP6TABLES_SCRIPT',"/tmp/ip6tables_raspap.sh");
function getDependson(&$rule, &$conf) {
if ( isset($rule["dependson"][0]) ) {
@@ -64,20 +65,33 @@ function createRuleStr(&$sect, &$conf) {
}
$str="";
foreach ( $rs as $r ) {
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= "iptables ".$r."\n";
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n";
}
return $str;
}
function isIPv4(&$rule) {
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"4") !== false;
}
function isIPv6(&$rule) {
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"6") !== false;
}
function configureFirewall() {
$json = file_get_contents(RASPAP_IPTABLES_CONF);
$ipt = json_decode($json, true);
$conf = ReadFirewallConf();
$txt = "#!/bin/bash\n";
$txt .= "iptables -F\n";
$txt .= "iptables -X\n";
$txt .= "iptables -t nat -F\n";
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt);
file_put_contents(RASPAP_IPTABLES_SCRIPT, 'IPT="iptables"'."\n", FILE_APPEND);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, 'IPT="ip6tables"'."\n", FILE_APPEND);
$txt = "\$IPT -F\n";
$txt .= "\$IPT -X\n";
$txt .= "\$IPT -t nat -F\n";
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND);
if ( empty($conf) || empty($ipt) ) return false;
$count=0;
foreach ( $ipt["order"] as $idx ) {
@@ -86,7 +100,8 @@ function configureFirewall() {
if ( isRuleEnabled($sect, $conf) ) {
$str_rules= createRuleStr($sect, $conf);
if ( !empty($str_rules) ) {
file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
++$count;
}
}
@@ -98,6 +113,10 @@ function configureFirewall() {
exec("sudo ".RASPAP_IPTABLES_SCRIPT);
// exec("sudo iptables-save > /etc/iptables/rules.v4");
// unlink(RASPAP_IPTABLES_SCRIPT);
exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
// exec("sudo iptables-save > /etc/iptables/rules.v6");
// unlink(RASPAP_IP6TABLES_SCRIPT);
}
return ($count > 0);
}