From 2f1a6af0baad75be9bc880b58412569e3d7aafbd Mon Sep 17 00:00:00 2001
From: Christian Zeitnitz
Date: Sun, 25 Jul 2021 15:42:46 +0200
Subject: [PATCH] Add IPv6 to Firewall

---
 config/iptables_rules.json | 15 +++++++++++++++
 includes/firewall.php | 29 ++++++++++++++++++++++++-----
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/config/iptables_rules.json b/config/iptables_rules.json
index df2b126b..d9b6f5f9 100644
--- a/config/iptables_rules.json
+++ b/config/iptables_rules.json
@@ -44,12 +44,23 @@
 {
 "name": "ping",
 "fw-state": true,
+ "ip-version": 4,
 "comment": "allow ping request and echo",
 "rules": [
 "-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
 "-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
 ]
 },
+ {
+ "name": "ping IPv6",
+ "fw-state": true,
+ "ip-version": 6,
+ "comment": "allow ping request and echo for IPv6",
+ "rules": [
+ "-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
+ "-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
+ ]
+ },
 {
 "name": "ntp",
 "fw-state": true,
@@ -99,6 +110,7 @@
 {
 "name": "openvpn",
 "comment": "Rules for tunnel device (tun)",
+ "ip-version": 4,
 "dependson": [
 { "var": "openvpn-enable", "type": "bool" },
 { "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
@@ -114,6 +126,7 @@
 {
 "name": "wireguard",
 "comment": "Rules for wireguard device (wg)",
+ "ip-version": 4,
 "dependson": [
 { "var": "wireguard-enable", "type": "bool" },
 { "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
@@ -164,6 +177,7 @@
 {
 "name": "ipaddress",
 "fw-state": true,
+ "ip-version": 4,
 "comment": "allow access from/to IP",
 "dependson": [
 { "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
@@ -178,6 +192,7 @@
 {
 "name": "ipaddress",
 "fw-state": true,
+ "ip-version": 4,
 "dependson": [
 { "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
 ],
diff --git a/includes/firewall.php b/includes/firewall.php
index 90713d34..1b763622 100644
--- a/includes/firewall.php
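Review bot: The new "ping IPv6" entry in the first hunk only accepts ICMPv6 echo-request and echo-reply; whether that is sufficient depends on the INPUT policy set elsewhere (not visible here), because if unmatched INPUT traffic is dropped, IPv6 neighbour discovery and router advertisements are dropped too and the host loses IPv6 connectivity on the link. Consider adding ACCEPT entries for the neighbour-discovery types next to the echo rules, e.g. `"-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT"`, `"-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT"` and `"-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT"`. The remaining hunks (openvpn, wireguard and both ipaddress entries) tag sections as `"ip-version": 4`, but any section left untagged — ntp here, and whatever else is in the file — is emitted to both tables by the PHP side, so each untagged rule string has to be valid for ip6tables as well; stating that "untagged means both families" in the section comments or the README would make that contract explicit.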
+++ b/includes/firewall.php
@@ -4,6 +4,7 @@ require_once 'includes/status_messages.php'; require_once 'includes/functions.php'; define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh");
+define('RASPAP_IP6TABLES_SCRIPT',"/tmp/ip6tables_raspap.sh");
 
 function getDependson(&$rule, &$conf) {
 if ( isset($rule["dependson"][0]) ) {
@@ -64,20 +65,33 @@ function createRuleStr(&$sect, &$conf) {
 }
 $str="";
 foreach ( $rs as $r ) {
- if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= "iptables ".$r."\n";
+ if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n";
 }
 return $str;
 }
+function isIPv4(&$rule) {
+ return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"4") !== false;
+}
+
+function isIPv6(&$rule) {
+ return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"6") !== false;
+}
+
 
 function configureFirewall() {
 $json = file_get_contents(RASPAP_IPTABLES_CONF);
 $ipt = json_decode($json, true);
 $conf = ReadFirewallConf();
 $txt = "#!/bin/bash\n";
- $txt .= "iptables -F\n";
- $txt .= "iptables -X\n";
- $txt .= "iptables -t nat -F\n";
 file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt);
+ file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt);
+ file_put_contents(RASPAP_IPTABLES_SCRIPT, 'IPT="iptables"'."\n", FILE_APPEND);
+ file_put_contents(RASPAP_IP6TABLES_SCRIPT, 'IPT="ip6tables"'."\n", FILE_APPEND);
+ $txt = "\$IPT -F\n";
+ $txt .= "\$IPT -X\n";
+ $txt .= "\$IPT -t nat -F\n";
+ file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND);
+ file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND);
 if ( empty($conf) || empty($ipt) ) return false;
 $count=0;
 foreach ( $ipt["order"] as $idx ) {
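Review bot: configureFirewall now assembles each script header with five separate `file_put_contents` calls whose return values are never checked, so a write that fails part-way (unwritable path, or a path that already exists as something other than a regular file) leaves a truncated script that the function still hands to `sudo` later on; build the header once per table and bail out on a failed write. The fixed `/tmp/ip6tables_raspap.sh` path repeats the pattern of the existing IPv4 script — a predictable name in a world-writable directory for a file executed as root — so a directory writable only by the web user, or `tempnam()`, is worth considering for both, although the actual exposure depends on the sudoers configuration, which is not visible here. In `isIPv4`/`isIPv6`, `strstr($rule["ip-version"],"4")` relies on the integer from the JSON being coerced to a string and would throw a TypeError under `strict_types`; an explicit cast also documents that `4`, `6` and `"46"` are the accepted values: `return !isset($rule["ip-version"]) || strstr((string)$rule["ip-version"],"4") !== false;`. Note that `createRuleStr` begins before this hunk and `configureFirewall` continues past it.
```php
function configureFirewall() {
    // … unchanged: $json / $ipt / $conf setup …
    // one write per script, so a failed write cannot leave a partial file that is later run via sudo
    $flush = "\$IPT -F\n\$IPT -X\n\$IPT -t nat -F\n";
    $scripts = [
        RASPAP_IPTABLES_SCRIPT  => "#!/bin/bash\nIPT=\"iptables\"\n".$flush,
        RASPAP_IP6TABLES_SCRIPT => "#!/bin/bash\nIPT=\"ip6tables\"\n".$flush,
    ];
    foreach ( $scripts as $path => $head ) {
        if ( file_put_contents($path, $head) === false ) return false;
    }
    // … unchanged: empty() guard and the rule loop …
```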
@@ -86,7 +100,8 @@ function configureFirewall() {
 if ( isRuleEnabled($sect, $conf) ) {
 $str_rules= createRuleStr($sect, $conf);
 if ( !empty($str_rules) ) {
- file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
+ if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
+ if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
 ++$count;
 }
 }
@@ -98,6 +113,10 @@ function configureFirewall() {
 exec("sudo ".RASPAP_IPTABLES_SCRIPT);
 // exec("sudo iptables-save > /etc/iptables/rules.v4");
 // unlink(RASPAP_IPTABLES_SCRIPT);
+ exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
+ exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
+// exec("sudo iptables-save > /etc/iptables/rules.v6");
+// unlink(RASPAP_IP6TABLES_SCRIPT);
 }
 return ($count > 0);
 }
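Review bot: A section whose `ip-version` is set but contains neither a 4 nor a 6 (a typo, or `0`) makes both `isIPv4` and `isIPv6` return false, so its rules are written to neither script, yet `++$count` still runs and the function later reports success. Either reject an unrecognised value or only count sections that were actually emitted, e.g. `$written = isIPv4($sect) || isIPv6($sect);` before the two `if`s and `if ( $written ) ++$count;` in place of the bare increment, and the two `file_put_contents` return values in these lines are unchecked just like those in the header-writing code earlier in the function. The enclosing `configureFirewall` starts and ends outside this hunk.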
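Review bot: The added `exec("sudo ".RASPAP_IP6TABLES_SCRIPT)` discards the exit status, exactly like the IPv4 call above it, so a missing `ip6tables` binary or a rule rejected by the kernel still leaves the function returning `($count > 0)` as if every rule had been applied; capture it with `exec("sudo ".RASPAP_IP6TABLES_SCRIPT, $out, $rc);` and `if ( $rc !== 0 ) return false;`. The generated bash scripts also have no `set -e`, so one bad rule string does not stop the remaining rules from being applied, and it is worth deciding explicitly whether a partially applied policy is acceptable. The two commented-out lines added here (`// exec("sudo iptables-save > /etc/iptables/rules.v6");` and `// unlink(RASPAP_IP6TABLES_SCRIPT);`) mirror existing dead code; if persistence is planned, a TODO naming the intended option is clearer than commented-out calls.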