Add IPv6 to Firewall
This commit is contained in:
parent
1855f40f9d
commit
2f1a6af0ba
@ -44,12 +44,23 @@
|
|||||||
{
|
{
|
||||||
"name": "ping",
|
"name": "ping",
|
||||||
"fw-state": true,
|
"fw-state": true,
|
||||||
|
"ip-version": 4,
|
||||||
"comment": "allow ping request and echo",
|
"comment": "allow ping request and echo",
|
||||||
"rules": [
|
"rules": [
|
||||||
"-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
|
"-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
|
||||||
"-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
|
"-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"name": "ping IPv6",
|
||||||
|
"fw-state": true,
|
||||||
|
"ip-version": 6,
|
||||||
|
"comment": "allow ping request and echo for IPv6",
|
||||||
|
"rules": [
|
||||||
|
"-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
|
||||||
|
"-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
|
||||||
|
]
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"name": "ntp",
|
"name": "ntp",
|
||||||
"fw-state": true,
|
"fw-state": true,
|
||||||
@ -99,6 +110,7 @@
|
|||||||
{
|
{
|
||||||
"name": "openvpn",
|
"name": "openvpn",
|
||||||
"comment": "Rules for tunnel device (tun)",
|
"comment": "Rules for tunnel device (tun)",
|
||||||
|
"ip-version": 4,
|
||||||
"dependson": [
|
"dependson": [
|
||||||
{ "var": "openvpn-enable", "type": "bool" },
|
{ "var": "openvpn-enable", "type": "bool" },
|
||||||
{ "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
|
{ "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
|
||||||
@ -114,6 +126,7 @@
|
|||||||
{
|
{
|
||||||
"name": "wireguard",
|
"name": "wireguard",
|
||||||
"comment": "Rules for wireguard device (wg)",
|
"comment": "Rules for wireguard device (wg)",
|
||||||
|
"ip-version": 4,
|
||||||
"dependson": [
|
"dependson": [
|
||||||
{ "var": "wireguard-enable", "type": "bool" },
|
{ "var": "wireguard-enable", "type": "bool" },
|
||||||
{ "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
|
{ "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
|
||||||
@ -164,6 +177,7 @@
|
|||||||
{
|
{
|
||||||
"name": "ipaddress",
|
"name": "ipaddress",
|
||||||
"fw-state": true,
|
"fw-state": true,
|
||||||
|
"ip-version": 4,
|
||||||
"comment": "allow access from/to IP",
|
"comment": "allow access from/to IP",
|
||||||
"dependson": [
|
"dependson": [
|
||||||
{ "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
|
{ "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
|
||||||
@ -178,6 +192,7 @@
|
|||||||
{
|
{
|
||||||
"name": "ipaddress",
|
"name": "ipaddress",
|
||||||
"fw-state": true,
|
"fw-state": true,
|
||||||
|
"ip-version": 4,
|
||||||
"dependson": [
|
"dependson": [
|
||||||
{ "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
|
{ "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
|
||||||
],
|
],
|
||||||
|
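Review bot: Pinning both `ipaddress` rules (the `excluded-ips` and `restricted-ips` entries in the last two hunks) to `"ip-version": 4` means any IPv6 address a user puts in those lists is never written to the ip6tables script, so the exclusion or restriction is silently not enforced for v6 traffic; whether those lists can hold IPv6 addresses is not visible here, but either the UI should reject them or the rules need a v6 counterpart. The new `ping IPv6` rule accepts only echo-request and echo-reply; if the rule set installs a default-deny INPUT policy anywhere (not visible in these hunks), ip6tables also has to accept ICMPv6 neighbor discovery (types 133–136), otherwise IPv6 on the interface stops working as soon as the firewall is enabled. That limitation is worth recording on the rule itself, e.g. `"comment": "allow ping request and echo for IPv6 (neighbor discovery is not covered by this rule)"`.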
@ -4,6 +4,7 @@ require_once 'includes/status_messages.php';
|
|||||||
require_once 'includes/functions.php';
|
require_once 'includes/functions.php';
|
||||||
|
|
||||||
define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh");
|
define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh");
|
||||||
|
define('RASPAP_IP6TABLES_SCRIPT',"/tmp/ip6tables_raspap.sh");
|
||||||
|
|
||||||
function getDependson(&$rule, &$conf) {
|
function getDependson(&$rule, &$conf) {
|
||||||
if ( isset($rule["dependson"][0]) ) {
|
if ( isset($rule["dependson"][0]) ) {
|
||||||
@ -64,20 +65,33 @@ function createRuleStr(&$sect, &$conf) {
|
|||||||
}
|
}
|
||||||
$str="";
|
$str="";
|
||||||
foreach ( $rs as $r ) {
|
foreach ( $rs as $r ) {
|
||||||
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= "iptables ".$r."\n";
|
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n";
|
||||||
}
|
}
|
||||||
return $str;
|
return $str;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function isIPv4(&$rule) {
|
||||||
|
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"4") !== false;
|
||||||
|
}
|
||||||
|
|
||||||
|
function isIPv6(&$rule) {
|
||||||
|
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"6") !== false;
|
||||||
|
}
|
||||||
|
|
||||||
function configureFirewall() {
|
function configureFirewall() {
|
||||||
$json = file_get_contents(RASPAP_IPTABLES_CONF);
|
$json = file_get_contents(RASPAP_IPTABLES_CONF);
|
||||||
$ipt = json_decode($json, true);
|
$ipt = json_decode($json, true);
|
||||||
$conf = ReadFirewallConf();
|
$conf = ReadFirewallConf();
|
||||||
$txt = "#!/bin/bash\n";
|
$txt = "#!/bin/bash\n";
|
||||||
$txt .= "iptables -F\n";
|
|
||||||
$txt .= "iptables -X\n";
|
|
||||||
$txt .= "iptables -t nat -F\n";
|
|
||||||
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt);
|
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt);
|
||||||
|
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt);
|
||||||
|
file_put_contents(RASPAP_IPTABLES_SCRIPT, 'IPT="iptables"'."\n", FILE_APPEND);
|
||||||
|
file_put_contents(RASPAP_IP6TABLES_SCRIPT, 'IPT="ip6tables"'."\n", FILE_APPEND);
|
||||||
|
$txt = "\$IPT -F\n";
|
||||||
|
$txt .= "\$IPT -X\n";
|
||||||
|
$txt .= "\$IPT -t nat -F\n";
|
||||||
|
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND);
|
||||||
|
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND);
|
||||||
if ( empty($conf) || empty($ipt) ) return false;
|
if ( empty($conf) || empty($ipt) ) return false;
|
||||||
$count=0;
|
$count=0;
|
||||||
foreach ( $ipt["order"] as $idx ) {
|
foreach ( $ipt["order"] as $idx ) {
|
||||||
@ -86,7 +100,8 @@ function configureFirewall() {
|
|||||||
if ( isRuleEnabled($sect, $conf) ) {
|
if ( isRuleEnabled($sect, $conf) ) {
|
||||||
$str_rules= createRuleStr($sect, $conf);
|
$str_rules= createRuleStr($sect, $conf);
|
||||||
if ( !empty($str_rules) ) {
|
if ( !empty($str_rules) ) {
|
||||||
file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
|
if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
|
||||||
|
if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
|
||||||
++$count;
|
++$count;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -98,6 +113,10 @@ function configureFirewall() {
|
|||||||
exec("sudo ".RASPAP_IPTABLES_SCRIPT);
|
exec("sudo ".RASPAP_IPTABLES_SCRIPT);
|
||||||
// exec("sudo iptables-save > /etc/iptables/rules.v4");
|
// exec("sudo iptables-save > /etc/iptables/rules.v4");
|
||||||
// unlink(RASPAP_IPTABLES_SCRIPT);
|
// unlink(RASPAP_IPTABLES_SCRIPT);
|
||||||
|
exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
|
||||||
|
exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
|
||||||
|
// exec("sudo iptables-save > /etc/iptables/rules.v6");
|
||||||
|
// unlink(RASPAP_IP6TABLES_SCRIPT);
|
||||||
}
|
}
|
||||||
return ($count > 0);
|
return ($count > 0);
|
||||||
}
|
}
|
||||||
|
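Review bot: `RASPAP_IP6TABLES_SCRIPT` in the first hunk repeats the existing pattern of writing a script to a fixed, predictable path under `/tmp` and then running it with `sudo` in the last hunk; because `/tmp` is shared with every local account, the file can be pre-created or swapped between `file_put_contents` and `exec`, so both generated scripts should live in a directory writable only by the web-server user (or be created with `tempnam()` on such a directory) rather than doubling this surface. In `createRuleStr`, the rule text written as `'$IPT '.$r` reaches a root shell unquoted, including whatever `getDependson` substitutes for `$IPADDRESS$`; `ReadFirewallConf` is not visible, so if those values are not already validated with `filter_var(..., FILTER_VALIDATE_IP)` they should be before they are written. `isIPv4`/`isIPv6` rely on `strstr` coercing the integer `ip-version` to a string, and a rule without the key is emitted into both scripts; that default deserves a docblock on each helper, e.g. `/** A rule with no "ip-version" key is applied to both iptables and ip6tables. */`. `configureFirewall` continues between the hunks shown here.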