1
0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00

Add IPv6 to Firewall

This commit is contained in:
Christian Zeitnitz 2021-07-25 15:42:46 +02:00
parent 1855f40f9d
commit 2f1a6af0ba
2 changed files with 39 additions and 5 deletions

View File

@ -44,12 +44,23 @@
{ {
"name": "ping", "name": "ping",
"fw-state": true, "fw-state": true,
"ip-version": 4,
"comment": "allow ping request and echo", "comment": "allow ping request and echo",
"rules": [ "rules": [
"-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT", "-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
"-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT" "-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
] ]
}, },
{
"name": "ping IPv6",
"fw-state": true,
"ip-version": 6,
"comment": "allow ping request and echo for IPv6",
"rules": [
"-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
"-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
]
},
{ {
"name": "ntp", "name": "ntp",
"fw-state": true, "fw-state": true,
@ -99,6 +110,7 @@
{ {
"name": "openvpn", "name": "openvpn",
"comment": "Rules for tunnel device (tun)", "comment": "Rules for tunnel device (tun)",
"ip-version": 4,
"dependson": [ "dependson": [
{ "var": "openvpn-enable", "type": "bool" }, { "var": "openvpn-enable", "type": "bool" },
{ "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" }, { "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
@ -114,6 +126,7 @@
{ {
"name": "wireguard", "name": "wireguard",
"comment": "Rules for wireguard device (wg)", "comment": "Rules for wireguard device (wg)",
"ip-version": 4,
"dependson": [ "dependson": [
{ "var": "wireguard-enable", "type": "bool" }, { "var": "wireguard-enable", "type": "bool" },
{ "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" }, { "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
@ -164,6 +177,7 @@
{ {
"name": "ipaddress", "name": "ipaddress",
"fw-state": true, "fw-state": true,
"ip-version": 4,
"comment": "allow access from/to IP", "comment": "allow access from/to IP",
"dependson": [ "dependson": [
{ "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" } { "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
@ -178,6 +192,7 @@
{ {
"name": "ipaddress", "name": "ipaddress",
"fw-state": true, "fw-state": true,
"ip-version": 4,
"dependson": [ "dependson": [
{ "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" } { "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
], ],

View File

@ -4,6 +4,7 @@ require_once 'includes/status_messages.php';
require_once 'includes/functions.php'; require_once 'includes/functions.php';
define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh"); define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh");
define('RASPAP_IP6TABLES_SCRIPT',"/tmp/ip6tables_raspap.sh");
function getDependson(&$rule, &$conf) { function getDependson(&$rule, &$conf) {
if ( isset($rule["dependson"][0]) ) { if ( isset($rule["dependson"][0]) ) {
@ -64,20 +65,33 @@ function createRuleStr(&$sect, &$conf) {
} }
$str=""; $str="";
foreach ( $rs as $r ) { foreach ( $rs as $r ) {
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= "iptables ".$r."\n"; if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n";
} }
return $str; return $str;
} }
function isIPv4(&$rule) {
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"4") !== false;
}
function isIPv6(&$rule) {
return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"6") !== false;
}
function configureFirewall() { function configureFirewall() {
$json = file_get_contents(RASPAP_IPTABLES_CONF); $json = file_get_contents(RASPAP_IPTABLES_CONF);
$ipt = json_decode($json, true); $ipt = json_decode($json, true);
$conf = ReadFirewallConf(); $conf = ReadFirewallConf();
$txt = "#!/bin/bash\n"; $txt = "#!/bin/bash\n";
$txt .= "iptables -F\n";
$txt .= "iptables -X\n";
$txt .= "iptables -t nat -F\n";
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt); file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt);
file_put_contents(RASPAP_IPTABLES_SCRIPT, 'IPT="iptables"'."\n", FILE_APPEND);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, 'IPT="ip6tables"'."\n", FILE_APPEND);
$txt = "\$IPT -F\n";
$txt .= "\$IPT -X\n";
$txt .= "\$IPT -t nat -F\n";
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND);
if ( empty($conf) || empty($ipt) ) return false; if ( empty($conf) || empty($ipt) ) return false;
$count=0; $count=0;
foreach ( $ipt["order"] as $idx ) { foreach ( $ipt["order"] as $idx ) {
@ -86,7 +100,8 @@ function configureFirewall() {
if ( isRuleEnabled($sect, $conf) ) { if ( isRuleEnabled($sect, $conf) ) {
$str_rules= createRuleStr($sect, $conf); $str_rules= createRuleStr($sect, $conf);
if ( !empty($str_rules) ) { if ( !empty($str_rules) ) {
file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
++$count; ++$count;
} }
} }
@ -98,6 +113,10 @@ function configureFirewall() {
exec("sudo ".RASPAP_IPTABLES_SCRIPT); exec("sudo ".RASPAP_IPTABLES_SCRIPT);
// exec("sudo iptables-save > /etc/iptables/rules.v4"); // exec("sudo iptables-save > /etc/iptables/rules.v4");
// unlink(RASPAP_IPTABLES_SCRIPT); // unlink(RASPAP_IPTABLES_SCRIPT);
exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
// exec("sudo iptables-save > /etc/iptables/rules.v6");
// unlink(RASPAP_IP6TABLES_SCRIPT);
} }
return ($count > 0); return ($count > 0);
} }