Implement firewall

- settings in iptables_rules.json
- creates a script under /tmp/iptables_raspap.sh and executes it
- no installer yet
- to do: deal with Bridge and VPN settings

config/iptables_rules.json

@@ -0,0 +1,168 @@
+{
+    "info": "IPTABLES rules. $...$ expressions will be replaces automatically ($INTERFACE$, $PORT$, $IPADDRESS$)",
+    "rules_v4_file": "/etc/iptables/rules.v4",
+    "rules_v6_file": "/etc/iptables/rules.v6",
+    "order": [ "pre_rules", "restriction_rules", "main_rules", "exception_rules" ],
+    "pre_rules": [
+        {
+            "name": "firewall policies",
+            "fw-state": true,
+            "comment": "Policy rules (firewall)",
+            "rules": [
+                "-P INPUT DROP",
+                "-P FORWARD ACCEPT",
+                "-P OUTPUT ACCEPT",
+                "-t nat -P PREROUTING ACCEPT",
+                "-t nat -P POSTROUTING ACCEPT",
+                "-t nat -P INPUT ACCEPT",
+                "-t nat -P OUTPUT ACCEPT"
+            ]
+        },
+        {
+            "name": "policies",
+            "fw-state": false,
+            "comment": "Policy rules",
+            "rules": [
+                "-P INPUT ACCEPT",
+                "-P FORWARD ACCEPT",
+                "-P OUTPUT ACCEPT",
+                "-t nat -P PREROUTING ACCEPT",
+                "-t nat -P POSTROUTING ACCEPT",
+                "-t nat -P INPUT ACCEPT",
+                "-t nat -P OUTPUT ACCEPT"
+            ]
+        },
+        {
+            "name": "loopback",
+            "fw-state": true,
+            "comment": "allow loopback device",
+            "rules": [
+                "-A INPUT -i lo -j ACCEPT",
+                "-A OUTPUT -o lo -j ACCEPT"
+            ]
+        },
+        {
+            "name": "ping",
+            "fw-state": true,
+            "comment": "allow ping request and echo",
+            "rules": [
+                "-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
+                "-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
+            ]
+        },
+        {
+            "name": "ntp",
+            "fw-state": true,
+            "comment": "allow ntp request via udp (tcp should work w/o rule)",
+            "rules": [
+                "-A INPUT -p udp --sport 123 -j ACCEPT"
+            ]
+        },
+        {
+            "name": "dns",
+            "fw-state": true,
+            "comment": "allow dns request via tcp and udp",
+            "rules": [
+                "-A INPUT -p udp -m multiport --sport 53,853 -j ACCEPT",
+                "-A INPUT -p tcp -m multiport --sport 53,853 -j ACCEPT"
+            ]
+        }
+    ],
+    "main_rules": [
+        {
+            "name": "accesspoint",
+            "fw-state": true,
+            "comment": "Access point interface by default no restrictions",
+            "dependson": [
+                    { "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
+            ],
+            "rules": [
+                    "-A INPUT -i $INTERFACE$ -j ACCEPT",
+                    "-A OUTPUT -o $INTERFACE$ -j ACCEPT"
+            ]
+        },
+        {
+            "name": "clients",
+            "fw-state": true,
+            "comment": "Rules for client interfaces (includes tun device)",
+            "rules": [
+                "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
+            ]
+        },
+        {
+            "name": "openvpn",
+            "comment": "Rules for tunnel device (tun)",
+            "dependson": [
+                  { "var": "openvpn-enable", "type": "bool" },
+                  { "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
+                  { "var": "client-device", "type": "string", "replace": "$INTERFACE$" }
+            ],
+            "rules": [
+                "-A FORWARD -i tun+ -o $INTERFACE$ -m state --state RELATED,ESTABLISHED -j ACCEPT",
+                "-A FORWARD -i $INTERFACE$ -o tun+ -j ACCEPT",
+                "-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
+            ]
+        }
+    ],
+    "exception_rules": [
+        {
+            "name": "ssh",
+            "fw-state": true,
+            "comment": "Allow ssh access to RaspAP on port 22",
+            "dependson": [
+                { "var": "ssh-enable", "type": "bool" }
+            ],
+            "rules": [
+                "-A INPUT -p tcp --dport 22 -j ACCEPT"
+            ]
+        },
+        {
+            "name": "http",
+            "fw-state": true,
+            "comment": "Allow access to RaspAP GUI (https)",
+            "dependson": [
+                { "var": "http-enable", "type": "bool" }
+            ],
+            "rules": [
+                "-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
+            ]
+        },
+        {
+            "name": "interface",
+            "fw-state": true,
+            "comment": "Exclude interface from firewall",
+            "dependson": [
+                { "var": "excl-devices", "type": "list", "replace": "$INTERFACE$" }
+            ],
+            "rules": [
+                "-A INPUT -i $INTERFACE$ -j ACCEPT",
+                "-A OUTPUT -o $INTERFACE$ -j ACCEPT"
+            ]
+        },
+        {
+            "name": "ipaddress",
+            "fw-state": true,
+            "comment": "allow access from/to IP",
+            "dependson": [
+                { "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
+            ],
+            "rules": [
+                "-A INPUT -s $IPADDRESS$ -j ACCEPT",
+                "-A INPUT -d $IPADDRESS$ -j ACCEPT"
+            ]
+        }
+    ],
+    "restriction_rules": [
+        {
+            "name": "ipaddress",
+            "fw-state": true,
+            "dependson": [
+                { "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
+            ],
+            "comment": "Block access from IP-address",
+            "rules": [
+                "-A INPUT -s $IPADDRESS$ -j DROP"
+            ]
+        }
+    ]
+}