From d07fd0a3279d17d6bf6abfe11c4d89dcece7ebd7 Mon Sep 17 00:00:00 2001 From: zbchristian <33725910+zbchristian@users.noreply.github.com> Date: Wed, 8 Sep 2021 10:59:58 +0200 Subject: [PATCH] Implement update firewall function - cleanup firewall.php - add function updateFirewall - add standalone script update_firewall.sh to update the firewall rules --- includes/firewall.php | 80 +++++++++++++++++++++++------------ installers/raspap.sudoers | 4 ++ installers/update_firewall.sh | 29 +++++++++++++ 3 files changed, 86 insertions(+), 27 deletions(-) create mode 100644 installers/update_firewall.sh diff --git a/includes/firewall.php b/includes/firewall.php index 4fbfad2c..f44833c3 100644 --- a/includes/firewall.php +++ b/includes/firewall.php @@ -8,9 +8,9 @@ define('RASPAP_IP6TABLES_SCRIPT', "/tmp/ip6tables_raspap.sh"); /** * - * @param string $rule - * @param string $conf - * @return string $don + * @param array $rule + * @param array $conf + * @return array $don */ function getDependson(&$rule, &$conf) { @@ -27,9 +27,9 @@ function getDependson(&$rule, &$conf) /** * - * @param string $sect - * @param string $conf - * @return string $active + * @param array $sect + * @param array $conf + * @return boolean $active */ function isRuleEnabled(&$sect, &$conf) { @@ -46,8 +46,8 @@ function isRuleEnabled(&$sect, &$conf) /** * - * @param string $sect - * @param string $conf + * @param array $sect + * @param array $conf * @return string $str */ function createRuleStr(&$sect, &$conf) @@ -105,8 +105,8 @@ function createRuleStr(&$sect, &$conf) /** * - * @param string $rule - * @return string boolean + * @param array $rule + * @return boolean */ function isIPv4(&$rule) { @@ -115,7 +115,7 @@ function isIPv4(&$rule) /** * - * @param string $rule + * @param array $rule * @return boolean */ function isIPv6(&$rule) @@ -125,7 +125,7 @@ function isIPv6(&$rule) /** * - * @return string $count + * @return boolean */ function configureFirewall() { @@ -164,19 +164,19 @@ function configureFirewall() if ($count > 0 ) { exec("chmod +x ".RASPAP_IPTABLES_SCRIPT); exec("sudo ".RASPAP_IPTABLES_SCRIPT); - // exec("sudo iptables-save > /etc/iptables/rules.v4"); - // unlink(RASPAP_IPTABLES_SCRIPT); + exec("sudo iptables-save | sudo tee /etc/iptables/rules.v4"); + unlink(RASPAP_IPTABLES_SCRIPT); exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT); exec("sudo ".RASPAP_IP6TABLES_SCRIPT); - // exec("sudo iptables-save > /etc/iptables/rules.v6"); - // unlink(RASPAP_IP6TABLES_SCRIPT); + exec("sudo ip6tables-save | sudo tee /etc/iptables/rules.v6"); + unlink(RASPAP_IP6TABLES_SCRIPT); } return ($count > 0); } /** * - * @param string $conf + * @param array $conf * @return string $ret */ function WriteFirewallConf($conf) @@ -189,14 +189,15 @@ function WriteFirewallConf($conf) /** * - * @return string $conf + * @return array $conf */ function ReadFirewallConf() { + $conf = array(); if (file_exists(RASPI_FIREWALL_CONF) ) { $conf = parse_ini_file(RASPI_FIREWALL_CONF); - } else { - $conf = array(); + } + if ( !isset($conf["firewall-enable"]) ) { $conf["firewall-enable"] = false; $conf["ssh-enable"] = false; $conf["http-enable"] = false; @@ -260,14 +261,13 @@ function getVPN_IPs() /** * + * @return array $fw_conf */ -function DisplayFirewallConfig() +function getFirewallConfiguration() { - - $status = new StatusMessages(); - + $fw_conf = ReadFirewallConf(); + $json = file_get_contents(RASPI_IPTABLES_CONF); - $ipt_rules = json_decode($json, true); getWifiInterface(); $ap_device = $_SESSION['ap_interface']; $clients = getClients(); @@ -279,11 +279,38 @@ function DisplayFirewallConfig() $str_clients .= $dev["name"]; } } - $fw_conf = ReadFirewallConf(); $fw_conf["ap-device"] = $ap_device; + $fw_conf["client-list"] = $str_clients; $id=findCurrentClientIndex($clients); if ($id >= 0 ) { $fw_conf["client-device"] = $clients["device"][$id]["name"]; } + return $fw_conf; +} + +/** + * + */ +function updateFirewall() +{ + $fw_conf = getFirewallConfiguration(); + if ( isset($fw_conf["firewall-enable"]) ) { + WriteFirewallConf($fw_conf); + configureFirewall(); + } + return; +} + +/** + * + */ +function DisplayFirewallConfig() +{ + $status = new StatusMessages(); + + $fw_conf = getFirewallConfiguration(); + $ap_device = $fw_conf["ap-device"]; + $str_clients = $fw_conf["client-list"]; + if (!empty($_POST)) { $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']); $fw_conf["http-enable"] = isset($_POST['http-enable']); @@ -334,7 +361,6 @@ function DisplayFirewallConfig() "ap_device", "str_clients", "fw_conf", - "ipt_rules", "vpn_ips" ) ); diff --git a/installers/raspap.sudoers b/installers/raspap.sudoers index b85fe487..c7bbac5c 100644 --- a/installers/raspap.sudoers +++ b/installers/raspap.sudoers @@ -64,3 +64,7 @@ www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/*.conf www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg-*.key www-data ALL=(ALL) NOPASSWD:/tmp/iptables_raspap.sh www-data ALL=(ALL) NOPASSWD:/tmp/ip6tables_raspap.sh +www-data ALL=(ALL) NOPASSWD:/usr/sbin/iptables-save +www-data ALL=(ALL) NOPASSWD:/usr/sbin/ip6tables-save +www-data ALL=(ALL) NOPASSWD:/usr/bin/tee /etc/iptables/rules.v4 +www-data ALL=(ALL) NOPASSWD:/usr/bin/tee /etc/iptables/rules.v6 diff --git a/installers/update_firewall.sh b/installers/update_firewall.sh new file mode 100644 index 00000000..2a7d9212 --- /dev/null +++ b/installers/update_firewall.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# include the raspap helper functions +source /usr/local/sbin/raspap_helpers.sh + +_getWebRoot + +echo -n "Update firewall ... " + +cat << EOF > /tmp/updateFirewall.php + +EOF + +sudo php -d include_path=$raspap_webroot /tmp/updateFirewall.php +rm /tmp/updateFirewall.php +echo "done."