$sect ) { if (isRuleEnabled($sect, $conf) ) { $str_rules= createRuleStr($sect, $conf); if (!empty($str_rules) ) { if (isIPv4($sect) ) { file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); } if (isIPv6($sect) ) { file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND); } ++$count; } } } } } if ($count > 0 ) { exec("chmod +x ".RASPAP_IPTABLES_SCRIPT); exec("sudo ".RASPAP_IPTABLES_SCRIPT); exec("sudo iptables-save | sudo tee /etc/iptables/rules.v4"); unlink(RASPAP_IPTABLES_SCRIPT); exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT); exec("sudo ".RASPAP_IP6TABLES_SCRIPT); exec("sudo ip6tables-save | sudo tee /etc/iptables/rules.v6"); unlink(RASPAP_IP6TABLES_SCRIPT); } return ($count > 0); } /** * * @param array $conf * @return string $ret */ function WriteFirewallConf($conf) { $ret = false; if (is_array($conf) ) { write_php_ini($conf, RASPI_FIREWALL_CONF); } return $ret; } /** * * @return array $conf */ function ReadFirewallConf() { $conf = array(); if (file_exists(RASPI_FIREWALL_CONF) ) { $conf = parse_ini_file(RASPI_FIREWALL_CONF); } if ( !isset($conf["firewall-enable"]) ) { $conf["firewall-enable"] = false; $conf["ssh-enable"] = false; $conf["http-enable"] = false; $conf["excl-devices"] = ""; $conf["excluded-ips"] = ""; $conf["ap-device"] = ""; $conf["client-device"] = ""; $conf["restricted-ips"] = ""; } exec('ifconfig | grep -E -i "^tun[0-9]"', $ret); $conf["openvpn-enable"] = !empty($ret); unset($ret); exec('ifconfig | grep -E -i "^wg[0-9]"', $ret); $conf["wireguard-enable"] = !empty($ret); return $conf; } /** * * @return string $ips */ function getVPN_IPs() { $ips = ""; // get openvpn and wireguard server IPs if (RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) { foreach ( $fconf as $f ) { unset($result); exec('cat '.$f.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_:]*)\s*([0-9]*)\s*$/\1 \2/ip" ', $result); if (!empty($result) ) { $result = explode(" ", $result[0]); $ip = (isset($result[0])) ? $result[0] : ""; $port = (isset($result[1])) ? $result[1] : ""; if (!empty($ip) ) { $ip = gethostbyname($ip); if (filter_var($ip, FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) { $ips .= " $ip"; } } } } } // get wireguard server IPs if (RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) { foreach ( $fconf as $f ) { unset($result); exec('sudo /bin/cat '.$f.' | sed -rn "s/^endpoint\s*=\s*\[?([a-z0-9\.\-\_:]*)\]?:([0-9]*)\s*$/\1 \2/ip" ', $result); if (!empty($result) ) { $result = explode(" ", $result[0]); $ip = (isset($result[0])) ? $result[0] : ""; $port = (isset($result[1])) ? $result[1] : ""; if (!empty($ip) ) { $ip = gethostbyname($ip); if (filter_var($ip, FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) { $ips .= " $ip"; } } } } } return trim($ips); } /** * * @return array $fw_conf */ function getFirewallConfiguration() { $fw_conf = ReadFirewallConf(); $json = file_get_contents(RASPI_IPTABLES_CONF); getWifiInterface(); $ap_device = $_SESSION['ap_interface']; $clients = getClients(); $str_clients = ""; foreach( $clients["device"] as $dev ) { if (!$dev["isAP"] ) { if (!empty($str_clients) ) { $str_clients .= ", "; } $str_clients .= $dev["name"]; } } $fw_conf["ap-device"] = $ap_device; $fw_conf["client-list"] = $str_clients; $id=findCurrentClientIndex($clients); if ($id >= 0 ) { $fw_conf["client-device"] = $clients["device"][$id]["name"]; } return $fw_conf; } /** * */ function updateFirewall() { $fw_conf = getFirewallConfiguration(); if ( isset($fw_conf["firewall-enable"]) ) { WriteFirewallConf($fw_conf); configureFirewall(); } return; } /** * */ function DisplayFirewallConfig() { $status = new StatusMessages(); $fw_conf = getFirewallConfiguration(); $ap_device = $fw_conf["ap-device"]; $str_clients = $fw_conf["client-list"]; if (!empty($_POST)) { $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']); $fw_conf["http-enable"] = isset($_POST['http-enable']); $fw_conf["firewall-enable"] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']); if (isset($_POST['firewall-enable']) ) { $status->addMessage(_('Firewall is now enabled'), 'success'); } if (isset($_POST['apply-firewall']) ) { $status->addMessage(_('Firewall settings changed'), 'success'); } if (isset($_POST['firewall-disable']) ) { $status->addMessage(_('Firewall is now disabled'), 'warning'); } if (isset($_POST['save-firewall']) ) { $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success'); } if (isset($_POST['excl-devices']) ) { $excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING); $excl = str_replace(',', ' ', $excl); $excl = trim(preg_replace('/\s+/', ' ', $excl)); if ($fw_conf["excl-devices"] != $excl ) { $status->addMessage(_('Exclude devices '. $excl), 'success'); $fw_conf["excl-devices"] = $excl; } } if (isset($_POST['excluded-ips']) ) { $excl = filter_var($_POST['excluded-ips'], FILTER_SANITIZE_STRING); $excl = str_replace(',', ' ', $excl); $excl = trim(preg_replace('/\s+/', ' ', $excl)); if (!empty($excl) ) { $excl = explode(' ', $excl); $str_excl = ""; foreach ( $excl as $ip ) { if (filter_var($ip, FILTER_VALIDATE_IP) ) { $str_excl .= "$ip "; } else { $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning'); } } } $str_excl = trim($str_excl); if ($fw_conf["excluded-ips"] != $str_excl ) { $status->addMessage(_('Exclude IP address(es) '. $str_excl), 'success'); $fw_conf["excluded-ips"] = $str_excl; } } WriteFirewallConf($fw_conf); configureFirewall(); } $vpn_ips = getVPN_IPs(); echo renderTemplate( "firewall", compact( "status", "ap_device", "str_clients", "fw_conf", "vpn_ips" ) ); }