"; // print_r($ipt); $txt = "#!/bin/bash\n"; $txt .= "iptables -F\n"; $txt .= "iptables -X\n"; $txt .= "iptables -t nat -F\n"; file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt); if ( empty($conf) || empty($ipt) ) return false; $count=0; foreach ( $ipt["order"] as $idx ) { if ( isset($ipt[$idx]) ) { // echo "Handle $idx \n"; foreach ( $ipt[$idx] as $i => $sect ) { if ( isRuleEnabled($sect, $conf) ) { // echo " rule $i name ".$sect["name"]."\n"; $str_rules= createRuleStr($sect, $conf); if ( !empty($str_rules) ) { file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); ++$count; } } } } } // echo "Firewall ON"; //echo ""; if ( $count > 0 ) { exec("chmod +x ".RASPAP_IPTABLES_SCRIPT); exec("sudo ".RASPAP_IPTABLES_SCRIPT); // exec("sudo iptables-save > /etc/iptables/rules.v4"); // unlink(RASPAP_IPTABLES_SCRIPT); } return ($count > 0); } function WriteFirewallConf($conf) { if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF); } function ReadFirewallConf() { if ( file_exists(RASPAP_FIREWALL_CONF) ) { $conf = parse_ini_file(RASPAP_FIREWALL_CONF); } else { $conf = array(); $conf["firewall-enable"] = false; $conf["openvpn-enable"] = false; $conf["openvpn-serverip"] = ""; $conf["wireguard-enable"] = false; $conf["wireguard-serverip"] = ""; $conf["ssh-enable"] = false; $conf["http-enable"] = false; $conf["excl-devices"] = ""; $conf["excluded-ips"] = ""; $conf["ap-device"] = ""; $conf["client-device"] = ""; $conf["restricted-ips"] = ""; } # get openvpn server IP (if existing) if ( RASPI_OPENVPN_ENABLED && file_exists(RASPI_OPENVPN_CLIENT_CONFIG) ) { exec('cat '.RASPI_OPENVPN_CLIENT_CONFIG.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_]*)\s*([0-9]*).*$/\1/ip" ', $ret); if ( !empty($ret) ) { $ip = $ret[0]; $ip = ( filter_var($ip, FILTER_VALIDATE_IP) !== false ) ? $ip : gethostbyname($ip); if ( !empty($ip) ) { $conf["openvpn-serverip"] = "$ip"; $conf["openvpn-enable"] = true; } } } # get wireguard server IP (if existing) if ( RASPI_WIREGUARD_ENABLED && file_exists(RASPI_WIREGUARD_CONFIG) ) { # search for endpoint } return $conf; } function DisplayFirewallConfig() { $status = new StatusMessages(); $json = file_get_contents(RASPAP_IPTABLES_CONF); $ipt_rules = json_decode($json, true); getWifiInterface(); $ap_device = $_SESSION['ap_interface']; $clients = getClients(); $fw_conf = ReadFirewallConf(); $fw_conf["ap-device"] = $ap_device; $id=findCurrentClientIndex($clients); if ( $id >= 0 ) $fw_conf["client-device"] = $clients["device"][$id]["name"]; if (!empty($_POST)) { $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']); $fw_conf["http-enable"] = isset($_POST['http-enable']); $fw_conf["firewall-enable"] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']); if ( isset($_POST['firewall-enable']) ) $status->addMessage(_('Firewall is now enabled'), 'success'); if ( isset($_POST['apply-firewall']) ) $status->addMessage(_('Firewall settings changed'), 'success'); if ( isset($_POST['firewall-disable']) ) $status->addMessage(_('Firewall is now disabled'), 'warning'); if ( isset($_POST['save-firewall']) ) $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success'); WriteFirewallConf($fw_conf); configureFirewall(); } echo renderTemplate("firewall", compact( "status", "ap_device", "clients", "fw_conf", "ipt_rules") ); }