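$sect ) {
                if ( isRuleEnabled($sect, $conf) ) {
                    $str_rules= createRuleStr($sect, $conf);
                    if ( !empty($str_rules) ) {
                        if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
                        if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
                        ++$count;
                    }
                }
            }
        }
    }
    if ( $count > 0 ) {
        // NOTE(review): the generated script is executed as root via sudo and is
        // not re-checked here, so every value createRuleStr() interpolates into
        // $str_rules must already have been validated when it was stored
        // (see the device/IP checks in DisplayFirewallConfig()).
        exec("chmod +x ".RASPAP_IPTABLES_SCRIPT);
        exec("sudo ".RASPAP_IPTABLES_SCRIPT);
        // exec("sudo iptables-save > /etc/iptables/rules.v4");
        // unlink(RASPAP_IPTABLES_SCRIPT);
        exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
        exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
        // exec("sudo iptables-save > /etc/iptables/rules.v6");
        // unlink(RASPAP_IP6TABLES_SCRIPT);
    }
    return ($count > 0);
}

/**
 * Persist the firewall settings to RASPAP_FIREWALL_CONF (ini format).
 *
 * @param mixed $conf settings array as produced by ReadFirewallConf();
 *                    anything that is not an array is ignored
 * @return bool true when a write was attempted, false when $conf is not an array
 */
function WriteFirewallConf($conf)
{
    if (!is_array($conf)) {
        return false;
    }
    write_php_ini($conf, RASPAP_FIREWALL_CONF);
    // NOTE(review): write_php_ini()'s return value is not visible from here, so
    // "a write was attempted" is the only success signal available; propagate its
    // result instead if it reports write failures. (The previous version returned
    // false unconditionally, which no caller could act on.)
    return true;
}

/**
 * Load the firewall settings, falling back to safe defaults (everything
 * disabled, no exclusions) when the config file is missing or unparsable.
 *
 * Keys absent from a stored file are filled from the defaults so callers can
 * rely on every key existing. "openvpn-enable" and "wireguard-enable" are not
 * stored; they reflect whether a tun* / wg* interface currently exists.
 *
 * @return array
 */
function ReadFirewallConf()
{
    $defaults = [
        'firewall-enable' => false,
        'ssh-enable'      => false,
        'http-enable'     => false,
        'excl-devices'    => '',
        'excluded-ips'    => '',
        'ap-device'       => '',
        'client-device'   => '',
        'restricted-ips'  => '',
    ];
    $stored = file_exists(RASPAP_FIREWALL_CONF) ? parse_ini_file(RASPAP_FIREWALL_CONF) : false;
    // parse_ini_file() returns false on a corrupt file; treat that like "no file"
    // instead of handing a bool to the template.
    $conf = is_array($stored) ? array_merge($defaults, $stored) : $defaults;

    // Live VPN state; no user input reaches these commands.
    exec('ifconfig | grep -E -i "^tun[0-9]"', $tun);
    $conf['openvpn-enable'] = !empty($tun);
    exec('ifconfig | grep -E -i "^wg[0-9]"', $wg);
    $conf['wireguard-enable'] = !empty($wg);
    return $conf;
}

/**
 * Collect the resolved server IPs named by the VPN client configs in a directory.
 *
 * Every *.conf file is scanned for the first line matching $pattern (host in
 * capture group 1). The host is resolved with gethostbyname() and kept only if
 * the result is a syntactically valid IP. Files are read in PHP where possible;
 * the shell is used only for root-owned configs, and then with the path passed
 * through escapeshellarg(), so a config file name containing shell
 * metacharacters can no longer inject commands (the previous version
 * concatenated the glob() result straight into `cat ... | sed ...`).
 *
 * @param string   $confDir    directory holding the *.conf files
 * @param string   $pattern    PCRE applied per line, host in group 1
 * @param bool     $privileged read via `sudo /bin/cat` (root-only files)
 * @param string[] $ips        addresses collected so far (exact-match dedup)
 * @return string[] $ips plus the newly found addresses, in discovery order
 */
function firewallVpnServerIps($confDir, $pattern, $privileged, array $ips)
{
    $files = glob($confDir . '/*.conf');
    if ($files === false) {
        return $ips;
    }
    foreach ($files as $file) {
        if ($privileged) {
            $lines = [];
            exec('sudo /bin/cat ' . escapeshellarg($file), $lines, $rc);
            if ($rc !== 0) {
                continue;
            }
        } else {
            if (!is_readable($file)) {
                continue;
            }
            $lines = file($file, FILE_IGNORE_NEW_LINES);
            if ($lines === false) {
                continue;
            }
        }
        foreach ($lines as $line) {
            if (preg_match($pattern, $line, $m) !== 1) {
                continue;
            }
            // Only the first matching directive per file counts; the port is not needed here.
            $host = $m[1];
            if ($host !== '') {
                // gethostbyname() returns its input unchanged when it cannot resolve
                // (and for IP literals), so validate the result rather than trusting it.
                $ip = gethostbyname($host);
                if (filter_var($ip, FILTER_VALIDATE_IP) !== false && !in_array($ip, $ips, true)) {
                    $ips[] = $ip;
                }
            }
            break;
        }
    }
    return $ips;
}

/**
 * Return the resolved OpenVPN / WireGuard server IPs as a space-separated
 * string (empty when neither VPN is enabled or no config names a server).
 *
 * OpenVPN client configs are matched on `remote <host> [port] [proto]`;
 * WireGuard configs on `Endpoint = <host>:<port>` (IPv6 hosts may be
 * bracketed). Matching is case-insensitive. Duplicates are dropped by exact
 * comparison — the previous substring check would have dropped 10.0.0.1
 * when 10.0.0.10 was already present.
 *
 * @return string
 */
function getVPN_IPs()
{
    $ips = [];
    if (RASPI_OPENVPN_ENABLED) {
        // OpenVPN's `remote` directive allows an optional protocol token after the
        // port; the previous pattern silently skipped such lines.
        $ips = firewallVpnServerIps(
            RASPI_OPENVPN_CLIENT_PATH,
            '/^remote\s*([a-z0-9.\-_:]*)\s*([0-9]*)(?:\s+[a-z0-9\-]+)?\s*$/i',
            false,
            $ips
        );
    }
    if (RASPI_WIREGUARD_ENABLED) {
        $ips = firewallVpnServerIps(
            RASPI_WIREGUARD_PATH,
            '/^endpoint\s*=\s*\[?([a-z0-9.\-_:]*)\]?:([0-9]*)\s*$/i',
            true, // WireGuard configs are root-only; read through sudo as before
            $ips
        );
    }
    return implode(' ', $ips);
}

/**
 * Split a user-entered list on commas and/or whitespace into tokens.
 *
 * @param mixed $raw value straight from $_POST (a non-string, e.g. an array
 *                   submitted as `field[]`, yields no tokens)
 * @return string[]
 */
function firewallSplitList($raw)
{
    if (!is_string($raw)) {
        return [];
    }
    return preg_split('/[\s,]+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
}

/**
 * Is $name an acceptable Linux network interface name?
 *
 * Kernel interface names are at most 15 bytes. The character set is limited to
 * letters, digits, '_', '.', ':' and '-' because the stored value is handed
 * (via the firewall config) to the rule generator whose output is executed as
 * root, and FILTER_SANITIZE_STRING — used previously and deprecated since
 * PHP 8.1 — only stripped tags, leaving shell metacharacters intact.
 *
 * @param string $name
 * @return bool
 */
function firewallIsInterfaceName($name)
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9_.:\-]{0,14}$/', $name) === 1;
}

/**
 * Render the firewall page and, on POST, apply the submitted settings.
 *
 * Reads $_POST (ssh-enable, http-enable, firewall-enable / apply-firewall /
 * firewall-disable / save-firewall, excl-devices, excluded-ips), stores the
 * merged settings with WriteFirewallConf() and calls configureFirewall().
 * Device names and IP addresses are validated before being stored; invalid
 * entries are reported and dropped.
 *
 * NOTE(review): no CSRF check is visible in this function — it assumes the
 * page dispatcher validated the token before calling in; confirm.
 */
function DisplayFirewallConfig()
{
    $status = new StatusMessages();
    $json = file_get_contents(RASPAP_IPTABLES_CONF);
    $ipt_rules = json_decode((string) $json, true); // null when the file is missing or corrupt
    getWifiInterface();
    $ap_device = $_SESSION['ap_interface'];
    $clients = getClients();

    // Comma-separated names of the non-AP client interfaces, for the template.
    $client_names = [];
    foreach ($clients['device'] as $dev) {
        if (!$dev['isAP']) {
            $client_names[] = $dev['name'];
        }
    }
    $str_clients = implode(', ', $client_names);

    $fw_conf = ReadFirewallConf();
    $fw_conf['ap-device'] = $ap_device;
    $id = findCurrentClientIndex($clients);
    if ($id >= 0) {
        $fw_conf['client-device'] = $clients['device'][$id]['name'];
    }

    if (!empty($_POST)) {
        $fw_conf['ssh-enable']  = isset($_POST['ssh-enable']);
        $fw_conf['http-enable'] = isset($_POST['http-enable']);
        // "save-firewall" stores settings without enabling; only the enable/apply
        // buttons turn the firewall on.
        $fw_conf['firewall-enable'] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']);
        if (isset($_POST['firewall-enable'])) {
            $status->addMessage(_('Firewall is now enabled'), 'success');
        }
        if (isset($_POST['apply-firewall'])) {
            $status->addMessage(_('Firewall settings changed'), 'success');
        }
        if (isset($_POST['firewall-disable'])) {
            $status->addMessage(_('Firewall is now disabled'), 'warning');
        }
        if (isset($_POST['save-firewall'])) {
            $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success');
        }

        if (isset($_POST['excl-devices'])) {
            $devices = [];
            foreach (firewallSplitList($_POST['excl-devices']) as $name) {
                if (firewallIsInterfaceName($name)) {
                    $devices[] = $name;
                } else {
                    // The rejected value is attacker-controlled; escape it here since
                    // it is not known whether StatusMessages escapes on output — confirm.
                    $status->addMessage(
                        _('Exclude device') . ' ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
                        . ' ' . _('failed - not a valid interface name'),
                        'warning'
                    );
                }
            }
            $str_devices = implode(' ', $devices);
            if ($fw_conf['excl-devices'] != $str_devices) {
                $status->addMessage(_('Exclude devices') . ' ' . $str_devices, 'success');
                $fw_conf['excl-devices'] = $str_devices;
            }
        }

        if (isset($_POST['excluded-ips'])) {
            $valid_ips = [];
            foreach (firewallSplitList($_POST['excluded-ips']) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                    $valid_ips[] = $ip;
                } else {
                    $status->addMessage(
                        _('Exclude IP address') . ' ' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8')
                        . ' ' . _('failed - not a valid IP address'),
                        'warning'
                    );
                }
            }
            // An empty submission clears the list, as before; $str_excl is now always
            // defined (previously it was undefined when the field was empty).
            $str_excl = implode(' ', $valid_ips);
            if ($fw_conf['excluded-ips'] != $str_excl) {
                $status->addMessage(_('Exclude IP address(es)') . ' ' . $str_excl, 'success');
                $fw_conf['excluded-ips'] = $str_excl;
            }
        }

        WriteFirewallConf($fw_conf);
        configureFirewall();
    }

    $vpn_ips = getVPN_IPs();
    echo renderTemplate('firewall', compact('status', 'ap_device', 'str_clients', 'fw_conf', 'ipt_rules', 'vpn_ips'));
}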