{
    "info": "IPTABLES rules. $...$ expressions will be replaces automatically ($INTERFACE$, $PORT$, $IPADDRESS$)",
    "rules_v4_file": "/etc/iptables/rules.v4",
    "rules_v6_file": "/etc/iptables/rules.v6",
    "order": [ "pre_rules", "restriction_rules", "main_rules", "exception_rules" ],
    "pre_rules": [
        {
            "name": "firewall policies",
            "fw-state": true,
            "comment": "Policy rules (firewall)",
            "rules": [
                "-P INPUT DROP",
                "-P FORWARD ACCEPT",
                "-P OUTPUT ACCEPT",
                "-t nat -P PREROUTING ACCEPT",
                "-t nat -P POSTROUTING ACCEPT",
                "-t nat -P INPUT ACCEPT",
                "-t nat -P OUTPUT ACCEPT"
            ]
        },
        {
            "name": "policies",
            "fw-state": false,
            "comment": "Policy rules",
            "rules": [
                "-P INPUT ACCEPT",
                "-P FORWARD ACCEPT",
                "-P OUTPUT ACCEPT",
                "-t nat -P PREROUTING ACCEPT",
                "-t nat -P POSTROUTING ACCEPT",
                "-t nat -P INPUT ACCEPT",
                "-t nat -P OUTPUT ACCEPT"
            ]
        },
        {
            "name": "loopback",
            "fw-state": true,
            "comment": "allow loopback device",
            "rules": [
                "-A INPUT -i lo -j ACCEPT",
                "-A OUTPUT -o lo -j ACCEPT"
            ]
        },
        {
            "name": "ping",
            "fw-state": true,
            "ip-version": 4,
            "comment": "allow ping request and echo",
            "rules": [
                "-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
                "-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
            ]
        },
        {
            "name": "ping IPv6",
            "fw-state": true,
            "ip-version": 6,
            "comment": "allow ping request and echo for IPv6",
            "rules": [
                "-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
                "-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
            ]
        },
        {
            "name": "ntp",
            "fw-state": true,
            "comment": "allow ntp request via udp (tcp should work w/o rule)",
            "rules": [
                "-A INPUT -p udp --sport 123 -j ACCEPT"
            ]
        },
        {
            "name": "dns",
            "fw-state": true,
            "comment": "allow dns request via tcp and udp",
            "rules": [
                "-A INPUT -p udp -m multiport --sport 53,853 -j ACCEPT",
                "-A INPUT -p tcp -m multiport --sport 53,853 -j ACCEPT"
            ]
        }
    ],
    "main_rules": [
        {
            "name": "accesspoint",
            "fw-state": true,
            "comment": "Access point interface by default no restrictions",
            "dependson": [
                    { "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
            ],
            "rules": [
                    "-A INPUT -i $INTERFACE$ -j ACCEPT",
                    "-A OUTPUT -o $INTERFACE$ -j ACCEPT"
            ]
        },
        {
            "name": "NAT for access point",
            "comment": "Masquerading needed for access point",
            "rules": [
                "-t nat -A POSTROUTING -j MASQUERADE"
            ]
        },
        {
            "name": "clients",
            "fw-state": true,
            "comment": "Rules for client interfaces (includes tun device)",
            "rules": [
                "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
            ]
        },
        {
            "name": "openvpn",
            "comment": "Rules for tunnel device (tun)",
            "ip-version": 4,
            "dependson": [
                  { "var": "openvpn-enable", "type": "bool" },
                  { "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
                  { "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
            ],
            "rules": [
                "-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
                "-A FORWARD -i tun+ -o $INTERFACE$ -m state --state RELATED,ESTABLISHED -j ACCEPT",
                "-A FORWARD -i $INTERFACE$ -o tun+ -j ACCEPT",
                "-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
            ]
        },
        {
            "name": "wireguard",
            "comment": "Rules for wireguard device (wg)",
            "ip-version": 4,
            "dependson": [
                  { "var": "wireguard-enable", "type": "bool" },
                  { "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
                  { "var": "client-device", "type": "string", "replace": "$INTERFACE$" }
            ],
            "rules": [
                "-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
                "-A FORWARD -i wg+ -j ACCEPT",
                "-t nat -A POSTROUTING -o $INTERFACE$ -j MASQUERADE"
            ]
        }
    ],
    "exception_rules": [
        {
            "name": "ssh",
            "fw-state": true,
            "comment": "Allow ssh access to RaspAP on port 22",
            "dependson": [
                { "var": "ssh-enable", "type": "bool" }
            ],
            "rules": [
                "-A INPUT -p tcp --dport 22 -j ACCEPT"
            ]
        },
        {
            "name": "http",
            "fw-state": true,
            "comment": "Allow access to RaspAP GUI (https)",
            "dependson": [
                { "var": "http-enable", "type": "bool" }
            ],
            "rules": [
                "-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
            ]
        },
        {
            "name": "interface",
            "fw-state": true,
            "comment": "Exclude interface from firewall",
            "dependson": [
                { "var": "excl-devices", "type": "list", "replace": "$INTERFACE$" }
            ],
            "rules": [
                "-A INPUT -i $INTERFACE$ -j ACCEPT",
                "-A OUTPUT -o $INTERFACE$ -j ACCEPT"
            ]
        },
        {
            "name": "ipaddress",
            "fw-state": true,
            "ip-version": 4,
            "comment": "allow access from/to IP",
            "dependson": [
                { "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
            ],
            "rules": [
                "-A INPUT -s $IPADDRESS$ -j ACCEPT",
                "-A INPUT -d $IPADDRESS$ -j ACCEPT"
            ]
        }
    ],
    "restriction_rules": [
        {
            "name": "ipaddress",
            "fw-state": true,
            "ip-version": 4,
            "dependson": [
                { "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
            ],
            "comment": "Block access from IP-address",
            "rules": [
                "-A INPUT -s $IPADDRESS$ -j DROP"
            ]
        }
    ]
}