{
"info": "IPTABLES rules. $...$ expressions will be replaces automatically ($INTERFACE$, $PORT$, $IPADDRESS$)",
"rules_v4_file": "/etc/iptables/rules.v4",
"rules_v6_file": "/etc/iptables/rules.v6",
"order": [ "pre_rules", "restriction_rules", "main_rules", "exception_rules" ],
"pre_rules": [
{
"name": "firewall policies",
"fw-state": true,
"comment": "Policy rules (firewall)",
"rules": [
"-P INPUT DROP",
"-P FORWARD ACCEPT",
"-P OUTPUT ACCEPT",
"-t nat -P PREROUTING ACCEPT",
"-t nat -P POSTROUTING ACCEPT",
"-t nat -P INPUT ACCEPT",
"-t nat -P OUTPUT ACCEPT"
]
},
{
"name": "policies",
"fw-state": false,
"comment": "Policy rules",
"rules": [
"-P INPUT ACCEPT",
"-P FORWARD ACCEPT",
"-P OUTPUT ACCEPT",
"-t nat -P PREROUTING ACCEPT",
"-t nat -P POSTROUTING ACCEPT",
"-t nat -P INPUT ACCEPT",
"-t nat -P OUTPUT ACCEPT"
]
},
{
"name": "loopback",
"fw-state": true,
"comment": "allow loopback device",
"rules": [
"-A INPUT -i lo -j ACCEPT",
"-A OUTPUT -o lo -j ACCEPT"
]
},
{
"name": "ping",
"fw-state": true,
"ip-version": 4,
"comment": "allow ping request and echo",
"rules": [
"-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
"-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
]
},
{
"name": "ping IPv6",
"fw-state": true,
"ip-version": 6,
"comment": "allow ping request and echo for IPv6",
"rules": [
"-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT",
"-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"
]
},
{
"name": "ntp",
"fw-state": true,
"comment": "allow ntp request via udp (tcp should work w/o rule)",
"rules": [
"-A INPUT -p udp --sport 123 -j ACCEPT"
]
},
{
"name": "dns",
"fw-state": true,
"comment": "allow dns request via tcp and udp",
"rules": [
"-A INPUT -p udp -m multiport --sport 53,853 -j ACCEPT",
"-A INPUT -p tcp -m multiport --sport 53,853 -j ACCEPT"
]
}
],
"main_rules": [
{
"name": "accesspoint",
"fw-state": true,
"comment": "Access point interface by default no restrictions",
"dependson": [
{ "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
],
"rules": [
"-A INPUT -i $INTERFACE$ -j ACCEPT",
"-A OUTPUT -o $INTERFACE$ -j ACCEPT"
]
},
{
"name": "NAT for access point",
"comment": "Masquerading needed for access point",
"rules": [
"-t nat -A POSTROUTING -j MASQUERADE"
]
},
{
"name": "clients",
"fw-state": true,
"comment": "Rules for client interfaces (includes tun device)",
"rules": [
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
]
},
{
"name": "openvpn",
"comment": "Rules for tunnel device (tun)",
"ip-version": 4,
"dependson": [
{ "var": "openvpn-enable", "type": "bool" },
{ "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
{ "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
],
"rules": [
"-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
"-A FORWARD -i tun+ -o $INTERFACE$ -m state --state RELATED,ESTABLISHED -j ACCEPT",
"-A FORWARD -i $INTERFACE$ -o tun+ -j ACCEPT",
"-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
]
},
{
"name": "wireguard",
"comment": "Rules for wireguard device (wg)",
"ip-version": 4,
"dependson": [
{ "var": "wireguard-enable", "type": "bool" },
{ "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
{ "var": "client-device", "type": "string", "replace": "$INTERFACE$" }
],
"rules": [
"-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
"-A FORWARD -i wg+ -j ACCEPT",
"-t nat -A POSTROUTING -o $INTERFACE$ -j MASQUERADE"
]
}
],
"exception_rules": [
{
"name": "ssh",
"fw-state": true,
"comment": "Allow ssh access to RaspAP on port 22",
"dependson": [
{ "var": "ssh-enable", "type": "bool" }
],
"rules": [
"-A INPUT -p tcp --dport 22 -j ACCEPT"
]
},
{
"name": "http",
"fw-state": true,
"comment": "Allow access to RaspAP GUI (https)",
"dependson": [
{ "var": "http-enable", "type": "bool" }
],
"rules": [
"-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
]
},
{
"name": "interface",
"fw-state": true,
"comment": "Exclude interface from firewall",
"dependson": [
{ "var": "excl-devices", "type": "list", "replace": "$INTERFACE$" }
],
"rules": [
"-A INPUT -i $INTERFACE$ -j ACCEPT",
"-A OUTPUT -o $INTERFACE$ -j ACCEPT"
]
},
{
"name": "ipaddress",
"fw-state": true,
"ip-version": 4,
"comment": "allow access from/to IP",
"dependson": [
{ "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
],
"rules": [
"-A INPUT -s $IPADDRESS$ -j ACCEPT",
"-A INPUT -d $IPADDRESS$ -j ACCEPT"
]
}
],
"restriction_rules": [
{
"name": "ipaddress",
"fw-state": true,
"ip-version": 4,
"dependson": [
{ "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
],
"comment": "Block access from IP-address",
"rules": [
"-A INPUT -s $IPADDRESS$ -j DROP"
]
}
]
}