mirror of
https://github.com/billz/raspap-webgui.git
synced 2023-10-10 13:37:24 +02:00
2e1781a2eb
Add wireguard iptables rules
184 lines
6.2 KiB
JSON
184 lines
6.2 KiB
JSON
{
|
|
"info": "IPTABLES rules. $...$ expressions will be replaces automatically ($INTERFACE$, $PORT$, $IPADDRESS$)",
|
|
"rules_v4_file": "/etc/iptables/rules.v4",
|
|
"rules_v6_file": "/etc/iptables/rules.v6",
|
|
"order": [ "pre_rules", "restriction_rules", "main_rules", "exception_rules" ],
|
|
"pre_rules": [
|
|
{
|
|
"name": "firewall policies",
|
|
"fw-state": true,
|
|
"comment": "Policy rules (firewall)",
|
|
"rules": [
|
|
"-P INPUT DROP",
|
|
"-P FORWARD ACCEPT",
|
|
"-P OUTPUT ACCEPT",
|
|
"-t nat -P PREROUTING ACCEPT",
|
|
"-t nat -P POSTROUTING ACCEPT",
|
|
"-t nat -P INPUT ACCEPT",
|
|
"-t nat -P OUTPUT ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "policies",
|
|
"fw-state": false,
|
|
"comment": "Policy rules",
|
|
"rules": [
|
|
"-P INPUT ACCEPT",
|
|
"-P FORWARD ACCEPT",
|
|
"-P OUTPUT ACCEPT",
|
|
"-t nat -P PREROUTING ACCEPT",
|
|
"-t nat -P POSTROUTING ACCEPT",
|
|
"-t nat -P INPUT ACCEPT",
|
|
"-t nat -P OUTPUT ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "loopback",
|
|
"fw-state": true,
|
|
"comment": "allow loopback device",
|
|
"rules": [
|
|
"-A INPUT -i lo -j ACCEPT",
|
|
"-A OUTPUT -o lo -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "ping",
|
|
"fw-state": true,
|
|
"comment": "allow ping request and echo",
|
|
"rules": [
|
|
"-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT",
|
|
"-A INPUT -p icmp --icmp-type 0/0 -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "ntp",
|
|
"fw-state": true,
|
|
"comment": "allow ntp request via udp (tcp should work w/o rule)",
|
|
"rules": [
|
|
"-A INPUT -p udp --sport 123 -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "dns",
|
|
"fw-state": true,
|
|
"comment": "allow dns request via tcp and udp",
|
|
"rules": [
|
|
"-A INPUT -p udp -m multiport --sport 53,853 -j ACCEPT",
|
|
"-A INPUT -p tcp -m multiport --sport 53,853 -j ACCEPT"
|
|
]
|
|
}
|
|
],
|
|
"main_rules": [
|
|
{
|
|
"name": "accesspoint",
|
|
"fw-state": true,
|
|
"comment": "Access point interface by default no restrictions",
|
|
"dependson": [
|
|
{ "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -i $INTERFACE$ -j ACCEPT",
|
|
"-A OUTPUT -o $INTERFACE$ -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "clients",
|
|
"fw-state": true,
|
|
"comment": "Rules for client interfaces (includes tun device)",
|
|
"rules": [
|
|
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "openvpn",
|
|
"comment": "Rules for tunnel device (tun)",
|
|
"dependson": [
|
|
{ "var": "openvpn-enable", "type": "bool" },
|
|
{ "var": "openvpn-serverip", "type": "string", "replace": "$IPADDRESS$" },
|
|
{ "var": "ap-device", "type": "string", "replace": "$INTERFACE$" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
|
|
"-A FORWARD -i tun+ -o $INTERFACE$ -m state --state RELATED,ESTABLISHED -j ACCEPT",
|
|
"-A FORWARD -i $INTERFACE$ -o tun+ -j ACCEPT",
|
|
"-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
|
|
]
|
|
},
|
|
{
|
|
"name": "wireguard",
|
|
"comment": "Rules for wireguard device (wg)",
|
|
"dependson": [
|
|
{ "var": "wireguard-enable", "type": "bool" },
|
|
{ "var": "wireguard-serverip", "type": "string", "replace": "$IPADDRESS$" },
|
|
{ "var": "client-device", "type": "string", "replace": "$INTERFACE$" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -p udp -s $IPADDRESS$ -j ACCEPT",
|
|
"-A FORWARD -i wg+ -j ACCEPT",
|
|
"-t nat -A POSTROUTING -o $INTERFACE$ -j MASQUERADE"
|
|
]
|
|
}
|
|
],
|
|
"exception_rules": [
|
|
{
|
|
"name": "ssh",
|
|
"fw-state": true,
|
|
"comment": "Allow ssh access to RaspAP on port 22",
|
|
"dependson": [
|
|
{ "var": "ssh-enable", "type": "bool" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -p tcp --dport 22 -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "http",
|
|
"fw-state": true,
|
|
"comment": "Allow access to RaspAP GUI (https)",
|
|
"dependson": [
|
|
{ "var": "http-enable", "type": "bool" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "interface",
|
|
"fw-state": true,
|
|
"comment": "Exclude interface from firewall",
|
|
"dependson": [
|
|
{ "var": "excl-devices", "type": "list", "replace": "$INTERFACE$" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -i $INTERFACE$ -j ACCEPT",
|
|
"-A OUTPUT -o $INTERFACE$ -j ACCEPT"
|
|
]
|
|
},
|
|
{
|
|
"name": "ipaddress",
|
|
"fw-state": true,
|
|
"comment": "allow access from/to IP",
|
|
"dependson": [
|
|
{ "var": "excluded-ips", "type": "list", "replace": "$IPADDRESS$" }
|
|
],
|
|
"rules": [
|
|
"-A INPUT -s $IPADDRESS$ -j ACCEPT",
|
|
"-A INPUT -d $IPADDRESS$ -j ACCEPT"
|
|
]
|
|
}
|
|
],
|
|
"restriction_rules": [
|
|
{
|
|
"name": "ipaddress",
|
|
"fw-state": true,
|
|
"dependson": [
|
|
{ "var": "restricted-ips", "type": "list", "replace": "$IPADDRESS$" }
|
|
],
|
|
"comment": "Block access from IP-address",
|
|
"rules": [
|
|
"-A INPUT -s $IPADDRESS$ -j DROP"
|
|
]
|
|
}
|
|
]
|
|
}
|