Define firewall constants

This commit is contained in:
Christian Zeitnitz 2021-07-19 17:28:49 +02:00
parent b770b89d73
commit 3059dd1fb8
2 changed files with 12 additions and 13 deletions

View file

@ -23,7 +23,8 @@ define('RASPI_OPENVPN_CLIENT_CONFIG', '/etc/openvpn/client/client.conf');
define('RASPI_OPENVPN_CLIENT_LOGIN', '/etc/openvpn/client/login.conf'); define('RASPI_OPENVPN_CLIENT_LOGIN', '/etc/openvpn/client/login.conf');
define('RASPI_WIREGUARD_PATH', '/etc/wireguard/'); define('RASPI_WIREGUARD_PATH', '/etc/wireguard/');
define('RASPI_WIREGUARD_CONFIG', RASPI_WIREGUARD_PATH.'wg0.conf'); define('RASPI_WIREGUARD_CONFIG', RASPI_WIREGUARD_PATH.'wg0.conf');
define('RASPI_FIREWALL_ENABLED', true); define('RASPAP_FIREWALL_CONF',"/etc/raspap/networking/firewall/firewall.conf");
define('RASPAP_IPTABLES_CONF',"/etc/raspap/networking/firewall/iptables_rules.json");
define('RASPI_TORPROXY_CONFIG', '/etc/tor/torrc'); define('RASPI_TORPROXY_CONFIG', '/etc/tor/torrc');
define('RASPI_LIGHTTPD_CONFIG', '/etc/lighttpd/lighttpd.conf'); define('RASPI_LIGHTTPD_CONFIG', '/etc/lighttpd/lighttpd.conf');
define('RASPI_ACCESS_CHECK_IP', '1.1.1.1'); define('RASPI_ACCESS_CHECK_IP', '1.1.1.1');
@ -44,6 +45,7 @@ define('RASPI_DHCP_ENABLED', true);
define('RASPI_ADBLOCK_ENABLED', false); define('RASPI_ADBLOCK_ENABLED', false);
define('RASPI_OPENVPN_ENABLED', false); define('RASPI_OPENVPN_ENABLED', false);
define('RASPI_WIREGUARD_ENABLED', false); define('RASPI_WIREGUARD_ENABLED', false);
define('RASPI_FIREWALL_ENABLED', true);
define('RASPI_TORPROXY_ENABLED', false); define('RASPI_TORPROXY_ENABLED', false);
define('RASPI_CONFAUTH_ENABLED', true); define('RASPI_CONFAUTH_ENABLED', true);
define('RASPI_CHANGETHEME_ENABLED', true); define('RASPI_CHANGETHEME_ENABLED', true);

View file

@ -3,8 +3,6 @@
require_once 'includes/status_messages.php'; require_once 'includes/status_messages.php';
require_once 'includes/functions.php'; require_once 'includes/functions.php';
define(RASPAP_FIREWALL_CONF,"/tmp/iptables.conf");
define(RASPAP_IPTABLES_CONF,"/etc/raspap/networking/firewall/iptables_rules.json");
define(RASPAP_IPTABLES_SCRIPT,"/tmp/iptables_raspap.sh"); define(RASPAP_IPTABLES_SCRIPT,"/tmp/iptables_raspap.sh");
function getDependson(&$rule, &$conf) { function getDependson(&$rule, &$conf) {
@ -52,7 +50,6 @@ function createRuleStr(&$sect, &$conf) {
break; break;
} }
if ( !empty($repl) && !empty($val) ) { if ( !empty($repl) && !empty($val) ) {
//echo "replace $repl $val \n"; //print_r( $val); echo "\n";
if ( is_array($val) ) { if ( is_array($val) ) {
foreach ( $val as $v ) $rr = array_merge($rr,str_replace($repl, $v, $r)); foreach ( $val as $v ) $rr = array_merge($rr,str_replace($repl, $v, $r));
} }
@ -76,9 +73,6 @@ function configureFirewall() {
$json = file_get_contents(RASPAP_IPTABLES_CONF); $json = file_get_contents(RASPAP_IPTABLES_CONF);
$ipt = json_decode($json, true); $ipt = json_decode($json, true);
$conf = ReadFirewallConf(); $conf = ReadFirewallConf();
//echo "<pre>";
// print_r($ipt);
$txt = "#!/bin/bash\n"; $txt = "#!/bin/bash\n";
$txt .= "iptables -F\n"; $txt .= "iptables -F\n";
$txt .= "iptables -X\n"; $txt .= "iptables -X\n";
@ -88,10 +82,8 @@ function configureFirewall() {
$count=0; $count=0;
foreach ( $ipt["order"] as $idx ) { foreach ( $ipt["order"] as $idx ) {
if ( isset($ipt[$idx]) ) { if ( isset($ipt[$idx]) ) {
// echo "Handle $idx \n";
foreach ( $ipt[$idx] as $i => $sect ) { foreach ( $ipt[$idx] as $i => $sect ) {
if ( isRuleEnabled($sect, $conf) ) { if ( isRuleEnabled($sect, $conf) ) {
// echo " rule $i name ".$sect["name"]."\n";
$str_rules= createRuleStr($sect, $conf); $str_rules= createRuleStr($sect, $conf);
if ( !empty($str_rules) ) { if ( !empty($str_rules) ) {
file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
@ -101,8 +93,6 @@ function configureFirewall() {
} }
} }
} }
// echo "Firewall ON";
//echo "</pre>";
if ( $count > 0 ) { if ( $count > 0 ) {
exec("chmod +x ".RASPAP_IPTABLES_SCRIPT); exec("chmod +x ".RASPAP_IPTABLES_SCRIPT);
exec("sudo ".RASPAP_IPTABLES_SCRIPT); exec("sudo ".RASPAP_IPTABLES_SCRIPT);
@ -113,7 +103,14 @@ function configureFirewall() {
} }
function WriteFirewallConf($conf) { function WriteFirewallConf($conf) {
if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF); $ret = false;
if ( is_array($conf) ) {
write_php_ini($conf,"/tmp/fwdata");
exec('sudo /bin/cp /tmp/fwdata '. RASPAP_FIREWALL_CONF,$out);
$ret = empty($out);
unlink("/tmp/fwdata");
}
return $ret
} }
@ -147,7 +144,7 @@ function ReadFirewallConf() {
$conf["openvpn-enable"] = true; $conf["openvpn-enable"] = true;
} }
} }
} }
# get wireguard server IP (if existing) # get wireguard server IP (if existing)
if ( RASPI_WIREGUARD_ENABLED && file_exists(RASPI_WIREGUARD_CONFIG) ) { if ( RASPI_WIREGUARD_ENABLED && file_exists(RASPI_WIREGUARD_CONFIG) ) {
# search for endpoint # search for endpoint