From 806f137ae03b8fbd5e2ad467b52e930c26853a36 Mon Sep 17 00:00:00 2001
From: Tim Wilkinson
Date: Mon, 3 Oct 2022 17:50:31 -0700
Subject: [PATCH] Add xlinks to vpn firewall zone
---
 files/etc/local/mesh-firewall/05-xlink | 70 ++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100755 files/etc/local/mesh-firewall/05-xlink
diff --git a/files/etc/local/mesh-firewall/05-xlink b/files/etc/local/mesh-firewall/05-xlink
new file mode 100755
index 00000000..12743108
--- /dev/null
+++ b/files/etc/local/mesh-firewall/05-xlink
@@ -0,0 +1,70 @@
+#! /usr/bin/lua
+--[[
+
+ Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
+ Copyright (C) 2022 Tim Wilkinson
+ Original Perl Copyright (C) 2015 Conrad Lara
+ See Contributors file for additional contributors
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation version 3 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ Additional Terms:
+
+ Additional use restrictions exist on the AREDN(TM) trademark and logo.
+ See AREDNLicense.txt for more info.
+
+ Attributions to the AREDN Project must be retained in the source code.
+ If importing this code into a new or existing project attribution
+ to the AREDN project must be added to the source code.
+
+ You must not misrepresent the origin of the material contained within.
+
+ Modified versions must be modified to attribute to the original source
+ and be marked in reasonable ways as differentiate it from the original
+ version
+
+--]]
+
+require("nixio")
+require("uci")
+
+if nixio.fs.stat("/etc/config.mesh/xlink") then
+ uci.cursor("/etc/config.mesh"):foreach("xlink", "interface",
+ function(section)
+ local ifname = section.ifname
+ os.execute("/usr/sbin/iptables -D FORWARD -i " .. ifname .. " -j zone_vpn_forward 2>/dev/null")
+ os.execute("/usr/sbin/iptables -D INPUT -i " .. ifname .. " -j zone_vpn_input 2>/dev/null")
+ os.execute("/usr/sbin/iptables -D OUTPUT -o " .. ifname .. " -j zone_vpn_ACCEPT 2>/dev/null")
+ os.execute("/usr/sbin/iptables -D zone_vpn_ACCEPT -o " .. ifname .. " -j ACCEPT")
+ os.execute("/usr/sbin/iptables -D zone_vpn_ACCEPT -i " .. ifname .. " -j ACCEPT")
+ os.execute("/usr/sbin/iptables -D zone_vpn_REJECT -o " .. ifname .. " -j reject")
+ os.execute("/usr/sbin/iptables -D zone_vpn_REJECT -i " .. ifname .. " -j reject")
+ os.execute("/usr/sbin/iptables -D zone_vpn_dest_ACCEPT -o " .. ifname .. " -j ACCEPT")
+ os.execute("/usr/sbin/iptables -D zone_vpn_dest_REJECT -o " .. ifname .. " -j reject")
+ end
+ )
+ uci.cursor("/etc/config.mesh"):foreach("xlink", "interface",
+ function(section)
+ local ifname = section.ifname
+ os.execute("/usr/sbin/iptables -I FORWARD -i " .. ifname .. " -j zone_vpn_forward")
+ os.execute("/usr/sbin/iptables -I INPUT -i " .. ifname .. " -j zone_vpn_input")
+ os.execute("/usr/sbin/iptables -I OUTPUT -o " .. ifname .. " -j zone_vpn_ACCEPT")
+ os.execute("/usr/sbin/iptables -A zone_vpn_ACCEPT -o " .. ifname .. " -j ACCEPT")
+ os.execute("/usr/sbin/iptables -A zone_vpn_ACCEPT -i " .. ifname .. " -j ACCEPT")
+ os.execute("/usr/sbin/iptables -A zone_vpn_REJECT -o " .. ifname .. " -j reject")
+ os.execute("/usr/sbin/iptables -A zone_vpn_REJECT -i " .. ifname .. " -j reject")
+ os.execute("/usr/sbin/iptables -A zone_vpn_dest_ACCEPT -o " .. ifname .. " -j ACCEPT")
+ os.execute("/usr/sbin/iptables -A zone_vpn_dest_REJECT -o " .. ifname .. " -j reject")
+ end
+ )
+end
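Review bot: `ifname` is read straight from each xlink UCI section and spliced unquoted into every `os.execute` shell string, so a section with no `ifname` raises a concatenate-nil error that aborts the script partway through the delete pass, and a value containing shell metacharacters is handed to the shell as-is. In both callbacks, wrap the nine `os.execute` calls in `if ifname and ifname:match("^[%w_%.%-]+$") then … end` right after `local ifname = section.ifname`, which both avoids the nil crash and restricts the value to the character set a Linux interface name can actually use. The return value of every `os.execute` is discarded, so a failed `-I`/`-A` in the second pass leaves the vpn zone half-applied with no trace; checking it (or at least logging a failure) would make the resulting zone state auditable. The `05-` prefix suggests this hook presumably relies on the `zone_vpn_*` chains already existing; a one-line header comment stating that ordering assumption and that the script re-homes xlink interfaces into the vpn zone would help the next maintainer.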