iopsys-feed/bbfdm/files/etc/firewall.userinterface

#!/bin/sh

. /lib/functions.sh

IDENTIFIER="UI-REMOTE-ACCESS-WAN"

log() {
	echo "${@}"|logger -t firewall.userinterface -p info
}

if [ ! -f "/etc/config/userinterface" ] || [ ! -f "/etc/config/nginx" ]; then
	exit 0;
fi

exec_cmd() {
	if ! "$@"; then
		log "Failed to run [$*]"
	fi
}

delete_ui_firewall_rules() {
	input_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
	output_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)

	for chain in ${input_chains}; do
		CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers"
		while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
			rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
			if [ -n "${rule_num}" ]; then
				exec_cmd iptables -w 1 -t filter -D "${chain}" "${rule_num}";
			fi
		done
	done

	for chain in ${output_chains}; do
		CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers"
		while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
			rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
			if [ -n "${rule_num}" ]; then
				exec_cmd iptables -w 1 -t filter -D "${chain}" "${rule_num}";
			fi
		done
	done

	input6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
	output6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)

	for chain in ${input6_chains}; do
		CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers"
		while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
			rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
			if [ -n "${rule_num}" ]; then
				exec_cmd ip6tables -w 1 -t filter -D "${chain}" "${rule_num}";
			fi
		done
	done

	for chain in ${output6_chains}; do
		CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers"
		while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
			rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
			if [ -n "${rule_num}" ]; then
				exec_cmd ip6tables -w 1 -t filter -D "${chain}" "${rule_num}";
			fi
		done
	done
}

configure_ui_firewall_rule() {
	local sec="${1}"
	local enabled access interface
	local port=""

	config_get_bool enabled "${sec}" uci_enable '1'
	config_get access "${sec}" uci_access ""
	config_get interface "${sec}" uci_interface ""

	if [ "${enabled}" -eq "1" ] && [ "${access}" == "remote" ] && [ -n "${interface}" ]; then
		port_list=$(uci -q show nginx."${1}".listen|cut -d'=' -f 2|sed "s/'/ /g"|sed "s/\[\:\:\]\://g")
		for item in ${port_list}; do
			if [ -z "${item##[0-9]*}" ]; then
				port="${item}"
				break
			fi
		done

		if [ -z "${port}" ]; then
			return 0
		fi

		zone="zone_${interface}_input"
		iptables -w 1 -t filter -nL ${zone} 2>/dev/null 1>&2
		if [ "$?" -eq 0 ]; then
			iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
		fi

		ip6tables -w 1 -t filter -nL ${zone} 2>/dev/null 1>&2
		if [ "$?" -eq 0 ]; then
			ip6tables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
		fi

		zone="zone_${interface}_output"
		iptables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
		if [ "$?" -eq 0 ]; then
			iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
		fi

		ip6tables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
		if [ "$?" -eq 0 ]; then
			ip6tables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
		fi
	fi
}

# Delete existing remote access rules
delete_ui_firewall_rules

config_load userinterface
config_get_bool serv_enable global enable 1

if [ "${serv_enable}" -eq "1" ]; then
	config_load nginx
	# Configure the User Interface rule
	config_foreach configure_ui_firewall_rule server
fi