BugFix UPNP & Check for ipv6

titoko 2013-04-13 12:21:49 +02:00
parent bfabbf5954
commit bd26e36b83


@ -33,7 +33,7 @@ def firewall_allow(protocol=None, port=None, ipv6=None, upnp=False):
"""
port = int(port)
if (upnp):
add_portmapping(protocol, upnp, ipv6)
add_portmapping(protocol, upnp, ipv6,'a')
if 0 < port < 65536:
if protocol == "Both":
@ -113,7 +113,7 @@ def firewall_reload(upnp=False):
if 22 not in firewall['ipv4']['TCP']:
update_yml(22, 'TCP', 'a', False)
if(os.path.exists("/proc/net/if_inet6")):
os.system ("ip6tables -P INPUT ACCEPT")
os.system ("ip6tables -F")
os.system ("ip6tables -X")
@ -122,21 +122,26 @@ def firewall_reload(upnp=False):
if 22 not in firewall['ipv6']['TCP']:
update_yml(22, 'TCP', 'a', False)
if upnp:
remove_portmapping()
add_portmapping('TCP', upnp, False);
add_portmapping('UDP', upnp, False);
add_portmapping('TCP', upnp, True);
add_portmapping('UDP', upnp, True);
add_portmapping('TCP', upnp, False,'r');
add_portmapping('UDP', upnp, False,'r');
if(os.path.exists("/proc/net/if_inet6")):
add_portmapping('TCP', upnp, True,'r');
add_portmapping('UDP', upnp, True,'r');
os.system ("iptables -A INPUT -i lo -j ACCEPT")
os.system ("iptables -A INPUT -p icmp -j ACCEPT")
os.system ("iptables -P INPUT DROP")
if(os.path.exists("/proc/net/if_inet6")):
os.system ("ip6tables -A INPUT -i lo -j ACCEPT")
os.system ("ip6tables -A INPUT -p icmp -j ACCEPT")
os.system ("iptables -P INPUT DROP")
os.system ("ip6tables -P INPUT DROP")
os.system("service fail2ban restart")
os.system("service fail2ban restart")
win_msg(_("Firewall successfully reloaded"))
return firewall_list()
@ -182,12 +187,14 @@ def update_yml(port=None, protocol=None, mode=None, ipv6=None):
yaml.dump(firewall, f)
def add_portmapping(protocol=None, upnp=False, ipv6=None):
def add_portmapping(protocol=None, upnp=False, ipv6=None,mode=None,):
"""
Send a port mapping rules to igd device
Keyword arguments:
protocol -- Protocol used
port -- Port to open
upnp -- Boolean upnp
ipv6 -- Boolean ipv6
mode -- Add a rule (a) or reload all rules (r)
Return
None
@ -197,7 +204,37 @@ def add_portmapping(protocol=None, upnp=False, ipv6=None):
else:
os.system ("iptables -P INPUT ACCEPT")
if upnp and mode=='a':
remove_portmapping()
if ipv6: ip = 'ipv6'
else: ip = 'ipv4'
with open('firewall.yml', 'r') as f:
firewall = yaml.load(f)
for i,port in enumerate (firewall[ip][protocol]):
if ipv6:
os.system ("ip6tables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
else:
os.system ("iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
upnpc = miniupnpc.UPnP()
upnpc.discoverdelay = 200
nbigd = upnpc.discover()
if nbigd:
upnpc.selectigd()
upnpc.addportmapping(port, protocol, upnpc.lanaddr, port, 'yunohost firewall : port %u' % port, '')
os.system ("iptables -P INPUT DROP")
def remove_portmapping():
"""
Remove all portmapping rules in the igd device
Keyword arguments:
None
Return
None
"""
upnp = miniupnpc.UPnP()
upnp.discoverdelay = 200
nbigd = upnp.discover()
@ -218,21 +255,6 @@ def add_portmapping(protocol=None, upnp=False, ipv6=None):
upnp.deleteportmapping(p[0], p[1])
if ipv6: ip = 'ipv6'
else: ip = 'ipv4'
with open('firewall.yml', 'r') as f:
firewall = yaml.load(f)
for i,port in enumerate (firewall[ip][protocol]):
if ipv6:
os.system ("ip6tables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
else:
os.system ("iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
upnp.addportmapping(port, protocol, upnp.lanaddr, port, 'yunohost firewall : port %u' % port, '')
os.system ("iptables -P INPUT DROP")
def firewall_installupnp():
"""
Add upnp cron
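Review bot: In add_portmapping, the loop over `firewall[ip][protocol]` builds the iptables/ip6tables command by concatenating `protocol` and `port` into a string for `os.system`, so a shell running with the firewall's privileges interprets both values, and `firewall_allow` calls `add_portmapping(protocol, upnp, ipv6,'a')` before any visible check on `protocol`. I would validate `protocol` against the supported names and pass the command as an argument list (this needs `subprocess` imported at the top of the file if it is not already), which also surfaces a failed rule insertion instead of discarding the exit status as `os.system` does here. The same function reads `firewall.yml` with `yaml.load(f)`; `yaml.safe_load(f)` is enough for this plain mapping and avoids constructing arbitrary objects. The start of add_portmapping's body lies outside the hunk, so the placement of the check below is approximate.

```python
# … unchanged: ip = 'ipv6' / 'ipv4' selection and loading of firewall.yml …
if protocol not in ('TCP', 'UDP'):
    # use the project's own error type here if it has one
    raise ValueError("unsupported protocol: %r" % (protocol,))
binary = 'ip6tables' if ipv6 else 'iptables'
for port in firewall[ip][protocol]:
    subprocess.check_call([binary, '-A', 'INPUT', '-p', protocol, '-i', 'eth0',
                           '--dport', str(int(port)), '-j', 'ACCEPT'])
    # … unchanged: UPnP mapping for this port …
```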