mirror of
https://github.com/YunoHost/moulinette.git
synced 2024-09-03 20:06:31 +02:00
commit
fa9b528fac
1 changed files with 62 additions and 40 deletions
|
@ -33,7 +33,7 @@ def firewall_allow(protocol=None, port=None, ipv6=None, upnp=False):
|
||||||
"""
|
"""
|
||||||
port = int(port)
|
port = int(port)
|
||||||
if (upnp):
|
if (upnp):
|
||||||
add_portmapping(protocol, upnp, ipv6)
|
add_portmapping(protocol, upnp, ipv6,'a')
|
||||||
|
|
||||||
if 0 < port < 65536:
|
if 0 < port < 65536:
|
||||||
if protocol == "Both":
|
if protocol == "Both":
|
||||||
|
@ -113,7 +113,7 @@ def firewall_reload(upnp=False):
|
||||||
if 22 not in firewall['ipv4']['TCP']:
|
if 22 not in firewall['ipv4']['TCP']:
|
||||||
update_yml(22, 'TCP', 'a', False)
|
update_yml(22, 'TCP', 'a', False)
|
||||||
|
|
||||||
|
if(os.path.exists("/proc/net/if_inet6")):
|
||||||
os.system ("ip6tables -P INPUT ACCEPT")
|
os.system ("ip6tables -P INPUT ACCEPT")
|
||||||
os.system ("ip6tables -F")
|
os.system ("ip6tables -F")
|
||||||
os.system ("ip6tables -X")
|
os.system ("ip6tables -X")
|
||||||
|
@ -122,21 +122,26 @@ def firewall_reload(upnp=False):
|
||||||
if 22 not in firewall['ipv6']['TCP']:
|
if 22 not in firewall['ipv6']['TCP']:
|
||||||
update_yml(22, 'TCP', 'a', False)
|
update_yml(22, 'TCP', 'a', False)
|
||||||
|
|
||||||
|
if upnp:
|
||||||
|
remove_portmapping()
|
||||||
|
|
||||||
add_portmapping('TCP', upnp, False);
|
add_portmapping('TCP', upnp, False,'r');
|
||||||
add_portmapping('UDP', upnp, False);
|
add_portmapping('UDP', upnp, False,'r');
|
||||||
add_portmapping('TCP', upnp, True);
|
|
||||||
add_portmapping('UDP', upnp, True);
|
if(os.path.exists("/proc/net/if_inet6")):
|
||||||
|
add_portmapping('TCP', upnp, True,'r');
|
||||||
|
add_portmapping('UDP', upnp, True,'r');
|
||||||
|
|
||||||
os.system ("iptables -A INPUT -i lo -j ACCEPT")
|
os.system ("iptables -A INPUT -i lo -j ACCEPT")
|
||||||
os.system ("iptables -A INPUT -p icmp -j ACCEPT")
|
os.system ("iptables -A INPUT -p icmp -j ACCEPT")
|
||||||
|
os.system ("iptables -P INPUT DROP")
|
||||||
|
|
||||||
|
if(os.path.exists("/proc/net/if_inet6")):
|
||||||
os.system ("ip6tables -A INPUT -i lo -j ACCEPT")
|
os.system ("ip6tables -A INPUT -i lo -j ACCEPT")
|
||||||
os.system ("ip6tables -A INPUT -p icmp -j ACCEPT")
|
os.system ("ip6tables -A INPUT -p icmp -j ACCEPT")
|
||||||
|
|
||||||
os.system ("iptables -P INPUT DROP")
|
|
||||||
os.system ("ip6tables -P INPUT DROP")
|
os.system ("ip6tables -P INPUT DROP")
|
||||||
os.system("service fail2ban restart")
|
|
||||||
|
|
||||||
|
os.system("service fail2ban restart")
|
||||||
win_msg(_("Firewall successfully reloaded"))
|
win_msg(_("Firewall successfully reloaded"))
|
||||||
|
|
||||||
return firewall_list()
|
return firewall_list()
|
||||||
|
@ -182,12 +187,14 @@ def update_yml(port=None, protocol=None, mode=None, ipv6=None):
|
||||||
yaml.dump(firewall, f)
|
yaml.dump(firewall, f)
|
||||||
|
|
||||||
|
|
||||||
def add_portmapping(protocol=None, upnp=False, ipv6=None):
|
def add_portmapping(protocol=None, upnp=False, ipv6=None,mode=None,):
|
||||||
"""
|
"""
|
||||||
Send a port mapping rules to igd device
|
Send a port mapping rules to igd device
|
||||||
Keyword arguments:
|
Keyword arguments:
|
||||||
protocol -- Protocol used
|
protocol -- Protocol used
|
||||||
port -- Port to open
|
upnp -- Boolean upnp
|
||||||
|
ipv6 -- Boolean ipv6
|
||||||
|
mode -- Add a rule (a) or reload all rules (r)
|
||||||
|
|
||||||
Return
|
Return
|
||||||
None
|
None
|
||||||
|
@ -197,7 +204,37 @@ def add_portmapping(protocol=None, upnp=False, ipv6=None):
|
||||||
else:
|
else:
|
||||||
os.system ("iptables -P INPUT ACCEPT")
|
os.system ("iptables -P INPUT ACCEPT")
|
||||||
|
|
||||||
|
if upnp and mode=='a':
|
||||||
|
remove_portmapping()
|
||||||
|
|
||||||
|
if ipv6: ip = 'ipv6'
|
||||||
|
else: ip = 'ipv4'
|
||||||
|
with open('firewall.yml', 'r') as f:
|
||||||
|
firewall = yaml.load(f)
|
||||||
|
|
||||||
|
for i,port in enumerate (firewall[ip][protocol]):
|
||||||
|
if ipv6:
|
||||||
|
os.system ("ip6tables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
|
||||||
|
else:
|
||||||
|
os.system ("iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
|
||||||
if upnp:
|
if upnp:
|
||||||
|
upnpc = miniupnpc.UPnP()
|
||||||
|
upnpc.discoverdelay = 200
|
||||||
|
nbigd = upnpc.discover()
|
||||||
|
if nbigd:
|
||||||
|
upnpc.selectigd()
|
||||||
|
upnpc.addportmapping(port, protocol, upnpc.lanaddr, port, 'yunohost firewall : port %u' % port, '')
|
||||||
|
|
||||||
|
os.system ("iptables -P INPUT DROP")
|
||||||
|
|
||||||
|
def remove_portmapping():
|
||||||
|
"""
|
||||||
|
Remove all portmapping rules in the igd device
|
||||||
|
Keyword arguments:
|
||||||
|
None
|
||||||
|
Return
|
||||||
|
None
|
||||||
|
"""
|
||||||
upnp = miniupnpc.UPnP()
|
upnp = miniupnpc.UPnP()
|
||||||
upnp.discoverdelay = 200
|
upnp.discoverdelay = 200
|
||||||
nbigd = upnp.discover()
|
nbigd = upnp.discover()
|
||||||
|
@ -218,21 +255,6 @@ def add_portmapping(protocol=None, upnp=False, ipv6=None):
|
||||||
upnp.deleteportmapping(p[0], p[1])
|
upnp.deleteportmapping(p[0], p[1])
|
||||||
|
|
||||||
|
|
||||||
if ipv6: ip = 'ipv6'
|
|
||||||
else: ip = 'ipv4'
|
|
||||||
with open('firewall.yml', 'r') as f:
|
|
||||||
firewall = yaml.load(f)
|
|
||||||
|
|
||||||
for i,port in enumerate (firewall[ip][protocol]):
|
|
||||||
if ipv6:
|
|
||||||
os.system ("ip6tables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
|
|
||||||
else:
|
|
||||||
os.system ("iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
|
|
||||||
if upnp:
|
|
||||||
upnp.addportmapping(port, protocol, upnp.lanaddr, port, 'yunohost firewall : port %u' % port, '')
|
|
||||||
|
|
||||||
os.system ("iptables -P INPUT DROP")
|
|
||||||
|
|
||||||
def firewall_installupnp():
|
def firewall_installupnp():
|
||||||
"""
|
"""
|
||||||
Add upnp cron
|
Add upnp cron
|
||||||
|
|
Loading…
Reference in a new issue