diff --git a/firewall/index.cgi b/firewall/index.cgi index 698274bd4..bab8e590a 100755 --- a/firewall/index.cgi +++ b/firewall/index.cgi @@ -106,7 +106,7 @@ if (!$config{'direct'} && # Offer to set up a firewall print &text($in{'reset'} ? 'index_rsetup' : 'index_setup', "$ipvx_save"),"
\n"; - print &ui_form_start("setup.cgi"); + print &ui_form_start("setup${ipvx}.cgi"); print &ui_hidden("version", ${ipvx_arg}); print &ui_hidden("reset", $in{'reset'}); print "
| \n";
diff --git a/firewall/save_rule.cgi b/firewall/save_rule.cgi
index 7edbb52d7..355a3a737 100755
--- a/firewall/save_rule.cgi
+++ b/firewall/save_rule.cgi
@@ -19,7 +19,7 @@ else {
 }
 if ($in{'clone'}) {
 # Go back to the editing page
- &redirect("edit_rule.cgi?new=1&clone=$in{'idx'}&".
+ &redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
 "table=".&urlize($in{'table'})."&".
 "after=$in{'idx'}&".
 "chain=".&urlize($rule->{'chain'}));
diff --git a/firewall/save_rule6.cgi b/firewall/save_rule6.cgi
new file mode 100755
index 000000000..48ba0f4fa
--- /dev/null
+++ b/firewall/save_rule6.cgi
@@ -0,0 +1,410 @@
+#!/usr/local/bin/perl
+# save_rule.cgi
+# Save, create or delete a rule in a chain
+
+require './firewall-lib.pl';
+&ReadParse();
+if (&get_ipvx_version() == 6) { require './firewall6-lib.pl';
+ } else { require './firewall4-lib.pl'; }
+&error_setup($text{'save_err'});
+@tables = &get_iptables_save();
+$table = $tables[$in{'table'}];
+&can_edit_table($table->{'name'}) || &error($text{'etable'});
+if ($in{'new'}) {
+ $rule = { 'chain' => $in{'chain'} };
+ }
+else {
+ $rule = $table->{'rules'}->[$in{'idx'}];
+ &can_jump($rule) || &error($text{'ejump'});
+ }
+if ($in{'clone'}) {
+ # Go back to the editing page
+ &redirect("edit_rule${ipvx}.cgi?version=${ipvx_arg}&new=1&clone=$in{'idx'}&".
+ "table=".&urlize($in{'table'})."&".
+ "chain=".&urlize($rule->{'chain'}));
+ }
+
+&lock_file($ipvx_save);
+if ($in{'delete'}) {
+ # Just delete this rule
+ splice(@{$table->{'rules'}}, $in{'idx'}, 1);
+ }
+else {
+ # Validate and store inputs
+ if ($config{'comment_mod'}) {
+ $in{'cmt'} =~ s/^\s+//;
+ $in{'cmt'} =~ s/\s+$//;
+ if ($in{'cmt'}) {
+ $rule->{'comment'} = [ "", $in{'cmt'} ];
+ push(@mods, "comment");
+ }
+ else {
+ delete($rule->{'comment'});
+ }
+ }
+ else {
+ $rule->{'cmt'} = $in{'cmt'};
+ delete($rule->{'comment'});
+ @mods = grep { $_ ne "comment" } @mods;
+ }
+ if ($in{'jump'} eq '*') {
+ $in{'other'} =~ /^\S+$/ || &error($text{'save_echain'});
+ $rule->{'j'} = [ "", $in{'other'} ];
+ }
+ elsif ($in{'jump'}) {
+ $rule->{'j'} = [ "", $in{'jump'} ];
+ }
+ else {
+ delete($rule->{'j'});
+ }
+ &can_jump($rule) || &error($text{'save_ecanjump'});
+ if (defined($in{'rwithtype'})) {
+ if ($rule->{'j'}->[1] eq 'REJECT' && !$in{'rwithdef'}) {
+ $rule->{'reject-with'} = [ "", $in{'rwithtype'} ];
+ }
+ else {
+ delete($rule->{'reject-with'});
+ }
+ }
+
+ # Parse redirect or masquerade input
+ if ($table->{'name'} eq 'nat') {
+ if ($rule->{'j'}->[1] eq 'REDIRECT' && !$in{'rtodef'}) {
+ $in{'rtofrom'} =~ /^\d+$/ ||
+ &error($text{'save_ertoports'});
+ $in{'rtoto'} =~ /^\d*$/ ||
+ &error($text{'save_ertoports'});
+ $rule->{'to-ports'} = [ "", $in{'rtoto'} eq '' ?
+ $in{'rtofrom'} : $in{'rtofrom'}."-".$in{'rtoto'} ];
+ }
+ elsif ($rule->{'j'}->[1] eq 'MASQUERADE' && !$in{'mtodef'}) {
+ $in{'mtofrom'} =~ /^\d+$/ ||
+ &error($text{'save_emtoports'});
+ $in{'mtoto'} =~ /^\d*$/ ||
+ &error($text{'save_emtoports'});
+ $rule->{'to-ports'} = [ "", $in{'mtoto'} eq '' ?
+ $in{'mtofrom'} : $in{'mtofrom'}."-".$in{'mtoto'} ];
+ }
+ else {
+ delete($rule->{'to-ports'});
+ }
+ }
+ if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') {
+ if ($rule->{'j'}->[1] eq 'DNAT' && !$in{'dnatdef'}) {
+ !$in{'dipfrom'} || &check_ipaddress($in{'dipfrom'}) ||
+ &error($text{'save_edipfrom'});
+ !$in{'dipto'} || &check_ipaddress($in{'dipto'}) ||
+ &error($text{'save_edipto'});
+ local $v = "[".$in{'dipfrom'}."]";
+ $v .= "-[".$in{'dipto'}."]" if ($in{'dipto'});
+ if ($in{'dpfrom'} ne '') {
+ $in{'dpfrom'} =~ /^\d+$/ ||
+ &error($text{'save_edpfrom'});
+ $in{'dpto'} =~ /^\d*$/ ||
+ &error($text{'save_edpto'});
+ if ($in{'dpto'} eq '') {
+ $v .= ":".$in{'dpfrom'};
+ }
+ else {
+ $v .= ":".$in{'dpfrom'}."-".$in{'dpto'};
+ }
+ }
+ $rule->{'to-destination'} = [ "", $v ];
+ }
+ else {
+ delete($rule->{'to-destination'});
+ }
+ }
+ if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' &&
+ $rule->{'chain'} ne 'OUTPUT') {
+ if ($rule->{'j'}->[1] eq 'SNAT' && !$in{'snatdef'}) {
+ (!$in{'sipfrom'} && !$in{'sipto'}) ||
+ &check_ipaddress($in{'sipfrom'}) ||
+ &error($text{'save_esipfrom'});
+ !$in{'sipto'} || &check_ipaddress($in{'sipto'}) ||
+ &error($text{'save_esipto'});
+ local $v = $in{'sipfrom'};
+ $v .= "-".$in{'sipto'} if ($in{'sipto'});
+ if ($in{'spfrom'} ne '') {
+ $in{'spfrom'} =~ /^\d+$/ ||
+ &error($text{'save_espfrom'});
+ $in{'spto'} =~ /^\d*$/ ||
+ &error($text{'save_espto'});
+ if ($in{'spto'} eq '') {
+ $v .= ":".$in{'spfrom'};
+ }
+ else {
+ $v .= ":".$in{'spfrom'}."-".$in{'spto'};
+ }
+ }
+ $rule->{'to-source'} = [ "", $v ];
+ }
+ else {
+ delete($rule->{'to-source'});
+ }
+ }
+ if (&parse_mode("source", $rule, "s")) {
+ &check_ipmask($in{'source'}) || &error($text{'save_esource'});
+ $rule->{'s'}->[1] = $in{'source'};
+ }
+ if (&parse_mode("dest", $rule, "d")) {
+ &check_ipmask($in{'dest'}) || &error($text{'save_edest'});
+ $rule->{'d'}->[1] = $in{'dest'};
+ }
+ if (&parse_mode("in", $rule, "i")) {
+ $in{'in'} ne '' || $in{'in_other'} =~ /^\S+$/ ||
+ &error($text{'save_ein'});
+ $rule->{'i'}->[1] = $in{'in'} eq '' || $in{'in'} eq 'other' ?
+ $in{'in_other'} : $in{'in'};
+ }
+ if (&parse_mode("out", $rule, "o")) {
+ $in{'out'} ne '' || $in{'out_other'} =~ /^\S+$/ ||
+ &error($text{'save_eout'});
+ $rule->{'o'}->[1] = $in{'out'} eq '' || $in{'out'} eq 'other' ?
+ $in{'out_other'} : $in{'out'};
+ }
+ if ($in{'frag'} == 0) { delete($rule->{'f'}); }
+ elsif ($in{'frag'} == 1) { $rule->{'f'} = [ "" ]; }
+ else { $rule->{'f'} = [ "!" ]; }
+ if (&parse_mode("proto", $rule, "p")) {
+ $in{'proto'} || $in{'proto_other'} =~ /^\d+$/ ||
+ &error($text{'save_eproto'});
+ $rule->{'p'}->[1] = $in{'proto'} || $in{'proto_other'};
+ if (!$rule->{'p'}->[0]) {
+ $proto = $in{'proto'};
+ push(@mods, $in{'proto'})
+ if ($proto eq 'tcp' || $proto eq 'udp' ||
+ $proto eq "icmp${ipvx_icmp}" && $in{'icmptype_mode'});
+ }
+ }
+
+ if (&parse_mode("sport", $rule, "sport")) {
+ $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
+ &error($text{'save_etcpudp'});
+ if ($in{"sport_type"} == 0) {
+ $in{"sport"} =~ /^\S+$/ ||
+ &error($text{'save_esport'});
+ if ($in{"sport"} =~ /,/) {
+ $rule->{'sports'}->[1] = $in{"sport"};
+ $rule->{'sports'}->[0] = $rule->{'sport'}->[0];
+ push(@mods, "multiport");
+ delete($rule->{'sport'});
+ }
+ else {
+ $rule->{'sport'}->[1] = $in{"sport"};
+ delete($rule->{'sports'});
+ }
+ }
+ else {
+ $in{"sport_from"} =~ /^\d*$/ ||
+ &error($text{'save_esportfrom'});
+ $in{"sport_to"} =~ /^\d*$/ ||
+ &error($text{'save_esportto'});
+ $rule->{'sport'}->[1] = $in{"sport_from"}.":".
+ $in{"sport_to"};
+ $rule->{'sport'}->[1] eq ":" &&
+ &error($text{'save_esportrange'});
+ delete($rule->{'sports'});
+ }
+ }
+ else {
+ delete($rule->{'sports'});
+ }
+ if (&parse_mode("dport", $rule, "dport")) {
+ $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
+ &error($text{'save_etcpudp'});
+ if ($in{"dport_type"} == 0) {
+ $in{"dport"} =~ /^\S+$/ ||
+ &error($text{'save_edport'});
+ if ($in{"dport"} =~ /,/) {
+ $rule->{'dports'}->[1] = $in{"dport"};
+ $rule->{'dports'}->[0] = $rule->{'dport'}->[0];
+ push(@mods, "multiport");
+ delete($rule->{'dport'});
+ }
+ else {
+ $rule->{'dport'}->[1] = $in{"dport"};
+ delete($rule->{'dports'});
+ }
+ }
+ else {
+ $in{"dport_from"} =~ /^\d*$/ ||
+ &error($text{'save_edportfrom'});
+ $in{"dport_to"} =~ /^\d*$/ ||
+ &error($text{'save_edportto'});
+ $rule->{'dport'}->[1] = $in{"dport_from"}.":".
+ $in{"dport_to"};
+ $rule->{'dport'}->[1] eq ":" &&
+ &error($text{'save_edportrange'});
+ delete($rule->{'dports'});
+ }
+ }
+ else {
+ delete($rule->{'dports'});
+ }
+ if (&parse_mode("ports", $rule, "ports")) {
+ $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
+ &error($text{'save_etcpudp'});
+ $in{"ports"} =~ /^\S+$/ || &error($text{'save_eports'});
+ $rule->{'ports'}->[1] = $in{'ports'};
+ push(@mods, "multiport");
+ }
+ if (&parse_mode("tcpflags", $rule, "tcp-flags")) {
+ $proto eq "tcp" || &error($text{'save_etcp1'});
+ local $tcp0 = join(",", split(/\0/, $in{"tcpflags0"}));
+ local $tcp1 = join(",", split(/\0/, $in{"tcpflags1"}));
+ #$tcp0 && $tcp1 || &error($text{'save_etcpflags'});
+ $tcp0 || &error($text{'save_etcpflags2'});
+ $rule->{'tcp-flags'}->[1] = $tcp0;
+ $rule->{'tcp-flags'}->[2] = $tcp1 || "NONE";
+ }
+ if (&parse_mode("tcpoption", $rule, "tcp-option")) {
+ $proto eq "tcp" || &error($text{'save_etcp2'});
+ $in{"tcpoption"} =~ /^\d+$/ ||
+ &error($text{'save_etcpoption'});
+ $rule->{'tcp-option'}->[1] = $in{"tcpoption"};
+ }
+ if (&parse_mode("icmptype", $rule, "icmp${ipvx_icmp}-type")) {
+ $proto eq "icmp${ipvx_icmp}" || &error($text{'save_eicmp'});
+ $rule->{"icmp${ipvx_icmp}-type"}->[1] = $in{'icmptype'};
+ }
+ if (&parse_mode("macsource", $rule, "mac-source")) {
+ $in{"macsource"} =~ /^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i ||
+ &error($text{'save_emac'});
+ $rule->{'mac-source'}->[1] = $in{'macsource'};
+ push(@mods, "mac");
+ }
+ if (&parse_mode("limit", $rule, "limit")) {
+ $in{'limit0'} =~ /^\d+$/ || &error($text{'save_elimit'});
+ $rule->{'limit'}->[1] = $in{'limit0'}."/".$in{'limit1'};
+ push(@mods, "limit");
+ }
+ if (&parse_mode("limitburst", $rule, "limit-burst")) {
+ $in{'limitburst'} =~ /^\d+$/ ||
+ &error($text{'save_elimitburst'});
+ $rule->{'limit-burst'}->[1] = $in{'limitburst'};
+ push(@mods, "limit");
+ }
+
+ if ($rule->{'chain'} eq 'OUTPUT') {
+ if (&parse_mode("uidowner", $rule, "uid-owner")) {
+ defined(getpwnam($in{"uidowner"})) ||
+ &error($text{'save_euidowner'});
+ $rule->{'uid-owner'}->[1] = $in{"uidowner"};
+ push(@mods, "owner");
+ }
+ if (&parse_mode("gidowner", $rule, "gid-owner")) {
+ defined(getgrnam($in{"gidowner"})) ||
+ &error($text{'save_egidowner'});
+ $rule->{'gid-owner'}->[1] = $in{"gidowner"};
+ push(@mods, "owner");
+ }
+ if (&parse_mode("pidowner", $rule, "pid-owner")) {
+ $in{"pidowner"} =~ /^\d+$/ ||
+ &error($text{'save_epidowner'});
+ $rule->{'pid-owner'}->[1] = $in{"pidowner"};
+ push(@mods, "owner");
+ }
+ if (&parse_mode("sidowner", $rule, "sid-owner")) {
+ $in{"sidowner"} =~ /^\d+$/ ||
+ &error($text{'save_esidowner'});
+ $rule->{'sid-owner'}->[1] = $in{"sidowner"};
+ push(@mods, "owner");
+ }
+ }
+
+ # Save connection states and TOS
+ if (&parse_mode("state", $rule, "state")) {
+ @states = split(/\0/, $in{'state'});
+ @states || &error($text{'save_estates'});
+ $rule->{'state'}->[1] = join(",", @states);
+ push(@mods, "state");
+ }
+ if (&parse_mode("tos", $rule, "tos")) {
+ $rule->{'tos'}->[1] = $in{'tos'};
+ push(@mods, "tos");
+ }
+
+ # Parse physical input and output interfaces
+ if (&parse_mode("physdevin", $rule, "physdev-in")) {
+ $in{'physdevin'} ne '' || $in{'physdevin_other'} =~ /^\S+$/ ||
+ &error($text{'save_ephysdevin'});
+ $rule->{'physdev-in'}->[1] =
+ $in{'physdevin'} eq '' || $in{'physdevin'} eq 'other' ?
+ $in{'physdevin_other'} : $in{'physdevin'};
+ push(@mods, "physdev");
+ }
+ if (&parse_mode("physdevout", $rule, "physdev-out")) {
+ $in{'physdevout'} ne '' || $in{'physdevout_other'} =~ /^\S+$/ ||
+ &error($text{'save_ephysdevout'});
+ $rule->{'physdev-out'}->[1] =
+ $in{'physdevout'} eq '' || $in{'physdevout'} eq 'other' ?
+ $in{'physdevout_other'} : $in{'physdevout'};
+ push(@mods, "physdev");
+ }
+
+ # Parse physdev match modes
+ if (&parse_mode("physdevisin", $rule, "physdev-is-in")) {
+ push(@mods, "physdev");
+ }
+ if (&parse_mode("physdevisout", $rule, "physdev-is-out")) {
+ push(@mods, "physdev");
+ }
+ if (&parse_mode("physdevisbridged", $rule, "physdev-is-bridged")) {
+ push(@mods, "physdev");
+ }
+
+ # Add custom paramters and modules
+ $rule->{'args'} = $in{'args'};
+ push(@mods, split(/\s+/, $in{'mods'}));
+
+ # Save the rule
+ if (@mods) {
+ $rule->{'m'} = [ map { [ "", $_ ] } &unique(@mods) ];
+ }
+ else {
+ delete($rule->{'m'});
+ }
+ delete($rule->{'j'}) if (!$in{'jump'});
+ if ($in{'new'}) {
+ if ($in{'before'} ne '') {
+ splice(@{$table->{'rules'}}, $in{'before'}, 0, $rule);
+ }
+ elsif ($in{'after'} ne '') {
+ splice(@{$table->{'rules'}}, $in{'after'}+1, 0, $rule);
+ }
+ else {
+ push(@{$table->{'rules'}}, $rule);
+ }
+ }
+ }
+
+# Write out the new save file
+&run_before_command();
+&save_table($table);
+&run_after_command();
+©_to_cluster();
+&unlock_file($ipvx_save);
+&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
+ "rule", undef, { 'chain' => $rule->{'chain'},
+ 'table' => $table->{'name'} });
+&redirect("index.cgi?table=$in{'table'}");
+
+# parse_mode(name, &rule, option)
+sub parse_mode
+{
+if ($in{"$_[0]_mode"} == 0) {
+ delete($_[1]->{$_[2]});
+ return 0;
+ }
+elsif ($in{"$_[0]_mode"} == 1) {
+ $_[1]->{$_[2]} = [ "" ];
+ return 1;
+ }
+else {
+ $_[1]->{$_[2]} = [ "!" ];
+ return 1;
+ }
+}
+
+
diff --git a/firewall/setup6.cgi b/firewall/setup6.cgi
new file mode 100755
index 000000000..94609e264
--- /dev/null
+++ b/firewall/setup6.cgi
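Review bot: The clone redirect near the top of save_rule6.cgi omits the `"after=$in{'idx'}&".` segment that the parallel edit to save_rule.cgi in this same commit keeps, so a cloned IPv6 rule is presumably inserted at the end of the chain instead of directly after its original; add that line between the `table=` and `chain=` segments. The final `&redirect("index.cgi?table=$in{'table'}");` likewise carries no `version=${ipvx_arg}`, so after saving an IPv6 rule the user likely lands on the default view — worth confirming against index.cgi, whose version handling is outside this hunk. The header comment still reads `# save_rule.cgi`; it should name this file and say that it dispatches to the v4 or v6 library on `&get_ipvx_version()`. In the MAC check `/^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i`, the doubled `[` makes the last octet's class also accept a literal `[`; it should be `[0-9a-z]{2}$`.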
@@ -0,0 +1,250 @@
+#!/usr/local/bin/perl
+# setup.cgi
+# Setup an initial save file
+
+require './firewall6-lib.pl';
+&ReadParse();
+$access{'setup'} || &error($text{'setup_ecannot'});
+
+&lock_file($ip6tables_save_file);
+if ($in{'reset'}) {
+ # Clear out all rules
+ foreach $t ("filter", "nat", "mangle") {
+ &system_logged("ip6tables -t $t -P INPUT ACCEPT >/dev/null 2>&1");
+ &system_logged("ip6tables -t $t -P OUTPUT ACCEPT >/dev/null 2>&1");
+ &system_logged("ip6tables -t $t -P FORWARD ACCEPT >/dev/null 2>&1");
+ &system_logged("ip6tables -t $t -P PREROUTING ACCEPT >/dev/null 2>&1");
+ &system_logged("ip6tables -t $t -P POSTROUTING ACCEPT >/dev/null 2>&1");
+ &system_logged("ip6tables -t $t -F >/dev/null 2>&1");
+ &system_logged("ip6tables -t $t -X >/dev/null 2>&1");
+ }
+ }
+
+# Save all existing active rules
+if (defined(&unapply_ip6tables)) {
+ &unapply_ip6tables();
+ }
+else {
+ &backquote_logged("ip6tables-save >$ip6tables_save_file 2>&1");
+ }
+
+# Get important variable ports
+&get_miniserv_config(\%miniserv);
+$webmin_port = $miniserv{'port'} || 10000;
+$webmin_port2 = $webmin_port + 10;
+$usermin_port = undef;
+if (&foreign_installed("usermin")) {
+ &foreign_require("usermin", "usermin-lib.pl");
+ &usermin::get_usermin_miniserv_config(\%uminiserv);
+ $usermin_port = $uminiserv{'port'};
+ }
+$usermin_port ||= 20000;
+$ssh_port = undef;
+if (&foreign_installed("sshd")) {
+ &foreign_require("sshd", "sshd-lib.pl");
+ $conf = &sshd::get_sshd_config();
+ $ssh_port = &sshd::find_value("Port", $conf);
+ }
+$ssh_port ||= 22;
+
+if ($in{'auto'}) {
+ @tables = &get_ip6tables_save();
+ if ($in{'auto'} == 1) {
+ # Add a single rule to the nat table for masquerading
+ $iface = $in{'iface1'} eq 'other' ? $in{'iface1_other'}
+ : $in{'iface1'};
+ $iface || &error($text{'setup_eiface'});
+ ($table) = grep { $_->{'name'} eq 'nat' } @tables;
+ $table ||= { 'name' => 'nat',
+ 'rules' => [ ],
+ 'defaults' => { } };
+ push(@{$table->{'rules'}},
+ { 'chain' => 'POSTROUTING',
+ 'o' => [ "", $iface ],
+ 'j' => [ "", 'MASQUERADE' ] } );
+ }
+ elsif ($in{'auto'} >= 2) {
+ # Block all incoming traffic, except for established
+ # connections, DNS replies and safe ICMP types
+ # In mode 3 allow ssh and ident too
+ # In mode 4 allow ftp, echo-request and high ports too
+ $iface = $in{'iface'.$in{'auto'}} eq 'other' ?
+ $in{'iface'.$in{'auto'}.'_other'} :
+ $in{'iface'.$in{'auto'}};
+ $iface || &error($text{'setup_eiface'});
+ ($table) = grep { $_->{'name'} eq 'filter' } @tables;
+ $table ||= { 'name' => 'nat',
+ 'rules' => [ ],
+ 'defaults' => { } };
+ $table->{'defaults'}->{'INPUT'} = 'DROP';
+ push(@{$table->{'rules'}},
+ { 'chain' => 'INPUT',
+ 'i' => [ "!", $iface ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Accept traffic from internal interfaces' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'tcp-flags' => [ "", "ACK", "ACK" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Accept traffic with the ACK flag set' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "state" ] ],
+ 'state' => [ "", "ESTABLISHED" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow incoming data that is part of a connection we established' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "state" ] ],
+ 'state' => [ "", "RELATED" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow data that is related to existing connections' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "udp" ] ],
+ 'p' => [ "", "udp" ],
+ 'sport' => [ "", 53 ],
+ 'dport' => [ "", "1024:65535" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Accept responses to DNS queries' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "icmpv6" ] ],
+ 'p' => [ [ "", "icmpv6" ] ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Accept all ICMPv6 traffic' },
+ );
+ if ($in{'auto'} >= 3) {
+ # Allow ssh and ident
+ push(@{$table->{'rules'}},
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", $ssh_port ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to our SSH server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "auth" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to our IDENT server'}
+ );
+ }
+ if ($in{'auto'} >= 4) {
+ # Allow pings
+ push(@{$table->{'rules'}},
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "icmpv6" ] ],
+ 'p' => [ [ "", "icmpv6" ] ],
+ 'icmpv6-type' => [ "", "echo-request" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Respond to pings' }, );
+ }
+ if ($in{'auto'} == 4) {
+ # Allow pings and most high ports
+ push(@{$table->{'rules'}},
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "2049:2050" ],
+ 'j' => [ "", 'DROP' ],
+ 'cmt' => 'Protect our NFS server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "6000:6063" ],
+ 'j' => [ "", 'DROP' ],
+ 'cmt' => 'Protect our X11 display server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "7000:7010" ],
+ 'j' => [ "", 'DROP' ],
+ 'cmt' => 'Protect our X font server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "1024:65535" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to unprivileged ports' },
+ );
+ }
+ if ($in{'auto'} == 5) {
+ # Allow typical hosting server ports
+ push(@{$table->{'rules'}},
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "53" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow DNS zone transfers' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "udp" ] ],
+ 'p' => [ "", "udp" ],
+ 'dport' => [ "", "53" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow DNS queries' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "80" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to webserver' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "443" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow SSL connections to webserver' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dports' => [ "", "25,587" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to mail server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", "20:21" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to FTP server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dports' => [ "", "110,995" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to POP3 server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dports' => [ "", "143,220,993" ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to IMAP server' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "",$webmin_port.":".$webmin_port2 ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to Webmin' },
+ { 'chain' => 'INPUT',
+ 'm' => [ [ "", "tcp" ] ],
+ 'p' => [ "", "tcp" ],
+ 'dport' => [ "", $usermin_port ],
+ 'j' => [ "", 'ACCEPT' ],
+ 'cmt' => 'Allow connections to Usermin' },
+ );
+ }
+ }
+ &run_before_command();
+ &save_table($table);
+ &run_after_command();
+ ©_to_cluster();
+ }
+
+if ($in{'atboot'}) {
+ &create_firewall_init();
+ }
+&unlock_file($ip6tables_save_file);
+
+&webmin_log("setup");
+&redirect("");
+
+
|
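Review bot: The two ICMPv6 rules ("Accept all ICMPv6 traffic" in the `auto >= 2` block and "Respond to pings" in the `auto >= 4` block) set `'p' => [ [ "", "icmpv6" ] ]`, a nested arrayref, while every other rule in this file uses the flat `'p' => [ "", "tcp" ]` form; unless save_table flattens it, the protocol will be written out as a stringified reference, so both should be `'p' => [ "", "icmpv6" ],`. In the same `auto >= 2` block, the fallback after `grep { $_->{'name'} eq 'filter' }` builds the table as `$table ||= { 'name' => 'nat', ...`, so on a host with no filter table yet the DROP policy and all INPUT rules land in a table named nat; that literal should be `'filter'`. `$iface`, which can come straight from `$in{'iface1_other'}` or `$in{'iface'.$in{'auto'}.'_other'}`, is only checked for truthiness before being stored in the rule, whereas save_rule6.cgi in this commit validates free-form interface names with `=~ /^\S+$/`; applying the same check here keeps untrusted whitespace out of the generated save file. The header comment still reads `# setup.cgi`; it should name setup6.cgi and state that it writes the ip6tables save file.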