diff --git a/firewall/coherent-linux-lib.pl b/firewall/coherent-linux-lib.pl index f9d8d9a60..e05c25338 100755 --- a/firewall/coherent-linux-lib.pl +++ b/firewall/coherent-linux-lib.pl @@ -2,7 +2,7 @@ # Deal with redhat's /etc/sysconfig/iptables save file and startup script &foreign_require("init", "init-lib.pl"); -$init_script = "$init::config{'init_dir'}/iptables"; +$init_script = "$init::config{'init_dir'}/ip${ipvx}tables"; # check_iptables() # Returns an error message if something is wrong with iptables on this system @@ -23,6 +23,7 @@ if (!$config{'done_check_iptables'}) { return undef; } +$ip6tables_save_file = "/etc/sysconfig/ip6tables"; $iptables_save_file = "/etc/sysconfig/iptables"; # apply_iptables() @@ -46,17 +47,17 @@ return $? || $out =~ /FAILED/ ? "
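Review bot: `$ipvx` is interpolated into `$init_script` on the added line but is neither declared nor documented in this file, so it must be set by whichever module library pulls this file in; because the file runs without `use strict`, an unset `$ipvx` silently yields `/iptables` and the IPv6 module instance would manage the IPv4 service with no error. `$init_script` is later passed to a shell in backquotes (`$init_script status 2>&1`, plus the restart and save commands, as the deleted firewall6 copy of this file shows), so the value should be constrained to the two expected forms — presumably `""` for IPv4 and `"6"` for IPv6 — rather than taken as-is. At minimum a comment above the assignment, `# $ipvx is set by the including module library: "" for iptables, "6" for ip6tables`, and a guard that rejects anything else, `&error("Unexpected ipvx value $ipvx") if ($ipvx ne "" && $ipvx ne "6");`, would make the contract explicit. The same interpolation is relied on by started_at_boot, enable_at_boot and disable_at_boot in the third hunk of this file.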
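Review bot: The new `$ip6tables_save_file` line sits next to an unchanged `$iptables_save_file`, so both globals are set unconditionally in both module instances while the init script above was parameterised on `$ipvx`; any code that reads `$iptables_save_file` in the IPv6 instance gets `/etc/sysconfig/iptables`, the IPv4 file. Using the same switch here, `$iptables_save_file = "/etc/sysconfig/ip${ipvx}tables";`, keeps one variable consistent with `$init_script`. The separate `$ip6tables_save_file` is only needed if something outside this file reads it, which I cannot see from this hunk. The debian library in this commit has the same split in its first hunk.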
$out" : undef; # started_at_boot() sub started_at_boot { -return &init::action_status("iptables") == 2; +return &init::action_status("ip${ipvx}tables") == 2; } sub enable_at_boot { -&init::enable_at_boot("iptables"); # Assumes init script exists +&init::enable_at_boot("ip${ipvx}tables"); # Assumes init script exists } sub disable_at_boot { -&init::disable_at_boot("iptables"); +&init::disable_at_boot("ip${ipvx}tables"); } 1; diff --git a/firewall/debian-linux-lib.pl b/firewall/debian-linux-lib.pl index 397af1bba..b6d89ccf1 100755 --- a/firewall/debian-linux-lib.pl +++ b/firewall/debian-linux-lib.pl @@ -2,20 +2,24 @@ # Deal with debian's iptables save file and startup script if ($gconfig{'os_version'} >= 3.1 && - !-r "/etc/init.d/iptables" && - !-r "/etc/init.d/webmin-iptables" && + !-r "/etc/init.d/ip${ipvx}tables" && + !-r "/etc/init.d/webmin-ip${ipvx}tables" && !$config{'force_init'}) { # In newer Debians, IPtable is started by the network init script $has_new_debian_iptables = 1; + $ip6tables_save_file = "/etc/ip6tables.up.rules"; $iptables_save_file = "/etc/iptables.up.rules"; } else { # Older Debians use an init script $has_debian_iptables = -r "/etc/init.d/iptables"; + $debian_ip6tables_dir = "/var/lib/ip6tables"; $debian_iptables_dir = "/var/lib/iptables"; if ($has_debian_iptables) { + mkdir($debian_ip6tables_dir, 0755) if (!-d $debian_ip6tables_dir); mkdir($debian_iptables_dir, 0755) if (!-d $debian_iptables_dir); $iptables_save_file = "$debian_iptables_dir/active"; + $ip6tables_save_file = "$debian_ip6tables_dir/active"; } } @@ -24,7 +28,7 @@ else { sub apply_iptables { if ($has_debian_iptables) { - local $out = &backquote_logged("cd / ; /etc/init.d/iptables start 2>&1"); + local $out = &backquote_logged("cd / ; /etc/init.d/ip${ipvx}tables start 2>&1"); return $? ? "
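Review bot: The `else` branch still sets `$has_debian_iptables = -r "/etc/init.d/iptables"` although the `if` condition above now tests `/etc/init.d/ip${ipvx}tables`, so for the IPv6 instance the init-script mode is selected by the presence of the IPv4 script, and apply_iptables in the next hunk then runs `/etc/init.d/ip6tables start` whether or not that script exists. The save path is split the same way: `$iptables_save_file` stays `/etc/iptables.up.rules` for both instances, and this file's started_at_boot and enable_at_boot hunks (old lines 60 and 85) compare against and write `ip${ipvx}tables-restore < $iptables_save_file`, so the IPv6 instance would install a post-up command that feeds the IPv4 rule file to ip6tables-restore — likely a restore failure and no IPv6 rules loaded at boot. Parameterising the three paths on `$ipvx` — `$has_debian_iptables = -r "/etc/init.d/ip${ipvx}tables";`, `$iptables_save_file = "/etc/ip${ipvx}tables.up.rules";`, `$debian_iptables_dir = "/var/lib/ip${ipvx}tables";` — fixes all of these with one variable. The added `$ip6tables_save_file`, `$debian_ip6tables_dir` and second `mkdir` lines (which create both directories in both instances) are then needed only if something outside this file reads them. The unapply_iptables hunk presumably shares the `$has_debian_iptables` dependency, but its text is garbled on this page.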
$out" : undef; } else { @@ -37,7 +41,7 @@ else { sub unapply_iptables { if ($has_debian_iptables) { - $out = &backquote_logged("cd / ; /etc/init.d/iptables save active 2>&1 &1 $out" : undef; } else { @@ -51,7 +55,7 @@ sub started_at_boot &foreign_require("init", "init-lib.pl"); if ($has_debian_iptables) { # Check Debian init script - return &init::action_status("iptables") == 2; + return &init::action_status("ip${ipvx}tables") == 2; } elsif ($has_new_debian_iptables) { # Check network interface config @@ -60,7 +64,7 @@ elsif ($has_new_debian_iptables) { &net::get_interface_defs(); foreach my $o (@{$debpri->[3]}) { if (($o->[0] eq "pre-up" || $o->[0] eq "post-up") && - $o->[1] =~ /\S*iptables-restore\s+<\s+(\S+)/ && + $o->[1] =~ /\S*ip${ipvx}tables-restore\s+<\s+(\S+)/ && $1 eq $iptables_save_file) { return 1; } @@ -68,7 +72,7 @@ elsif ($has_new_debian_iptables) { } else { # Check Webmin init script - return &init::action_status("webmin-iptables") == 2; + return &init::action_status("webmin-ip${ipvx}tables") == 2; } } @@ -76,7 +80,7 @@ sub enable_at_boot { &foreign_require("init", "init-lib.pl"); if ($has_debian_iptables) { - &init::enable_at_boot("iptables"); # Assumes init script exists + &init::enable_at_boot("ip${ipvx}tables"); # Assumes init script exists } elsif ($has_new_debian_iptables) { # Add to network interface config @@ -85,7 +89,7 @@ elsif ($has_new_debian_iptables) { &net::get_interface_defs(); if ($debpri && !&started_at_boot()) { push(@{$debpri->[3]}, - [ "post-up", "iptables-restore < $iptables_save_file" ]); + [ "post-up", "ip${ipvx}tables-restore < $iptables_save_file" ]); &net::modify_interface_def(@$debpri); } } @@ -98,7 +102,7 @@ sub disable_at_boot { &foreign_require("init", "init-lib.pl"); if ($has_debian_iptables) { - &init::disable_at_boot("iptables"); + &init::disable_at_boot("ip${ipvx}tables"); } elsif ($has_new_debian_iptables) { # Remove from network interface config 
@@ -107,11 +111,11 @@ elsif ($has_new_debian_iptables) { &net::get_interface_defs(); @{$debpri->[3]} = grep { ($_->[0] ne "pre-up" && $_->[0] ne "post-up") || - $_->[1] !~ /^\S*iptables/ } @{$debpri->[3]}; + $_->[1] !~ /^\S*ip${ipvx}tables/ } @{$debpri->[3]}; &net::modify_interface_def(@$debpri); } else { - &init::disable_at_boot("webmin-iptables"); + &init::disable_at_boot("webmin-ip${ipvx}tables"); } } diff --git a/firewall6/CHANGELOG b/firewall6/CHANGELOG deleted file mode 100644 index f2af47e0a..000000000 --- a/firewall6/CHANGELOG +++ /dev/null @@ -1,2 +0,0 @@ ----- Changes since 1.800 ---- -First version of this module, contributed by Patrick Wahle. diff --git a/firewall6/coherent-linux-lib.pl b/firewall6/coherent-linux-lib.pl deleted file mode 100644 index 70417eaf2..000000000 --- a/firewall6/coherent-linux-lib.pl +++ /dev/null @@ -1,63 +0,0 @@ -# coherant-linux-lib.pl -# Deal with redhat's /etc/sysconfig/ip6tables save file and startup script - -&foreign_require("init", "init-lib.pl"); -$init_script = "$init::config{'init_dir'}/ip6tables"; - -# check_ip6tables() -# Returns an error message if something is wrong with ip6tables on this system -sub check_ip6tables -{ -if (!-r $init_script) { - return &text('coherent_escript', "$init_script"); - } -if (!$config{'done_check_ip6tables'}) { - local $out = `$init_script status 2>&1`; - if ($out !~ /table:|INPUT|FORWARD|OUTPUT/) { - return &text('coherent_eoutput', - "$init_script status"); - } - $config{'done_check_ip6tables'} = 1; - &save_module_config(); - } -return undef; -} - -$ip6tables_save_file = "/etc/sysconfig/ip6tables"; - -# apply_ip6tables() -# Applies the current ip6tables configuration from the save file -sub apply_ip6tables -{ -local $out = &backquote_logged("cd / ; $init_script restart 2>&1"); -$out =~ s/\033[^m]+m//g; -return $? || $out =~ /FAILED/ ? "
$out" : undef; -} - -# unapply_ip6tables() -# Writes the current ip6tables configuration to the save file -sub unapply_ip6tables -{ -$out = &backquote_logged("cd / ; $init_script save 2>&1 $out" : undef; -} - -# started_at_boot() -sub started_at_boot -{ -return &init::action_status("ip6tables") == 2; -} - -sub enable_at_boot -{ -&init::enable_at_boot("ip6tables"); # Assumes init script exists -} - -sub disable_at_boot -{ -&init::disable_at_boot("ip6tables"); -} - -1; - diff --git a/firewall6/coherent-linux-lib.pl b/firewall6/coherent-linux-lib.pl new file mode 120000 index 000000000..eb972d671 --- /dev/null +++ b/firewall6/coherent-linux-lib.pl @@ -0,0 +1 @@ +../firewall/coherent-linux-lib.pl \ No newline at end of file diff --git a/firewall6/debian-linux-lib.pl b/firewall6/debian-linux-lib.pl deleted file mode 100644 index 48dff52b0..000000000 --- a/firewall6/debian-linux-lib.pl +++ /dev/null @@ -1,131 +0,0 @@ -# debians-linux-lib.pl -# Deal with debian's ip6tables save file and startup script - -if ($gconfig{'os_version'} >= 3.1 && - !-r "/etc/init.d/ip6tables" && - !-r "/etc/init.d/webmin-ip6tables" && - !$config{'force_init'}) { - # In newer Debians, IPtable is started by the network init script - $has_new_debian_ip6tables = 1; - $ip6tables_save_file = "/etc/ip6tables.up.rules"; - } -else { - # Older Debians use an init script - $has_debian_ip6tables = -r "/etc/init.d/ip6tables"; - $debian_ip6tables_dir = "/var/lib/ip6tables"; - if ($has_debian_ip6tables) { - mkdir($debian_ip6tables_dir, 0755) if (!-d $debian_ip6tables_dir); - $ip6tables_save_file = "$debian_ip6tables_dir/active"; - } - } - -# apply_ip6tables() -# Applies the current ip6tables configuration from the save file -sub apply_ip6tables -{ -if ($has_debian_ip6tables) { - local $out = &backquote_logged("cd / ; /etc/init.d/ip6tables start 2>&1"); - return $? ? "
$out" : undef; - } -else { - return &ip6tables_restore(); - } -} - -# unapply_ip6tables() -# Writes the current ip6tables configuration to the save file -sub unapply_ip6tables -{ -if ($has_debian_ip6tables) { - $out = &backquote_logged("cd / ; /etc/init.d/ip6tables save active 2>&1 $out" : undef; - } -else { - return &ip6tables_save(); - } -} - -# started_at_boot() -sub started_at_boot -{ -&foreign_require("init", "init-lib.pl"); -if ($has_debian_ip6tables) { - # Check Debian init script - return &init::action_status("ip6tables") == 2; - } -elsif ($has_new_debian_ip6tables) { - # Check network interface config - local $pri = &get_primary_network_interface(); - local ($debpri) = grep { $_->[0] eq $pri->{'fullname'} } - &net::get_interface_defs(); - foreach my $o (@{$debpri->[3]}) { - if (($o->[0] eq "pre-up" || $o->[0] eq "post-up") && - $o->[1] =~ /\S*ip6tables-restore\s+<\s+(\S+)/ && - $1 eq $ip6tables_save_file) { - return 1; - } - } - } -else { - # Check Webmin init script - return &init::action_status("webmin-ip6tables") == 2; - } -} - -sub enable_at_boot -{ -&foreign_require("init", "init-lib.pl"); -if ($has_debian_ip6tables) { - &init::enable_at_boot("ip6tables"); # Assumes init script exists - } -elsif ($has_new_debian_ip6tables) { - # Add to network interface config - local $pri = &get_primary_network_interface(); - local ($debpri) = grep { $_->[0] eq $pri->{'fullname'} } - &net::get_interface_defs(); - if ($debpri && !&started_at_boot()) { - push(@{$debpri->[3]}, - [ "post-up", "ip6tables-restore < $ip6tables_save_file" ]); - &net::modify_interface_def(@$debpri); - } - } -else { - &create_webmin_init(); - } -} - -sub disable_at_boot -{ -&foreign_require("init", "init-lib.pl"); -if ($has_debian_ip6tables) { - &init::disable_at_boot("ip6tables"); - } -elsif ($has_new_debian_ip6tables) { - # Remove from network interface config - local $pri = &get_primary_network_interface(); - local ($debpri) = grep { $_->[0] eq $pri->{'fullname'} } - 
&net::get_interface_defs(); - @{$debpri->[3]} = grep { - ($_->[0] ne "pre-up" && $_->[0] ne "post-up") || - $_->[1] !~ /^\S*ip6tables/ } @{$debpri->[3]}; - &net::modify_interface_def(@$debpri); - } -else { - &init::disable_at_boot("webmin-ip6tables"); - } -} - -sub get_primary_network_interface -{ -&foreign_require("net", "net-lib.pl"); -local @boot = sort { $a->{'fullname'} cmp $b->{'fullname'} } - &net::boot_interfaces(); -local ($eth) = grep { $_->{'fullname'} =~ /^eth\d+$/ } @boot; -local ($ppp) = grep { $_->{'fullname'} =~ /^ppp\d+$/ } @boot; -local ($venetn) = grep { $_->{'fullname'} =~ /^venet\d+:\d+$/ } @boot; -local ($venet) = grep { $_->{'fullname'} =~ /^venet\d+$/ } @boot; -return $eth || $ppp || $venetn || $venet || $boot[0]; -} - -1; - diff --git a/firewall6/debian-linux-lib.pl b/firewall6/debian-linux-lib.pl new file mode 120000 index 000000000..4352a2da8 --- /dev/null +++ b/firewall6/debian-linux-lib.pl @@ -0,0 +1 @@ +../firewall/debian-linux-lib.pl \ No newline at end of file diff --git a/firewall6/images b/firewall6/images new file mode 120000 index 000000000..dd1d5d41b --- /dev/null +++ b/firewall6/images @@ -0,0 +1 @@ +../firewall/images \ No newline at end of file diff --git a/firewall6/images/after.gif b/firewall6/images/after.gif deleted file mode 100644 index f4c0eb151..000000000 Binary files a/firewall6/images/after.gif and /dev/null differ diff --git a/firewall6/images/before.gif b/firewall6/images/before.gif deleted file mode 100644 index 5c1010e84..000000000 Binary files a/firewall6/images/before.gif and /dev/null differ diff --git a/firewall6/images/down.gif b/firewall6/images/down.gif deleted file mode 100644 index 73025ba51..000000000 Binary files a/firewall6/images/down.gif and /dev/null differ diff --git a/firewall6/images/gap.gif b/firewall6/images/gap.gif deleted file mode 100644 index 1a7776453..000000000 Binary files a/firewall6/images/gap.gif and /dev/null differ 
diff --git a/firewall6/images/icon.gif b/firewall6/images/icon.gif deleted file mode 100644 index 650a15379..000000000 Binary files a/firewall6/images/icon.gif and /dev/null differ diff --git a/firewall6/images/smallicon.gif b/firewall6/images/smallicon.gif deleted file mode 100644 index 6cab0a9d3..000000000 Binary files a/firewall6/images/smallicon.gif and /dev/null differ diff --git a/firewall6/images/up.gif b/firewall6/images/up.gif deleted file mode 100644 index 23ff2fefb..000000000 Binary files a/firewall6/images/up.gif and /dev/null differ diff --git a/firewall6/install_check.pl b/firewall6/install_check.pl deleted file mode 100644 index e57167095..000000000 --- a/firewall6/install_check.pl +++ /dev/null @@ -1,24 +0,0 @@ -# install_check.pl - -do 'firewall6-lib.pl'; - -# is_installed(mode) -# For mode 1, returns 2 if the server is installed and configured for use by -# Webmin, 1 if installed but not configured, or 0 otherwise. -# For mode 0, returns 1 if installed, 0 if not -sub is_installed -{ -return 0 if (&missing_firewall_commands()); -local $out = &backquote_command("ip6tables -n -t filter -L OUTPUT 2>&1"); -return 0 if ($?); -if ($_[0]) { - if (!$config{'direct'} && - (defined(&check_ip6tables) && &check_ip6tables() || - !-s $ip6tables_save_file)) { - return 1; - } - return 2; - } -return 1; -} - diff --git a/firewall6/install_check.pl b/firewall6/install_check.pl new file mode 120000 index 000000000..e7584e39c --- /dev/null +++ b/firewall6/install_check.pl @@ -0,0 +1 @@ +../firewall/install_check.pl \ No newline at end of file diff --git a/firewall6/module.info b/firewall6/module.info deleted file mode 100644 index f9178542d..000000000 --- a/firewall6/module.info +++ /dev/null 
@@ -1,9 +0,0 @@ -desc=Linux IPv6 Firewall -category=net -longdesc=Configure a Linux firewall using ip6tables. Allows the editing of all tables, chains, rules and options. -name=Firewall6 -desc_de=Linux IPv6 Firewall -os_support=*-linux -desc_ca=Tallafocs Linux IPv6 -longdesc_ca=Configura un tallafocs Linux utilitzant ip6tables. Permet l'edició de totes les taules, cadenes, regles i opcions. -longdesc_de=Konfiguriert eine Linux-Firewall mit ip6tables. Ermöglicht die Bearbeitung aller Tabellen, Ketten, Regeln und Optionen. diff --git a/firewall6/module.info b/firewall6/module.info new file mode 120000 index 000000000..af8091b44 --- /dev/null +++ b/firewall6/module.info @@ -0,0 +1 @@ +../firewall/module.info \ No newline at end of file diff --git a/firewall6/open-ports.pl b/firewall6/open-ports.pl deleted file mode 100644 index ab6e87c2d..000000000 --- a/firewall6/open-ports.pl +++ /dev/null 
@@ -1,142 +0,0 @@ -#!/usr/local/bin/perl -# Open some ports on the firewall. Exit statuses are : -# 0 - Nothing needed to be done -# 1 - Given ports were opened up -# 2 - ip6tables is not installed or supported -# 3 - No firewall is active -# 4 - Could not apply configuration -# 5 - Bad args - -$no_acl_check++; -$ENV{'WEBMIN_CONFIG'} = "/etc/webmin"; -$ENV{'WEBMIN_VAR'} = "/var/webmin"; -if ($0 =~ /^(.*\/)[^\/]+$/) { - chdir($1); - } -require './firewall6-lib.pl'; -if ($module_name ne 'firewall') { - print STDERR "Command must be run with full path\n"; - exit(5); - } - -# Parse args -if ($ARGV[0] eq "--no-apply") { - $no_apply = 1; - shift(@ARGV); - } -if (!@ARGV) { - print STDERR "Missing ports to open\n"; - exit(5); - } -foreach $p (@ARGV) { - if ($p !~ /^\d+$/ && $p !~ /^\d+:\d+$/ && $p !~ /^\d+(,\d+)*$/) { - print STDERR "Port $p must be number or start:end range\n"; - exit(5); - } - } - -# Check ip6tables support -if (&foreign_installed($module_name, 1) != 2) { - print STDERR "ip6tables is not available\n"; - exit(2); - } - -# Check if any rules exist -@tables = &get_ip6tables_save(); -if (!@tables) { - print STDERR "No ip6tables rules exist yet\n"; - exit(3); - } -($filter) = grep { $_->{'name'} eq 'filter' } @tables; -if (!$filter) { - print STDERR "No ip6tables filter table found\n"; - exit(3); - } -elsif (!@{$filter->{'rules'}}) { - print STDERR "No ip6tables rules found in filter table\n"; - exit(3); - } - -# Check if any rules are active -@livetables = &get_ip6tables_save("ip6tables-save 2>/dev/null |"); -($livefilter) = grep { $_->{'name'} eq 'filter' } @livetables; - -@added = ( ); -PORT: foreach $p (@ARGV) { - # For each port, find existing rules - print STDERR "Checking for port $p ..\n"; - foreach $r (@{$filter->{'rules'}}) { - if ($r->{'chain'} eq 'INPUT' && - $r->{'j'} && $r->{'j'}->[1] eq 'ACCEPT' && - $r->{'p'} && $r->{'p'}->[0] eq '' && - $r->{'p'}->[1] eq 'tcp') { - # Found tcp rule .. 
check ports - @rports = ( ); - $rrange = undef; - if ($r->{'dports'} && $r->{'dports'}->[0] eq '') { - push(@rports, split(/,/, $r->{'dports'}->[1])); - $rrange = $r->{'dports'}->[1]; - } - if ($r->{'dport'} && $r->{'dport'}->[0] eq '') { - ($s, $e) = split(":", $r->{'dport'}->[1]); - if ($s && $e) { - push(@rports, ($s .. $e)); - } - elsif ($s) { - push(@rports, $s); - } - $rrange = $r->{'dport'}->[1]; - } - if (&indexof($p, @rports) >= 0 || - $p eq $rrange) { - print STDERR ".. already allowed\n"; - next PORT; - } - } - } - - # Add a rule at the top for this port - $r = { 'chain' => 'INPUT', - 'm' => [ [ "", "tcp" ] ], - 'p' => [ "", "tcp" ], - 'j' => [ "", 'ACCEPT' ] }; - if ($p =~ /,/) { - $r->{'dports'} = [ "", $p ]; - push(@{$r->{'m'}}, [ "", "multiport" ]); - } - else { - $r->{'dport'} = [ "", $p ]; - } - unshift(@{$filter->{'rules'}}, $r); - push(@added, $p); - } - -if (@added) { - # Added some rules .. save them - &run_before_command(); - &lock_file($ip6tables_save_file); - &save_table($filter); - &unlock_file($ip6tables_save_file); - &run_after_command(); - ©_to_cluster(); - print STDERR "Opened ports ",join(" ", @added),"\n"; - - # Apply, if live - $ex = 1; - if (!$no_apply && $livefilter && @{$livefilter->{'rules'}}) { - $err = &apply_configuration(); - if ($err) { - print "Failed to apply configuration : $err\n"; - $ex = 4; - } - else { - print "Applied configuration successfully\n"; - } - } - &webmin_log("openports", undef, undef, { 'ports' => \@added }); - exit($ex); - } -else { - print STDERR "All ports are already open\n"; - exit(0); - } diff --git a/firewall6/open-ports.pl b/firewall6/open-ports.pl new file mode 120000 index 000000000..b3706296f --- /dev/null +++ b/firewall6/open-ports.pl @@ -0,0 +1 @@ +../firewall/open-ports.pl \ No newline at end of file
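Review bot: Replacing `firewall6/open-ports.pl` with a symlink means the shared script must now work under both module names, but the deleted copy hard-codes `require './firewall6-lib.pl'` and exits with status 5 unless `$module_name` is `'firewall'`, and the `firewall/` version presumably carries the same check with `'firewall'` and `./firewall-lib.pl`; run from `firewall6/` it would then either fail the require (no `firewall-lib.pl` link is added in this diff) or refuse with "Command must be run with full path". The `install_check.pl` symlink has the same dependency, since its deleted copy does `do 'firewall6-lib.pl'`. The module-name check should accept both modules, `if ($module_name ne 'firewall' && $module_name ne 'firewall6') {`, and the library name should follow `$module_name` or a `firewall-lib.pl` link must exist in `firewall6/`. Note that the deleted firewall6 copy already compared against `'firewall'`, so it would have exited 5 under firewall6 as well.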