#!/usr/bin/perl # setup.cgi # Create a default nftables ruleset require './nftables-lib.pl'; use strict; use warnings; our (%in, %text, %config); &ReadParse(); if ($in{'action'} eq 'create') { my $type = $in{'type'}; my @tables; if ($type eq 'allow_all') { @tables = &create_allow_all_ruleset(); } elsif ($type eq 'deny_incoming') { @tables = &create_deny_incoming_ruleset(); } elsif ($type eq 'deny_all') { @tables = &create_deny_all_ruleset(); } else { &error($text{'setup_invalid_type'}); } my $error = &save_configuration(@tables); if ($error) { &error(&text('setup_failed', $error)); } $error = &apply_restore(); if ($error) { &error(&text('setup_failed', $error)); } &webmin_log("setup", "create", $type); &redirect("index.cgi"); } &ui_print_header(undef, $text{'setup_title'}, "", "intro", 1, 1); print "

$text{'setup_header'}

"; my $webmin_port = &get_webmin_port(); print "

$text{'setup_desc'}

"; print "

",&text('setup_deny_note', $webmin_port),"

"; print &ui_form_start("setup.cgi"); print &ui_hidden("action", "create"); my @type_opts = ( [ 'allow_all', $text{'setup_allow_all'} . "
" ], [ 'deny_incoming', $text{'setup_deny_incoming'} . "
" ], [ 'deny_all', $text{'setup_deny_all'} ], ); print &ui_radio("type", "allow_all", \@type_opts); print &ui_form_end([ [ undef, $text{'setup_create'} ] ]); sub create_allow_all_ruleset { my @tables; my $table = { 'name' => 'inet_filter', 'family' => 'inet', 'rules' => [], 'chains' => { 'input' => { 'type' => 'filter', 'hook' => 'input', 'priority' => 0, 'policy' => 'accept' }, 'forward' => { 'type' => 'filter', 'hook' => 'forward', 'priority' => 0, 'policy' => 'accept' }, 'output' => { 'type' => 'filter', 'hook' => 'output', 'priority' => 0, 'policy' => 'accept' } } }; push(@tables, $table); return @tables; } sub create_deny_incoming_ruleset { my @tables; my $webmin_port = &get_webmin_port(); my $table = { 'name' => 'inet_filter', 'family' => 'inet', 'rules' => [ { 'text' => 'ct state established,related accept', 'chain' => 'input' }, { 'text' => 'iif "lo" accept', 'chain' => 'input' }, { 'text' => 'tcp dport 22 accept', 'chain' => 'input' }, { 'text' => "tcp dport $webmin_port accept", 'chain' => 'input' } ], 'chains' => { 'input' => { 'type' => 'filter', 'hook' => 'input', 'priority' => 0, 'policy' => 'drop' }, 'forward' => { 'type' => 'filter', 'hook' => 'forward', 'priority' => 0, 'policy' => 'accept' }, 'output' => { 'type' => 'filter', 'hook' => 'output', 'priority' => 0, 'policy' => 'accept' } } }; push(@tables, $table); return @tables; } sub create_deny_all_ruleset { my @tables; my $webmin_port = &get_webmin_port(); my $table = { 'name' => 'inet_filter', 'family' => 'inet', 'rules' => [], 'chains' => { 'input' => { 'type' => 'filter', 'hook' => 'input', 'priority' => 0, 'policy' => 'drop' }, 'forward' => { 'type' => 'filter', 'hook' => 'forward', 'priority' => 0, 'policy' => 'drop' }, 'output' => { 'type' => 'filter', 'hook' => 'output', 'priority' => 0, 'policy' => 'drop' } } }; $table->{'rules'} = [ { 'text' => 'ct state established,related accept', 'chain' => 'output' }, { 'text' => 'iif "lo" accept', 'chain' => 'input' }, { 'text' => 'oif "lo" accept', 'chain' => 'output' }, { 'text' => 'tcp dport 22 accept', 'chain' => 'input' }, { 'text' => "tcp dport $webmin_port accept", 'chain' => 'input' } ]; push(@tables, $table); return @tables; } &ui_print_footer("/", $text{'index'});