Updated dependencies

This commit is contained in:
Quentin McGaw
2020-04-19 18:13:48 +00:00
parent cbd11bfdf2
commit e805d42197
21 changed files with 140 additions and 108 deletions


@@ -1,6 +1,7 @@
package firewall
import (
"context"
"net"
"github.com/qdm12/golibs/command"
@@ -10,15 +11,15 @@ import (
// Configurator allows to change firewall rules and modify network routes
type Configurator interface {
Version() (string, error)
AcceptAll() error
Clear() error
BlockAll() error
CreateGeneralRules() error
CreateVPNRules(dev models.VPNDevice, defaultInterface string, connections []models.OpenVPNConnection) error
CreateLocalSubnetsRules(subnet net.IPNet, extraSubnets []net.IPNet, defaultInterface string) error
AllowInputTrafficOnPort(device models.VPNDevice, port uint16) error
AllowAnyIncomingOnPort(port uint16) error
Version(ctx context.Context) (string, error)
AcceptAll(ctx context.Context) error
Clear(ctx context.Context) error
BlockAll(ctx context.Context) error
CreateGeneralRules(ctx context.Context) error
CreateVPNRules(ctx context.Context, dev models.VPNDevice, defaultInterface string, connections []models.OpenVPNConnection) error
CreateLocalSubnetsRules(ctx context.Context, subnet net.IPNet, extraSubnets []net.IPNet, defaultInterface string) error
AllowInputTrafficOnPort(ctx context.Context, device models.VPNDevice, port uint16) error
AllowAnyIncomingOnPort(ctx context.Context, port uint16) error
}
type configurator struct {


@@ -1,6 +1,7 @@
package firewall
import (
"context"
"fmt"
"net"
"strings"
@@ -9,8 +10,8 @@ import (
)
// Version obtains the version of the installed iptables
func (c *configurator) Version() (string, error) {
output, err := c.commander.Run("iptables", "--version")
func (c *configurator) Version(ctx context.Context) (string, error) {
output, err := c.commander.Run(ctx, "iptables", "--version")
if err != nil {
return "", err
}
@@ -21,26 +22,26 @@ func (c *configurator) Version() (string, error) {
return words[1], nil
}
func (c *configurator) runIptablesInstructions(instructions []string) error {
func (c *configurator) runIptablesInstructions(ctx context.Context, instructions []string) error {
for _, instruction := range instructions {
if err := c.runIptablesInstruction(instruction); err != nil {
if err := c.runIptablesInstruction(ctx, instruction); err != nil {
return err
}
}
return nil
}
func (c *configurator) runIptablesInstruction(instruction string) error {
func (c *configurator) runIptablesInstruction(ctx context.Context, instruction string) error {
flags := strings.Fields(instruction)
if output, err := c.commander.Run("iptables", flags...); err != nil {
if output, err := c.commander.Run(ctx, "iptables", flags...); err != nil {
return fmt.Errorf("failed executing %q: %s: %w", instruction, output, err)
}
return nil
}
func (c *configurator) Clear() error {
func (c *configurator) Clear(ctx context.Context) error {
c.logger.Info("clearing all rules")
return c.runIptablesInstructions([]string{
return c.runIptablesInstructions(ctx, []string{
"--flush",
"--delete-chain",
"-t nat --flush",
@@ -48,18 +49,18 @@ func (c *configurator) Clear() error {
})
}
func (c *configurator) AcceptAll() error {
func (c *configurator) AcceptAll(ctx context.Context) error {
c.logger.Info("accepting all traffic")
return c.runIptablesInstructions([]string{
return c.runIptablesInstructions(ctx, []string{
"-P INPUT ACCEPT",
"-P OUTPUT ACCEPT",
"-P FORWARD ACCEPT",
})
}
func (c *configurator) BlockAll() error {
func (c *configurator) BlockAll(ctx context.Context) error {
c.logger.Info("blocking all traffic")
return c.runIptablesInstructions([]string{
return c.runIptablesInstructions(ctx, []string{
"-P INPUT DROP",
"-F OUTPUT",
"-P OUTPUT DROP",
@@ -67,9 +68,9 @@ func (c *configurator) BlockAll() error {
})
}
func (c *configurator) CreateGeneralRules() error {
func (c *configurator) CreateGeneralRules(ctx context.Context) error {
c.logger.Info("creating general rules")
return c.runIptablesInstructions([]string{
return c.runIptablesInstructions(ctx, []string{
"-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
"-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
"-A OUTPUT -o lo -j ACCEPT",
@@ -77,26 +78,26 @@ func (c *configurator) CreateGeneralRules() error {
})
}
func (c *configurator) CreateVPNRules(dev models.VPNDevice, defaultInterface string, connections []models.OpenVPNConnection) error {
func (c *configurator) CreateVPNRules(ctx context.Context, dev models.VPNDevice, defaultInterface string, connections []models.OpenVPNConnection) error {
for _, connection := range connections {
c.logger.Info("allowing output traffic to VPN server %s through %s on port %s %d",
connection.IP, defaultInterface, connection.Protocol, connection.Port)
if err := c.runIptablesInstruction(
if err := c.runIptablesInstruction(ctx,
fmt.Sprintf("-A OUTPUT -d %s -o %s -p %s -m %s --dport %d -j ACCEPT",
connection.IP, defaultInterface, connection.Protocol, connection.Protocol, connection.Port)); err != nil {
return err
}
}
if err := c.runIptablesInstruction(fmt.Sprintf("-A OUTPUT -o %s -j ACCEPT", dev)); err != nil {
if err := c.runIptablesInstruction(ctx, fmt.Sprintf("-A OUTPUT -o %s -j ACCEPT", dev)); err != nil {
return err
}
return nil
}
func (c *configurator) CreateLocalSubnetsRules(subnet net.IPNet, extraSubnets []net.IPNet, defaultInterface string) error {
func (c *configurator) CreateLocalSubnetsRules(ctx context.Context, subnet net.IPNet, extraSubnets []net.IPNet, defaultInterface string) error {
subnetStr := subnet.String()
c.logger.Info("accepting input and output traffic for %s", subnetStr)
if err := c.runIptablesInstructions([]string{
if err := c.runIptablesInstructions(ctx, []string{
fmt.Sprintf("-A INPUT -s %s -d %s -j ACCEPT", subnetStr, subnetStr),
fmt.Sprintf("-A OUTPUT -s %s -d %s -j ACCEPT", subnetStr, subnetStr),
}); err != nil {
@@ -105,13 +106,13 @@ func (c *configurator) CreateLocalSubnetsRules(subnet net.IPNet, extraSubnets []
for _, extraSubnet := range extraSubnets {
extraSubnetStr := extraSubnet.String()
c.logger.Info("accepting input traffic through %s from %s to %s", defaultInterface, extraSubnetStr, subnetStr)
if err := c.runIptablesInstruction(
if err := c.runIptablesInstruction(ctx,
fmt.Sprintf("-A INPUT -i %s -s %s -d %s -j ACCEPT", defaultInterface, extraSubnetStr, subnetStr)); err != nil {
return err
}
// Thanks to @npawelek
c.logger.Info("accepting output traffic through %s from %s to %s", defaultInterface, subnetStr, extraSubnetStr)
if err := c.runIptablesInstruction(
if err := c.runIptablesInstruction(ctx,
fmt.Sprintf("-A OUTPUT -o %s -s %s -d %s -j ACCEPT", defaultInterface, subnetStr, extraSubnetStr)); err != nil {
return err
}
@@ -120,17 +121,17 @@ func (c *configurator) CreateLocalSubnetsRules(subnet net.IPNet, extraSubnets []
}
// Used for port forwarding
func (c *configurator) AllowInputTrafficOnPort(device models.VPNDevice, port uint16) error {
func (c *configurator) AllowInputTrafficOnPort(ctx context.Context, device models.VPNDevice, port uint16) error {
c.logger.Info("accepting input traffic through %s on port %d", device, port)
return c.runIptablesInstructions([]string{
return c.runIptablesInstructions(ctx, []string{
fmt.Sprintf("-A INPUT -i %s -p tcp --dport %d -j ACCEPT", device, port),
fmt.Sprintf("-A INPUT -i %s -p udp --dport %d -j ACCEPT", device, port),
})
}
func (c *configurator) AllowAnyIncomingOnPort(port uint16) error {
func (c *configurator) AllowAnyIncomingOnPort(ctx context.Context, port uint16) error {
c.logger.Info("accepting any input traffic on port %d", port)
return c.runIptablesInstructions([]string{
return c.runIptablesInstructions(ctx, []string{
fmt.Sprintf("-A INPUT -p tcp --dport %d -j ACCEPT", port),
fmt.Sprintf("-A INPUT -p udp --dport %d -j ACCEPT", port),
})