mirror/eduardogsilva.wireguard_webadmin
1
1
Fork 0
mirror of https://github.com/eduardogsilva/wireguard_webadmin.git synced 2025-08-03 09:44:26 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Legacy firewall migrate routines and export fw rules.

Browse source
This commit is contained in:
Eduardo Silva 2024-03-04 12:58:33 -03:00
parent de073a4795
commit b6a7cdaac9
14 changed files with 406 additions and 112 deletions
Download patch file Download diff file Expand all files Collapse all files

83
wireguard_tools/views.py
View file

@ -4,6 +4,7 @@ import qrcode
import subprocess
from django.http import HttpResponse
from django.shortcuts import redirect, get_object_or_404, render
from firewall.tools import generate_firewall_header, generate_firewall_footer, generate_port_forward_firewall, export_user_firewall
from user_manager.models import UserAcl
from wireguard.models import WireGuardInstance, Peer, PeerAllowedIP
from firewall.models import RedirectRule
@ -46,6 +47,19 @@ def generate_peer_config(peer_uuid):
]
return "\n".join(config_lines)
def export_firewall_configuration():
firewall_content = generate_firewall_header()
firewall_content += generate_port_forward_firewall()
firewall_content += export_user_firewall()
firewall_content += generate_firewall_footer()
firewall_path = "/etc/wireguard/wg-firewall.sh"
with open(firewall_path, "w") as firewall_file:
firewall_file.write(firewall_content)
subprocess.run(['chmod', '+x', firewall_path], check=True)
return
@login_required
def export_wireguard_configs(request):
if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=30).exists():
@ -53,35 +67,50 @@ def export_wireguard_configs(request):
instances = WireGuardInstance.objects.all()
base_dir = "/etc/wireguard"
export_firewall_configuration()
firewall_inserted = False
for instance in instances:
post_up_processed = clean_command_field(instance.post_up) if instance.post_up else ""
post_down_processed = clean_command_field(instance.post_down) if instance.post_down else ""
if post_up_processed:
post_up_processed += '; '
if post_down_processed:
post_down_processed += '; '
if instance.legacy_firewall:
post_up_processed = clean_command_field(instance.post_up) if instance.post_up else ""
post_down_processed = clean_command_field(instance.post_down) if instance.post_down else ""
if post_up_processed:
post_up_processed += '; '
if post_down_processed:
post_down_processed += '; '
for redirect_rule in RedirectRule.objects.filter(wireguard_instance=instance):
rule_text_up = ""
rule_text_down = ""
rule_destination = redirect_rule.ip_address
if redirect_rule.peer:
peer_allowed_ip_address = PeerAllowedIP.objects.filter(peer=redirect_rule.peer, netmask=32, priority=0).first()
if peer_allowed_ip_address:
rule_destination = peer_allowed_ip_address.allowed_ip
if rule_destination:
rule_text_up = f"iptables -t nat -A PREROUTING -p {redirect_rule.protocol} -d wireguard-webadmin --dport {redirect_rule.port} -j DNAT --to-dest {rule_destination}:{redirect_rule.port} ; "
rule_text_down = f"iptables -t nat -D PREROUTING -p {redirect_rule.protocol} -d wireguard-webadmin --dport {redirect_rule.port} -j DNAT --to-dest {rule_destination}:{redirect_rule.port} ; "
if redirect_rule.add_forward_rule:
rule_text_up += f"iptables -A FORWARD -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j ACCEPT ; "
rule_text_down += f"iptables -D FORWARD -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j ACCEPT ; "
if redirect_rule.masquerade_source:
rule_text_up += f"iptables -t nat -A POSTROUTING -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j MASQUERADE ; "
rule_text_down += f"iptables -t nat -D POSTROUTING -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j MASQUERADE ; "
post_up_processed += rule_text_up
post_down_processed += rule_text_down
pass
else:
post_down_processed = ''
if not firewall_inserted:
post_up_processed = '/etc/wireguard/wg-firewall.sh'
firewall_inserted = True
else:
post_up_processed = ''
for redirect_rule in RedirectRule.objects.filter(wireguard_instance=instance):
rule_text_up = ""
rule_text_down = ""
rule_destination = redirect_rule.ip_address
if redirect_rule.peer:
peer_allowed_ip_address = PeerAllowedIP.objects.filter(peer=redirect_rule.peer, netmask=32, priority=0).first()
if peer_allowed_ip_address:
rule_destination = peer_allowed_ip_address.allowed_ip
if rule_destination:
rule_text_up = f"iptables -t nat -A PREROUTING -p {redirect_rule.protocol} -d wireguard-webadmin --dport {redirect_rule.port} -j DNAT --to-dest {rule_destination}:{redirect_rule.port} ; "
rule_text_down = f"iptables -t nat -D PREROUTING -p {redirect_rule.protocol} -d wireguard-webadmin --dport {redirect_rule.port} -j DNAT --to-dest {rule_destination}:{redirect_rule.port} ; "
if redirect_rule.add_forward_rule:
rule_text_up += f"iptables -A FORWARD -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j ACCEPT ; "
rule_text_down += f"iptables -D FORWARD -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j ACCEPT ; "
if redirect_rule.masquerade_source:
rule_text_up += f"iptables -t nat -A POSTROUTING -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j MASQUERADE ; "
rule_text_down += f"iptables -t nat -D POSTROUTING -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j MASQUERADE ; "
post_up_processed += rule_text_up
post_down_processed += rule_text_down
config_lines = [
"[Interface]",
f"PrivateKey = {instance.private_key}",