diff --git a/agent/app/service/firewall.go b/agent/app/service/firewall.go
index a5526dff7617..bb36d6d10013 100644
--- a/agent/app/service/firewall.go
+++ b/agent/app/service/firewall.go
@@ -68,7 +68,7 @@ func (u *FirewallService) LoadBaseInfo(tab string) (dto.FirewallBaseInfo, error)
 go func() {
 defer wg.Done()
 baseInfo.IsActive, _ = client.Status()
- baseInfo.IsInit, baseInfo.IsBind = loadInitStatus(baseInfo.Name, tab)
+ baseInfo.IsInit, baseInfo.IsBind = iptables.LoadInitStatus(baseInfo.Name, tab)
 }()
 wg.Wait()
 return baseInfo, nil
@@ -826,96 +826,3 @@ func checkPortUsed(ports, proto string, apps []portOfApp) string {
 }
 return ""
 }
-
-func loadInitStatus(clientName, tab string) (bool, bool) {
- if clientName == "firewalld" {
- return true, true
- }
- if clientName == "ufw" && tab != "forward" {
- return true, true
- }
- switch tab {
- case "base":
- if isExist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore); !isExist {
- return false, false
- }
- if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.IoRuleIn); !exist {
- return false, false
- }
- if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicBefore, iptables.EstablishedRule); !exist {
- return false, false
- }
- if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasic); !exist {
- return false, false
- }
- if exist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter); !exist {
- return false, false
- }
- if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.DropAllTcp); !exist {
- return false, false
- }
- if exist := iptables.CheckRuleExist(iptables.FilterTab, iptables.Chain1PanelBasicAfter, iptables.DropAllUdp); !exist {
- return false, false
- }
- if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicBefore); !bind {
- return true, false
- }
- if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasic); !bind {
- return true, false
- }
- if bind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelBasicAfter); !bind {
- return true, false
- }
- return true, true
- case "advance":
- isExist, _ := iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelInput)
- if !isExist {
- return false, false
- }
- isExist, _ = iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelOutput)
- if !isExist {
- return false, false
- }
-
- isBind, _ := iptables.CheckChainBind(iptables.FilterTab, iptables.ChainInput, iptables.Chain1PanelInput)
- if !isBind {
- return true, false
- }
- isBind, _ = iptables.CheckChainBind(iptables.FilterTab, iptables.ChainOutput, iptables.Chain1PanelOutput)
- return true, isBind
- case "forward":
- stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
- if err != nil {
- global.LOG.Errorf("check /proc/sys/net/ipv4/ip_forward failed, err: %v", err)
- return false, false
- }
- if strings.TrimSpace(stdout) == "0" {
- return false, false
- }
-
- exist, _ := iptables.CheckChainExist(iptables.NatTab, iptables.Chain1PanelPreRouting)
- if !exist {
- return false, false
- }
- exist, _ = iptables.CheckChainExist(iptables.NatTab, iptables.Chain1PanelPostRouting)
- if !exist {
- return false, false
- }
- exist, _ = iptables.CheckChainExist(iptables.FilterTab, iptables.Chain1PanelForward)
- if !exist {
- return false, false
- }
- isBind, _ := iptables.CheckChainBind(iptables.NatTab, "PREROUTING", iptables.Chain1PanelPreRouting)
- if !isBind {
- return false, false
- }
- isBind, _ = iptables.CheckChainBind(iptables.NatTab, "POSTROUTING", iptables.Chain1PanelPostRouting)
- if !isBind {
- return false, false
- }
- isBind, _ = iptables.CheckChainBind(iptables.FilterTab, "FORWARD", iptables.Chain1PanelForward)
- return true, isBind
- default:
- return false, false
- }
-}
diff --git a/agent/server/server.go b/agent/server/server.go
index 8201b4c19088..66d395fee1c3 100644
--- a/agent/server/server.go
+++ b/agent/server/server.go
@@ -42,11 +42,11 @@ func Start() {
 i18n.Init()
 cache.Init()
 app.Init()
- firewall.Init()
 lang.Init()
 validator.Init()
 cron.Run()
 hook.Init()
+ go firewall.Init()
 InitOthers()
 
 rootRouter := router.Routers()
diff --git a/agent/utils/firewall/client/iptables/common.go b/agent/utils/firewall/client/iptables/common.go
index 225dbb84aecf..7fb33c89de60 100644
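Review bot: `go firewall.Init()` detaches firewall initialization from startup with no completion signal and no panic recovery, so a panic inside Init now terminates the agent from a background goroutine instead of surfacing in Start, and anything in InitOthers or a request handler that calls iptables.LoadInitStatus can observe a half-built chain set while Init is still running. Presumably the goroutine is there so slow iptables invocations do not delay the listener; if so, a short comment stating that would help, and the call should be wrapped so a panic is logged rather than fatal (the sketch below assumes server.go has global.LOG in scope as filter.go does; otherwise use its existing logger). Whether firewall.Init returns an error is not visible here; if it does, that result is now dropped and should be logged in the same wrapper.
```go
	// firewall.Init is run in the background so startup is not blocked on it.
	go func() {
		defer func() {
			if r := recover(); r != nil {
				global.LOG.Errorf("firewall init panicked: %v", r)
			}
		}()
		firewall.Init()
	}()
```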
--- a/agent/utils/firewall/client/iptables/common.go
+++ b/agent/utils/firewall/client/iptables/common.go
@@ -24,7 +24,7 @@ const (
 )
 
 const (
- EstablishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"
+ EstablishedRule = "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'ESTABLISHED Whitelist'"
 IoRuleIn = "-i lo -j ACCEPT -m comment --comment 'Loopback Whitelist'"
 DropAllTcp = "-p tcp -j DROP"
 DropAllUdp = "-p udp -j DROP"
diff --git a/agent/utils/firewall/client/iptables/filter.go b/agent/utils/firewall/client/iptables/filter.go
index 3b4e6d3fba6d..4a40bc7d7f98 100644
--- a/agent/utils/firewall/client/iptables/filter.go
+++ b/agent/utils/firewall/client/iptables/filter.go
@@ -5,6 +5,7 @@ import (
 "strings"
 "time"
 
+ "github.com/1Panel-dev/1Panel/agent/global"
 "github.com/1Panel-dev/1Panel/agent/utils/cmd"
 )
 
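Review bot: The reordering of `--ctstate` to `RELATED,ESTABLISHED` is load-bearing but undocumented: this constant is now compared verbatim against `iptables -S` output in LoadInitStatus, and matching that output appears to be why the order changed, so a future edit that "tidies" it back would silently make the base tab report not-initialized. Add a comment on the constant such as `// Keep the ctstate order exactly as iptables -S prints it; LoadInitStatus matches this string against the live ruleset.` Rules already installed with the old text are unaffected only if iptables prints the states in a fixed order regardless of how they were given, which is worth confirming on the iptables versions the agent supports.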
@@ -117,6 +118,120 @@ func LoadDefaultStrategy(chain string) (string, error) {
 return ACCEPT, nil
 }
 
+func LoadInitStatus(clientName, tab string) (bool, bool) {
+ if clientName == "firewalld" {
+ return true, true
+ }
+ if clientName == "ufw" && tab != "forward" {
+ return true, true
+ }
+ switch tab {
+ case "base":
+ filterRules, err := RunWithStd(FilterTab, "-S")
+ if err != nil {
+ return false, false
+ }
+ lines := strings.Split(filterRules, "\n")
+ initRules := []string{
+ "-N " + Chain1PanelBasicBefore,
+ "-N " + Chain1PanelBasic,
+ "-N " + Chain1PanelBasicAfter,
+ fmt.Sprintf("-A %s %s -j ACCEPT", Chain1PanelBasicBefore, strings.ReplaceAll(strings.ReplaceAll(IoRuleIn, "'", "\""), " -j ACCEPT", "")),
+ fmt.Sprintf("-A %s %s -j ACCEPT", Chain1PanelBasicBefore, strings.ReplaceAll(strings.ReplaceAll(EstablishedRule, "'", "\""), " -j ACCEPT", "")),
+ fmt.Sprintf("-A %s %s", Chain1PanelBasicAfter, DropAllTcp),
+ fmt.Sprintf("-A %s %s", Chain1PanelBasicAfter, DropAllUdp),
+ }
+ bindRules := []string{
+ fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelBasicBefore),
+ fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelBasic),
+ fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelBasicAfter),
+ }
+ return checkWithInitAndBind(initRules, bindRules, lines)
+ case "advance":
+ filterRules, err := RunWithStd(FilterTab, "-S")
+ if err != nil {
+ return false, false
+ }
+ lines := strings.Split(filterRules, "\n")
+ initRules := []string{
+ "-N " + Chain1PanelInput,
+ "-N " + Chain1PanelOutput,
+ }
+ bindRules := []string{
+ fmt.Sprintf("-A %s -j %s", ChainInput, Chain1PanelInput),
+ fmt.Sprintf("-A %s -j %s", ChainOutput, Chain1PanelOutput),
+ }
+ return checkWithInitAndBind(initRules, bindRules, lines)
+ case "forward":
+ stdout, err := cmd.RunDefaultWithStdoutBashC("cat /proc/sys/net/ipv4/ip_forward")
+ if err != nil {
+ global.LOG.Errorf("check /proc/sys/net/ipv4/ip_forward failed, err: %v", err)
+ return false, false
+ }
+ if strings.TrimSpace(stdout) == "0" {
+ return false, false
+ }
+ natRules, err := RunWithStd(NatTab, "-S")
+ if err != nil {
+ return false, false
+ }
+ lines := strings.Split(natRules, "\n")
+ initRules := []string{
+ "-N " + Chain1PanelPreRouting,
+ "-N " + Chain1PanelPostRouting,
+ }
+ bindRules := []string{
+ fmt.Sprintf("-A PREROUTING -j %s", Chain1PanelPreRouting),
+ fmt.Sprintf("-A POSTROUTING -j %s", Chain1PanelPostRouting),
+ }
+ isNatInit, isNatBind := checkWithInitAndBind(initRules, bindRules, lines)
+ if !isNatInit {
+ return false, false
+ }
+ filterRules, err := RunWithStd(FilterTab, "-S")
+ if err != nil {
+ return false, false
+ }
+ filterLines := strings.Split(filterRules, "\n")
+ filterInitRules := []string{"-N " + Chain1PanelForward}
+ filterBindRules := []string{fmt.Sprintf("-A FORWARD -j %s", Chain1PanelForward)}
+ isFilterInit, isFilterBind := checkWithInitAndBind(filterInitRules, filterBindRules, filterLines)
+ return isNatInit && isFilterInit, isNatBind && isFilterBind
+ default:
+ return false, false
+ }
+}
+
+func checkWithInitAndBind(initRules, bindRules []string, lines []string) (bool, bool) {
+ for _, rule := range initRules {
+ found := false
+ for _, line := range lines {
+ if strings.TrimSpace(line) == strings.TrimSpace(rule) {
+ found = true
+ break
+ }
+ }
+ if !found {
+ global.LOG.Debugf("not found init rule: %s", rule)
+ return false, false
+ }
+ }
+ for _, rule := range bindRules {
+ found := false
+ for _, line := range lines {
+ if strings.TrimSpace(line) == strings.TrimSpace(rule) {
+ found = true
+ break
+ }
+ }
+ if !found {
+ global.LOG.Debugf("not found bind rule: %s", rule)
+ return true, false
+ }
+ }
+ return true, true
+}
+
 func loadPort(position string, portStr []string) string {
 if len(portStr) < 7 {
 return ""
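Review bot: The three `RunWithStd(..., "-S")` failures in LoadInitStatus return `false, false` without logging, unlike the ip_forward check a few lines above that logs through global.LOG.Errorf, so a transient iptables failure (for example xtables lock contention, which becomes more likely now that firewall.Init runs concurrently with the rest of startup) is indistinguishable from "chains were never created" and may prompt a needless re-initialization; log each one, e.g. `global.LOG.Errorf("load %s rules failed, err: %v", FilterTab, err)` with the matching table name. The exported LoadInitStatus also lacks a doc comment; something like `// LoadInitStatus reports, for the given firewall client and tab, whether the 1Panel chains and rules exist (init) and whether they are hooked into the built-in chains (bind), by matching the expected rule lines exactly against iptables -S output.` would record that the check depends on -S formatting, which is also why the expected -A lines are rebuilt from IoRuleIn and EstablishedRule by quote swapping and moving -j ACCEPT to the end. checkWithInitAndBind rescans and re-trims every line for every rule and duplicates the inner search loop; building a set of trimmed lines once, as below, gives the same result with one pass and a single lookup per rule. The ip_forward read via `cmd.RunDefaultWithStdoutBashC("cat ...")` is carried over from the deleted helper; `os.ReadFile` on the procfs path would avoid spawning a shell for a one-line read.
```go
func checkWithInitAndBind(initRules, bindRules []string, lines []string) (bool, bool) {
	// Index the trimmed -S output once so each expected rule is a single lookup.
	present := make(map[string]struct{}, len(lines))
	for _, line := range lines {
		present[strings.TrimSpace(line)] = struct{}{}
	}
	for _, rule := range initRules {
		if _, ok := present[strings.TrimSpace(rule)]; !ok {
			global.LOG.Debugf("not found init rule: %s", rule)
			return false, false
		}
	}
	for _, rule := range bindRules {
		if _, ok := present[strings.TrimSpace(rule)]; !ok {
			global.LOG.Debugf("not found bind rule: %s", rule)
			return true, false
		}
	}
	return true, true
}
```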