feat: improve iptables firewall

Author: HynoR

agent/app/service/iptables_filter.go

@@ -145,7 +145,7 @@ func (s *IptablesFilterService) AddRule(req dto.IptablesFilterRuleOperate) error
 	if (req.Action == "DROP" || req.Action == "REJECT") &&
 		req.Protocol == "" && req.SourceIP == "" && req.DestIP == "" &&
 		req.SourcePort == 0 && req.DestPort == 0 {
-		return fmt.Errorf("不允许添加无条件 %s 规则，这会锁定系统", req.Action)
+		return fmt.Errorf("Iptables Rule Security Check: unconditional %s rules are not allowed, this may lock you out of the system", req.Action)
 	}
 
 	ctx := context.Background()
@@ -298,7 +298,7 @@ func (s *IptablesFilterService) ApplyFirewall() error {
 			if (p.Action == "DROP" || p.Action == "REJECT") &&
 				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
 				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("链 %s 包含无条件 %s 规则，不允许应用", Chain1PanelInput, p.Action)
+				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", Chain1PanelInput, p.Action)
 			}
 			item = item.Next()
 		}
@@ -312,59 +312,21 @@ func (s *IptablesFilterService) ApplyFirewall() error {
 			if (p.Action == "DROP" || p.Action == "REJECT") &&
 				p.Protocol == "" && p.SourceIP == "" && p.DestIP == "" &&
 				p.SrcPort == 0 && p.DstPort == 0 {
-				return fmt.Errorf("链 %s 包含无条件 %s 规则，不允许应用", Chain1PanelOutput, p.Action)
+				return fmt.Errorf("Chain %s includes unconditional %s rule, not allowed to apply", Chain1PanelOutput, p.Action)
 			}
 			item = item.Next()
 		}
 	}
 
-	// 检查 INPUT 链是否已有跳转规则
-	inputChains, _ := s.iptablesClient.ReadFilter([]string{ChainInput})
-	hasInputRule := false
-	if inputChain, ok := inputChains[ChainInput]; ok {
-		item := inputChain.FirstRule
-		for item != nil {
-			if item.P.Action == Chain1PanelInput {
-				hasInputRule = true
-				break
-			}
-			item = item.Next()
-		}
-	}
-
-	// 应用到 INPUT 链
-	if !hasInputRule {
-		if err := s.iptablesClient.Run(client.FilterTab, fmt.Sprintf("-I %s 1 -j %s", ChainInput, Chain1PanelInput)); err != nil {
-			return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
-		}
-		global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
-	} else {
-		global.LOG.Infof("%s already applied to %s chain", Chain1PanelInput, ChainInput)
+	if err := s.iptablesClient.Setup1PanelFirewallChains("input"); err != nil {
+		return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
 	}
+	global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
 
-	// 检查 OUTPUT 链是否已有跳转规则
-	outputChains, _ := s.iptablesClient.ReadFilter([]string{ChainOutput})
-	hasOutputRule := false
-	if outputChain, ok := outputChains[ChainOutput]; ok {
-		item := outputChain.FirstRule
-		for item != nil {
-			if item.P.Action == Chain1PanelOutput {
-				hasOutputRule = true
-				break
-			}
-			item = item.Next()
-		}
-	}
-
-	// 应用到 OUTPUT 链
-	if !hasOutputRule {
-		if err := s.iptablesClient.Run(client.FilterTab, fmt.Sprintf("-I %s 1 -j %s", ChainOutput, Chain1PanelOutput)); err != nil {
-			return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelOutput, ChainOutput, err)
-		}
-		global.LOG.Infof("Applied %s to %s chain", Chain1PanelOutput, ChainOutput)
-	} else {
-		global.LOG.Infof("%s already applied to %s chain", Chain1PanelOutput, ChainOutput)
+	if err := s.iptablesClient.Setup1PanelFirewallChains("output"); err != nil {
+		return fmt.Errorf("failed to apply %s to %s: %w", Chain1PanelInput, ChainInput, err)
 	}
+	global.LOG.Infof("Applied %s to %s chain", Chain1PanelInput, ChainInput)
 
 	return nil
 }

agent/utils/firewall/client/iptables.go

@@ -12,9 +12,13 @@ import (
 )
 
 const (
-	PreRoutingChain  = "1PANEL_PREROUTING"
-	PostRoutingChain = "1PANEL_POSTROUTING"
-	ForwardChain     = "1PANEL_FORWARD"
+	PreRoutingChain   = "1PANEL_PREROUTING"
+	PostRoutingChain  = "1PANEL_POSTROUTING"
+	ForwardChain      = "1PANEL_FORWARD"
+	ChainInput        = "INPUT"
+	ChainOutput       = "OUTPUT"
+	Chain1PanelInput  = "1PANEL_INPUT"
+	Chain1PanelOutput = "1PANEL_OUTPUT"
 )
 
 const (
@@ -432,3 +436,57 @@ func (iptables *Iptables) DeletePolicy(chain string, policy IptablesPolicy) erro
 
 	return iptables.run(FilterTab, iptablesArg)
 }
+
+// CheckPolicyExists 检查策略是否存在
+func (iptables *Iptables) CheckPolicyExists(chain string, policyStr string) bool {
+	err := iptables.run(FilterTab, fmt.Sprintf("-C %s %s", chain, policyStr))
+	if err != nil {
+		return false
+	}
+	return true
+}
+
+const (
+	establishedRule = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+	ioRuleIn        = "-i lo -j ACCEPT"
+	ioRuleOut       = "-o lo -j ACCEPT"
+)
+
+func (iptables *Iptables) setupEstablishedRules(direction string) {
+	if direction == "input" {
+		if !iptables.CheckPolicyExists("INPUT", ioRuleIn) {
+			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 1 %s", ioRuleIn))
+		}
+
+		if !iptables.CheckPolicyExists("INPUT", establishedRule) {
+			iptables.run(FilterTab, fmt.Sprintf("-I INPUT 2 %s", establishedRule))
+		}
+	}
+
+	if direction == "output" {
+		if !iptables.CheckPolicyExists("OUTPUT", ioRuleOut) {
+			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 1 %s", ioRuleOut))
+		}
+		if !iptables.CheckPolicyExists("OUTPUT", establishedRule) {
+			iptables.run(FilterTab, fmt.Sprintf("-I OUTPUT 2 %s", establishedRule))
+		}
+	}
+}
+
+func (iptables *Iptables) Setup1PanelFirewallChains(direction string) error {
+	iptables.setupEstablishedRules(direction)
+	if direction == "input" {
+		if !iptables.CheckPolicyExists(ChainInput, fmt.Sprintf("-j %s", Chain1PanelInput)) {
+			if err := iptables.run(FilterTab, fmt.Sprintf("-I %s 3 -j %s", ChainInput, Chain1PanelInput)); err != nil {
+				return err
+			}
+		}
+	} else if direction == "output" {
+		if !iptables.CheckPolicyExists(ChainOutput, fmt.Sprintf("-j %s", Chain1PanelOutput)) {
+			if err := iptables.run(FilterTab, fmt.Sprintf("-I %s 3 -j %s", ChainOutput, Chain1PanelOutput)); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}

frontend/src/lang/modules/en.ts

@@ -2868,6 +2868,9 @@ const message = {
         changeStrategyHelper:
             'Change [{1}] {0} strategy to [{2}]. After setting, {0} will access {2} externally. Do you want to continue?',
         portHelper: 'Multiple ports can be entered, e.g. 80,81, or range ports, e.g. 80-88',
+        allPorts: 'All Ports',
+        ruleTemplate: 'Rule template',
+
         strategy: 'Strategy',
         accept: 'Accept',
         drop: 'Drop',
@@ -2888,6 +2891,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent filter',
         sourcePort: 'Source port',
+        inboundDirection: 'Inbound',
+        outboundDirection: 'Outbound',
         targetIP: 'Destination IP',
         targetPort: 'Destination port',
         forwardHelper1: 'If you want to forward to the local port, the destination IP should be set to "127.0.0.1".',

frontend/src/lang/modules/es-es.ts

@@ -2839,6 +2839,9 @@ const message = {
         changeStrategyHelper:
             'Cambiar estrategia de {0} [{1}] a [{2}]. Después de configurarla, {0} tendrá acceso externo como {2}. ¿Deseas continuar?',
         portHelper: 'Se pueden ingresar múltiples puertos, ej. 80,81, o rangos, ej. 80-88',
+        allPorts: 'Todos los puertos',
+        ruleTemplate: 'Plantilla de regla',
+
         strategy: 'Estrategia',
         accept: 'Aceptar',
         drop: 'Rechazar',
@@ -2859,6 +2862,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Filtro User-Agent',
         sourcePort: 'Puerto de origen',
+        inboundDirection: 'Entrada',
+        outboundDirection: 'Salida',
         targetIP: 'IP de destino',
         targetPort: 'Puerto de destino',
         forwardHelper1: 'Si quieres reenviar al puerto local, la IP de destino debe ser "127.0.0.1".',

frontend/src/lang/modules/ja.ts

@@ -2785,6 +2785,9 @@ const message = {
         changeStrategyHelper:
             '[{1}] {0}戦略を[{2}]に変更します。設定後、{0}は外部から{2}にアクセスします。続けたいですか？',
         portHelper: '複数のポートを入力できます。80,81、または範囲ポート、例えば80-88',
+        allPorts: 'すべてのポート',
+        ruleTemplate: 'ルールテンプレート',
+
         strategy: '戦略',
         accept: '受け入れる',
         drop: '落とす',
@@ -2805,6 +2808,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.iprule',
         userAgent: 'ユーザーエージェントフィルター',
         sourcePort: 'ソースポート',
+        inboundDirection: '受信方向',
+        outboundDirection: '送信方向',
         targetIP: '宛先IP',
         targetPort: '宛先ポート',
         forwardHelper1: 'ローカルポートに転送する場合は、宛先IPを「127.0.0.1」に設定する必要があります。',

frontend/src/lang/modules/ko.ts

@@ -2735,6 +2735,9 @@ const message = {
         changeStrategyHelper:
             '[{1}] {0} 전략을 [{2}]로 변경합니다. 설정 후 {0}은(는) {2}로 외부 접근을 허용합니다. 계속하시겠습니까?',
         portHelper: '여러 포트를 입력할 수 있습니다. 예: 80, 81 또는 포트 범위, 예: 80-88',
+        allPorts: '모든 포트',
+        ruleTemplate: '규칙 템플릿',
+
         strategy: '전략',
         accept: '허용',
         drop: '차단',
@@ -2755,6 +2758,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'User-Agent 필터',
         sourcePort: '소스 포트',
+        inboundDirection: '인바운드',
+        outboundDirection: '아웃바운드',
         targetIP: '대상 IP',
         targetPort: '대상 포트',
         forwardHelper1: "로컬 포트로 전달하려면, 대상 IP 를 '127.0.0.1'로 설정해야 합니다.",

frontend/src/lang/modules/ms.ts

@@ -2850,6 +2850,9 @@ const message = {
         changeStrategyHelper:
             'Tukar strategi {0} [{1}] kepada [{2}]. Selepas tetapan, {0} akan mengakses {2} secara luaran. Adakah anda mahu meneruskan?',
         portHelper: 'Pelbagai port boleh dimasukkan, contohnya 80,81, atau rentang port, contohnya 80-88',
+        allPorts: 'Semua port',
+        ruleTemplate: 'Templat peraturan',
+
         strategy: 'Strategi',
         accept: 'Terima',
         drop: 'Lumpuhkan',
@@ -2870,6 +2873,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Penapis User-Agent',
         sourcePort: 'Port sumber',
+        inboundDirection: 'Masuk',
+        outboundDirection: 'Keluar',
         targetIP: 'IP sasaran',
         targetPort: 'Port sasaran',
         forwardHelper1: 'Jika anda ingin memajukan ke port tempatan, IP sasaran harus ditetapkan kepada "127.0.0.1".',

frontend/src/lang/modules/pt-br.ts

@@ -2853,6 +2853,9 @@ const message = {
         changeStrategyHelper:
             'Alterar a estratégia [{1}] {0} para [{2}]. Após a definição, {0} acessará {2} externamente. Deseja continuar?',
         portHelper: 'Várias portas podem ser inseridas, ex.: 80,81, ou faixas de portas, ex.: 80-88',
+        allPorts: 'Todas as portas',
+        ruleTemplate: 'Modelo de regra',
+
         strategy: 'Estratégia',
         accept: 'Aceitar',
         drop: 'Bloquear',
@@ -2873,6 +2876,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Filtro User-Agent',
         sourcePort: 'Porta de origem',
+        inboundDirection: 'Entrada',
+        outboundDirection: 'Saída',
         targetIP: 'IP de destino',
         targetPort: 'Porta de destino',
         forwardHelper1:

frontend/src/lang/modules/ru.ts

@@ -2849,6 +2849,9 @@ const message = {
         changeStrategyHelper:
             'Изменить стратегию {0} [{1}] на [{2}]. После установки {0} будет иметь внешний доступ {2}. Хотите продолжить?',
         portHelper: 'Можно ввести несколько портов, например 80,81, или диапазон портов, например 80-88',
+        allPorts: 'Все порты',
+        ruleTemplate: 'Шаблон правила',
+
         strategy: 'Стратегия',
         accept: 'Принять',
         drop: 'Отбросить',
@@ -2869,6 +2872,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Фильтр User-Agent',
         sourcePort: 'Исходный порт',
+        inboundDirection: 'Входящий',
+        outboundDirection: 'Исходящий',
         targetIP: 'Целевой IP',
         targetPort: 'Целевой порт',
         forwardHelper1:

frontend/src/lang/modules/tr.ts

@@ -2907,6 +2907,8 @@ const message = {
         changeStrategyHelper:
             '[{1}] {0} stratejisini [{2}] olarak değiştirin. Ayar yapıldıktan sonra {0}, dışarıdan {2} erişimi sağlayacak. Devam etmek istiyor musunuz?',
         portHelper: 'Birden fazla port girilebilir, ör. 80,81 veya aralık portları, ör. 80-88',
+        allPorts: 'Tüm portlar',
+        ruleTemplate: 'Kural şablonu',
         strategy: 'Strateji',
         accept: 'Kabul Et',
         drop: 'Reddet',
@@ -2927,6 +2929,8 @@ const message = {
         createIpRule: '@:commons.button.create @:firewall.ipRule',
         userAgent: 'Kullanıcı-Aracısı filtresi',
         sourcePort: 'Kaynak port',
+        inboundDirection: 'Gelen',
+        outboundDirection: 'Giden',
         targetIP: 'Hedef IP',
         targetPort: 'Hedef port',
         forwardHelper1: 'Yerel porta yönlendirmek istiyorsanız, hedef IP "127.0.0.1" olarak ayarlanmalıdır.',