Merge pull request hestiacp#1892 from myrevery/fix/firewall-rules

[Bug Fix] Improve generate and loading firewall rules

Author: jaapmarcus

CHANGELOG.md

@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file.
 ### Bugfixes
 
 - Improve the calculated disk size of a new backup estimated by excluding the exclude folders, mail accounts and database in backups (#1616) @Myself5
+- Improve v-update-firewall / v-stop-firewarewall to make it self healing (#1892) @myrevery 
 - Update phpMyAdmin version to 1.5.1 (See https://www.phpmyadmin.net/news/2021/6/4/phpmyadmin-511-released/)
 - Fixed a bug after rebuilding mail with Exim4 and suspended domains (#1886)
 - Fixed "Allowed IP addresses for API" field with strange behaviour #1866

bin/v-stop-firewall

@@ -76,33 +76,28 @@ if [ -d "/etc/sysconfig" ]; then
     fi
 else
     /sbin/iptables-save > /etc/iptables.rules
+    routable="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
+    preup="/etc/network/if-pre-up.d/hestia-iptables"
+    # Recreate the Hestia iptables rules loading script
+    rm -f $routable $preup
     if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
-        preup="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
-        if [ ! -e "$preup" ]; then
-            IFS='%'
-            echo '#!/bin/sh' > $preup
-            echo '' >> $preup
-            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
-            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
-            echo '    sleep 3' >> $preup
-            echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
-            echo 'fi' >> $preup
-            echo "exit 0" >> $preup
-            chmod +x $preup
-        fi
+        echo '#!/bin/sh' > $routable
+        echo '' >> $routable
+        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $routable
+        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $routable
+        echo 'fi' >> $routable
+        echo '' >> $routable
+        echo "exit 0" >> $routable
+        chmod +x $routable
     else
-        preup="/etc/network/if-pre-up.d/hestia-iptables"
-        if [ ! -e "$preup" ]; then
-            IFS='%'
-            echo '#!/bin/sh' > $preup
-            echo '' >> $preup
-            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
-            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
-            echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
-            echo 'fi' >> $preup
-            echo "exit 0" >> $preup
-            chmod +x $preup
-        fi
+        echo '#!/bin/sh' > $preup
+        echo '' >> $preup
+        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
+        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
+        echo 'fi' >> $preup
+        echo '' >> $preup
+        echo "exit 0" >> $preup
+        chmod +x $preup
     fi
 fi
 

bin/v-update-firewall

@@ -18,12 +18,12 @@ modprobe="/sbin/modprobe"
 sysctl="/sbin/sysctl"
 
 # Includes
-# shellcheck source=/usr/local/hestia/func/main.sh
-# shellcheck source=/usr/local/hestia/func/firewall.sh
-# shellcheck source=/usr/local/hestia/conf/hestia.conf
 source /etc/profile.d/hestia.sh
+# shellcheck source=/usr/local/hestia/func/main.sh
 source $HESTIA/func/main.sh
+# shellcheck source=/usr/local/hestia/func/firewall.sh
 source $HESTIA/func/firewall.sh
+# shellcheck source=/usr/local/hestia/conf/hestia.conf
 source $HESTIA/conf/hestia.conf
 
 
@@ -48,13 +48,15 @@ if [ ! -e "$rules" ]; then
     exit
 fi
 
-$sysctl net.netfilter.nf_conntrack_max >/dev/null 2>&1
+# Checking conntrack module avaiabilty
+$modprobe nf_conntrack >/dev/null 2>&1
 if [ $? -ne 0 ]; then
-    conntrack='no'
+    $sysctl net.netfilter.nf_conntrack_max >/dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        conntrack='no'
+    fi
 fi
 
-# Checking conntrack module avaiabilty
-$modprobe nf_conntrack >/dev/null 2>&1
 $modprobe nf_conntrack_ftp >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     conntrack_ftp='no'
@@ -67,7 +69,7 @@ if [[ "$sshport" =~ ^[0-9]+$ ]] && [ "$sshport" -ne "22"  ]; then
 fi
 
 # Load ipset lists before adding Hestia iptables rules
-$BIN/v-update-firewall-ipset
+[ -x "$(which ipset)" ] && $BIN/v-update-firewall-ipset
 
 # Creating temporary file
 tmp=$(mktemp)
@@ -183,33 +185,30 @@ if [ -d "/etc/sysconfig" ]; then
     fi
 else
     /sbin/iptables-save > /etc/iptables.rules
+    routable="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
+    preup="/etc/network/if-pre-up.d/hestia-iptables"
+    # Recreate the Hestia iptables rules loading script
+    rm -f $routable $preup
     if dpkg-query -W -f'${Status}' "netplan*" 2>/dev/null | grep -q "ok installed" && [ -d /etc/netplan ] && [ -n "$(ls -A /etc/netplan 2>/dev/null)" ]; then
-        preup="/usr/lib/networkd-dispatcher/routable.d/10-hestia-iptables"
-        if [ ! -e "$preup" ]; then
-            IFS='%'
-            echo '#!/bin/sh' > $preup
-            echo '' >> $preup
-            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
-            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
-            echo '    sleep 3' >> $preup
-            echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
-            echo 'fi' >> $preup
-            echo "exit 0" >> $preup
-            chmod +x $preup
-        fi
+        echo '#!/bin/sh' > $routable
+        echo '' >> $routable
+        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $routable
+        echo '    [ -x "'$(which ipset)'" ] && '"${HESTIA}/bin/v-update-firewall-ipset" >> $routable
+        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $routable
+        echo 'fi' >> $routable
+        echo '' >> $routable
+        echo "exit 0" >> $routable
+        chmod +x $routable
     else
-        preup="/etc/network/if-pre-up.d/hestia-iptables"
-        if [ ! -e "$preup" ]; then
-            IFS='%'
-            echo '#!/bin/sh' > $preup
-            echo '' >> $preup
-            echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
-            [ -x "$(which ipset)" ] && echo "    ${HESTIA}/bin/v-update-firewall-ipset" >> $preup
-            echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
-            echo 'fi' >> $preup
-            echo "exit 0" >> $preup
-            chmod +x $preup
-        fi
+        echo '#!/bin/sh' > $preup
+        echo '' >> $preup
+        echo 'if [ "$IFACE" = "'$(ip route list | awk '/default .+/ {print $5}' | uniq)'" ]; then' >> $preup
+        echo '    [ -x "'$(which ipset)'" ] && '"${HESTIA}/bin/v-update-firewall-ipset" >> $preup
+        echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
+        echo 'fi' >> $preup
+        echo '' >> $preup
+        echo "exit 0" >> $preup
+        chmod +x $preup
     fi
 fi
 

install/upgrade/versions/1.4.3.sh

@@ -6,3 +6,8 @@
 #######                      Place additional commands below.                   #######
 #######################################################################################
 
+# Improve generate and loading firewall rules
+if [ "$FIREWALL_SYSTEM" = "iptables" ]; then
+    echo "[ * ] Fix the issue of generate firewall rules..."
+    $BIN/v-update-firewall
+fi