hestiacp · jaapmarcus · May 28, 2023 · May 28, 2023 · May 28, 2023 · May 28, 2023
diff --git a/bin/v-add-firewall-ban b/bin/v-add-firewall-ban
@@ -37,13 +37,13 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 ip_format=$(get_ip_format "$ip46") # ip verification and format identification
 case "$ip_format" in
 	4)
-		family="inet4"
+		ipfamily="inet4"
 		iptables="iptables"
 		ip2ban="$ip46"
 		reject_with="icmp-port-unreachable"
 		;;
 	6)
-		family="inet6"
+		ipfamily="inet6"
 		iptables="ip6tables"
 		[ -x "$subnetcalc_bin" ] && ip2ban="${ip46}/64" || ip2ban="$ip46" # subnet ban of /64 net only if subnetcalc binary is installed
 		reject_with="icmp6-port-unreachable"
@@ -63,6 +63,9 @@ check_hestia_demo_mode
 # Self heal iptables links
 heal_iptables_links
 
+# Get iptables binary
+iptables="$(get_iptables_bin "$iptables")"
+
 # Checking server ip
 if [ -e "$HESTIA/data/ips/$ip46" ] || [ "$ip46" = '127.0.0.1' ]; then
 	exit
@@ -83,7 +86,7 @@ if [ -n "$check_ip" ]; then
 fi
 
 # Adding chain
-"$BIN/v-add-firewall-chain" "$chain" "" "" "$family" "$iptables"
+"$BIN/v-add-firewall-chain" "$chain" "" "" "$ipfamily" "$iptables"
 
 # Generating timestamp
 time_n_date=$(date +'%T %F')

diff --git a/bin/v-add-firewall-chain b/bin/v-add-firewall-chain
@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add firewall chain
-# options: CHAIN [PORT] [PROTOCOL] [FAMILY] [IPTABLES] [LOCKINGOPT]
+# options: CHAIN [PORT] [PROTOCOL] [IPFAMILY] [IPTABLES] [FW_LOCKINGOPT]
 #
 # example: v-add-firewall-chain CRM 5678 TCP
 #
@@ -18,14 +18,15 @@ protocol="$3"
 [ -z "$protocol" ] && protocol='TCP'
 protocol=$(echo "$protocol" | tr '[:lower:]' '[:upper:]')
 
-family="$4"
-[ -z "$family" ] && family="inet4"
+# Defining ip family version
+ipfamily="$4"
+[ -z "$ipfamily" ] && ipfamily="inet4"
 
-# Defining absolute path to iptables
+# Defining iptables version
 iptables="$5"
-[ -z "$iptables" ] && iptables="/sbin/iptables"
 
-lockingopt="$6"
+# Defining locking option for iptables
+fw_lockingopt="$6"
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -47,8 +48,8 @@ fi
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL] [FAMILY] [IPTABLES] [LOCKINGOPT]'
-is_format_valid 'chain' 'port_ext' 'protocol'
+check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL] [IPFAMILY] [IPTABLES] [FW_LOCKINGOPT]'
+is_format_valid 'chain' 'port_ext' 'protocol' 'ipfamily' 'iptables' 'fw_lockingopt'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 
 # Perform verification if read-only mode is enabled
@@ -61,6 +62,10 @@ check_hestia_demo_mode
 # Self heal iptables links
 heal_iptables_links
 
+# Get iptables binary
+iptables="$(get_iptables_bin "$iptables")"
+[ -n "$fw_lockingopt" ] && iptables="$iptables $fw_lockingopt"
+
 # Checking known chains
 case $chain in
 	SSH) # Get ssh port (or ports) using v-list-sys-sshd-port.
@@ -103,17 +108,17 @@ case $chain in
 esac
 
 # Adding chain
-"$iptables" -N "fail2ban-$chain" 2> /dev/null
+${iptables} -N "fail2ban-$chain" 2> /dev/null
 if [ $? -eq 0 ]; then
-	"$iptables" -A "fail2ban-$chain" -j RETURN
+	${iptables} -A "fail2ban-$chain" -j RETURN
 
 	# Adding multiport module
 	if [[ "$port" =~ ,|-|: ]]; then
 		port_str="-m multiport --dports $port"
 	else
 		port_str="--dport $port"
 	fi
-	"$iptables" -I INPUT -p "$protocol" $port_str -j "fail2ban-$chain"
+	${iptables} -I INPUT -p "$protocol" $port_str -j "fail2ban-$chain"
 fi
 
 # Preserving chain

diff --git a/bin/v-delete-firewall-ban b/bin/v-delete-firewall-ban
@@ -37,12 +37,10 @@ is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 ip_format=$(get_ip_format "$ip46") # ip verification and format identification
 case "$ip_format" in
 	4)
-		family="inet4"
 		iptables="iptables"
 		ip2ban="$ip46"
 		;;
 	6)
-		family="inet6"
 		iptables="ip6tables"
 		if [ -x "$subnetcalc_bin" ]; then
 			# if subnetcalc binary is installed on system, then ban of whole /64 subnet

diff --git a/func/firewall.sh b/func/firewall.sh
@@ -7,7 +7,7 @@
 #===========================================================================#
 
 heal_iptables_links() {
-	packages="iptables iptables-save iptables-restore"
+	packages="iptables iptables-save iptables-restore ip6tables ip6tables-save ip6tables-restore"
 	for package in $packages; do
 		if [ ! -e "/sbin/${package}" ]; then
 			if which ${package}; then
@@ -23,20 +23,9 @@ heal_iptables_links() {
 		fi
 	done
 }
-heal_ip6tables_links() {
-	packages="ip6tables ip6tables-save ip6tables-restore"
-	for package in $packages; do
-		if [ ! -e "/sbin/${package}" ]; then
-			if which ${package}; then
-				ln -s "$(which ${package})" /sbin/${package}
-			elif [ -e "/usr/sbin/${package}" ]; then
-				ln -s /usr/sbin/${package} /sbin/${package}
-			elif whereis -B /bin /sbin /usr/bin /usr/sbin -f -b ${package}; then
-				autoiptables=$(whereis -B /bin /sbin /usr/bin /usr/sbin -f -b ${package} | cut -d '' -f 2)
-				if [ -x "$autoiptables" ]; then
-					ln -s "$autoiptables" /sbin/${package}
-				fi
-			fi
-		fi
-	done
+get_iptables_bin() {
+	#	get iptables binary
+	iptables_par="$1"                                 # input parameter
+	[ -z "$iptables_par" ] && iptables_par="iptables" #	IPV4 version, if empty or not defined
+	[ "$iptables_par" = "iptables" -o "$iptables_par" = "ip6tables" ] && echo "$(which "$iptables_par")"
 }
diff --git a/func/main.sh b/func/main.sh
@@ -876,6 +876,13 @@ is_ip_format_valid() {
 	esac
 }
 
+# IP family validator
+is_ipfamily_format_valid() {
+	if [ "$1" != "inet" ] && [ "$1" != "inet4" ] && [ "$1" != 'inet6' ] && [ -n "$1" ]; then
+		check_result "$E_INVALID" "invalid ipfamily format :: $1"
+	fi
+}
+
 # Proxy extention format validator
 is_extention_format_valid() {
 	exclude="[!|#|$|^|&|(|)|+|=|{|}|:|@|<|>|?|/|\|\"|'|;|%|\`| ]"
@@ -1056,6 +1063,20 @@ is_fw_port_format_valid() {
 	fi
 }
 
+# Firewall iptables validator
+is_fw_iptables_format_valid() {
+	if [ "$1" != "iptables" ] && [ "$1" != 'ip6tables' ] && [ -n "$1" ]; then
+		check_result "$E_INVALID" "invalid iptables format :: $1"
+	fi
+}
+
+# Firewall lockingopt validator
+is_fw_lockingopt_format_valid() {
+	if [ "$1" != "-w" ] && [ -n "$1" ]; then
+		check_result "$E_INVALID" "invalid lockingopt format :: $1"
+	fi
+}
+
 # DNS record id validator
 is_id_format_valid() {
 	if ! echo "$1" | grep -qE '^[1-9][0-9]{0,}$'; then
@@ -1227,6 +1248,7 @@ is_format_valid() {
 				format) is_type_valid 'plain json shell csv' "$arg" ;;
 				ftp_password) is_password_format_valid "$arg" ;;
 				ftp_user) is_user_format_valid "$arg" "$arg_name" ;;
+				fw_lockingopt) is_fw_lockingopt_format_valid "$arg" ;;
 				hash) is_hash_format_valid "$arg" "$arg_name" ;;
 				host) is_object_format_valid "$arg" "$arg_name" ;;
 				hour) is_cron_format_valid "$arg" $arg_name ;;
@@ -1237,6 +1259,8 @@ is_format_valid() {
 				ip46 | ipv46) is_ip_format_valid "$arg" 'ipv46' ;;
 				ip_name) is_domain_format_valid "$arg" 'IP name' ;;
 				ip_status) is_ip_status_format_valid "$arg" ;;
+				ipfamily) is_ipfamily_format_valid "$arg" ;;
+				iptables) is_fw_iptables_format_valid "$arg" ;;
 				job) is_int_format_valid "$arg" 'job' ;;
 				key) is_common_format_valid "$arg" "$arg_name" ;;
 				malias) is_user_format_valid "$arg" "$arg_name" '64' ;;