WIP: feat: commands and tools to setup fw and system settings for VPN:

This is scrapped for now. It may be outside the scope of
    this service to manage the fw...

    Let that be handled by automations such as Ansible or other tools
    during deployment-time.

Signed-off-by: HeshamTB <hishaminv@gmail.com>

cmd/hvpn-node/hvpn-node.go

@@ -20,6 +20,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3"
+	netcmd "gitea.hbanafa.com/HeshamTB/hvpn-node3/net"
 )
 
 /*
@@ -174,6 +175,13 @@ func createCliApp() *cli.App {
     }
     app.Flags = append(app.Flags, &wgInterfaceName)
 
+    uplinkName := cli.StringFlag{
+        Name: "uplink",
+        Usage: "Name of the interface to be used for Wireguard traffic",
+        Required: true,
+    }
+    app.Flags = append(app.Flags, &uplinkName)
+
     wgEndpoint := cli.StringFlag{
         Name: "endpoint",
         Usage: "Wireguard endpoint domain or address without the port",
@@ -276,6 +284,7 @@ func createCliApp() *cli.App {
     app.Flags = append(app.Flags, &TLSCertKey)
 
 
+    app.Commands = append(app.Commands, NetSetupCommand())
 
     app.Action = func(ctx *cli.Context) error {
         err := setup(ctx)
@@ -289,6 +298,123 @@ func createCliApp() *cli.App {
     return app
 }
 
+func NetSetupCommand() *cli.Command {
+    cmd := cli.Command{
+        Name: "nsetup",
+        Usage: "Tools to setup the host for routing VPN traffic\nGlobal flags have an effect on this commands behaviour",
+        Action: func(ctx *cli.Context) error {
+            err := preUpCommands(ctx)
+            if err != nil {
+                return err
+            }
+
+            return nil
+        },
+    }
+
+    return &cmd
+}
+
+func preUpCommands(ctx *cli.Context) error {
+
+    /* Make a Revertable Command Intrface to make this more general */
+    sysProcFile, err := os.OpenFile(
+        hvpnnode3.SYS_PROC_IPV4_IP_FORWARD,
+        os.O_RDWR, 0644,
+    )
+    defer sysProcFile.Close()
+    if err != nil {
+        return err
+    }
+    
+    uplinkIface := ctx.String("uplink")
+    wgIface := ctx.String("interface")
+    wgport := ctx.Int("port")
+    wgportStr := fmt.Sprint(wgport)
+
+    sysCtlAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, true)
+    ipTables1 := netcmd.IptablesForwardWGInAccept(true, uplinkIface, wgIface)
+    ipTables2 := netcmd.IptablesForwardWGOutAccept(true, uplinkIface, wgIface)
+    ipTables3 := netcmd.IptablesNatPostRoutingMasq(true, uplinkIface)
+    ipTablesAllowPort := netcmd.IptablesPort(true, uplinkIface, wgportStr, netcmd.UDP)
+    
+    sysCtlDisAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, false)
+    ipTables4 := netcmd.IptablesForwardWGInAccept(false, uplinkIface, wgIface)
+    ipTables5 := netcmd.IptablesForwardWGOutAccept(false, uplinkIface, wgIface)
+    ipTables6 := netcmd.IptablesNatPostRoutingMasq(false, uplinkIface)
+    ipTablesDisAllow := netcmd.IptablesPort(false, uplinkIface, wgportStr, netcmd.UDP)
+
+    slog.Debug(sysCtlAllowForward.String())
+    err = sysCtlAllowForward.Run()
+    if err != nil {
+        return err
+    }
+
+    slog.Debug(ipTables1.String())
+    err = ipTables1.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        return err
+    }
+
+    slog.Debug(ipTables2.String())
+    err = ipTables2.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        ipTables4.Run()
+        return err
+    }
+
+    slog.Debug(ipTables3.String())
+    err = ipTables3.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        ipTables4.Run()
+        ipTables5.Run()
+        return err
+    }
+
+    slog.Debug(ipTablesAllowPort.String())
+    err = ipTablesAllowPort.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        ipTables4.Run()
+        ipTables5.Run()
+        ipTables6.Run()
+        return err
+    }
+    
+    /* At this point all passed. revert.*/
+
+    err = sysCtlDisAllowForward.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTables4.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTables5.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTables6.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTablesDisAllow.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+
+    return nil
+
+}
+
+func postDownCommands(ctx *cli.Context) error {
+    return nil
+}
+
 func setup(ctx *cli.Context) error {
     slog.Debug("Starting setup()")
         uid := os.Getuid()

const.go

@@ -7,6 +7,7 @@ const (
     CONTENT_OCTET = "application/octet-stream"
     CONTENT_PLAIN_TEXT = "text/plain"
     WG_CLIENT_MTU = 1380
+    SYS_PROC_IPV4_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
 )
 
 var (

scripts/set_rules.sh

@@ -1,101 +0,0 @@
-#!/usr/bin/env bash 
-
-iptables=iptables
-
-PROGRAM="${0}"
-cmd="${1}"
-wg_iface="${2}"
-uplink_iface="${3}"
-wg_port="${4}"
-
-cmd() {
-	echo "[#] $*" >&2
-	"$@"
-}
-
-print_usage() {
-	cat >&2 <<-_EOF
-    ${PROGRAM} [ set | unset ] <wg_interface> <uplink_interface> <wg_port> 
-	_EOF
-}
-
-HAVE_SET_NAT=0
-add_nat() {
-    cmd ${iptables} -t nat -A POSTROUTING -o ${uplink_iface} -j MASQUERADE
-    HAVE_SET_NAT=1
-}
-
-HAVE_SET_FORWARD=0
-add_forward() {
-    cmd ${iptables} -I FORWARD 1 -i ${uplink_iface} -o ${wg_iface} -j ACCEPT
-    cmd ${iptables} -I FORWARD 1 -i ${wg_iface} -o ${uplink_iface} -j ACCEPT
-    HAVE_SET_FORWARD=1
-}
-
-HAVE_SET_ISOLATION=0
-add_isolation() {
-    cmd ${iptables} -I FORWARD -i ${wg_iface} -o ${wg_iface} -j DROP
-    HAVE_SET_ISOLATION=1
-}
-
-HAVE_OPEN_PORT=0
-add_port() {
-    cmd ${iptables} -I INPUT 1 -i ${uplink_iface} -p udp --dport ${wg_port} -j ACCEPT
-    HAVE_OPEN_PORT=1
-}
-
-add_rules() {
-    trap 'rm_rules; exit' INT TERM EXIT
-    add_forward || exit 1
-    add_nat || exit 1
-    add_isolation || exit 1
-    add_port || exit 1
-    trap - INT TERM EXIT
-}
-
-rm_forward() {
-    cmd ${iptables} -D FORWARD -i ${uplink_iface} -o ${wg_iface} -j ACCEPT
-    cmd ${iptables} -D FORWARD -i ${wg_iface} -o ${uplink_iface} -j ACCEPT
-}
-
-rm_nat() {
-    cmd ${iptables} -t nat -D POSTROUTING -o ${uplink_iface} -j MASQUERADE
-}
-
-rm_isolate() {
-    cmd ${iptables} -D FORWARD -i ${wg_iface} -o ${wg_iface} -j DROP
-}
-
-rm_port() {
-    cmd ${iptables} -D INPUT -i ${uplink_iface} -p udp --dport ${wg_port} -j ACCEPT
-}
-
-rm_rules() {
-    [[ $HAVE_SET_FORWARD -eq 0 ]] || rm_forward
-    [[ $HAVE_SET_NAT -eq 0 ]] || rm_nat
-    [[ $HAVE_SET_ISOLATION -eq 0 ]] || rm_isolate
-    [[ $HAVE_OPEN_PORT -eq 0 ]] || rm_port
-}
-
-if [ ! $# -eq 4 ]
-then
-    print_usage
-    exit 1
-fi
-
-if [ "${cmd}" == "set" ]
-then
-    add_rules
-
-elif [ "${cmd}" == "unset" ]; 
-then
-    HAVE_OPEN_PORT=1
-    HAVE_SET_ISOLATION=1
-    HAVE_SET_NAT=1
-    HAVE_SET_FORWARD=1
-    rm_rules
-else
-   # cat << "Invalid command. Use set or unset" >&2
-   echo "Invalid command. Use set or unset"
-fi
-