From 719572887215272212e66bb1dd7f8ddaa5d1cfab Mon Sep 17 00:00:00 2001
From: Slava-Shchipunov <shchipunovsd@gmail.com>
Date: Sat, 26 Oct 2024 02:53:26 +0700
Subject: [PATCH] feat: add firewall settings

---
 amneziawg-install.sh | 39 +++++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/amneziawg-install.sh b/amneziawg-install.sh
index 0900649..cae3320 100644
--- a/amneziawg-install.sh
+++ b/amneziawg-install.sh
@@ -97,15 +97,15 @@ install_awg_packages() {
 }
 
 configure_amneziawg_interface() {
-    INTERFACE_NAME="awg1"
-    CONFIG_NAME="amneziawg_awg1"
+    INTERFACE_NAME="awg0"
+    CONFIG_NAME="amneziawg_0"
     PROTO="amneziawg"
-    ZONE_NAME="awg_internal"
+    ZONE_NAME="awg0"
 
     read -r -p "Enter the private key (from [Interface]):"$'\n' AWG_PRIVATE_KEY_INT
 
     while true; do
-        read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' AWG_IP
+        read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (Address from [Interface]):"$'\n' AWG_IP
         if echo "$AWG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
             break
         else
@@ -157,12 +157,39 @@ configure_amneziawg_interface() {
     uci set network.@${CONFIG_NAME}[0].name="${INTERFACE_NAME}_client"
     uci set network.@${CONFIG_NAME}[0].public_key=$AWG_PUBLIC_KEY_INT
     uci set network.@${CONFIG_NAME}[0].preshared_key=$AWG_PRESHARED_KEY_INT
-    uci set network.@${CONFIG_NAME}[0].route_allowed_ips='0'
+    uci set network.@${CONFIG_NAME}[0].route_allowed_ips='1'
     uci set network.@${CONFIG_NAME}[0].persistent_keepalive='25'
     uci set network.@${CONFIG_NAME}[0].endpoint_host=$AWG_ENDPOINT_INT
-    uci set network.@${CONFIG_NAME}[0].allowed_ips='0.0.0.0/0'
+    uci set network.@${CONFIG_NAME}[0].allowed_ips='0.0.0.0/0 ::/0'
     uci set network.@${CONFIG_NAME}[0].endpoint_port=$AWG_ENDPOINT_PORT_INT
     uci commit network
+
+    if ! uci show firewall | grep -q "@zone.*name='${ZONE_NAME}'"; then
+        printf "\033[32;1mZone Create\033[0m\n"
+        uci add firewall zone
+        uci set firewall.@zone[-1].name=$ZONE_NAME
+        uci set firewall.@zone[-1].network=$INTERFACE_NAME
+        uci set firewall.@zone[-1].forward='REJECT'
+        uci set firewall.@zone[-1].output='ACCEPT'
+        uci set firewall.@zone[-1].input='REJECT'
+        uci set firewall.@zone[-1].masq='1'
+        uci set firewall.@zone[-1].mtu_fix='1'
+        uci set firewall.@zone[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    if ! uci show firewall | grep -q "@forwarding.*name='${ZONE_NAME}'"; then
+        printf "\033[32;1mConfigured forwarding\033[0m\n"
+        uci add firewall forwarding
+        uci set firewall.@forwarding[-1]=forwarding
+        uci set firewall.@forwarding[-1].name="${ZONE_NAME}-lan"
+        uci set firewall.@forwarding[-1].dest=${ZONE_NAME}
+        uci set firewall.@forwarding[-1].src='lan'
+        uci set firewall.@forwarding[-1].family='ipv4'
+        uci commit firewall
+    fi
+
+    service network restart
 }
 
 check_repo