
A WebUI for IP Tables [WIP]

IP Tables WebUI

A nice webui for the iptables command, written in NodeJS. Currently a work in progress.

Security

This WebUI is not meant to be used as a general-access, long-running web server. Instead, the following flow is assumed:

  1. The user connects to the remote server over SSH with a port forward, e.g.: ssh myserver.com -L 8099:localhost:8099
  2. The user starts the iptables web interface: iptables-webui start
  3. The user navigates to the address in their browser, e.g.: http://localhost:8099

Pro-tip: Store the server/forwarding details in ~/.ssh/config:

Host myserver
  Hostname myserver.com
  User me
  LocalForward 8099 localhost:8099

It would be possible to run it as a typical web server process, but leaving iptables that exposed is not good security practice, even if authentication and authorization were built into this app.

Planned Features

  • Modular handling of rules (enable and disable named groups of rules)
  • Raw rule editing
  • Flexible Port Forwarding table
  • Simple Pre-built rules (like enable/disable SSH or HTTP in/out)
  • Advanced Pre-built rules (internet connection sharing, load balancing)
  • Current Status of IP Tables
  • View Compiled rules vs Source rules
  • Help with enabling/disabling kernel network features (forwarding, masquerading)

Rule Spec

A rule has the following fields:

  • name: the name (user set)
  • enabled: whether the rule is enabled (user set)
  • lines: the lines that make up the rule (user set); each line can be either:
      • an object that can be parsed by the RuleParser
      • or a string of iptables arguments
  • valid: determined by the result of the last test
  • test_lines: the lines that made up the file used for the last test
  • error: the error that occurred on the last test

This is an example of what a rule looks like in JSON:

{
  name: 'my_dumb-rule',
  enabled: false,
  lines: [
    '# lines in the rule can be JSON or string',
    '-A INPUT --dport 22 -j ACCEPT',
    {chain: 'input', dport: 80, target: 'accept'}
  ],
  valid: true,
  test_lines: [
    '# iptables-restore test file generated by iprules 2015-01-06 00:00',
    '*filter',
    '# my_dumb-rule',
    '# lines in the rule can be JSON or string',
    '-A INPUT --dport 22 -j ACCEPT',
    '-A INPUT --dport 80 -j ACCEPT',
    '#end'
  ],
  error: ''
}

RuleParser spec

The RuleParser can handle the following arguments (examples shown):

{
  chain:    'INPUT',
  protocol: 'tcp',      // default is TCP
  sport:    false,      // this will be ignored during compile time
  dport:    8822,
  target:   'ACCEPT',
  src:      '192.168.3.0/24',
  dst:      '172.16.0.233',
  in:       'eth0',
  out:      'eth1',
  table:    'nat',      // default is filter
  states:   ['new'],
  to_dst:   '172.16.0.233:22'
}
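
Values in a rule object end up in a file handed to iptables-restore, which runs with root privileges, so each field is worth checking against an allowlist before it is written out. The following is an added example, not the project's RuleParser: compileRule and its helpers are hypothetical, the field names come from the spec above, and the flag layout (always emitting -p, using the conntrack match for states, IPv4 only, built-in chains only) is an assumption.

```javascript
// Added example, not iptables-webui's RuleParser. Field names follow the spec
// above; the flag layout and the allowlists are assumptions of this example.
const TABLES = ['filter', 'nat'];
const CHAINS = ['INPUT', 'OUTPUT', 'FORWARD', 'PREROUTING', 'POSTROUTING'];
const TARGETS = ['ACCEPT', 'DROP', 'REJECT', 'DNAT', 'MASQUERADE'];
const PROTOCOLS = ['tcp', 'udp']; // the only ones here that take --sport/--dport
const STATES = ['NEW', 'ESTABLISHED', 'RELATED', 'INVALID'];
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/;
const IFACE = /^[A-Za-z][A-Za-z0-9._-]{0,14}$/; // at most 15 chars (IFNAMSIZ - 1)
const given = (v) => v !== undefined && v !== null && v !== false;
const fail = (field, v) => { throw new Error(`invalid ${field}: ${JSON.stringify(v)}`); };

// Case-insensitive allowlist lookup that returns the canonical spelling.
function pick(list, v, field) {
  const hit = list.find((x) => x.toLowerCase() === String(v).toLowerCase());
  return hit || fail(field, v);
}
function port(v, field) {
  return Number.isInteger(v) && v >= 1 && v <= 65535 ? String(v) : fail(field, v);
}
function addr(v, field, cidrOk = true) {
  const m = IPV4.exec(String(v));
  const ok = m && m.slice(1, 5).every((o) => +o <= 255) &&
    (m[5] === undefined || (cidrOk && +m[5] <= 32));
  return ok ? m[0] : fail(field, v);
}
const iface = (v, field) => (IFACE.test(String(v)) ? String(v) : fail(field, v));

// Returns { table, line }; throws instead of emitting anything unvalidated.
function compileRule(rule) {
  const args = ['-A', pick(CHAINS, rule.chain, 'chain')];
  args.push('-p', pick(PROTOCOLS, given(rule.protocol) ? rule.protocol : 'tcp', 'protocol'));
  if (given(rule.in)) args.push('-i', iface(rule.in, 'in'));
  if (given(rule.out)) args.push('-o', iface(rule.out, 'out'));
  if (given(rule.src)) args.push('-s', addr(rule.src, 'src'));
  if (given(rule.dst)) args.push('-d', addr(rule.dst, 'dst'));
  if (given(rule.sport)) args.push('--sport', port(rule.sport, 'sport'));
  if (given(rule.dport)) args.push('--dport', port(rule.dport, 'dport'));
  if (given(rule.states)) {
    if (!Array.isArray(rule.states) || !rule.states.length) fail('states', rule.states);
    args.push('-m', 'conntrack', '--ctstate', rule.states.map((s) => pick(STATES, s, 'states')).join(','));
  }
  args.push('-j', pick(TARGETS, rule.target, 'target'));
  if (given(rule.to_dst)) {
    const [host, p] = String(rule.to_dst).split(':');
    args.push('--to-destination', `${addr(host, 'to_dst', false)}:${port(Number(p), 'to_dst')}`);
  }
  return { table: pick(TABLES, rule.table || 'filter', 'table'), line: args.join(' ') };
}
```

Because the output line is assembled only from validated pieces, a field containing whitespace, a newline or extra arguments is rejected rather than passed through to iptables-restore.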

API Spec

This is the API so far; not everything is working:

GET    /rules              # gets all the rules
POST   /rules              # creates a rule
GET    /rules/:pattern     # gets a rule by name or glob pattern
PUT    /rules/:name        # updates the named rule
DELETE /rules/:name        # deletes the named rule
GET    /rules/:name/test   # tests the named rule
GET    /iptables/list      # gives iptables -L output
GET    /status             # various statuses

You damn kids are just jamming javascript in everywhere!

I did it in NodeJS and ReactJS because:

  • I don't want to learn a real language like C++
  • I want to learn more about NodeJS and ReactJS
  • I want to use it on an ARM and Node is faster than ruby (dammit!)
  • I am a sadomasochist