firewall: implement blocklist

setup/start/cloudron-firewall.sh

@@ -12,6 +12,20 @@ iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
 # ssh is allowed alternately on port 202
 iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443 -j ACCEPT
 
+# user firewall
+user_firewall_json="/home/yellowtent/boxdata/firewall-config.json"
+if allowed_tcp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${user_firewall_json}', 'utf8')).allowed_tcp_ports.join(','))" 2>/dev/null); then
+    [[ -n "${allowed_tcp_ports}" ]] && iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports "${allowed_tcp_ports}" -j ACCEPT
+fi
+
+ipset create cloudron_blocklist hash:net || true
+/home/yellowtent/box/src/scripts/setblocklist.sh
+
+iptables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
+if ! iptables -t filter -C FORWARD -m set --match-set cloudron_blocklist src -j DROP; then
+    iptables -t filter -I FORWARD -m set --match-set cloudron_blocklist src -j DROP
+fi
+
 # turn and stun service
 iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
 iptables -t filter -A CLOUDRON -p udp -m multiport --dports 3478,5349 -j ACCEPT