Feature: Firewall rules for non OpenWrt PirateBoxes

- Per default we now collect all DNS requests even not the
    one which addresses us directly (like 8.8.8.8 )
  - Disables is an all Port 80 catch

Fixes: #137

CHANGELOG

@@ -11,8 +11,10 @@ CHANGELOG
 * [New] Shoutbox-Time via Client-Date possible
 * [New] Website is now available under /content and /opt/piratebox/share
 * [New] [RPi] Service files for using a RTC at PiratBox
-* [New] [OpenWrt] Redirect all DNS requests to local box
-* [New] [OpenWrt] Redirect all web request option (disabled)
+* [New] Redirect all DNS requests to local box via firewall (custom script)
+* [New] Redirect all web request option via firewall (disabled) (custom script)
+* [New] [OpenWrt] Redirect all DNS requests to local box via firewall
+* [New] [OpenWrt] Redirect all web request option via firewall (disabled)
 * [New] [OpenWrt] Enable all wifi devices with the PirateBox SSID
 * [New] [OpenWrt] AP Client isolation activated per default
 * [Changed] Send HTTP-Code 204 via PHP, much cleaner

Makefile

@@ -66,6 +66,8 @@ $(OPENWRT_CONFIG_FOLDER):
 	sed 's:DROOPY_USE_USER="yes":DROOPY_USE_USER="no":' -i  $@/piratebox.conf
 	sed 's:LEASE_FILE_LOCATION=$$PIRATEBOX_FOLDER/tmp/lease.file:LEASE_FILE_LOCATION=/tmp/lease.file:' -i  $@/piratebox.conf
 	sed 's:TIMESAVE_FORMAT="":TIMESAVE_FORMAT="+%C%g%m%d%H%M":' -i $@/piratebox.conf
+	sed 's:FIREWALL_FETCH_DNS="yes":FIREWALL_FETCH_DNS="no":' -i $@/firewall.conf
+	sed 's:FIREWALL_FETCH_HTTP="yes":FIREWALL_FETCH_HTTP="no":' -i $@/firewall.conf
 
 
 $(OPENWRT_BIN_FOLDER):

piratebox/piratebox/bin/firewall.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+
+#  Matthias Strubel (c) 2016  - GPL3
+# Script for manipulating firewall rules during start and stop of PirateBox
+
+PIRATEBOX_CONFIG="/opt/piratebox/conf/piratebox.conf"
+FIREWALL_CONFIG="/opt/piratebox/conf/firewall.conf"
+
+run=""
+
+help_text(){
+
+  echo "Script for setting up Firewall rules on PirateBox. (IPv4 only)"
+  echo "
+Usage:
+
+  -s   	: Start, add IPtables rules
+  -k    : Stop , remove IPtables rules
+
+  -c    : different PirateBox config location
+  -f    : different PirateBox firewall config location
+"
+  exit 1
+}
+
+
+while getopts "skc:f:" opt ; do 
+	case $opt in 
+		s)  run="start"  ;;
+		k)  run="end"    ;;
+		c)  PIRATEBOX_CONFIG="$OPTARG" ;;
+		f)  FIREWALL_CONFIG="$OPTARG" ;;
+		h)  help_text  ;;
+		\?)
+			echo "Invalid option: -$OPTARG"
+			help_text
+			;;
+	esac
+done
+
+if test -z "$run" ; then
+	echo "ERROR: You need to select -s (start) or -k (stop) "
+	help_text
+fi
+if test -z $PIRATEBOX_CONFIG || test -z "$FIREWALL_CONFIG" ; then
+	echo "ERROR: one of the config paths is empty, while it should not"
+	help_text
+fi
+
+ . $PIRATEBOX_CONFIG  || exit 6
+ . $FIREWALL_CONFIG   || exit 5
+
+if [ "$run" = "start" ] ; then
+	IPT_FLAG="-A"
+else
+	IPT_FLAG="-D"
+fi
+
+if [ "$FIREWALL_FETCH_DNS" = "yes" ] ; then
+	 iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \
+		-p tcp --dport 53 -j DNAT --to-destination "${IP}:53"
+	 iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \
+		-p udp --dport 53 -j DNAT --to-destination "${IP}:53"
+fi 
+
+if [ "$FIREWALL_FETCH_HTTP" = "yes" ] ; then
+	iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE"  -d 0/0 \
+		-p tcp --dport 80 -j DNAT --to-destination "${IP}:80"
+fi 
+  

piratebox/piratebox/conf/firewall.conf

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Configuration file for PirateBox firewall configuration
+#
+
+# Collect all incoming DNS requests, even these are not addressed 
+#  to this machine.
+FIREWALL_FETCH_DNS="yes"
+
+# Collect all incoming Port 80 request, even these should be 
+#  relayed to a different machine
+FIREWALL_FETCH_HTTP="no"

piratebox/piratebox/init.d/piratebox

@@ -149,6 +149,12 @@ case "$1" in
          log_end_msg $?
        fi
 
+       #Setting up firewall rules
+       log_daemon_msg    "Setting up firewall rules..."
+       $PIRATEBOX_FOLDER/bin/firewall.sh -s
+       log_end_msg $?
+
+
 	if [ "$IPV6_ENABLE" == "yes" ] && [ "$IPV6_ADVERT" == "radvd" ] ; then
 	  log_daemon_msg "Starting radvd..."
 	  start-stop-daemon --start --quiet --exec radvd  -- -p $PIDFILE_RADVD -C $CONF_RADVD
@@ -219,6 +225,10 @@ case "$1" in
 	log_end_msg $?
     fi 
 
+       log_daemon_msg    "Removing firewall rules..."
+       $PIRATEBOX_FOLDER/bin/firewall.sh -k
+       log_end_msg $?
+
     if [  "$USE_APN"  = "yes" ] ;  then
        log_daemon_msg  "Stopping hostap... "
        start-stop-daemon --stop --quiet  --pidfile $PIDFILE_HOSTAPN  --oknodo  --startas "hostapd"

piratebox/piratebox/init.d/piratebox_alt

@@ -143,6 +143,11 @@ case "$1" in
          echo  $?
        fi
 
+
+       echo  "Setting up firewall rules..."
+       $PIRATEBOX_FOLDER/bin/firewall.sh -s
+       echo $?
+
         if [ "$IPV6_ENABLE" == "yes" ] && [ "$IPV6_ADVERT" == "radvd" ] ; then
           echo  "Starting radvd..."
           start-stop-daemon  -S -q -x radvd  --  -p $PIDFILE_RADVD -C $CONF_RADVD
@@ -215,6 +220,11 @@ case "$1" in
        echo  $?
    fi
 
+
+       echo  "Removing firewall rules..."
+       $PIRATEBOX_FOLDER/bin/firewall.sh -k
+       echo $?
+
      if [ -e $PIDFILE_RADVD ] ; then
         echo "Stopping radvd..."
         start-stop-daemon -K -q -p $PIDFILE_RADVD