Feature: Firewall rules for non OpenWrt PirateBoxes
- By default we now collect all DNS requests, even those not addressed to us directly (e.g. to 8.8.8.8) - Disabled by default is a catch-all for port 80 Fixes: #137
parent
33d1d2bda9
commit
f0c4b4ab38
@ -11,8 +11,10 @@ CHANGELOG
|
|||
* [New] Shoutbox-Time via Client-Date possible
|
||||
* [New] Website is now available under /content and /opt/piratebox/share
|
||||
* [New] [RPi] Service files for using a RTC at PiratBox
|
||||
* [New] [OpenWrt] Redirect all DNS requests to local box
|
||||
* [New] [OpenWrt] Redirect all web request option (disabled)
|
||||
* [New] Redirect all DNS requests to local box via firewall (custom script)
|
||||
* [New] Redirect all web request option via firewall (disabled) (custom script)
|
||||
* [New] [OpenWrt] Redirect all DNS requests to local box via firewall
|
||||
* [New] [OpenWrt] Redirect all web request option via firewall (disabled)
|
||||
* [New] [OpenWrt] Enable all wifi devices with the PirateBox SSID
|
||||
* [New] [OpenWrt] AP Client isolation activated per default
|
||||
* [Changed] Send HTTP-Code 204 via PHP, much cleaner
|
||||
2
Makefile
2
Makefile
|
@ -66,6 +66,8 @@ $(OPENWRT_CONFIG_FOLDER):
|
|||
sed 's:DROOPY_USE_USER="yes":DROOPY_USE_USER="no":' -i $@/piratebox.conf
|
||||
sed 's:LEASE_FILE_LOCATION=$$PIRATEBOX_FOLDER/tmp/lease.file:LEASE_FILE_LOCATION=/tmp/lease.file:' -i $@/piratebox.conf
|
||||
sed 's:TIMESAVE_FORMAT="":TIMESAVE_FORMAT="+%C%g%m%d%H%M":' -i $@/piratebox.conf
|
||||
sed 's:FIREWALL_FETCH_DNS="yes":FIREWALL_FETCH_DNS="no":' -i $@/firewall.conf
|
||||
sed 's:FIREWALL_FETCH_HTTP="yes":FIREWALL_FETCH_HTTP="no":' -i $@/firewall.conf
|
||||
|
||||
|
||||
$(OPENWRT_BIN_FOLDER):
|
||||
|
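Review bot: The two new `sed -i` edits on `$@/firewall.conf` (inferred to be the added lines of this hunk) succeed even when their pattern does not match, so if the shipped default in firewall.conf ever changes the OpenWrt image silently keeps the upstream firewall toggles instead of the intended `"no"`. Follow each edit with a check that fails the build when the substitution did not take, e.g. `grep -q 'FIREWALL_FETCH_DNS="no"' $@/firewall.conf` and `grep -q 'FIREWALL_FETCH_HTTP="no"' $@/firewall.conf`. The existing piratebox.conf edits above share the weakness, but they are not part of this change. The `$(OPENWRT_CONFIG_FOLDER)` recipe begins and continues outside the hunk.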
@ -0,0 +1,70 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Matthias Strubel (c) 2016 - GPL3
|
||||
# Script for manipulating firewall rules during start and stop of PirateBox
|
||||
|
||||
PIRATEBOX_CONFIG="/opt/piratebox/conf/piratebox.conf"
|
||||
FIREWALL_CONFIG="/opt/piratebox/conf/firewall.conf"
|
||||
|
||||
run=""
|
||||
|
||||
help_text(){
|
||||
|
||||
echo "Script for setting up Firewall rules on PirateBox. (IPv4 only)"
|
||||
echo "
|
||||
Usage:
|
||||
|
||||
-s : Start, add IPtables rules
|
||||
-k : Stop , remove IPtables rules
|
||||
|
||||
-c : different PirateBox config location
|
||||
-f : different PirateBox firewall config location
|
||||
"
|
||||
exit 1
|
||||
}
|
||||
|
||||
|
||||
while getopts "skc:f:" opt ; do
|
||||
case $opt in
|
||||
s) run="start" ;;
|
||||
k) run="end" ;;
|
||||
c) PIRATEBOX_CONFIG="$OPTARG" ;;
|
||||
f) FIREWALL_CONFIG="$OPTARG" ;;
|
||||
h) help_text ;;
|
||||
\?)
|
||||
echo "Invalid option: -$OPTARG"
|
||||
help_text
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if test -z "$run" ; then
|
||||
echo "ERROR: You need to select -s (start) or -k (stop) "
|
||||
help_text
|
||||
fi
|
||||
if test -z $PIRATEBOX_CONFIG || test -z "$FIREWALL_CONFIG" ; then
|
||||
echo "ERROR: one of the config paths is empty, while it should not"
|
||||
help_text
|
||||
fi
|
||||
|
||||
. $PIRATEBOX_CONFIG || exit 6
|
||||
. $FIREWALL_CONFIG || exit 5
|
||||
|
||||
if [ "$run" = "start" ] ; then
|
||||
IPT_FLAG="-A"
|
||||
else
|
||||
IPT_FLAG="-D"
|
||||
fi
|
||||
|
||||
if [ "$FIREWALL_FETCH_DNS" = "yes" ] ; then
|
||||
iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \
|
||||
-p tcp --dport 53 -j DNAT --to-destination "${IP}:53"
|
||||
iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \
|
||||
-p udp --dport 53 -j DNAT --to-destination "${IP}:53"
|
||||
fi
|
||||
|
||||
if [ "$FIREWALL_FETCH_HTTP" = "yes" ] ; then
|
||||
iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \
|
||||
-p tcp --dport 80 -j DNAT --to-destination "${IP}:80"
|
||||
fi
|
||||
|
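Review bot: After `. $FIREWALL_CONFIG || exit 5` the script never checks that `IP` and `DNSMASQ_INTERFACE` are set, yet both are interpolated into every iptables rule below, so an empty value yields an iptables usage error on `-s` and a failing `-D` on `-k` instead of a clear message; add `[ -n "$IP" ] && [ -n "$DNSMASQ_INTERFACE" ] || { echo "ERROR: IP or DNSMASQ_INTERFACE not set"; exit 4; }` right after that line (which file is meant to provide these two variables is not visible here, presumably piratebox.conf). Running `-s` twice appends duplicate DNAT rules because `-A` is unconditional, and a later single `-k` then removes only one copy; guarding each rule as `iptables -t nat -C <rule> || iptables -t nat -A <rule>`, or adding the rules to a dedicated chain that `-k` flushes and deletes, keeps start idempotent and stop complete. The getopts string `"skc:f:"` omits `h`, so `-h` falls into the `\?` branch and prints "Invalid option: -h" before the help; change it to `while getopts "skc:f:h" opt ; do`. The `test -z $PIRATEBOX_CONFIG` check should quote the variable like the `"$FIREWALL_CONFIG"` test beside it.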
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Configuration file for PirateBox firewall configuration
|
||||
#
|
||||
|
||||
# Collect all incoming DNS requests, even these are not addressed
|
||||
# to this machine.
|
||||
FIREWALL_FETCH_DNS="yes"
|
||||
|
||||
# Collect all incoming Port 80 request, even these should be
|
||||
# relayed to a different machine
|
||||
FIREWALL_FETCH_HTTP="no"
|
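Review bot: The header comment does not say that this file is sourced as shell by firewall.sh (`. $FIREWALL_CONFIG`), so anything beyond plain assignments in it runs with whatever privileges the caller has (the init scripts in this commit); add `# Sourced as shell by bin/firewall.sh: keep to plain VAR="yes"/"no" assignments, root-owned and not world-writable.` under the existing header. The `FIREWALL_FETCH_HTTP` comment could also state that enabling it DNATs every client's plaintext port-80 traffic on the PirateBox interface to the box, which is the reason it defaults to `no`.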
@ -149,6 +149,12 @@ case "$1" in
|
|||
log_end_msg $?
|
||||
fi
|
||||
|
||||
#Setting up firewall rules
|
||||
log_daemon_msg "Setting up firewall rules..."
|
||||
$PIRATEBOX_FOLDER/bin/firewall.sh -s
|
||||
log_end_msg $?
|
||||
|
||||
|
||||
if [ "$IPV6_ENABLE" == "yes" ] && [ "$IPV6_ADVERT" == "radvd" ] ; then
|
||||
log_daemon_msg "Starting radvd..."
|
||||
start-stop-daemon --start --quiet --exec radvd -- -p $PIDFILE_RADVD -C $CONF_RADVD
|
||||
|
@ -219,6 +225,10 @@ case "$1" in
|
|||
log_end_msg $?
|
||||
fi
|
||||
|
||||
log_daemon_msg "Removing firewall rules..."
|
||||
$PIRATEBOX_FOLDER/bin/firewall.sh -k
|
||||
log_end_msg $?
|
||||
|
||||
if [ "$USE_APN" = "yes" ] ; then
|
||||
log_daemon_msg "Stopping hostap... "
|
||||
start-stop-daemon --stop --quiet --pidfile $PIDFILE_HOSTAPN --oknodo --startas "hostapd"
|
||||
|
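Review bot: The new `$PIRATEBOX_FOLDER/bin/firewall.sh -s` and `-k` invocations leave the path unquoted; the same pattern appears in the second init script further down, so all four lines should become `"$PIRATEBOX_FOLDER/bin/firewall.sh" -s` and `"$PIRATEBOX_FOLDER/bin/firewall.sh" -k`. In the stop branch, `log_end_msg $?` will report a failure whenever the rules were never added (for example firewall.conf toggled between start and stop), because firewall.sh's `iptables -D` calls fail for absent rules; that is acceptable for a best-effort teardown but deserves a comment such as `# -k reports failure if no rules were present; harmless`. Both `case "$1" in` branches begin outside the hunks.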
@ -143,6 +143,11 @@ case "$1" in
|
|||
echo $?
|
||||
fi
|
||||
|
||||
|
||||
echo "Setting up firewall rules..."
|
||||
$PIRATEBOX_FOLDER/bin/firewall.sh -s
|
||||
echo $?
|
||||
|
||||
if [ "$IPV6_ENABLE" == "yes" ] && [ "$IPV6_ADVERT" == "radvd" ] ; then
|
||||
echo "Starting radvd..."
|
||||
start-stop-daemon -S -q -x radvd -- -p $PIDFILE_RADVD -C $CONF_RADVD
|
||||
|
@ -215,6 +220,11 @@ case "$1" in
|
|||
echo $?
|
||||
fi
|
||||
|
||||
|
||||
echo "Removing firewall rules..."
|
||||
$PIRATEBOX_FOLDER/bin/firewall.sh -k
|
||||
echo $?
|
||||
|
||||
if [ -e $PIDFILE_RADVD ] ; then
|
||||
echo "Stopping radvd..."
|
||||
start-stop-daemon -K -q -p $PIDFILE_RADVD
|
||||
|