diff --git a/CHANGELOG b/CHANGELOG index d03626f..92fe005 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -11,8 +11,10 @@ CHANGELOG * [New] Shoutbox-Time via Client-Date possible * [New] Website is now available under /content and /opt/piratebox/share * [New] [RPi] Service files for using a RTC at PiratBox -* [New] [OpenWrt] Redirect all DNS requests to local box -* [New] [OpenWrt] Redirect all web request option (disabled) +* [New] Redirect all DNS requests to local box via firewall (custom script) +* [New] Redirect all web request option via firewall (disabled) (custom script) +* [New] [OpenWrt] Redirect all DNS requests to local box via firewall +* [New] [OpenWrt] Redirect all web request option via firewall (disabled) * [New] [OpenWrt] Enable all wifi devices with the PirateBox SSID * [New] [OpenWrt] AP Client isolation activated per default * [Changed] Send HTTP-Code 204 via PHP, much cleaner diff --git a/Makefile b/Makefile index e5ed931..b1e94f0 100644 --- a/Makefile +++ b/Makefile @@ -66,6 +66,8 @@ $(OPENWRT_CONFIG_FOLDER): sed 's:DROOPY_USE_USER="yes":DROOPY_USE_USER="no":' -i $@/piratebox.conf sed 's:LEASE_FILE_LOCATION=$$PIRATEBOX_FOLDER/tmp/lease.file:LEASE_FILE_LOCATION=/tmp/lease.file:' -i $@/piratebox.conf sed 's:TIMESAVE_FORMAT="":TIMESAVE_FORMAT="+%C%g%m%d%H%M":' -i $@/piratebox.conf + sed 's:FIREWALL_FETCH_DNS="yes":FIREWALL_FETCH_DNS="no":' -i $@/firewall.conf + sed 's:FIREWALL_FETCH_HTTP="yes":FIREWALL_FETCH_HTTP="no":' -i $@/firewall.conf $(OPENWRT_BIN_FOLDER): diff --git a/piratebox/piratebox/bin/firewall.sh b/piratebox/piratebox/bin/firewall.sh new file mode 100755 index 0000000..d10c368 --- /dev/null +++ b/piratebox/piratebox/bin/firewall.sh 
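Review bot: The two new `sed` lines in the `$(OPENWRT_CONFIG_FOLDER)` recipe match the literal value `="yes"`, so `FIREWALL_FETCH_HTTP="yes"` never matches the `"no"` that `conf/firewall.conf` ships with, and `sed -i` exits 0 whether or not a substitution happened; should a default in that file ever be flipped, the OpenWrt image would silently keep the script-driven DNAT enabled on top of the native OpenWrt redirect the changelog entries describe. Anchoring on the key rather than the value makes the intent hold regardless of the shipped default: `sed 's:^FIREWALL_FETCH_DNS=.*:FIREWALL_FETCH_DNS="no":' -i $@/firewall.conf` and the same for `FIREWALL_FETCH_HTTP`. The enclosing `$(OPENWRT_CONFIG_FOLDER):` rule starts before the hunk.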
@@ -0,0 +1,70 @@ +#!/bin/sh + +# Matthias Strubel (c) 2016 - GPL3 +# Script for manipulating firewall rules during start and stop of PirateBox + +PIRATEBOX_CONFIG="/opt/piratebox/conf/piratebox.conf" +FIREWALL_CONFIG="/opt/piratebox/conf/firewall.conf" + +run="" + +help_text(){ + + echo "Script for setting up Firewall rules on PirateBox. (IPv4 only)" + echo " +Usage: + + -s : Start, add IPtables rules + -k : Stop , remove IPtables rules + + -c : different PirateBox config location + -f : different PirateBox firewall config location +" + exit 1 +} + + +while getopts "skc:f:" opt ; do + case $opt in + s) run="start" ;; + k) run="end" ;; + c) PIRATEBOX_CONFIG="$OPTARG" ;; + f) FIREWALL_CONFIG="$OPTARG" ;; + h) help_text ;; + \?) + echo "Invalid option: -$OPTARG" + help_text + ;; + esac +done + +if test -z "$run" ; then + echo "ERROR: You need to select -s (start) or -k (stop) " + help_text +fi +if test -z $PIRATEBOX_CONFIG || test -z "$FIREWALL_CONFIG" ; then + echo "ERROR: one of the config paths is empty, while it should not" + help_text +fi + + . $PIRATEBOX_CONFIG || exit 6 + . $FIREWALL_CONFIG || exit 5 + +if [ "$run" = "start" ] ; then + IPT_FLAG="-A" +else + IPT_FLAG="-D" +fi + +if [ "$FIREWALL_FETCH_DNS" = "yes" ] ; then + iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \ + -p tcp --dport 53 -j DNAT --to-destination "${IP}:53" + iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \ + -p udp --dport 53 -j DNAT --to-destination "${IP}:53" +fi + +if [ "$FIREWALL_FETCH_HTTP" = "yes" ] ; then + iptables -t nat $IPT_FLAG PREROUTING -i "$DNSMASQ_INTERFACE" -d 0/0 \ + -p tcp --dport 80 -j DNAT --to-destination "${IP}:80" +fi + diff --git a/piratebox/piratebox/conf/firewall.conf b/piratebox/piratebox/conf/firewall.conf new file mode 100644 index 0000000..f4187ba --- /dev/null +++ b/piratebox/piratebox/conf/firewall.conf 
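Review bot: A repeated `-s` without an intervening `-k` appends a second copy of every DNAT rule, because `-A` is not idempotent, while `-k` issues one `-D` per rule and therefore removes only one copy and leaves the redirect active after stop; the script's exit status is also only that of the last `iptables` call, so a failing tcp/53 rule is masked when the udp/53 one succeeds. A small helper that probes with `iptables -C` before `-A` (needs iptables 1.4.11 or newer — confirm on the Debian and RPi targets) and accumulates a return code addresses both, together with an early check that the sourced `DNSMASQ_INTERFACE` and `IP` are non-empty; the sketch below replaces everything from the `IPT_FLAG` assignment to the end, option parsing and config sourcing unchanged. Two smaller points: `h` is absent from the `getopts "skc:f:"` string, so `-h` prints `Invalid option: -h` before the help, and `test -z $PIRATEBOX_CONFIG` should be quoted like `"$FIREWALL_CONFIG"` beside it. The header comment should also carry the IPv4-only caveat from the help text: if the init script's `IPV6_ENABLE`/radvd path advertises an IPv6 resolver, clients that use it bypass this redirect entirely.
```shell
# … unchanged: option parsing, -s/-k check, sourcing of the two config files …

# Both values come from the sourced piratebox.conf; an empty one would
# produce a malformed iptables command, so refuse early and loudly.
if [ -z "$DNSMASQ_INTERFACE" ] || [ -z "$IP" ] ; then
    echo "ERROR: DNSMASQ_INTERFACE or IP is not set in $PIRATEBOX_CONFIG"
    exit 7
fi

rc=0

# Add (start) or delete (stop) one nat/PREROUTING rule; the arguments are
# the match/target part of the rule. On start the rule is probed with -C
# first, so a repeated start does not stack duplicates that a single -D
# cannot clear. Any failure is remembered in rc for the final exit status.
nat_rule() {
    if [ "$run" = "start" ] ; then
        iptables -t nat -C PREROUTING "$@" 2>/dev/null \
            || iptables -t nat -A PREROUTING "$@" || rc=1
    else
        iptables -t nat -D PREROUTING "$@" || rc=1
    fi
}

if [ "$FIREWALL_FETCH_DNS" = "yes" ] ; then
    nat_rule -i "$DNSMASQ_INTERFACE" -d 0/0 -p tcp --dport 53 -j DNAT --to-destination "${IP}:53"
    nat_rule -i "$DNSMASQ_INTERFACE" -d 0/0 -p udp --dport 53 -j DNAT --to-destination "${IP}:53"
fi

if [ "$FIREWALL_FETCH_HTTP" = "yes" ] ; then
    nat_rule -i "$DNSMASQ_INTERFACE" -d 0/0 -p tcp --dport 80 -j DNAT --to-destination "${IP}:80"
fi

exit $rc
```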
@@ -0,0 +1,12 @@ +#!/bin/sh + +# Configuration file for PirateBox firewall configuration +# + +# Collect all incoming DNS requests, even these are not addressed +# to this machine. +FIREWALL_FETCH_DNS="yes" + +# Collect all incoming Port 80 request, even these should be +# relayed to a different machine +FIREWALL_FETCH_HTTP="no" diff --git a/piratebox/piratebox/init.d/piratebox b/piratebox/piratebox/init.d/piratebox index 7b95fff..870466c 100755 --- a/piratebox/piratebox/init.d/piratebox +++ b/piratebox/piratebox/init.d/piratebox @@ -149,6 +149,12 @@ case "$1" in log_end_msg $? fi + #Setting up firewall rules + log_daemon_msg "Setting up firewall rules..." + $PIRATEBOX_FOLDER/bin/firewall.sh -s + log_end_msg $? + + if [ "$IPV6_ENABLE" == "yes" ] && [ "$IPV6_ADVERT" == "radvd" ] ; then log_daemon_msg "Starting radvd..." start-stop-daemon --start --quiet --exec radvd -- -p $PIDFILE_RADVD -C $CONF_RADVD @@ -219,6 +225,10 @@ case "$1" in log_end_msg $? fi + log_daemon_msg "Removing firewall rules..." + $PIRATEBOX_FOLDER/bin/firewall.sh -k + log_end_msg $? + if [ "$USE_APN" = "yes" ] ; then log_daemon_msg "Stopping hostap... " start-stop-daemon --stop --quiet --pidfile $PIDFILE_HOSTAPN --oknodo --startas "hostapd" diff --git a/piratebox/piratebox/init.d/piratebox_alt b/piratebox/piratebox/init.d/piratebox_alt index 8c1be33..352acbf 100755 --- a/piratebox/piratebox/init.d/piratebox_alt +++ b/piratebox/piratebox/init.d/piratebox_alt @@ -143,6 +143,11 @@ case "$1" in echo $? fi + + echo "Setting up firewall rules..." + $PIRATEBOX_FOLDER/bin/firewall.sh -s + echo $? + if [ "$IPV6_ENABLE" == "yes" ] && [ "$IPV6_ADVERT" == "radvd" ] ; then echo "Starting radvd..." start-stop-daemon -S -q -x radvd -- -p $PIDFILE_RADVD -C $CONF_RADVD @@ -215,6 +220,11 @@ case "$1" in echo $? fi + + echo "Removing firewall rules..." + $PIRATEBOX_FOLDER/bin/firewall.sh -k + echo $? + if [ -e $PIDFILE_RADVD ] ; then echo "Stopping radvd..." start-stop-daemon -K -q -p $PIDFILE_RADVD
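Review bot: The comments above `FIREWALL_FETCH_DNS` and `FIREWALL_FETCH_HTTP` do not say what "collect" means operationally, and the `"yes"` default switches on DNS interception for every install that sources this file through `bin/firewall.sh`, so the consequence should be spelled out. Suggested wording for the first: `# "yes": bin/firewall.sh DNATs every tcp/udp port-53 packet arriving on DNSMASQ_INTERFACE to this box (IPv4 only), whatever resolver the client asked for.` and for the second `# "yes": likewise every tcp port-80 packet arriving on that interface is DNATed to this box's port 80.` Because both `firewall.sh -s` and `-k` read these flags at run time, a value changed while the box is up leaves the already-added rule in the nat table until the next stop with the old value, which deserves a line here too: `# Change values only while the box is stopped: stop removes only rules whose flag is still "yes".`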
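Review bot: `firewall.sh -s` is invoked without `-c`/`-f`, so it falls back to its built-in `/opt/piratebox/conf/piratebox.conf` and `firewall.conf` even though this init script locates the binary through `$PIRATEBOX_FOLDER`; if the two differ, the DNAT rules are built from a different `IP`/`DNSMASQ_INTERFACE` than the services started above. Passing the paths keeps them in step, e.g. `$PIRATEBOX_FOLDER/bin/firewall.sh -s -c "$PIRATEBOX_FOLDER/conf/piratebox.conf" -f "$PIRATEBOX_FOLDER/conf/firewall.conf"` — presumably this script already holds the config path it sourced earlier, in which case that variable is the better argument. `log_end_msg $?` will also only ever report the status of the last `iptables` call inside the script, since the script does not aggregate failures. The `start)` case begins and ends outside the hunk.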
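Review bot: The alternative init script has the same gap as the Debian one: `$PIRATEBOX_FOLDER/bin/firewall.sh -s` is called without `-c`/`-f`, so the firewall script reads `/opt/piratebox/conf/` regardless of where `$PIRATEBOX_FOLDER` points, and the `echo $?` that follows shows only the status of the script's last `iptables` call. Pass the config locations explicitly, e.g. `$PIRATEBOX_FOLDER/bin/firewall.sh -s -c "$PIRATEBOX_FOLDER/conf/piratebox.conf" -f "$PIRATEBOX_FOLDER/conf/firewall.conf"`, assuming the config lives under that folder on this target as it does in the OpenWrt layout. The surrounding `start)` case is outside the hunk.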