1 | /* IPCop helper program - wirelessctrl |
2 | * | |
3 | * This program is distributed under the terms of the GNU General Public | |
4 | * Licence. See the file COPYING for details. | |
5 | * | |
6 | * (c) Alan Hourihane, 2003 | |
0a56f193 | 7 | * |
8 | * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $ |
9 | * | |
10 | */ | |
11 | ||
#include "libsmooth.h"
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "setuid.h"
23 | |
/* Handle of wireless/config; opened in main() and closed by exithandler(). */
FILE *fd = NULL;
/* BLUE (wireless) interface name; stays empty until main() resolves BLUE_DEV,
 * and exithandler() adds no rules while it is empty. */
char blue_dev[STRING_SIZE] = "";
/* Scratch buffer every iptables command line is formatted into before
 * being handed to safe_system(). */
char command[STRING_SIZE];
27 | ||
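/* atexit() hook: terminate both wireless chains with a DROP rule so that,
 * whatever path the program took to exit (including an early exit() after
 * the handler was registered), BLUE traffic that matched no ACCEPT rule is
 * blocked. The rules carry a comment so the byte counters can be collected
 * by collectd. Finally closes the config file if it is still open.
 * A command that does not fit the shared buffer is reported and skipped
 * rather than executed in truncated form. */
void exithandler(void)
{
	static const char *const chains[][2] = {
		{ "WIRELESSINPUT",   "DROP_Wirelessinput" },
		{ "WIRELESSFORWARD", "DROP_Wirelessforward" },
	};

	/* blue_dev is empty when main() gave up before a BLUE interface was
	 * resolved; there is nothing to block in that case. */
	if (blue_dev[0] != '\0') {
		for (size_t i = 0; i < sizeof chains / sizeof chains[0]; i++) {
			int n = snprintf(command, sizeof command,
			                 "/sbin/iptables -A %s -i %s -j DROP -m comment --comment '%s'",
			                 chains[i][0], blue_dev, chains[i][1]);
			if (n < 0 || (size_t)n >= sizeof command) {
				fprintf(stderr, "wirelessctrl: DROP rule for %s does not fit, not applied\n",
				        chains[i][0]);
				continue;
			}
			safe_system(command);
		}
	}

	if (fd) {
		fclose(fd);
		fd = NULL;
	}
}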
42 | ||
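/* Shared TCP/UDP port list used by the DROPSAMBA rules. */
static const char samba_ports[] = "135,137,138,139,445,1025";

static int run_rule(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

/* Format an iptables command line into the shared `command` buffer and run
 * it through safe_system(). Returns 0 when the command was executed and -1
 * when the formatted line did not fit; a truncated command is never run,
 * because a cut-off rule would not express what the caller intended. */
static int run_rule(const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	int n = vsnprintf(command, sizeof command, fmt, ap);
	va_end(ap);

	if (n < 0 || (size_t)n >= sizeof command) {
		fprintf(stderr, "wirelessctrl: rule does not fit the command buffer, skipped\n");
		return -1;
	}
	safe_system(command);
	return 0;
}

/* Return non-zero when `mac` is exactly "xx:xx:xx:xx:xx:xx" with hex digits.
 * The old check only tested for 17 characters; since the value is spliced
 * into a shell command line, its shape is verified here. NULL is rejected. */
static int valid_mac(const char *mac)
{
	if (mac == NULL || strlen(mac) != 17)
		return 0;
	for (size_t i = 0; i < 17; i++) {
		if (i % 3 == 2) {
			if (mac[i] != ':')
				return 0;
		} else if (!isxdigit((unsigned char)mac[i])) {
			return 0;
		}
	}
	return 1;
}

/* Return non-zero when `s` is a plain decimal TCP port number, 1..65535.
 * Only digits are accepted (no sign, no whitespace) because the value is
 * spliced into a shell command line. NULL and "" are rejected. */
static int valid_port(const char *s)
{
	if (s == NULL || *s == '\0')
		return 0;

	size_t len = 0;
	for (; s[len] != '\0'; len++) {
		if (!isdigit((unsigned char)s[len]) || len >= 5)
			return 0;
	}

	long port = 0;
	for (size_t i = 0; i < len; i++)
		port = port * 10 + (s[i] - '0');
	return port >= 1 && port <= 65535;
}

/* Split the next comma-separated field out of *cursor, NUL-terminating it in
 * place. Unlike strtok(), an empty field ("a,,b") yields "" instead of being
 * skipped, so later fields never shift position. Returns NULL once the line
 * is exhausted. */
static char *next_field(char **cursor)
{
	char *start = *cursor;

	if (start == NULL)
		return NULL;

	char *sep = strchr(start, ',');
	if (sep != NULL) {
		*sep = '\0';
		*cursor = sep + 1;
	} else {
		*cursor = NULL;
	}
	return start;
}

/* Read the ethernet and firewall-option settings, resolve GREEN_DEV into
 * `green_dev` and BLUE_DEV into the global `blue_dev`, and return the
 * populated key/value list. Exits with status 1 when a file or key cannot
 * be read or an interface name fails VALID_DEVICE, and with status 0 when
 * BLUE_DEV is empty (no wireless network configured) — in that case no
 * rule is wanted at all, and exithandler() is not registered yet. */
static struct keyvalue *load_settings(char *green_dev)
{
	struct keyvalue *kv = initkeyvalues();

	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}
	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read optionsfw settings\n");
		exit(1);
	}

	if (!findkey(kv, "GREEN_DEV", green_dev)) {
		fprintf(stderr, "Cannot read GREEN_DEV\n");
		exit(1);
	}
	if (!VALID_DEVICE(green_dev)) {
		fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
		exit(1);
	}

	if (!findkey(kv, "BLUE_DEV", blue_dev)) {
		fprintf(stderr, "Cannot read BLUE_DEV\n");
		exit(1);
	}
	/* An empty BLUE_DEV is legitimate; a non-empty one must be a sane
	 * interface name because it ends up in every iptables command line. */
	if (blue_dev[0] == '\0') {
		fprintf(stderr, "No BLUE interface\n");
		exit(0);
	}
	if (!VALID_DEVICE(blue_dev)) {
		fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
		exit(1);
	}

	return kv;
}

/* When DROPPROXY is present and not "off", drop all TCP from BLUE except
 * traffic to the proxy port so wireless clients have to go through the
 * proxy. Loads proxy/settings into kv; exits with status 1 when the port
 * is unavailable or is not a valid port number. `buffer` is scratch space
 * for findkey(). */
static void restrict_to_proxy(struct keyvalue *kv, char *buffer)
{
	if (!findkey(kv, "DROPPROXY", buffer) || strcmp(buffer, "off") == 0)
		return;

	if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !findkey(kv, "PROXY_PORT", buffer)) {
		fprintf(stderr, "Cannot read proxy settings\n");
		exit(1);
	}
	if (!valid_port(buffer)) {
		fprintf(stderr, "Bad PROXY_PORT: %s\n", buffer);
		exit(1);
	}

	run_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
	run_rule("/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
}

/* When DROPSAMBA is present and not "off", drop the SMB/NetBIOS ports from
 * BLUE over both TCP and UDP, for forwarded traffic and for traffic to the
 * firewall itself. `buffer` is scratch space for findkey(). */
static void block_samba(struct keyvalue *kv, char *buffer)
{
	static const char *const protos[] = { "tcp", "udp" };

	if (!findkey(kv, "DROPSAMBA", buffer) || strcmp(buffer, "off") == 0)
		return;

	for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
		run_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -p %s -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, protos[i], samba_ports);
		run_rule("/sbin/iptables -A WIRELESSINPUT -i %s -p %s -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, protos[i], samba_ports);
	}
}

/* Add the ACCEPT rules for one line of wireless/config, which is read as
 * "id,ipaddress,macaddress,enabled" (any further fields are ignored). The
 * line is modified in place. Lines that are not enabled, are short on
 * fields, or whose MAC and IP both fail validation get no rule, so a
 * malformed entry fails closed: the trailing DROP rules still apply. */
static void allow_node(char *line, const char *green_dev)
{
	/* Strip the line terminator; also handles CRLF files and a last line
	 * without a newline, where chopping one character blindly would eat
	 * part of the "enabled" field. */
	size_t len = strlen(line);
	while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
		line[--len] = '\0';

	char *cursor = line;
	(void)next_field(&cursor); /* numeric id, not needed for the rules */
	char *ipaddress = next_field(&cursor);
	char *macaddress = next_field(&cursor);
	char *enabled = next_field(&cursor);

	if (enabled == NULL || strncmp(enabled, "on", 2) != 0)
		return;

	int mac_ok = valid_mac(macaddress);
	int ip_ok = ipaddress != NULL && VALID_IP_AND_MASK(ipaddress);

	if (mac_ok && ip_ok) {
		/* Both given: tie the MAC to the address for a bit more assurance. */
		run_rule("/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
		run_rule("/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
		run_rule("/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
		return;
	}

	if (mac_ok) {
		run_rule("/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
		run_rule("/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
		run_rule("/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
	}

	if (ip_ok) {
		run_rule("/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
		run_rule("/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
		run_rule("/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
	}
}

/* Append the LOG rules that record what the trailing DROP rules will
 * discard. Logging is on by default and is switched off only when the
 * corresponding key exists and is exactly "off". `buffer` is scratch space
 * for findkey(). */
static void add_log_rules(struct keyvalue *kv, char *buffer)
{
	if (!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer, "off") != 0)
		run_rule("/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);

	if (!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer, "off") != 0)
		run_rule("/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
}

/* Rebuild the WIRELESSINPUT and WIRELESSFORWARD chains for the BLUE
 * interface from the IPCop/IPFire configuration files: optional proxy and
 * samba restrictions, one ACCEPT set per enabled node in wireless/config,
 * optional LOG rules, and (via exithandler()) a final DROP on each chain.
 * Every value that reaches an iptables command line is validated first.
 * Returns 0; fatal configuration problems exit with status 1. */
int main(void)
{
	char green_dev[STRING_SIZE] = "";
	char buffer[STRING_SIZE] = "";
	struct keyvalue *kv = NULL;

	if (!initsetuid())
		exit(1);

	/* Start from empty chains; output is discarded because the chains
	 * may legitimately be empty already. */
	safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
	safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");

	kv = load_settings(green_dev);

	/* Marker file: leave the chains empty, without even the DROP rules
	 * (exithandler() is deliberately registered only after this point). */
	FILE *nodrop = fopen(CONFIG_ROOT "/wireless/nodrop", "r");
	if (nodrop != NULL) {
		fclose(nodrop);
		return 0;
	}

	/* From here on, every exit path must leave the block rules in place. */
	atexit(exithandler);

	/* No node list means no ACCEPT rules; exithandler() still adds the DROPs. */
	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
		exit(0);

	restrict_to_proxy(kv, buffer);
	block_samba(kv, buffer);

	while (fgets(buffer, sizeof buffer, fd))
		allow_node(buffer, green_dev);

	add_log_rules(kv, buffer);

	/* fd is closed by exithandler(). */
	return 0;
}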