1 | /* IPCop helper program - wirelessctrl |
2 | * | |
3 | * This program is distributed under the terms of the GNU General Public | |
4 | * Licence. See the file COPYING for details. | |
5 | * | |
6 | * (c) Alan Hourihane, 2003 | |
0a56f193 | 7 | * |
8 | */ |
9 | ||
#include "libsmooth.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <signal.h>
#include <errno.h>
#include <ctype.h>
#include <stdarg.h>

#include "setuid.h"
#include "netutil.h"
23 | ||
/* Handle of the last config file opened by main() (wireless/nodrop or
 * wireless/config); exithandler() closes it if it is still open. */
FILE *fd = NULL;
/* Name of the BLUE (wireless) interface as found in the merged settings;
 * an empty string means there is no BLUE interface and nothing to do. */
char blue_dev[STRING_SIZE] = { 0 };
/* Scratch buffer holding the iptables command line handed to safe_system(). */
char command[STRING_SIZE] = { 0 };
27 | ||
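/*
 * Append the terminal DROP rule for one wireless chain.
 *
 * chain: iptables chain name (WIRELESSINPUT / WIRELESSFORWARD).
 * tag:   comment attached to the rule; collectd uses it to pick up the
 *        byte counters of the dropped traffic.
 *
 * The formatted command is only executed when it fits the buffer: a silently
 * truncated rule would install something other than the intended DROP.
 */
static void append_drop_rule(const char *chain, const char *tag) {
	int n = snprintf(command, STRING_SIZE,
		"/sbin/iptables --wait -A %s -i %s -j DROP -m comment --comment '%s'",
		chain, blue_dev, tag);
	if (n < 0 || n >= STRING_SIZE) {
		fprintf(stderr, "wirelessctrl: DROP rule for %s too long, not installed\n", chain);
		return;
	}
	safe_system(command);
}

/*
 * atexit() handler registered by main() once a BLUE interface is known.
 *
 * It terminates both wireless chains with a DROP so that every exit path
 * taken after registration (normal completion as well as exit(1) on a bad
 * setting) leaves traffic that matched no RETURN rule blocked, and closes
 * the config file handle if it is still open. Runs only on normal process
 * termination; it is not invoked if the process is killed by a signal.
 */
void exithandler(void) {
	/* no BLUE interface: the chains were flushed in main() and stay empty */
	if (strlen(blue_dev) > 0) {
		append_drop_rule("WIRELESSINPUT", "DROP_Wirelessinput");
		append_drop_rule("WIRELESSFORWARD", "DROP_Wirelessforward");
	}

	if (fd) {
		fclose(fd);
		fd = NULL;
	}
}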
40 | ||
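/*
 * Format one iptables command line into the global 'command' buffer and
 * hand it to safe_system().
 *
 * fmt, ...: printf-style format and arguments.
 *
 * Returns 0 when the rule was passed on, -1 when the formatted command did
 * not fit the buffer; a truncated rule is never executed because it would
 * install something other than what was asked for.
 */
static int add_rule(const char *fmt, ...) __attribute__((format(printf, 1, 2)));

static int add_rule(const char *fmt, ...) {
	va_list ap;
	va_start(ap, fmt);
	int n = vsnprintf(command, STRING_SIZE, fmt, ap);
	va_end(ap);

	if (n < 0 || n >= STRING_SIZE) {
		fprintf(stderr, "wirelessctrl: iptables rule too long, not installed\n");
		return -1;
	}
	safe_system(command);
	return 0;
}

/*
 * A MAC address is accepted only in the colon-separated form iptables
 * expects: six hex pairs, 17 characters in total. Anything else (including
 * shell metacharacters in a 17-character field) is rejected before the value
 * is interpolated into a command line.
 */
static int valid_mac(const char *mac) {
	if (strlen(mac) != 17)
		return 0;
	for (int i = 0; i < 17; i++) {
		if (i % 3 == 2) {
			if (mac[i] != ':')
				return 0;
		} else if (!isxdigit((unsigned char)mac[i])) {
			return 0;
		}
	}
	return 1;
}

/*
 * Accept only a plain decimal TCP port number 1..65535; the value is
 * interpolated into an iptables command line.
 */
static int valid_port(const char *s) {
	char *end;
	errno = 0;
	long v = strtol(s, &end, 10);
	return *s != '\0' && *end == '\0' && errno == 0 && v >= 1 && v <= 65535;
}

/*
 * Rebuild the WIRELESSINPUT / WIRELESSFORWARD chains for the BLUE interface.
 *
 * Both chains are flushed first. If there is no BLUE interface, the captive
 * portal handles BLUE, or wireless/nodrop exists, the chains are left empty.
 * Otherwise exithandler() is registered so that the final DROP rules are
 * installed on every subsequent exit path, then optional proxy / samba DROP
 * rules are added, followed by one RETURN rule per enabled client listed in
 * wireless/config, and optional LOG rules.
 *
 * Returns 0 on success; exits with status 1 when a settings file cannot be
 * read or contains an invalid value.
 */
int main(void) {
	char buffer[STRING_SIZE];
	char *id, *ipaddress, *macaddress, *enabled;
	struct keyvalue *kv = NULL;
	struct keyvalue *captive_settings = NULL;

	if (!(initsetuid()))
		exit(1);

	/* flush wireless iptables */
	safe_system("/sbin/iptables --wait -F WIRELESSINPUT > /dev/null 2> /dev/null");
	safe_system("/sbin/iptables --wait -F WIRELESSFORWARD > /dev/null 2> /dev/null");

	memset(buffer, 0, STRING_SIZE);

	/* Init the keyvalue structure */
	kv = initkeyvalues();

	/* Read in the current values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	/* Read in the firewall values */
	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read optionsfw settings\n");
		exit(1);
	}

	// Read captive portal settings
	captive_settings = initkeyvalues();
	if (!readkeyvalues(captive_settings, CONFIG_ROOT "/captive/settings")) {
		fprintf(stderr, "Could not read captive portal settings\n");
		exit(1);
	}

	/* Get the BLUE interface details */
	if (findkey(kv, "BLUE_DEV", blue_dev) > 0) {
		if ((strlen(blue_dev) > 0) && !VALID_DEVICE(blue_dev)) {
			fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
			exit(1);
		}
	}

	/* no BLUE interface: the flushed chains are all that is needed */
	if (strlen(blue_dev) == 0) {
		exit(0);
	}

	// Check if the captive portal is enabled on blue. If so, we will
	// just keep the chains flushed and do not add any rules.
	char captive_enabled[STRING_SIZE];
	if (findkey(captive_settings, "ENABLE_BLUE", captive_enabled) > 0) {
		if (strcmp(captive_enabled, "on") == 0) {
			return 0;
		}
	}

	/* presence of the nodrop file disables all filtering on BLUE */
	if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r"))) {
		fclose(fd);
		fd = NULL;
		return 0;
	}

	/* register exit handler to ensure the block rule is always present */
	atexit(exithandler);

	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) {
		exit(0);
	}

	/* restrict blue access to the proxy port */
	if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer, "on") == 0) {
		/* Read the proxy values */
		if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) {
			fprintf(stderr, "Cannot read proxy settings\n");
			exit(1);
		}
		/* exit(1) here still runs exithandler(), so the chains end in DROP */
		if (!valid_port(buffer)) {
			fprintf(stderr, "Bad PROXY_PORT: %s\n", buffer);
			exit(1);
		}

		add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
		add_rule("/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
	}

	/* do not allow blue to access a samba server running on the local firewall */
	if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "on") == 0) {
		add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		add_rule("/sbin/iptables --wait -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
		add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
		add_rule("/sbin/iptables --wait -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
	}

	/* one line per client: index,ipaddress,macaddress,enabled */
	while (fgets(buffer, STRING_SIZE, fd)) {
		/* strip the line terminator; unlike buffer[strlen(buffer) - 1] this is
		 * safe on an empty string and on a final line without a newline */
		buffer[strcspn(buffer, "\r\n")] = '\0';

		id = strtok(buffer, ",");
		ipaddress = strtok(NULL, ",");
		macaddress = strtok(NULL, ",");
		enabled = strtok(NULL, ",");

		/* A short or malformed line used to dereference NULL. A crash skips
		 * the atexit handler, i.e. the final DROP rules would never be
		 * installed and the chains would be left open, so skip the line. */
		if (!id || !ipaddress || !macaddress || !enabled) {
			fprintf(stderr, "Skipping malformed line in wireless config\n");
			continue;
		}

		if (strcmp(enabled, "on") != 0)
			continue;

		int mac_ok = valid_mac(macaddress);
		int ip_ok = VALID_IP_AND_MASK(ipaddress);

		if (mac_ok && ip_ok) {
			/* both specified, added security */
			add_rule("/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
			add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
		} else {
			if (mac_ok) {
				add_rule("/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
				add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
			}

			if (ip_ok) {
				add_rule("/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j RETURN", ipaddress, blue_dev);
				add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
			}
		}
	}

	/* with this rule you can disable the logging of the dropped wireless input packets */
	if (findkey(kv, "DROPWIRELESSINPUT", buffer) && strcmp(buffer, "on") == 0) {
		add_rule("/sbin/iptables --wait -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
	}

	/* with this rule you can disable the logging of the dropped wireless forward packets */
	if (findkey(kv, "DROPWIRELESSFORWARD", buffer) && strcmp(buffer, "on") == 0) {
		add_rule("/sbin/iptables --wait -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
	}

	/* the DROP rules closing both chains are appended by exithandler() */
	return 0;
}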