Add Plustek Parallelport scanner module to core10
[people/pmueller/ipfire-2.x.git] / src / misc-progs / wirelessctrl.c
CommitLineData
900832fa
CS
1/* IPCop helper program - wirelessctrl
2 *
3 * This program is distributed under the terms of the GNU General Public
4 * Licence. See the file COPYING for details.
5 *
6 * (c) Alan Hourihane, 2003
0a56f193 7 *
900832fa
CS
8 * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $
9 *
10 */
11
12#include "libsmooth.h"
13#include <stdio.h>
14#include <stdlib.h>
15#include <unistd.h>
16#include <fcntl.h>
17#include <string.h>
18#include <sys/types.h>
19#include <sys/stat.h>
20#include <signal.h>
21#include "setuid.h"
42dc0090 22#include <errno.h>
900832fa
CS
23
24FILE *fd = NULL;
25char blue_dev[STRING_SIZE] = "";
26char command[STRING_SIZE];
27
0a56f193
CS
28void exithandler(void)
29{
0aaef8e9
CS
30 /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
31 if(strlen(blue_dev))
32 {
33 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
34 safe_system(command);
35 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
36 safe_system(command);
37 }
38
39 if (fd)
40 fclose(fd);
0a56f193
CS
41}
42
900832fa
CS
43int main(void)
44{
0aaef8e9
CS
45 char green_dev[STRING_SIZE] = "";
46 char buffer[STRING_SIZE];
47 char *index, *ipaddress, *macaddress, *enabled;
48 struct keyvalue *kv = NULL;
49
50 if (!(initsetuid()))
51 exit(1);
52
53 /* flush wireless iptables */
54 safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
55 safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
56
57 memset(buffer, 0, STRING_SIZE);
58
59 /* Init the keyvalue structure */
60 kv=initkeyvalues();
61
62 /* Read in the current values */
63 if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
64 {
65 fprintf(stderr, "Cannot read ethernet settings\n");
66 exit(1);
67 }
68
69 /* Read in the firewall values */
70 if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
71 {
72 fprintf(stderr, "Cannot read optionsfw settings\n");
73 exit(1);
74 }
75
76 /* Get the GREEN interface details */
77 if(!findkey(kv, "GREEN_DEV", green_dev))
78 {
79 fprintf(stderr, "Cannot read GREEN_DEV\n");
80 exit(1);
81 }
82 if (!VALID_DEVICE(green_dev))
83 {
84 fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
85 exit(1);
86 }
87 /* Get the BLUE interface details */
88 if(!findkey(kv, "BLUE_DEV", blue_dev))
89 {
90 fprintf(stderr, "Cannot read BLUE_DEV\n");
91 exit(1);
92 }
93 if (strlen(blue_dev) && !VALID_DEVICE(blue_dev))
94 {
95 fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
96 exit(1);
97 }
98 if(! strlen(blue_dev) > 0)
99 {
100 fprintf(stderr, "No BLUE interface\n");
101 exit(0);
102 }
103
104 /* register exit handler to ensure the block rule is always present */
105 atexit(exithandler);
106
107 if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
108 {
109 exit(0);
110 }
111
112 /* restrict blue access tp the proxy port */
113 if(findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"on")){
114 /* Read the proxy values */
115 if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer)))
116 {
117 fprintf(stderr, "Cannot read proxy settings\n");
118 exit(1);
119 }
120 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", buffer, blue_dev);
121 safe_system(command);
122 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", buffer, blue_dev);
123 safe_system(command);
124 }
125
126 /* not allow blue to acces a samba server running on local fire*/
127 if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"on")){
128 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --dport 135,137,138,139,445,1025-j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
129 safe_system(command);
130 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --dport 135,137,,138139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
131 safe_system(command);
132 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --dport 135,137,138,139,445,1025-j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
133 safe_system(command);
134 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --dport 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
135 safe_system(command);
136 }
137
138 while (fgets(buffer, STRING_SIZE, fd))
139 {
140 buffer[strlen(buffer) - 1] = 0;
141
142 index = strtok(buffer, ",");
143 ipaddress = strtok(NULL, ",");
144 macaddress = strtok(NULL, ",");
145 enabled = strtok(NULL, ",");
146
147 if (!strncmp(enabled, "on", 2)) {
148
149 /* both specified, added security */
150 if ((strlen(macaddress) == 17) &&
151 (VALID_IP(ipaddress))) {
152 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
153 safe_system(command);
154 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -o ! %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
155 safe_system(command);
156 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev);
157 safe_system(command);
158 } else {
159
160 /* correctly formed mac address is 17 chars */
161 if (strlen(macaddress) == 17) {
162 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
163 safe_system(command);
164 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -o ! %s -j ACCEPT", macaddress, blue_dev, green_dev);
165 safe_system(command);
166 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev);
167 safe_system(command);
168 }
169
170 if (VALID_IP(ipaddress)) {
171 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
172 safe_system(command);
173 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -o ! %s -j ACCEPT", ipaddress, blue_dev, green_dev);
174 safe_system(command);
175 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev);
176 safe_system(command);
177 }
178 }
179 }
180 }
181
182 /* with this rule you can disable the logging of the dropped wireless input packets*/
183 if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){
184 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
185 safe_system(command);
186 }
187 /* with this rule you can disable the logging of the dropped wireless forward packets*/
188 if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){
189 snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
190 safe_system(command);
191 }
192
193 return 0;
900832fa 194}