1 /* IPCop helper program - wirelessctrl
2 *
3 * This program is distributed under the terms of the GNU General Public
4 * Licence. See the file COPYING for details.
5 *
6 * (c) Alan Hourihane, 2003
7 *
8 */
9
#include "libsmooth.h"
#include "setuid.h"

#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
21
/* Currently open config file (wireless/nodrop or wireless/config); closed by
 * exithandler() once that handler has been registered in main(). */
FILE *fd = NULL;
/* Name of the BLUE (wireless) interface, read from ethernet/settings in
 * main(); empty string means no BLUE interface is configured. */
char blue_dev[STRING_SIZE] = "";
/* Scratch buffer for the iptables command lines passed to safe_system(). */
char command[STRING_SIZE];
25
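/*
 * Append the catch-all DROP rule to one wireless chain.
 *
 * chain    iptables chain name (WIRELESSINPUT / WIRELESSFORWARD).
 * comment  rule comment; collectd keys on these 'DROP_Wireless*' marks to
 *          count the dropped bytes, so they must stay exactly as they are.
 *
 * The command line is only executed when it fits the buffer completely: a
 * truncated iptables invocation is never handed to the shell.
 */
static void append_wireless_drop(const char *chain, const char *comment) {
	int len = snprintf(command, STRING_SIZE - 1,
	                   "/sbin/iptables -A %s -i %s -j DROP -m comment --comment '%s'",
	                   chain, blue_dev, comment);
	if (len < 0 || len >= STRING_SIZE - 1) {
		fprintf(stderr, "wirelessctrl: DROP rule for %s too long, not installed\n", chain);
		return;
	}
	safe_system(command);
}

/*
 * atexit() handler registered by main() once a BLUE interface is known.
 * Every exit() from then on -- normal or error -- ends by appending the
 * final DROP to both wireless chains, so traffic that matched none of the
 * per-node ACCEPT/RETURN rules is blocked (fail closed).  Also releases the
 * config file handle main() left open.
 */
void exithandler(void) {
	if (blue_dev[0] != '\0') {
		append_wireless_drop("WIRELESSINPUT", "DROP_Wirelessinput");
		append_wireless_drop("WIRELESSFORWARD", "DROP_Wirelessforward");
	}

	if (fd) {
		fclose(fd);
		fd = NULL;
	}
}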
38
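/*
 * Format an iptables command line into the shared `command` buffer and hand
 * it to safe_system().  The command is refused when it would not fit: a
 * cut-off rule is never executed.
 *
 * fmt, ...  printf-style format and arguments; callers validate the values
 *           they splice in (interface, addresses, ports) before this point.
 * Returns 0 when the command was run, -1 when it was skipped for length.
 */
static int run_iptables(const char *fmt, ...) {
	va_list ap;
	va_start(ap, fmt);
	int len = vsnprintf(command, STRING_SIZE - 1, fmt, ap);
	va_end(ap);

	if (len < 0 || len >= STRING_SIZE - 1) {
		fprintf(stderr, "wirelessctrl: iptables command too long, skipped\n");
		return -1;
	}
	safe_system(command);
	return 0;
}

/*
 * Accept only a canonical Ethernet MAC: six hex octets separated by colons
 * ("01:23:45:67:89:ab"), the form the iptables mac match takes.  The old
 * check only required 17 characters, so any 17-character field reached the
 * shell through safe_system() unchecked.
 *
 * Returns non-zero when `mac` is well-formed.
 */
static int is_valid_mac(const char *mac) {
	if (mac == NULL || strlen(mac) != 17)
		return 0;
	for (int i = 0; i < 17; i++) {
		if (i % 3 == 2) {
			if (mac[i] != ':')
				return 0;
		} else if (!isxdigit((unsigned char)mac[i])) {
			return 0;
		}
	}
	return 1;
}

/*
 * Accept a TCP port written as a bare decimal number in 1..65535 -- no sign,
 * whitespace or trailing text.  Used for PROXY_PORT before it is spliced
 * into a rule.
 *
 * Returns non-zero when `s` is a valid port.
 */
static int is_valid_port(const char *s) {
	if (s == NULL || !isdigit((unsigned char)*s))
		return 0;
	char *end;
	errno = 0;
	long port = strtol(s, &end, 10);
	return errno == 0 && *end == '\0' && port >= 1 && port <= 65535;
}

/*
 * Install the ACCEPT (input) / RETURN (forward) rules for one configured
 * wireless node.  Either credential may be missing or malformed and the
 * rules are built from what is valid:
 *   - MAC and IP both valid -> one rule pinning the pair (strictest),
 *   - otherwise one rule for a valid MAC and one for a valid IP.
 * A node with neither gets no rule and is caught by the trailing DROP.
 */
static void add_node_rules(const char *ipaddress, const char *macaddress) {
	int mac_ok = is_valid_mac(macaddress);
	int ip_ok = (ipaddress != NULL) && VALID_IP_AND_MASK(ipaddress);

	if (mac_ok && ip_ok) {
		run_iptables("/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
		run_iptables("/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
		return;
	}
	if (mac_ok) {
		run_iptables("/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
		run_iptables("/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
	}
	if (ip_ok) {
		run_iptables("/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
		run_iptables("/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
	}
}

/*
 * Rebuild the WIRELESSINPUT / WIRELESSFORWARD chains for the BLUE interface:
 * flush them, read the interface and firewall option settings, add the
 * optional proxy-only and anti-Samba DROP rules, one ACCEPT/RETURN pair per
 * configured node, the optional LOG rules, and -- via exithandler() -- the
 * final DROP.  Exit codes: 0 on success or when there is nothing to do,
 * 1 on a configuration error (the DROP rules are still installed when the
 * exit handler is already registered).
 */
int main(void) {
	char green_dev[STRING_SIZE] = "";
	char buffer[STRING_SIZE] = "";
	struct keyvalue *kv = NULL;

	if (!initsetuid())
		exit(1);

	/* Start from empty wireless chains; the rest of main() rebuilds them. */
	safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
	safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");

	/* kv collects every settings file read below; it lives until exit. */
	kv = initkeyvalues();

	if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
		fprintf(stderr, "Cannot read ethernet settings\n");
		exit(1);
	}

	if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
		fprintf(stderr, "Cannot read optionsfw settings\n");
		exit(1);
	}

	/* GREEN_DEV is only sanity-checked here; no rule below refers to it. */
	if (!findkey(kv, "GREEN_DEV", green_dev)) {
		fprintf(stderr, "Cannot read GREEN_DEV\n");
		exit(1);
	}
	if (!VALID_DEVICE(green_dev)) {
		fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
		exit(1);
	}

	/* BLUE_DEV ends up in every rule, so it must be a plain device name. */
	if (!findkey(kv, "BLUE_DEV", blue_dev)) {
		fprintf(stderr, "Cannot read BLUE_DEV\n");
		exit(1);
	}
	if (blue_dev[0] != '\0' && !VALID_DEVICE(blue_dev)) {
		fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
		exit(1);
	}
	if (blue_dev[0] == '\0') {
		fprintf(stderr, "No BLUE interface\n");
		exit(0);
	}

	/* A "nodrop" marker file switches the whole policy off: the chains stay
	 * flushed and, as the exit handler is not registered yet, no trailing
	 * DROP is added either. */
	if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r"))) {
		fclose(fd);
		fd = NULL;
		return 0;
	}

	/* From here on every exit path, including the error exits below, ends
	 * with exithandler() appending the DROP rules: fail closed. */
	atexit(exithandler);

	if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
		exit(0);

	/* DROPPROXY=off: restrict BLUE to the proxy port.
	 * NOTE(review): this option is tested for "off" while DROPSAMBA below is
	 * tested for "not off"; kept as found -- confirm the intended polarity
	 * against the web UI that writes optionsfw/settings. */
	if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer, "off") == 0) {
		if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !findkey(kv, "PROXY_PORT", buffer)) {
			fprintf(stderr, "Cannot read proxy settings\n");
			exit(1);
		}
		/* The port is spliced into a shell command line: only a bare number
		 * may pass.  exit(1) still installs the DROP rules via exithandler(). */
		if (!is_valid_port(buffer)) {
			fprintf(stderr, "Bad PROXY_PORT: %s\n", buffer);
			exit(1);
		}
		run_iptables("/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
		run_iptables("/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
	}

	/* Do not let BLUE reach a Samba server running on the firewall itself:
	 * drop the NetBIOS/SMB/RPC ports for both protocols, forward and input. */
	if (findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer, "off")) {
		static const char samba_ports[] = "135,137,138,139,445,1025";
		static const char *const protos[] = { "tcp", "udp" };
		for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
			run_iptables("/sbin/iptables -A WIRELESSFORWARD -i %s -p %s -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, protos[i], samba_ports);
			run_iptables("/sbin/iptables -A WIRELESSINPUT -i %s -p %s -m multiport --ports %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, protos[i], samba_ports);
		}
	}

	/* One node per line: "id,ipaddress,macaddress,enabled[,...]".
	 * A line with fewer than four fields is skipped instead of dereferenced:
	 * the old code passed the NULL token to strncmp()/strlen(), and dying by
	 * signal (rather than exit()) bypasses the atexit handler, so the chains
	 * were left without their final DROP. */
	while (fgets(buffer, STRING_SIZE, fd)) {
		/* Strip the line end only; a last line without one keeps its final char. */
		buffer[strcspn(buffer, "\r\n")] = '\0';

		/* strtok() is fine here: single-threaded, one tokenisation at a time. */
		strtok(buffer, ",");                      /* field 1: node id, not needed */
		char *ipaddress = strtok(NULL, ",");
		char *macaddress = strtok(NULL, ",");
		char *enabled = strtok(NULL, ",");

		if (enabled == NULL)
			continue;

		/* NOTE(review): nodes whose fourth field is *not* "on" get the
		 * ACCEPT/RETURN rules, exactly as before.  That reads inverted for a
		 * field named "enabled" -- confirm the column layout written by the
		 * wireless CGI before changing it. */
		if (strncmp(enabled, "on", 2) != 0)
			add_node_rules(ipaddress, macaddress);
	}

	/* LOG what the trailing DROP is about to discard, unless the admin
	 * switched the logging off (DROPWIRELESSINPUT / DROPWIRELESSFORWARD). */
	if (!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer, "off") == 0)
		run_iptables("/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);

	if (!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer, "off") == 0)
		run_iptables("/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);

	/* exithandler() now closes fd and appends the final DROP rules. */
	return 0;
}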