*
* (c) Alan Hourihane, 2003
*
- * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $
- *
*/
#include "libsmooth.h"
char blue_dev[STRING_SIZE] = "";
char command[STRING_SIZE];
-void exithandler(void)
-{
- /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
- if(strlen(blue_dev))
- {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- }
-
- if (fd)
- fclose(fd);
+void exithandler(void) {
+ /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
+ if (strlen(blue_dev) > 0) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ }
+
+ if (fd)
+ fclose(fd);
}
-int main(void)
-{
- char green_dev[STRING_SIZE] = "";
- char buffer[STRING_SIZE];
- char *index, *ipaddress, *macaddress, *enabled;
- struct keyvalue *kv = NULL;
-
- if (!(initsetuid()))
- exit(1);
-
- /* flush wireless iptables */
- safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
- safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
-
- memset(buffer, 0, STRING_SIZE);
-
- /* Init the keyvalue structure */
- kv=initkeyvalues();
-
- /* Read in the current values */
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
-
- /* Read in the firewall values */
- if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
- {
- fprintf(stderr, "Cannot read optionsfw settings\n");
- exit(1);
- }
-
- /* Get the GREEN interface details */
- if(!findkey(kv, "GREEN_DEV", green_dev))
- {
- fprintf(stderr, "Cannot read GREEN_DEV\n");
- exit(1);
- }
- if (!VALID_DEVICE(green_dev))
- {
- fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
- exit(1);
- }
- /* Get the BLUE interface details */
- if(!findkey(kv, "BLUE_DEV", blue_dev))
- {
- fprintf(stderr, "Cannot read BLUE_DEV\n");
- exit(1);
- }
- if (strlen(blue_dev) && !VALID_DEVICE(blue_dev))
- {
- fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
- exit(1);
- }
- if(! strlen(blue_dev) > 0)
- {
- fprintf(stderr, "No BLUE interface\n");
- exit(0);
- }
-
- if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
- return 0;
-
- /* register exit handler to ensure the block rule is always present */
- atexit(exithandler);
-
- if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
- {
- exit(0);
- }
-
- /* restrict blue access tp the proxy port */
- if(findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"off")){
- /* Read the proxy values */
- if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer)))
- {
- fprintf(stderr, "Cannot read proxy settings\n");
- exit(1);
- }
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
- safe_system(command);
- }
-
- /* not allow blue to acces a samba server running on local fire*/
- if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"off")){
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
- }
-
- while (fgets(buffer, STRING_SIZE, fd))
- {
- buffer[strlen(buffer) - 1] = 0;
-
- index = strtok(buffer, ",");
- ipaddress = strtok(NULL, ",");
- macaddress = strtok(NULL, ",");
- enabled = strtok(NULL, ",");
-
- if (!strncmp(enabled, "on", 2)) {
-
- /* both specified, added security */
- if ((strlen(macaddress) == 17) &&
- (VALID_IP_AND_MASK(ipaddress))) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
- safe_system(command);
- } else {
-
- /* correctly formed mac address is 17 chars */
- if (strlen(macaddress) == 17) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
- safe_system(command);
- }
-
- if (VALID_IP_AND_MASK(ipaddress)) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
- safe_system(command);
- }
- }
- }
+int main(void) {
+ char green_dev[STRING_SIZE] = "";
+ char buffer[STRING_SIZE];
+ char *index, *ipaddress, *macaddress, *enabled;
+ struct keyvalue *kv = NULL;
+
+ if (!(initsetuid()))
+ exit(1);
+
+ /* flush wireless iptables */
+ safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
+ safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
+
+ memset(buffer, 0, STRING_SIZE);
+
+ /* Init the keyvalue structure */
+ kv=initkeyvalues();
+
+ /* Read in the current values */
+ if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
+ fprintf(stderr, "Cannot read ethernet settings\n");
+ exit(1);
+ }
+
+ /* Read in the firewall values */
+ if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
+ fprintf(stderr, "Cannot read optionsfw settings\n");
+ exit(1);
+ }
+
+ /* Get the GREEN interface details */
+ if (findkey(kv, "GREEN_DEV", green_dev) > 0) {
+ if (!VALID_DEVICE(green_dev)) {
+ fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
+ exit(1);
+ }
+ }
+
+ /* Get the BLUE interface details */
+ if (findkey(kv, "BLUE_DEV", blue_dev) > 0) {
+ if ((strlen(blue_dev) > 0) && !VALID_DEVICE(blue_dev)) {
+ fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
+ exit(1);
+ }
+ }
+
+ if (strlen(blue_dev) == 0) {
+ exit(0);
+ }
+
+ if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
+ return 0;
+
+ /* register exit handler to ensure the block rule is always present */
+ atexit(exithandler);
+
+ if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) {
+ exit(0);
+ }
+
+ /* restrict blue access tp the proxy port */
+ if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"off") == 0) {
+ /* Read the proxy values */
+ if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) {
+ fprintf(stderr, "Cannot read proxy settings\n");
+ exit(1);
+ }
+
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
+ safe_system(command);
+ }
+
+ /* not allow blue to acces a samba server running on local fire*/
+ if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"off")){
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ }
+
+ while (fgets(buffer, STRING_SIZE, fd)) {
+ buffer[strlen(buffer) - 1] = 0;
+
+ index = strtok(buffer, ",");
+ ipaddress = strtok(NULL, ",");
+ macaddress = strtok(NULL, ",");
+ enabled = strtok(NULL, ",");
+
+ if (strncmp(enabled, "on", 2) != 0) {
+ /* both specified, added security */
+ if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+ } else {
+ /* correctly formed mac address is 17 chars */
+ if (strlen(macaddress) == 17) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
+ safe_system(command);
}
- /* with this rule you can disable the logging of the dropped wireless input packets*/
- if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
+ if (VALID_IP_AND_MASK(ipaddress)) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
+ safe_system(command);
}
- /* with this rule you can disable the logging of the dropped wireless forward packets*/
- if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- }
-
- return 0;
+ }
+ }
+ }
+
+ /* with this rule you can disable the logging of the dropped wireless input packets*/
+ if (!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off") == 0) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ }
+
+ /* with this rule you can disable the logging of the dropped wireless forward packets*/
+ if (!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off") == 0) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ }
+
+ return 0;
}
projects / people / teissler / ipfire-2.x.git / commitdiff
