Commit 6dc9aef5 authored by Simone Piccardi's avatar Simone Piccardi

Materiale fuss-captive-portal

parent eeb8fb18
fuss-server (4.0-11) lenny; urgency=low
* New firewall and config for Captive Portal
-- Simone Piccardi <piccardi@truelite.it> Wed, 25 Jan 2012 14:38:41 +0100
fuss-server (4.0-10) lenny; urgency=low
* Removed apt-listbugs dep to avoid CDD building failure
......
#!/bin/sh
#!/bin/bash
#
### BEGIN INIT INFO
# Provides: firewall
......@@ -30,7 +30,6 @@
MYNAME="$0"
# Kill me on all errors
set -e
......@@ -57,6 +56,31 @@ SERVICES_ALLOW=$BASE_DIR/firewall-external-services
PORT_REACH_HOSTS=$BASE_DIR/firewall-allowed-wan-host-services
##
## Added for captive portal management
##
CP_CFG_FILE=$BASE_DIR/fuss-captive-portal.conf
if [ -f "$CP_CFG_FILE" ]; then
. "$CP_CFG_FILE"
if [ -n "$HS_NET" ]; then
HS_NETWORK=$(netmask -s $HS_NET|cut -d/ -f1)
HS_NETMASK=$(netmask -s $HS_NET|cut -d/ -f2)
HS_UAMLISTEN=$(echo $HS_NETWORK|cut -d. -f1-3).$(( $(echo $HS_NETWORK|cut -d. -f 4) +1 ))
fi
echo "Captive Portal configuration detected in $CP_CFG_FILE"
echo HS_NET=$HS_NET
echo HS_NETMASK=$HS_NETMASK
echo HS_NETWORK=$HS_NETWORK
echo HS_UAMLISTEN=$HS_UAMLISTEN
else
# erase just to be sure
#echo "no captive portal configuration ($CP_CFG_FILE not present)"
HS_LANIF=''
HS_NET=''
HS_NETWORK=''
HS_NETMASK=''
fi
##
## Function to block a set of hosts
##
......@@ -171,7 +195,7 @@ modprobe ip_conntrack_sip
case $1 in
start|restart|reload|force-reload)
start)
echo "Starting firewall, local network/s: $LOCALNET"
# Clean all
......@@ -222,7 +246,7 @@ case $1 in
$IPT -A INPUT -s $i -m state --state NEW -p tcp --dport 3128 -j DROP
$IPT -A INPUT -s $i -m state --state NEW -j ACCEPT
done
# SSH ha accesso consentito dappertutto
# SSH always open
$IPT -A INPUT -j allowed
if [ ! -z "$EXTERN_IFACE" ]; then
$IPT -A INPUT -i $EXTERN_IFACE -m state --state NEW -j services
......@@ -230,6 +254,8 @@ case $1 in
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -j DROP
echo -n "INPUT -- "
##
## OUTPUT
##
......@@ -239,21 +265,52 @@ case $1 in
$IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -j DROP
echo -n "OUTPUT -- "
##
## FORWARD
##
$IPT -A FORWARD -j allowed
if [ ! -z "$EXTERN_IFACE" ]; then
$IPT -A FORWARD -o $EXTERN_IFACE -s $LOCALNET -m state --state NEW -j outside
for i in $LOCALNET; do
$IPT -A FORWARD -o $EXTERN_IFACE -s $i -m state --state NEW -j outside
done
# optional if captive portal is present
if [ -n "$HS_NET" ]; then
$IPT -A FORWARD -o $EXTERN_IFACE -s $HS_NET -m state --state NEW -j outside
fi
fi
$IPT -A FORWARD -j DROP
echo -n "FORWARD -- "
##
## POSTROUTING
##
# masquerade outgoing packages
$IPT -t nat -A POSTROUTING -o $EXTERN_IFACE -s $LOCALNET -j MASQUERADE
for i in $LOCALNET; do
$IPT -t nat -A POSTROUTING -o $EXTERN_IFACE -s $i -j MASQUERADE
done
if [ -n "$HS_NET" ]; then
$IPT -t nat -A POSTROUTING -o $EXTERN_IFACE -s $HS_NET -j MASQUERADE
fi
echo "POSTROUTING"
##
## Coova chilli specific start setup
##
# optional if captive portal is present
if [ -n "$HS_NET" -a -x /etc/fuss-server/chilli-up.sh ]; then
TUNTAP=$(ip route|grep $HS_NET|awk '{print $3}')
if [ -n "$TUNTAP" ]; then
echo "starting chilli rules"
/etc/fuss-server/chilli-up.sh
$IPT -I INPUT -i $TUNTAP -p tcp --dport 8081 -j ACCEPT
else
echo "chilli is down, skipping"
fi
fi
# END
exit 0
......@@ -261,13 +318,21 @@ case $1 in
stop)
echo "Stopping firewall, local network/s: $LOCALNET"
# if chilli then stop
if [ -n "$HS_NET" -a -x /etc/fuss-server/chilli-down.sh ]; then
echo "stopping chilli rules"
/etc/fuss-server/chilli-down.sh
fi
# Clean all
echo cleaning all
$IPT -F
$IPT -t mangle -F
$IPT -t nat -F
$IPT -X allowed || true
$IPT -X services || true
$IPT -X outside || true
$IPT -X allowed 2>/dev/null || true
$IPT -X services 2>/dev/null || true
$IPT -X outside 2>/dev/null || true
#
# Revert on/off some kernel features
......@@ -281,10 +346,15 @@ case $1 in
exit 0
;;
restart|reload|force-reload)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {stop|start|restart|reload|force-reload}"
exit 1
;;
echo "Usage: $0 {stop|start|restart|reload|force-reload}"
exit 1
;;
esac
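Review bot: In the chilli start-up block of the `@@ -239,21 +265,52 @@` hunk, `TUNTAP=$(ip route|grep $HS_NET|awk '{print $3}')` uses the CIDR as an unanchored regular expression (dots match any character), so a route line that merely contains a similar string, or a second route for the same network, yields an empty or multi-word TUNTAP, and the unquoted `-i $TUNTAP` on the following `$IPT -I INPUT` line then inserts a wrong or malformed rule at the top of INPUT. An exact field match avoids both problems: `TUNTAP=$(ip route | awk -v net="$HS_NET" '$1 == net && $2 == "dev" { print $3; exit }')`, assuming the interface route has the usual `<net> dev <if>` form — confirm against the route chilli actually creates. The `-a` test on that same line and in the `stop)` hunk (`[ -n "$HS_NET" -a -x /etc/fuss-server/chilli-down.sh ]`) can become `[[ -n "$HS_NET" && -x … ]]` now that the shebang is `#!/bin/bash`. The `case $1 in` arms these hunks modify start outside the hunks.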
......@@ -14,22 +14,9 @@ create a configuratione for the FUSS server.
.SH OPTIONS
.TP
.B create
Add access for the service.
Configure all service and create file needed to run as a FUSS server.
.TP
.B del
Delete access for the service.
.TP
.B rpc
The operation concern an RPC service.
.TP
.B tcp
The operation concern a TCP service.
.TP
.B udp
The operation concern an UDP service.
.TP
.B value
the numeric value of an RPC service (if used with rpc) or of a TCP or UDP port
(if used with those protocols).
.B purge
Purge all FUSS server specific file, to consent a clean use of create
.SH FILES
/etc/fuss-server/*
......@@ -103,5 +103,6 @@ for user in users:
pipe.write("%s\n" % passwd)
pipe.close()
dumpfile.write("%s\t\t%s\t\t%s\n" % (name,username,passwd))
if optval.has_key('-f'):
dumpfile.write("%s\t\t%s\t\t%s\n" % (name,username,passwd))
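Review bot: `optval.has_key('-f')` is a Python 2-only method; `if '-f' in optval:` is equivalent and also runs under Python 3, assuming `optval` is a dict (inferred from the call, not visible here). The line guarded by that flag writes the cleartext `passwd` into `dumpfile`, so wherever `dumpfile` is opened (outside this hunk) it should be created with restrictive permissions, for instance by setting a restrictive umask before the open or calling `os.chmod` on the file afterwards. The enclosing `for user in users:` loop starts outside the hunk.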