Materiale fuss-captive-portal

debian/changelog

+fuss-server (4.0-11) lenny; urgency=low
+
+  * New firewall and config for Captive Portal
+
+ -- Simone Piccardi <piccardi@truelite.it>  Wed, 25 Jan 2012 14:38:41 +0100
+
 fuss-server (4.0-10) lenny; urgency=low
 
   * Removed apt-listbugs dep to avoid CDD building failure

firewall

-#!/bin/sh
+#!/bin/bash
 #
 ### BEGIN INIT INFO
 # Provides:          firewall
@@ -30,7 +30,6 @@
 
 MYNAME="$0"
 
-
 # Kill me on all errors
 set -e
 
@@ -57,6 +56,31 @@ SERVICES_ALLOW=$BASE_DIR/firewall-external-services
 PORT_REACH_HOSTS=$BASE_DIR/firewall-allowed-wan-host-services
 
 
+##
+## Added for captive portal management
+##
+CP_CFG_FILE=$BASE_DIR/fuss-captive-portal.conf
+if [ -f "$CP_CFG_FILE" ]; then
+    . "$CP_CFG_FILE"
+    if [ -n "$HS_NET" ]; then 
+	HS_NETWORK=$(netmask -s $HS_NET|cut -d/ -f1)
+	HS_NETMASK=$(netmask -s $HS_NET|cut -d/ -f2)
+	HS_UAMLISTEN=$(echo $HS_NETWORK|cut -d. -f1-3).$(( $(echo $HS_NETWORK|cut -d. -f 4) +1 ))
+    fi
+    echo "Captive Portal configuration detected in $CP_CFG_FILE"
+    echo HS_NET=$HS_NET
+    echo HS_NETMASK=$HS_NETMASK
+    echo HS_NETWORK=$HS_NETWORK
+    echo HS_UAMLISTEN=$HS_UAMLISTEN
+else
+    # erase just to be sure
+    #echo "no captive portal configuration ($CP_CFG_FILE not present)"
+    HS_LANIF=''
+    HS_NET=''
+    HS_NETWORK=''
+    HS_NETMASK=''
+fi
+
 ##
 ## Function to block a set of hosts
 ##
@@ -171,7 +195,7 @@ modprobe ip_conntrack_sip
 
 
 case $1 in
-  start|restart|reload|force-reload)
+  start)
     echo "Starting firewall, local network/s: $LOCALNET"
 
     # Clean all
@@ -222,7 +246,7 @@ case $1 in
 	$IPT -A INPUT -s $i -m state --state NEW -p tcp --dport 3128 -j DROP
 	$IPT -A INPUT -s $i -m state --state NEW -j ACCEPT
     done
-    # SSH ha accesso consentito dappertutto
+    # SSH always open
     $IPT -A INPUT -j allowed
     if [ ! -z "$EXTERN_IFACE" ]; then
 	$IPT -A INPUT -i $EXTERN_IFACE -m state --state NEW -j services
@@ -230,6 +254,8 @@ case $1 in
     $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
     $IPT -A INPUT -j DROP
 
+    echo -n "INPUT -- " 
+
     ##
     ## OUTPUT
     ##
@@ -239,21 +265,52 @@ case $1 in
     $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
     $IPT -A OUTPUT -j DROP
 
+    echo -n "OUTPUT -- " 
+
     ##
     ## FORWARD
     ##
     $IPT -A FORWARD -j allowed
     if [ ! -z "$EXTERN_IFACE" ]; then
-	$IPT -A FORWARD -o $EXTERN_IFACE -s $LOCALNET -m state --state NEW -j outside
+	for i in $LOCALNET; do
+	$IPT -A FORWARD -o $EXTERN_IFACE -s $i -m state --state NEW -j outside
+	done
+	# optional if captive portal is present
+	if [ -n "$HS_NET" ]; then
+	    $IPT -A FORWARD -o $EXTERN_IFACE -s $HS_NET -m state --state NEW -j outside
+	fi
     fi
     $IPT -A FORWARD -j DROP
 
+    echo -n "FORWARD -- " 
 
     ##
     ## POSTROUTING
     ##
     # masquerade outgoing packages
-    $IPT -t nat -A POSTROUTING -o $EXTERN_IFACE -s $LOCALNET -j MASQUERADE  
+    for i in $LOCALNET; do
+	$IPT -t nat -A POSTROUTING -o $EXTERN_IFACE -s $i -j MASQUERADE  
+    done
+    if [ -n "$HS_NET" ]; then
+	$IPT -t nat -A POSTROUTING -o $EXTERN_IFACE -s $HS_NET -j MASQUERADE 
+    fi
+
+    echo "POSTROUTING" 
+
+    ##
+    ## Coova chilli specific start setup
+    ##
+    # optional if captive portal is present
+    if  [ -n "$HS_NET" -a -x /etc/fuss-server/chilli-up.sh ]; then
+	TUNTAP=$(ip route|grep $HS_NET|awk '{print $3}')
+	if [ -n "$TUNTAP" ]; then
+	    echo "starting chilli rules"
+	    /etc/fuss-server/chilli-up.sh
+	    $IPT -I INPUT -i $TUNTAP -p tcp --dport 8081 -j ACCEPT
+	else
+	    echo "chilli is down, skipping"
+	fi
+    fi
 
     # END
     exit 0
@@ -261,13 +318,21 @@ case $1 in
 
   stop) 
     echo "Stopping firewall, local network/s: $LOCALNET"
+
+    # if chilli then stop
+    if [ -n "$HS_NET" -a -x /etc/fuss-server/chilli-down.sh ]; then
+	echo "stopping chilli rules"
+	/etc/fuss-server/chilli-down.sh
+    fi
+
     # Clean all
+    echo cleaning all
     $IPT -F
     $IPT -t mangle -F
     $IPT -t nat -F
-    $IPT -X allowed  || true
-    $IPT -X services || true
-    $IPT -X outside  || true
+    $IPT -X allowed  2>/dev/null || true
+    $IPT -X services 2>/dev/null || true
+    $IPT -X outside  2>/dev/null || true
 
     #
     # Revert on/off some kernel features
@@ -281,10 +346,15 @@ case $1 in
     exit 0
     ;;
 
+   restart|reload|force-reload)
+	$0 stop
+	$0 start
+	;;
+
   *)
-    echo "Usage: $0 {stop|start|restart|reload|force-reload}"
-    exit 1
-    ;;
+	echo "Usage: $0 {stop|start|restart|reload|force-reload}"
+	exit 1
+	;;
 
 esac
 

fuss-server.8

@@ -14,22 +14,9 @@ create a configuratione for the FUSS server.
 .SH OPTIONS
 .TP
 .B create
-Add access for the service.
+Configure all service and create file needed to run as a FUSS server.
 .TP
-.B del
-Delete access for the service.
-.TP
-.B rpc
-The operation concern an RPC service.
-.TP
-.B tcp
-The operation concern a TCP service.
-.TP
-.B udp
-The operation concern an UDP service.
-.TP
-.B value
-the numeric value of an RPC service (if used with rpc) or of a TCP or UDP port
-(if used with those protocols).
+.B purge
+Purge all FUSS server specific file, to consent a clean use of create
 .SH FILES
 /etc/fuss-server/*

scripts/insertusers.py

@@ -103,5 +103,6 @@ for user in users:
     pipe.write("%s\n" % passwd)
     pipe.close()
 
-    dumpfile.write("%s\t\t%s\t\t%s\n" % (name,username,passwd))
+    if optval.has_key('-f'):
+        dumpfile.write("%s\t\t%s\t\t%s\n" % (name,username,passwd))