#!/bin/bash
########################
# name: firewall.sh
# author: folkert
# date: dec2k3
#######################################
#
# sets up the netfilter facility for use with the hotspot authorization
# scheme and offers a frontend for other scripts to authorize/deauthorize
# access for hosts with a given IP/MAC combination.
#
###############################################################################
# iptables binary shipped with the hotspot image (not the system one).
IPTABLES=/share/hotspot/sbin/iptables
# Client-facing wireless side: the unit's own address, the client subnet and the interface.
WIFI_SELF="10.11.12.13"
WIFI_NET="10.11.12.0/24"
WIFI_DEV="wlan0"
# Uplink side towards the Internet; INET_SELF is also the SNAT address for client traffic.
INET_SELF="172.23.5.12"
INET_NET="172.23.5.0/27"
INET_DEV="eth0"
# Upstream resolvers that even unauthenticated clients may reach on UDP/53
# (see the DNS forwarding rules in "reset").
NS1="213.148.129.10"
NS2="213.148.130.10"
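usage()
{
  # Print the command synopsis to stderr and exit 1.
  # Lists every subcommand the dispatcher understands, including the
  # per-table forms of "show" which the earlier synopsis left out.
  cat >&2 <<EOF
usage:
$0 reset
$0 show
$0 show auth
$0 show mangle|nat|filter
$0 addClient IP MAC
$0 delClient IP MAC
$0 addServer IP
$0 delServer IP
EOF
  exit 1
}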
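fferror()
{
  # Report a failed iptables invocation and exit with its status.
  # $1 - exit status of the failed iptables call (callers pass "$?").
  # Diagnostics go to stderr so callers capturing stdout are not confused.
  # A missing/empty status falls back to 1: a bare "exit" here would re-use
  # the status of the preceding echo (0) and report success on an error path.
  echo "^_^'" >&2
  echo "error setting netfilter: ${1:-1}" >&2
  exit "${1:-1}"
}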
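###############################################################################
# Command dispatcher. Everything below drives the bundled iptables binary.
#
# Traffic model built by "reset":
#   * unauthenticated wifi clients may reach only the resolvers NS1/NS2
#     (UDP/53) and the unit's own web server; their other HTTP/HTTPS is
#     DNAT'ed to the unit (captive portal), everything else is REJECTed;
#   * "addClient IP MAC" opens FORWARD + SNAT for that source pair and exempts
#     it from the DNAT; "addServer IP" whitelists a destination for everybody.
#
# Chain naming: F* live in filter, D* in nat/PREROUTING (DNAT exemptions),
# S* in nat/POSTROUTING (SNAT). *CLIENT hold authenticated pairs, *SERVER
# hold whitelisted destinations.
#
# NOTE(review): authorisation is keyed on a source IP/MAC pair. Both are
# trivially spoofable on an open wireless network, so this only deters casual
# piggy-backing on an authenticated client's session; it is not an identity.
# NOTE(review): the unauthenticated DNS allowance accepts any UDP/53 payload to
# NS1/NS2. If those resolvers recurse, that is a DNS-tunnelling path for
# unauthenticated clients; serving DNS locally (the commented "OWN DNS" block)
# or rate-limiting narrows it.
###############################################################################

# Linux loopback interface. The original rules used the BSD name "lo0", which
# matches no interface under Linux netfilter, so loopback traffic fell through
# to the final REJECT. Set it back only if this platform really names it lo0.
LO_DEV="lo"

# Argument guards. $2/$3 arrive from the authorising scripts, ultimately from
# whatever the portal learned about the client, and are handed to iptables as
# separate words: an unchecked "1.2.3.4 -j ACCEPT" would become extra iptables
# arguments. Only dotted-quad IPv4 (optionally with /prefix for servers) and
# colon-separated MACs are accepted; hostnames are deliberately rejected
# because they would be resolved once, silently, at rule-insertion time.
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
IPV4_CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
MAC_RE='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

# valid_ipv4 ADDR       - true if ADDR is a dotted quad.
valid_ipv4() { [[ "$1" =~ $IPV4_RE ]]; }
# valid_ipv4_cidr ADDR  - true if ADDR is a dotted quad with optional /prefix.
valid_ipv4_cidr() { [[ "$1" =~ $IPV4_CIDR_RE ]]; }
# valid_mac ADDR        - true if ADDR is aa:bb:cc:dd:ee:ff (any case).
valid_mac() { [[ "$1" =~ $MAC_RE ]]; }

# show_table TABLE - list one netfilter table (numeric) under a banner.
show_table()
{
  local banner
  case "$1" in
    mangle) banner="___mangle_______________________________________" ;;
    nat)    banner="___nat__________________________________________" ;;
    filter) banner="___filter_______________________________________" ;;
    *)      banner="___$1" ;;
  esac
  echo "$banner"
  $IPTABLES -t "$1" --list -n
  echo; echo
}

case "$1" in
reset)
  # Flush rules, delete user chains and zero counters in every table we use.
  # (-X fails harmlessly on a fresh box with no user chains.)
  for TABLE in filter nat mangle; do
    for SWITCH in F X Z; do
      $IPTABLES -t "$TABLE" "-$SWITCH"
    done
  done
  # User chains, see the naming note above.
  $IPTABLES -t filter -N FCLIENT
  $IPTABLES -t filter -N FSERVER
  $IPTABLES -t nat -N DCLIENT
  $IPTABLES -t nat -N DSERVER
  $IPTABLES -t nat -N SCLIENT
  $IPTABLES -t nat -N SSERVER
  # Default-deny on every built-in filter chain. The explicit REJECT rules
  # appended last are what normally answer; DROP is only the fallback.
  for CHAIN in INPUT OUTPUT FORWARD; do
    $IPTABLES -t filter -P "$CHAIN" DROP
  done
  # Loopback: the portal's own daemons talk to each other over it.
  $IPTABLES -t filter -A INPUT -i "$LO_DEV" -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o "$LO_DEV" -j ACCEPT
  # ICMP self<->wifi, all types, both directions (ping/diagnostics).
  $IPTABLES -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p icmp -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p icmp -j ACCEPT
  # DHCP. Requests arrive as broadcasts; a RENEW is unicast to the server,
  # which the original broadcast-only rule rejected until the client fell
  # back to rebinding by broadcast, hence the second INPUT rule.
  # NOTE(review): broadcast replies (OFFER/ACK to 255.255.255.255) do not
  # match "-d $WIFI_NET"; presumably the DHCP server sends those via a raw
  # socket that bypasses OUTPUT - confirm on the target platform.
  $IPTABLES -t filter -A INPUT -i "$WIFI_DEV" -s 0.0.0.0/0 -d 255.255.255.255 -p udp --dport 67:68 -j ACCEPT
  $IPTABLES -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p udp --dport 67 -j ACCEPT
  $IPTABLES -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 67:68 -j ACCEPT
  # HTTP/HTTPS to the portal itself; this is where the DNAT below lands.
  for PORT in 80 443; do
    $IPTABLES -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p tcp --dport "$PORT" -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p tcp --sport "$PORT" -j ACCEPT
  done
  ### ENABLE IF USING OWN DNS SERVER ON THE UNIT ###
  #
  # #allow dns traffic self<->wifi
  # $IPTABLES -t filter -A INPUT -i "$WIFI_DEV" -s "$WIFI_NET" -d "$WIFI_SELF" -p udp --dport 53 -j ACCEPT
  # $IPTABLES -t filter -A OUTPUT -o "$WIFI_DEV" -s "$WIFI_SELF" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
  # #allow dns traffic self<->upstream resolvers
  # for NS in "$NS1" "$NS2"; do
  #   $IPTABLES -t filter -A OUTPUT -o "$INET_DEV" -s "$INET_SELF" -d "$NS" -p udp --dport 53 -j ACCEPT
  #   $IPTABLES -t filter -A INPUT -i "$INET_DEV" -s "$NS" -d "$INET_SELF" -p udp --sport 53 -j ACCEPT
  # done
  #
  ### /ENABLE ###########################
  ### DISABLE IF USING OWN DNS SERVER ON THE UNIT ###
  #
  # Unauthenticated clients may resolve against NS1/NS2 only, so that the
  # captive-portal redirect has a name to redirect (see the tunnelling note).
  for NS in "$NS1" "$NS2"; do
    $IPTABLES -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -d "$NS" -p udp --dport 53 -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -s "$NS" -d "$WIFI_NET" -p udp --sport 53 -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s "$WIFI_NET" -p udp --dport 53 -d "$NS" -o "$INET_DEV" -j SNAT --to "$INET_SELF"
  done
  #
  ### /DISABLE ##########################
  ### LAB ACCESS - DISABLE BEFORE DEPLOYING THE UNIT IN THE FIELD ###
  #
  # Telnet and SMB to/from the unit on every interface, with no source
  # restriction, i.e. also from the wifi side, and telnet is cleartext.
  # Enabled unless HOTSPOT_LAB_ACCESS=0 is in the environment when "reset"
  # runs; set that (or change the default) before the unit goes out.
  if [ "${HOTSPOT_LAB_ACCESS:-1}" != 0 ]; then
    for PORT in 23 139; do
      $IPTABLES -t filter -A INPUT -p tcp --dport "$PORT" -j ACCEPT
      $IPTABLES -t filter -A OUTPUT -p tcp --sport "$PORT" -j ACCEPT
    done
  fi
  #
  ### /LAB ACCESS ####################################################
  # wifi -> inet: whitelisted destinations first, then authenticated clients,
  # everything else gets a polite REJECT instead of the DROP policy.
  $IPTABLES -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FSERVER
  $IPTABLES -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j FCLIENT
  $IPTABLES -t filter -A FORWARD -i "$WIFI_DEV" -o "$INET_DEV" -s "$WIFI_NET" -j REJECT --reject-with icmp-net-prohibited
  # inet -> wifi: only replies to flows that went out the other way.
  # (ESTABLISHED only, no RELATED: ICMP errors for client flows are dropped.)
  $IPTABLES -t filter -A FORWARD -i "$INET_DEV" -o "$WIFI_DEV" -d "$WIFI_NET" -m state --state ESTABLISHED -j ACCEPT
  # POSTROUTING: SNAT for authenticated clients and for whitelisted servers.
  # "-d ! NET" is the older inversion spelling the bundled binary expects;
  # newer iptables releases write it "! -d NET".
  $IPTABLES -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SCLIENT
  $IPTABLES -t nat -A POSTROUTING -s "$WIFI_NET" -d ! "$WIFI_NET" -j SSERVER
  # PREROUTING: ACCEPT inside a nat chain ends nat processing for the flow, so
  # a DCLIENT/DSERVER hit skips the portal DNAT below. Everybody else's
  # HTTP/HTTPS to a foreign destination is rewritten to the unit.
  $IPTABLES -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DCLIENT
  $IPTABLES -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -j DSERVER
  for PORT in 80 443; do
    $IPTABLES -t nat -A PREROUTING -i "$WIFI_DEV" -d ! "$WIFI_SELF" -p tcp --dport "$PORT" -j DNAT --to "$WIFI_SELF"
  done
  ### DEBUG LOGGING - DISABLE BEFORE DEPLOYING THE UNIT IN THE FIELD ###
  #
  # #log all other packets
  # $IPTABLES -t filter -A INPUT -j LOG --log-level warning --log-prefix " >>INPUT<< "
  # $IPTABLES -t filter -A OUTPUT -j LOG --log-level warning --log-prefix " <<OUTPUT>> "
  #
  ### /DEBUG LOGGING #################################################
  # Final explicit REJECT on every built-in chain (more polite than the
  # DROP policy, which only catches what falls past these).
  for CHAIN in INPUT OUTPUT FORWARD; do
    $IPTABLES -t filter -A "$CHAIN" -j REJECT
  done
  ;;
addClient)
  # Authorise one IP/MAC pair. Appends to three chains; a failure part-way
  # exits via fferror and leaves whatever was already appended in place.
  # Note: no duplicate check, adding the same pair twice appends twice and a
  # single delClient removes only one copy.
  IP="$2"; MAC="$3"
  if ! valid_ipv4 "$IP" || ! valid_mac "$MAC"; then
    usage
  fi
  $IPTABLES -t filter -A FCLIENT -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -A DCLIENT -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -A SCLIENT -s "$IP" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "added Client: IP $IP MAC $MAC"
  ;;
delClient)
  # Revoke one IP/MAC pair. The -D rules must match addClient word for word.
  IP="$2"; MAC="$3"
  if ! valid_ipv4 "$IP" || ! valid_mac "$MAC"; then
    usage
  fi
  $IPTABLES -t filter -D FCLIENT -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -D DCLIENT -s "$IP" -m mac --mac-source "$MAC" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -D SCLIENT -s "$IP" -d ! "$WIFI_NET" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "removed Client: IP $IP MAC $MAC"
  ;;
addServer)
  # Whitelist a destination (IPv4 or IPv4/prefix) for every wifi client.
  SERVER="$2"
  valid_ipv4_cidr "$SERVER" || usage
  $IPTABLES -t filter -A FSERVER -s "$WIFI_NET" -d "$SERVER" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -A DSERVER -s "$WIFI_NET" -d "$SERVER" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -A SSERVER -s "$WIFI_NET" -d "$SERVER" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "added Server: IP $SERVER"
  ;;
delServer)
  # Remove a whitelisted destination; -D rules mirror addServer exactly.
  SERVER="$2"
  valid_ipv4_cidr "$SERVER" || usage
  $IPTABLES -t filter -D FSERVER -s "$WIFI_NET" -d "$SERVER" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -D DSERVER -s "$WIFI_NET" -d "$SERVER" -j ACCEPT || fferror "$?"
  $IPTABLES -t nat -D SSERVER -s "$WIFI_NET" -d "$SERVER" -j SNAT --to "$INET_SELF" || fferror "$?"
  echo "removed Server: IP $SERVER"
  ;;
show)
  # "show TABLE" lists one table, "show auth" the six authorisation chains,
  # plain "show" all three tables.
  case "$2" in
  mangle|nat|filter)
    show_table "$2"
    ;;
  auth)
    echo "___clients______________________________________"
    $IPTABLES -t filter --list FCLIENT -n
    $IPTABLES -t nat --list DCLIENT -n
    $IPTABLES -t nat --list SCLIENT -n
    echo "___servers______________________________________"
    $IPTABLES -t filter --list FSERVER -n
    $IPTABLES -t nat --list DSERVER -n
    $IPTABLES -t nat --list SSERVER -n
    ;;
  *)
    for TABLE in mangle nat filter; do
      show_table "$TABLE"
    done
    ;;
  esac
  ;;
*)
  usage
  ;;
esac
exit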