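#!/bin/bash
#
# ipchains packet filter for a wireless gateway (Linux 2.2-era, stateless).
# Run with "bash -x" to trace the rules as they are installed.
#
# Usage: <this script> [-n]
#   The script first re-runs itself under "bash -n" as a syntax check; the
#   inner run is skipped only when the first argument is "-n".
#
# Reads /etc/wireless.conf.sh (sourced as root: keep it root-owned and not
# writable by anyone else). The only variable this script takes from it is
# gw_open: unless gw_open is "open", wireless clients may reach the Internet
# but not good_net, the network of the default-route interface.
#
# Interface roles:
#   gw_if       device of the default route (eth0 when there is none)
#   wifs        every other non-loopback device, aliases (e.g. eth0:1) included
#   wifs_major  the same list without aliases
#   wlan0       hard-coded wireless device whose address gets the local ports
#
# $wifs, $wifs_major, $tports and $uports are space-separated lists and are
# deliberately expanded unquoted in the "for" loops below.

if [ "${1:-}" != "-n" ]; then
  /bin/bash -n "$0" "$@" || exit 1 # syntax check before any rule is touched
fi

set -u

. /etc/wireless.conf.sh

readonly ic='/sbin/ipchains'
# "<nm> <dev> i" prints the device's address, "<nm> <dev> m" its network.
readonly nm='/usr/local/bin/netmask'

# Forwarding stays off until the forward chain has been populated below.
echo 0 > /proc/sys/net/ipv4/ip_forward
PATH="/sbin:/usr/sbin:/usr/local/sbin/:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/lib/java/bin:/usr/games/bin:/usr/games:/opt/gnome/bin:/opt/kde/bin:/usr/openwin/bin"

# Default-route device: "route -n" columns are Destination Gateway Genmask
# Flags Metric Ref Use Iface; only the first default route is considered.
gw_if=$(route -n | awk '$1 == "0.0.0.0" { print $8; exit }')
[ -n "$gw_if" ] || gw_if=eth0

gwif_ip=$("$nm" "$gw_if" i)
good_net=$("$nm" "$gw_if" m)

# Device names are the first word of the non-indented lines of ifconfig
# output; the gateway device (and its aliases) and loopback are left out.
list_ifs() {
  /sbin/ifconfig | cut -d ' ' -f 1 | grep -v '^$' | grep -vF -- "$gw_if" | grep -v lo
}
wifs=$(list_ifs)
wifs_major=$(list_ifs | grep -v ':')
wif_ip=$("$nm" wlan0 i)

wnet=172.16.0.0/12
tports='22 37 53 80 3128' # ssh, time, domain, http, squid
uports='53 3130'          # domain, squid ICP

modprobe ipchains

# Rule helpers: the chain is fixed, every other ipchains argument is passed
# through unchanged.
add_input()   { "$ic" -A input "$@"; }
add_forward() { "$ic" -A forward "$@"; }

# Flush everything and set the policies: input REJECT, forward DENY (silent
# drop), output unrestricted. -X removes any user-defined chains.
"$ic" -F input
"$ic" -F output
"$ic" -F forward
echo Default policy
"$ic" -P input REJECT
"$ic" -P output ACCEPT
"$ic" -P forward DENY # pings return
"$ic" -X

######### Incoming
echo Incoming
add_input -i lo -j ACCEPT
# DHCP client -> server broadcasts, on every interface
add_input -s 0.0.0.0/0 bootpc -d 255.255.255.255 bootps -p udp -j ACCEPT
add_input -s 0.0.0.0/0 bootpc -d 255.255.255.255 bootps -p tcp -j ACCEPT
# Routing multicast: protocol 89 is OSPF, protocol 2 is IGMP (group
# membership reports, needed alongside OSPF's multicast groups).
add_input -d 224.0.0.5 -p 89 -j ACCEPT
add_input -d 224.0.0.6 -p 89 -j ACCEPT
add_input -d 224.0.0.5 -p 2 -j ACCEPT
add_input -d 224.0.0.6 -p 2 -j ACCEPT

for dev in $wifs_major; do
  ip=$("$nm" "$dev" i)
  # DHCP addressed to this device's own address
  add_input -s 0.0.0.0/0 bootpc -d "$ip" bootps -i "$dev" -p udp -j ACCEPT
  add_input -s 0.0.0.0/0 bootpc -d "$ip" bootps -i "$dev" -p tcp -j ACCEPT
  # Anti-spoofing: only wnet sources are accepted on wireless devices (logged).
  add_input -s ! "$wnet" -i "$dev" -j DENY -l
done

# Local services, reachable on the gateway address and the wireless address.
for p in $tports; do
  add_input -d "$gwif_ip" "$p" -p tcp -j ACCEPT
  add_input -d "$wif_ip" "$p" -p tcp -j ACCEPT
done
for p in $uports; do
  add_input -d "$gwif_ip" "$p" -p udp -j ACCEPT
  add_input -d "$wif_ip" "$p" -p udp -j ACCEPT
done

# "Established" approximation: ipchains has no connection tracking, so any
# TCP segment that is not a bare SYN (! -y) is taken as part of a session.
add_input -d "$good_net" -s "$wnet" ! -y -p tcp -j ACCEPT
add_input -d "$gwif_ip" ! -y -p tcp -j ACCEPT
for dev in $wifs; do
  ip=$("$nm" "$dev" i)
  add_input -d "$ip" -s "$wnet" ! -y -p tcp -j ACCEPT
done

# Per-address rules for every local device, the gateway device included.
for dev in $wifs $gw_if; do
  ip=$("$nm" "$dev" i)
  add_input -d "$ip" 53 -p udp -j ACCEPT          # queries to our named
  # Replies to named: it picks its source address per interface, so the
  # reply may arrive at any local address. NOTE: this admits every UDP
  # packet with source port 53 to every local UDP port, not only DNS
  # replies; a stateless filter cannot do better, so keep the set of UDP
  # listeners on these addresses small.
  add_input -d "$ip" --sport 53 -p udp -j ACCEPT
  add_input -d "$ip" -p icmp -j ACCEPT
  add_input -d "$ip" -p 89 -j ACCEPT              # OSPF
  add_input -d "$ip" -p 2 -j ACCEPT               # IGMP
  add_input -d "$ip" -j REJECT -l                 # catch-all for this address, logged
done

add_input -d "$wnet" -j ACCEPT                    # anything destined for the wireless net
if [ "${gw_open:-}" != "open" ]; then
  for dev in $wifs_major; do
    # Wireless clients may reach the Internet but not good_net.
    add_input -d ! "$good_net" -s "$wnet" -i "$dev" -j ACCEPT
  done
fi
#add_input --dport 137:139 -j REJECT # Netbios
add_input -j REJECT -l                            # catch-all, logged

######### Forward
echo forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Same non-SYN "established" approximation for forwarded TCP.
add_forward -d "$gwif_ip" ! -y -p tcp -j ACCEPT
for dev in $wifs; do
  ip=$("$nm" "$dev" i)
  add_forward -d "$ip" -s "$wnet" ! -y -p tcp -j ACCEPT
done
add_forward -s "$good_net" -d "$wnet" -j MASQ     # good_net -> wireless, masqueraded
if [ "${gw_open:-}" != "open" ]; then
  # Out through the gateway device to anything outside good_net = the Internet.
  add_forward -d ! "$good_net" -i "$gw_if" -j MASQ
fi
add_forward -j REJECT -l                          # catch-all, logged

#########
#ipchains -nxvL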