#!/bin/bash #Modified by oXis for the Wifi Pineapple (OpenWRT) # Written by Sitwon and The Doctor. # Copyright (C) 2013 Project Byzantium # This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version. arp () { cat /proc/net/arp; } # arp function IPTABLES=/usr/sbin/iptables ARP=arp IP=172.16.42.1 case "$1" in 'init') # Convert the IP address of the client interface into a netblock. CLIENTNET=`echo $IP | sed 's/1$/0\/24/'` # Exempt traffic which does not originate from the client network. $IPTABLES -t mangle -I PREROUTING -p all ! -s $CLIENTNET -j RETURN # Traffic not coming from an accepted user gets marked 99. $IPTABLES -t mangle -A fwmark -j MARK --set-mark 99 # Traffic which has been marked 99 and is headed for 80/TCP or 443/TCP # should be redirected to the captive portal web server. $IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $IP:80 # Need to activate HTTPS on the nginx server of the PineAP, so for now HTTPS traffic is dropped. #$IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 443 -j DNAT --to-destination $IP:443 # for use with dns spoff $IPTABLES -t filter -A forwarding_rule -p udp --dport 53 -j ACCEPT $IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination $IP:53 $IPTABLES -t filter -A input_rule -p tcp --dport 80 -j ACCEPT #Webserver #$IPTABLES -t filter -A input_rule -p tcp --dport 443 -j ACCEPT #Webserver $IPTABLES -t filter -A input_rule -p tcp --dport 1471 -j ACCEPT #PineAP admin page $IPTABLES -t filter -A input_rule -p tcp --dport 22 -j ACCEPT #SSH # All other traffic which is marked 99 is just dropped $IPTABLES -t filter -A forwarding_rule -m mark --mark 99 -j DROP # Even on INPUT rule $IPTABLES -t filter -A input_rule -m mark --mark 99 -j DROP exit 0 ;; 'add') # $2: IP address of client. CLIENT=$2 # Isolate the MAC address of the client in question. CLIENTMAC=`$ARP -n | grep ':' | grep $CLIENT | awk '{print $4}'` # Add the MAC address of the client to the whitelist, so it'll be able # to access the mesh even if its IP address changes. $IPTABLES -t mangle -I fwmark -m mac --mac-source $CLIENTMAC -j RETURN $IPTABLES -A INPUT -m mac --mac-source 74:da:38:5a:03:66 -p udp --dport 53 -j ACCEPT exit 0 ;; 'remove') # $2: IP address of client. CLIENT=$2 # Isolate the MAC address of the client in question. CLIENTMAC=`$ARP -n | grep ':' | grep $CLIENT | awk '{print $4}'` # Delete the MAC address of the client from the whitelist. $IPTABLES -t mangle -D fwmark -m mac --mac-source $CLIENTMAC -j RETURN exit 0 ;; 'purge') CLIENTNET=`echo $IP | sed 's/1$/0\/24/'` # Purge the user defined chains $IPTABLES -t mangle -F fwmark $IPTABLES -t nat -F prerouting_rule $IPTABLES -t filter -F input_rule $IPTABLES -t filter -F forwarding_rule $IPTABLES -t mangle -D PREROUTING -p all ! -s $CLIENTNET -j RETURN $IPTABLES -t nat -D prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination $IP:53 exit 0 ;; 'list') # Display the currently running IP tables ruleset. $IPTABLES --list -t nat -n $IPTABLES --list -t mangle -n $IPTABLES --list -t filter -n exit 0 ;; *) echo "USAGE: $0 {initialize|add |remove |purge|list}" exit 0 esac