hak5/nano-tetra-modules
1
0
Fork 0
mirror of https://github.com/hak5/nano-tetra-modules.git synced 2025-10-29 16:58:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
nano-tetra-modules/EvilPortal/executable/executable
Josh 30826cc50e EvilPortal: Update to 3.0 (#29) 
🎉 🎉
2018-06-29 11:01:22 +10:00

99 lines
3.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
#Modified by oXis for the Wifi Pineapple (OpenWRT)
# Written by Sitwon and The Doctor.
# Copyright (C) 2013 Project Byzantium
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.
arp () { cat /proc/net/arp; } # arp function
IPTABLES=/usr/sbin/iptables
ARP=arp
IP=172.16.42.1
case "$1" in
'init')
# Convert the IP address of the client interface into a netblock.
CLIENTNET=`echo $IP | sed 's/1$/0\/24/'`
# Exempt traffic which does not originate from the client network.
$IPTABLES -t mangle -I PREROUTING -p all ! -s $CLIENTNET -j RETURN
# Traffic not coming from an accepted user gets marked 99.
$IPTABLES -t mangle -A fwmark -j MARK --set-mark 99
# Traffic which has been marked 99 and is headed for 80/TCP or 443/TCP
# should be redirected to the captive portal web server.
$IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $IP:80
# Need to activate HTTPS on the nginx server of the PineAP, so for now HTTPS traffic is dropped.
#$IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 443 -j DNAT --to-destination $IP:443
# for use with dns spoff
$IPTABLES -t filter -A forwarding_rule -p udp --dport 53 -j ACCEPT
$IPTABLES -t nat -A prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination $IP:53
$IPTABLES -t filter -A input_rule -p tcp --dport 80 -j ACCEPT #Webserver
#$IPTABLES -t filter -A input_rule -p tcp --dport 443 -j ACCEPT #Webserver
$IPTABLES -t filter -A input_rule -p tcp --dport 1471 -j ACCEPT #PineAP admin page
$IPTABLES -t filter -A input_rule -p tcp --dport 22 -j ACCEPT #SSH
# All other traffic which is marked 99 is just dropped
$IPTABLES -t filter -A forwarding_rule -m mark --mark 99 -j DROP
# Even on INPUT rule
$IPTABLES -t filter -A input_rule -m mark --mark 99 -j DROP
exit 0
;;
'add')
# $2: IP address of client.
CLIENT=$2
# Isolate the MAC address of the client in question.
CLIENTMAC=`$ARP -n | grep ':' | grep $CLIENT | awk '{print $4}'`
# Add the MAC address of the client to the whitelist, so it'll be able
# to access the mesh even if its IP address changes.
$IPTABLES -t mangle -I fwmark -m mac --mac-source $CLIENTMAC -j RETURN
$IPTABLES -A INPUT -m mac --mac-source 74:da:38:5a:03:66 -p udp --dport 53 -j ACCEPT
exit 0
;;
'remove')
# $2: IP address of client.
CLIENT=$2
# Isolate the MAC address of the client in question.
CLIENTMAC=`$ARP -n | grep ':' | grep $CLIENT | awk '{print $4}'`
# Delete the MAC address of the client from the whitelist.
$IPTABLES -t mangle -D fwmark -m mac --mac-source $CLIENTMAC -j RETURN
exit 0
;;
'purge')
CLIENTNET=`echo $IP | sed 's/1$/0\/24/'`
# Purge the user defined chains
$IPTABLES -t mangle -F fwmark
$IPTABLES -t nat -F prerouting_rule
$IPTABLES -t filter -F input_rule
$IPTABLES -t filter -F forwarding_rule
$IPTABLES -t mangle -D PREROUTING -p all ! -s $CLIENTNET -j RETURN
$IPTABLES -t nat -D prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination $IP:53
exit 0
;;
'list')
# Display the currently running IP tables ruleset.
$IPTABLES --list -t nat -n
$IPTABLES --list -t mangle -n
$IPTABLES --list -t filter -n
exit 0
;;
*)
echo "USAGE: $0 {initialize|add <IP>|remove <IP>|purge|list}"
exit 0
esac
Reference in New Issue View Git Blame Copy Permalink