-rwxr-xr-xfiles/common/etc/firewall.user21
-rwxr-xr-xfiles/common/etc/fsm/inetable/trans/robinson.enter43
-rwxr-xr-xfiles/common/etc/fsm/inetable/trans/robinson.leave11
3 files changed, 57 insertions, 18 deletions
diff --git a/files/common/etc/firewall.user b/files/common/etc/firewall.user
new file mode 100755
index 0000000..2f5e3b0
--- /dev/null
+++ b/files/common/etc/firewall.user
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# create chains for the robinson fake net (depending on the inetable
+# state, this is used to route all TCP traffic to a local web server
+# or relay all traffic to the intended target):
+# - prerouting_robinson_fake: traffic destinated to the fake net
+# - prerouting_robinson_inet: traffic destinated to anything outside
+# the robinson net
+net_robinson=$(uci get cloud.cur.net_robinson)
+net_fake=$( uci get cloud.cur.net_fake)
+iptables -t nat -N prerouting_robinson_inet
+iptables -t nat -N prerouting_robinson_fake
+iptables -t nat -I PREROUTING -i br-mesh ! -d $net_robinson \
+ -j prerouting_robinson_inet
+iptables -t nat -I PREROUTING -i br-mesh -d $net_fake \
+ -j prerouting_robinson_fake
+
+# reject all packets to the robinson fake net that have not been
+# catched by a nat rule in the preceeding chains
+iptables -t filter -I forward -d $net_fake \
+ -j REJECT --reject-with icmp-net-unreachable
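Review bot: The two `iptables -t nat -N` lines make this file non-re-runnable: with `-e` from the shebang, a second run while the chains already exist aborts before any jump rule is installed, and a run without a prior table flush would insert a second copy of each PREROUTING jump. How likely that is depends on how the firewall init invokes the file (if it is sourced rather than executed, the shebang's `-e` has no effect at all), so creating-or-flushing each chain, e.g. `iptables -t nat -N prerouting_robinson_inet 2>/dev/null || iptables -t nat -F prerouting_robinson_inet`, and guarding the `-I` rules with a `-C` check where the iptables build supports it, keeps the result identical on every run. `$net_robinson` and `$net_fake` should also be quoted; an empty value would leave `! -d` followed directly by `-j`, which iptables then parses as the address. The `-I forward` rule relies on a lowercase user chain `forward` existing in the filter table (the builtin is `FORWARD`), which is only true on an OpenWrt firewall that creates it.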
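--- a/files/common/etc/fsm/inetable/trans/robinson.enter
+++ b/files/common/etc/fsm/inetable/trans/robinson.enter
@@ -2,36 +2,51 @@
 . ../common.sh
 # setup random ip
-gen_randnet () {
- randnet=21.$(($RANDOM % 256)).$(($RANDOM % 256))
+net=$( uci get cloud.cur.net_robinson)
+net_fake=$(uci get cloud.cur.net_fake)
+prefix=$(ipcalc.sh $net | grep ^PREFIX | cut -f2 -d=)
+
+gen_randip () {
+ local r=$RANDOM
+ randip=$(
+ ipcalc.sh $net $((($r % 2**(24 - $prefix) - 1) * 2**8 + 1)) 1 \
+ | grep ^START | cut -f2 -d=
+ )
 }
-gen_randnet
-while ! arping -I br-mesh -D -c 5 -q $randnet.1; do
- gen_randnet
+gen_randip
+while ! arping -I br-mesh -D -c 5 -q $randip; do
+ gen_randip
 done
-mesh_add_ipv4 $randnet.1 255.0.0.0
+mesh_add_ipv4 $randip 255.0.0.0
-# setup dhcp
+# setup dhcp, start fake DNS
 echo "
 set dhcp.mesh=dhcp
-set dhcp.mesh.start=2
+set dhcp.mesh.start=3
 set dhcp.mesh.limit=254
 set dhcp.mesh.leasetime=60
 set dhcp.mesh.interface=mesh
+set dhcp.fakedns=domain
+set dhcp.fakedns.ip=$(ipcalc.sh $net_fake 1 0 | grep ^START | cut -f2 -d=)
+set dhcp.fakedns.name='#'
 " | uci batch
 /etc/init.d/dnsmasq restart
 # disable batman-adv-mangling with DHCP packets
 batctl gw off
-# TODO: start fake dns
-
 # start redirection httpd, add robinson IP to service httpd
-echo "http://$randnet.1/robinson.html" > /tmp/redirection_target
-enable_httpd redirection $randnet.1:81
-change_service_httpd_listen $randnet.1:80
+echo "http://$randip/robinson.html" > /tmp/redirection_target
+enable_httpd redirection $randip:81
+change_service_httpd_listen $randip:80
 /etc/init.d/uhttpd restart
-# TODO: redirect all inet traffic to local httpd
+# redirect all tcp traffic to local httpd, all dns traffic to local NS
+iptables -t nat -F prerouting_robinson_fake
+iptables -t nat -F prerouting_robinson_inet
+iptables -t nat -A prerouting_robinson_inet -p tcp \
+ -j DNAT --to-destination $randip:81
+iptables -t nat -A prerouting_robinson_inet -p udp --dport 53 \
+ -j DNAT --to-destination $randip:53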
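Review bot: The offset on the `ipcalc.sh $net $((...))` line inside gen_randip goes negative whenever `$r % 2**(24 - $prefix)` is 0: `%` and `**` bind tighter than `-`, so the expression is `(r % 2^(24-prefix)) - 1`, which yields -1 and hence an offset of -255 (with a /8 net that is every time `$RANDOM` is 0); what ipcalc.sh makes of a negative start is not visible here. If the intent was to stay below the last /24 of the net, the subtraction belongs inside the modulus: `ipcalc.sh $net $((($r % (2**(24 - $prefix) - 1)) * 2**8 + 1)) 1 \`. The inputs are unchecked too: an empty `$prefix` (uci or ipcalc.sh failing; whether `../common.sh` enables `-e` is not shown) turns the arithmetic into a shell syntax error, and an empty `$randip` makes the arping loop spin forever because `! arping` stays true, so a `[ -n "$prefix" ] || exit 1` after the prefix assignment and a non-empty check on `$randip` in the loop are worth adding. `$net`, `$net_fake` and `$randip` are unquoted throughout, and `**` is not POSIX sh arithmetic, so the script depends on the target shell supporting it. The script's first line is outside the hunk.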
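--- a/files/common/etc/fsm/inetable/trans/robinson.leave
+++ b/files/common/etc/fsm/inetable/trans/robinson.leave
@@ -3,17 +3,20 @@
 mesh_del_ipv4
-# stop DHCP server
+# stop DHCP server & fake DNS
 uci delete dhcp.mesh
+uci delete dhcp.fakedns
 /etc/init.d/dnsmasq restart
-# TODO: stop fake dns
-
 # stop redirection httpd, remove robinson IP from service httpd
 disable_httpd redirection
 rm /tmp/redirection_target
 change_service_httpd_listen
 /etc/init.d/uhttpd restart
+# stop redirecting all inet traffic to local httpd/nameserver
+iptables -t nat -F prerouting_robinson_inet
-# TODO: stop redirecting all inet traffic to local httpd
+# TODO: now that we have internet, send all packets destined to the
+# fake net to the intended inet host; for now reject them
+iptables -t nat -F prerouting_robinson_fake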
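Review bot: The two `iptables -t nat -F` lines run last, after `mesh_del_ipv4` at the top of the hunk (presumably the call that drops the random mesh address) and after both service restarts, so during that window mesh clients' TCP and DNS traffic is still DNATed to an address this host no longer owns and is routed on or dropped instead of being answered. Moving `iptables -t nat -F prerouting_robinson_inet` and `iptables -t nat -F prerouting_robinson_fake` to the top of the script, ahead of `mesh_del_ipv4`, closes the window and mirrors the enter side, which installs the address before the rules. Both flushes assume the chains were created by firewall.user; if they are missing, `-F` fails, and whether that aborts the script depends on options set above the hunk. The script's first lines are outside the hunk.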