Accueil Explorer Aide
Connexion
labriqueinternet
/
hotspot_ynh
miroir de https://github.com/labriqueinternet/hotspot_ynh
3
0
Fork 0
Fichiers
Aborescence: 529c998380
Branches Tags
hotspot_ynh
/
hooks
/
post_iptable_rules

post_iptable_rules 2.3 KB
Historique Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. #!/bin/bash
    2. 

  2. 

  3. source /usr/share/yunohost/helpers
    4. 

  4. 

  5. wifi_device=$(ynh_app_setting_get --app=$app --key=wifi_device)
    6. 

  6. captive_portal=$(ynh_app_setting_get --app=$app --key=captive_portal)
    7. 

  7. ip4_prefix=$(ynh_app_setting_get --app=$app --key=ip4_nat_prefix)
    8. 

  8. ip6_prefix=$(ynh_app_setting_get --app=$app --key=ip6_net)
    9. 

  9. 

  10. iptables -w -N hotspot_fwd
    11. 

  11. ip6tables -w -N hotspot_fwd
    12. 

  12. 

  13. if [[ "${captive_portal}" != "1" ]]
    14. 

  14. then
    15. 

  15.     exit 0
    16. 

  16. fi
    17. 

  17. 

  18. for iptables_cmd in iptables ip6tables;
    19. 

  19. do
    20. 

  20.     if [[ "${iptables_cmd}" == "iptables" ]]; then
    21. 

  21.         prefix="${ip4_prefix}"
    22. 

  22.         ip="${ip4_prefix}.1"
    23. 

  23.         subnet="${ip4_prefix}.0/24"
    24. 

  24.     else
    25. 

  25.         prefix="${ip6_prefix}"
    26. 

  26.         ip="${ip6_prefix}1"
    27. 

  27.         subnet="${ip6_prefix}1/64"
    28. 

  28.     fi
    29. 

  29. 

  30.     mac_addresses=$(grep "${prefix}" /etc/hostapd/$app/allowed.csv | cut -d, -f3)
    31. 

  31. 

  32.     # Allow to request 4253 port
    33. 

  33.     $iptables_cmd -w -A INPUT -i "${wifi_device}" -m udp -p udp --dport 4253 -j ACCEPT
    34. 

  34. 

  35.     # Drop all packets going on external internet
    36. 

  36.     $iptables_cmd -w -A hotspot_fwd -s "${subnet}" -j DROP
    37. 

  37. 

  38.     # Force to use the fakeDNS
    39. 

  39.     $iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p udp --dport 53 -j DNAT --to-destination "${ip}:4253"
    40. 

  40. 

  41.     # Make things working with DoH 
    42. 

  42.     # Warning: this rules to ssupport DoH let info in nginx logs on which website the user try to access...
    43. 

  43.     # Only activating 80 and not 443 reduces a bit the issues.
    44. 

  44.     # A better approach could be to list all ips used by domains dedicated to captive portal detection.
    45. 

  45.     $iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p tcp --dport 80 -j DNAT --to-destination "${ip}:80"
    46. 

  46.     #$iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p tcp --dport 443 -j DNAT --to-destination "${ip}:443"
    47. 

  47. 

  48.     # Maybe needed, maybe not (i din't need this when vpn is activated)
    49. 

  49.     #$iptables_cmd -t nat -A POSTROUTING -o "${wifi_device}" -j MASQUERADE
    50. 

  50. 

  51.     # Allow specific mac adress to use external internet
    52. 

  52.     for mac in ${mac_addresses}; do
    53. 

  53.         $iptables_cmd -w -I hotspot_fwd 1 -s "${subnet}" -m mac --mac-source "${mac}" -j ACCEPT
    54. 

  54.         $iptables_cmd -t nat -w -I PREROUTING 1 -i "${wifi_device}" -s "${subnet}" -m mac --mac-source "${mac}" -j ACCEPT
    55. 

  55.     done
    56. 

  56. 

  57.     $iptables_cmd -w -I FORWARD 1 -i "${wifi_device}" -j hotspot_fwd
    58. 

  58. done
    59. 

  59. exit 0
    60.