Home Explore Help
Sign In
labriqueinternet
/
hotspot_ynh
mirror of https://github.com/labriqueinternet/hotspot_ynh
3
0
Fork 0
Files
Tree: 8015e9a8da
Branches Tags
hotspot_ynh
/
hooks
/
post_iptables_rules

post_iptables_rules 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. #!/bin/bash
    2. 

  2. 

  3. wifi_device=$(ynh_app_setting_get --app=$app --key=wifi_device)
    4. 

  4. captive_portal=$(ynh_app_setting_get --app=$app --key=captive_portal)
    5. 

  5. ip4_prefix=$(ynh_app_setting_get --app=$app --key=ip4_nat_prefix)
    6. 

  6. ip6_prefix=$(ynh_app_setting_get --app=$app --key=ip6_net)
    7. 

  7. 

  8. iptables -w -N hotspot_fwd
    9. 

  9. ip6tables -w -N hotspot_fwd
    10. 

  10. 

  11. if [[ "${captive_portal}" != "1" ]]
    12. 

  12. then
    13. 

  13.     exit 0
    14. 

  14. fi
    15. 

  15. 

  16. for iptables_cmd in iptables ip6tables;
    17. 

  17. do
    18. 

  18.     if [[ "${iptables_cmd}" == "iptables" ]]; then
    19. 

  19.         prefix="${ip4_prefix}"
    20. 

  20.         ip="${ip4_prefix}.1"
    21. 

  21.         subnet="${ip4_prefix}.0/24"
    22. 

  22.     else
    23. 

  23.         prefix="${ip6_prefix}"
    24. 

  24.         ip="${ip6_prefix}1"
    25. 

  25.         subnet="${ip6_prefix}1/64"
    26. 

  26.     fi
    27. 

  27. 

  28.     mac_addresses=$(grep "${prefix}" /etc/hostapd/$app/allowed.csv | cut -d, -f3)
    29. 

  29. 

  30.     # Allow to request 4253 port
    31. 

  31.     $iptables_cmd -w -A INPUT -i "${wifi_device}" -m udp -p udp --dport 4253 -j ACCEPT
    32. 

  32. 

  33.     # Drop all packets going on external internet
    34. 

  34.     $iptables_cmd -w -A hotspot_fwd -s "${subnet}" -j DROP
    35. 

  35. 

  36.     # Force to use the fakeDNS
    37. 

  37.     $iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p udp --dport 53 -j DNAT --to-destination "${ip}:4253"
    38. 

  38. 

  39.     # Make things working with DoH 
    40. 

  40.     # Warning: this rules to ssupport DoH let info in nginx logs on which website the user try to access...
    41. 

  41.     # Only activating 80 and not 443 reduces a bit the issues.
    42. 

  42.     # A better approach could be to list all ips used by domains dedicated to captive portal detection.
    43. 

  43.     $iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p tcp --dport 80 -j DNAT --to-destination "${ip}:80"
    44. 

  44.     #$iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p tcp --dport 443 -j DNAT --to-destination "${ip}:443"
    45. 

  45. 

  46.     # Maybe needed, maybe not (i din't need this when vpn is activated)
    47. 

  47.     #$iptables_cmd -t nat -A POSTROUTING -o "${wifi_device}" -j MASQUERADE
    48. 

  48. 

  49.     # Allow specific mac adress to use external internet
    50. 

  50.     for mac in ${mac_addresses}; do
    51. 

  51.         $iptables_cmd -w -I hotspot_fwd 1 -s "${subnet}" -m mac --mac-source "${mac}" -j ACCEPT
    52. 

  52.         $iptables_cmd -t nat -w -I PREROUTING 1 -i "${wifi_device}" -s "${subnet}" -m mac --mac-source "${mac}" -j ACCEPT
    53. 

  53.     done
    54. 

  54. 

  55.     $iptables_cmd -w -I FORWARD 1 -i "${wifi_device}" -j hotspot_fwd
    56. 

  56. done
    57. 

  57. exit 0
    58.