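#!/bin/sh
# /etc/bridge
#****************************************************************************
#.- 20070320 version
#.- Script modified by Victor Escudero ,
#.- based on the excellent work of Antonio Anselmi (http://www.blogin.it)
#.-
#****************************************************************************
#----------------------------------------------------------------------------
# stop_daemon. Sends SIGTERM to every process named $1, if any is running.
# A daemon that is not running is not an error here, so nothing is printed.
stop_daemon () {
  local pids
  pids=$(pidof "$1")
  if [ -n "$pids" ]; then
    # shellcheck disable=SC2086 -- pidof returns a space separated pid list
    kill $pids > /dev/null 2>&1
  fi
} # stop_daemon
#----------------------------------------------------------------------------
# setup_env. Sets the globals every other function relies on, sources the
# user configuration, stops the daemons that would fight over the radio and
# flushes netfilter.
# Globals written: logDir tmpDir acl_list myself logFile datevar IWCONFIG
#   IFCONFIG WLANCONFIG IWPRIV NETFILTER ROUTE showresults, plus whatever
#   /etc/config/bridge.conf assigns (it is sourced, so it may override any).
# Exits 1 when /etc/config/bridge.conf is missing.
setup_env () {
  # Default values of every global; bridge.conf may override them below
  logDir=/var/log
  tmpDir=/tmp
  acl_list=/etc/acl_list.conf
  myself=$(basename "$0")
  logFile=$logDir/$myself.log
  datevar=$(date)
  IWCONFIG=/usr/sbin/iwconfig
  IFCONFIG=/sbin/ifconfig
  WLANCONFIG=/usr/sbin/wlanconfig
  IWPRIV=/usr/sbin/iwpriv
  NETFILTER=/usr/sbin/iptables
  ROUTE=/sbin/route
  #.-
  showresults=0
  #.-
  rm -f "$tmpDir/results"
  #
  echo "$datevar: start" >> "$logFile"
  if [ -f /etc/config/bridge.conf ]; then
    # The config is sourced as shell code: whoever can write it runs as root
    # on the next boot, so keep it root-owned and not group/world-writable.
    . /etc/config/bridge.conf
  else
    echo "/etc/config/bridge.conf not found"
    echo "/etc/config/bridge.conf not found" >> "$logFile"
    echo "stop and exit" >> "$logFile"
    exit 1
  fi
  # ip_forward is enabled by default in fonera configuration
  # echo 1 > /proc/sys/net/ipv4/ip_forward

  # stop daemons that would otherwise fight over the interfaces
  local web=httpd
  local cron=crond
  local dns=dnsmasq
  #.-
  local wpasupplicant=wpa_supplicant
  local hostap=hostapd
  #.-
  # If you are not willing to use the web interface, you might want to uncomment this line
  #stop_daemon "$web"
  stop_daemon "$cron"
  stop_daemon "$dns"
  killall -9 udhcpc > /dev/null 2>&1
  #.- If you've run this script before maybe wpa_supplicant could be running
  stop_daemon "$wpasupplicant"
  #.- Maybe hostapd is running because of Whisher signal
  stop_daemon "$hostap"

  # flush netfilter tables.
  # NOTE(review): this also resets the INPUT, OUTPUT and FORWARD policies to
  # ACCEPT and nothing later in this script tightens them again, so with
  # ip_forward=1 the box forwards unconditionally from this point on.  Kept
  # as-is because the shipped configuration relies on it; restrict FORWARD
  # after the NAT rules are in place if the uplink network is untrusted.
  $NETFILTER -F
  $NETFILTER -P INPUT ACCEPT
  $NETFILTER -P OUTPUT ACCEPT
  $NETFILTER -P FORWARD ACCEPT
  $NETFILTER -t nat -F
  echo "netfilter tables flushed" >> "$logFile"
} # setup_env
#-------------------------------------------------------------------------------
# set_ipv4_conf. Writes VALUE ($3) to /proc/sys/net/ipv4/conf/IFACE($1)/KEY($2)
# when that entry exists.  ath1 is never created when only_AP=1 and a VAP
# may not exist yet, so a missing entry is logged and skipped instead of
# spraying "No such file" errors on the console.
set_ipv4_conf () {
  local f=/proc/sys/net/ipv4/conf/$1/$2
  if [ -f "$f" ]; then
    echo "$3" > "$f"
  else
    echo "hardening: $f not present, skipped" >> "$logFile"
  fi
} # set_ipv4_conf
#-------------------------------------------------------------------------------
# hardening. Sets some TCP/IP sysctls when khard=1 and turns on martian
# logging when klog=1 (both read from bridge.conf; unset means off).
# Bug fixed: the original wrote "1 = 1" into the log_martians files (the
# "= 1" was left over from sysctl.conf syntax and became extra echo
# arguments), which the kernel does not accept as a value.
hardening () {
  local ifaces="all lo eth0 ath0 ath1 default"
  local i
  if [ "${khard:-0}" = 1 ]; then
    # tcp_sack / tcp_window_scaling off are carried over from the original
    # script; they cost throughput and are not real hardening knobs, but
    # khard=1 keeps meaning what it always did.
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    # Enable TCP SYN cookie protection
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    for i in $ifaces; do
      set_ipv4_conf "$i" accept_source_route 0   # no source routing
      set_ipv4_conf "$i" accept_redirects 0      # no ICMP redirects
      set_ipv4_conf "$i" rp_filter 1             # reverse-path (anti-spoof) check
    done
    echo "fonera hardened" >> "$logFile"
  fi
  if [ "${klog:-0}" = 1 ]; then
    for i in $ifaces; do
      set_ipv4_conf "$i" log_martians 1
    done
    echo "logging malicious packets activated" >> "$logFile"
  fi
} # hardening
#-------------------------------------------------------------------------------
# create_AP. Creates ath0 on wifi0 as the Access Point VAP.  The original
# author stresses it must be the first (!) VAP created on the radio, which is
# why main calls it before create_STA.
create_AP () {
  $WLANCONFIG ath0 destroy
  $WLANCONFIG ath0 create wlandev wifi0 wlanmode ap
  echo "created VAP ath0 as AP" >> "$logFile"
} # create_AP
#-------------------------------------------------------------------------------
# create_STA. Creates ath1 on wifi0 as a managed station VAP without hardware
# beacon timers (nosbeacon), so it can coexist with the AP VAP.
create_STA () {
  $WLANCONFIG ath1 destroy
  $WLANCONFIG ath1 create wlandev wifi0 wlanmode sta nosbeacon
  echo "created VAP ath1 as station" >> "$logFile"
} # create_STA
#-------------------------------------------------------------------------------
# create_MONITOR. Creates ath2 on wifi0 in monitor mode and brings it up.
# $kheaders selects the header format handed to sniffers (11, 2, 3 or 4);
# any other value leaves dev_type untouched.
create_MONITOR () {
  # Destroy a leftover ath2 from a previous run before recreating it
  if $IFCONFIG ath2 >/dev/null 2>&1; then
    $WLANCONFIG ath2 destroy
  fi
  # NOTE(review): dev_type is written for ath0 (the AP VAP), not for the
  # monitor VAP being created.  Kept as in the original because the madwifi
  # semantics of dev_type on an AP VAP cannot be confirmed from here; check
  # the madwifi docs before moving this to /proc/sys/net/ath2/dev_type.
  case "${kheaders:-}" in
    11) echo '801' > /proc/sys/net/ath0/dev_type ;;  # 802.11 headers only
    2)  echo '802' > /proc/sys/net/ath0/dev_type ;;  # Prism2 headers
    3)  echo '803' > /proc/sys/net/ath0/dev_type ;;  # Radiotap headers
    4)  echo '804' > /proc/sys/net/ath0/dev_type ;;  # Atheros descriptors
  esac
  $WLANCONFIG ath2 create wlandev wifi0 wlanmode monitor
  $IFCONFIG ath2 up
  echo "created VAP ath2 as monitor" >> "$logFile"
} # create_MONITOR
#-------------------------------------------------------------------------------
# catchExternalESSID. Sets our AP's SSID to "relay_<essid>" where <essid> is
# what ath1 is currently associated to, according to iwconfig.
# The ESSID is taken from the quoted ESSID:"..." field instead of a fixed
# column (the original cut columns 32..end-4, which breaks on any other
# iwconfig layout or SSID length) and no temp file in /tmp is needed.
# The ESSID is attacker-controlled - any AP in range can beacon whatever it
# likes - so keep $SSID_ath0 quoted wherever it is used and never eval it.
# Globals written: SSID_ath0 (empty essid gives "relay_").
catchExternalESSID() {
  local essid
  essid=$($IWCONFIG ath1 | sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p' | head -n 1)
  SSID_ath0="relay_$essid"
} # catchExternalESSID
#-------------------------------------------------------------------------------
# setup_wpa_ath0.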
Function that sets wpa/wpa2 encryption on ath0 (our AP) setup_wpa_ath0 () { if [ ! -z "$( pidof hostapd )" ]; then kill $(pidof hostapd) >> /dev/null fi cat > /tmp/hostapd_repeater.conf <> $logFile ;; 2) #targeted external AP via WEP key in hex $IWCONFIG ath0 key $WepKeyHex_ath0 echo "ath0 hex WEP key: "$WepKeyHex_ath0 >> $logFile ;; esac if [ $ath0_authmode == 2 ]; then $IWPRIV ath0 authmode $ath0_authmode fi if [ $kwpa == 1 ]; then setup_wpa_ath0 fi # enable 802.11 SSID broadcasting on ath0 $IWPRIV ath0 hide_ssid 0 if [ $hideSSID == 1 ]; then $IWPRIV ath0 hide_ssid 1 fi # ACL management case $aclMode in 1) # only allow MACSs in the ACL list $IWPRIV ath0 maccmd 3 $IWPRIV ath0 maccmd 1 for i in $(cat $acl_list); do $IWPRIV ath0 addmac $i done ;; 2) # only deny MACs in the ACL list $IWPRIV ath0 maccmd 3 $IWPRIV ath0 maccmd 2 for i in $(cat $acl_list); do $IWPRIV ath0 addmac $i done ;; *) # no ACL checking is performed $IWPRIV ath0 maccmd 0 ;; esac } # setup_AP #------------------------------------------------------------------------------- # setup_STA. 
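# setup_STA. Configures ath1 (the station VAP) to associate with the upstream
# AP selected by $ath1_mode, gives it an address (DHCP or static) and
# masquerades everything leaving through it.
#   ath1_mode 1: open AP, driver picks the strongest, DHCP
#   ath1_mode 2: by SSID ($TargetSsid)          3: by BSSID ($TargetMac)
#   ath1_mode 4: WPA-PSK via wpa_supplicant ($TargetWpa, /etc/wpa_supplicant.conf)
#   ath1_mode 5: WEP ASCII key ($WepKeyAscii_ath1)  6: WEP hex key ($WepKeyHex_ath1)
# WEP (modes 5/6) is broken crypto - anyone in radio range can recover the
# key - so treat the uplink as an open network.  iwconfig only accepts the
# key on its command line, where it is visible in the process list while
# iwconfig runs; there is no stdin alternative.
# Globals read: ath1_mode ath1_dhcp ath1_authmode TargetSsid TargetMac
#   TargetWpa TargetWepSsid TargetWepMac WepKeyAscii_ath1 WepKeyHex_ath1
#   IP_ath1 MASK_ath1 DFGW NAMESERVER1..3 IWCONFIG IFCONFIG IWPRIV ROUTE
#   NETFILTER logFile.  UDHCPC / RESOLV_CONF optionally override the default
#   /sbin/udhcpc and /etc/resolv.conf paths.
# Exits 1 when the selected mode needs a key or config file that is not set.
setup_STA () {
  local mode=${ath1_mode:-}
  case "$mode" in
    2) #targeted external AP by SSID
      $IWCONFIG ath1 mode managed essid "$TargetSsid"
      echo "ath1 via SSID: $TargetSsid" >> "$logFile"
      ;;
    3) #targeted external AP by MAC
      $IWCONFIG ath1 mode managed ap "$TargetMac"
      echo "ath1 via MAC: $TargetMac" >> "$logFile"
      ;;
    4) #targeted external AP via WPA-PSK
      # The PSK lives in this file: keep it root-only readable
      if [ ! -f /etc/wpa_supplicant.conf ]; then
        echo "error: /etc/wpa_supplicant.conf not found" >> "$logFile"
        exit 1
      fi
      $IWCONFIG ath1 mode managed essid "$TargetWpa"
      $IFCONFIG ath1 up
      #.- wpa_supplicant must keep running in the background to do its job
      wpa_supplicant -iath1 -c/etc/wpa_supplicant.conf -B
      echo "ath1 interface via WPA PSK" >> "$logFile"
      ;;
    5) #targeted external AP via WEP (ascii key)
      if [ -n "$WepKeyAscii_ath1" ]; then
        $IWCONFIG ath1 key "s:$WepKeyAscii_ath1"
      else
        echo "error: ascii WEP key not configured" >> "$logFile"
        exit 1
      fi
      ;;
    6) #targeted external AP via WEP (hex key)
      if [ -n "$WepKeyHex_ath1" ]; then
        $IWCONFIG ath1 key "$WepKeyHex_ath1"
      else
        echo "error: WEP hex key not configured" >> "$logFile"
        exit 1
      fi
      ;;
  esac

  if [ "$mode" = 5 ] || [ "$mode" = 6 ]; then
    # Target by SSID, else by BSSID, else let the driver pick the strongest AP
    if [ -n "$TargetWepSsid" ]; then
      $IWCONFIG ath1 mode managed essid "$TargetWepSsid"
    elif [ -n "$TargetWepMac" ]; then
      $IWCONFIG ath1 mode managed ap "$TargetWepMac"
    else
      echo "No target AP for WEP, we will scan the strongest AP" >> "$logFile"
    fi
    if [ "${ath1_authmode:-}" = 2 ]; then
      $IWPRIV ath1 authmode "$ath1_authmode"
    fi
    echo "ath1 interface via WEP" >> "$logFile"
  fi

  # IP config for ath1
  if [ "$mode" = 1 ] || [ "${ath1_dhcp:-0}" = 1 ]; then
    # Dynamic IP configuration
    echo "waiting 5 seconds to let dhcp gathers info from the AP through ath1 ..."
    "${UDHCPC:-/sbin/udhcpc}" -b -i ath1 >> "$logFile"
    sleep 5
    # The original awk used "external AP " as the *pattern*, which printed
    # only the ESSID token; the string was meant as a prefix for the log line.
    $IWCONFIG ath1 | grep ESSID | awk '{print "external AP " $4}' >> "$logFile"
    echo "ath1 interface via external dhcp" >> "$logFile"
  else
    _sta_static_ip
  fi
  #
  $NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE
} # setup_STA
#-------------------------------------------------------------------------------
# _sta_static_ip. Static addressing for ath1 from $IP_ath1 $MASK_ath1 $DFGW
# and $NAMESERVER1..3.  Empty nameserver slots are skipped instead of
# writing bare "nameserver" lines as the original did.
_sta_static_ip () {
  local resolv=${RESOLV_CONF:-/etc/resolv.conf}
  local ns
  $IFCONFIG ath1 "$IP_ath1" netmask "$MASK_ath1" up
  $ROUTE del default
  $ROUTE add default gw "$DFGW"
  : > "$resolv"
  for ns in "$NAMESERVER1" "$NAMESERVER2" "$NAMESERVER3"; do
    if [ -n "$ns" ]; then
      echo "nameserver $ns" >> "$resolv"
    fi
  done
} # _sta_static_ip
#-------------------------------------------------------------------------------
# _drop_bridge. Removes br0 if it is left over from a previous run.
_drop_bridge () {
  if $IFCONFIG br0 >/dev/null 2>&1; then
    $IFCONFIG br0 down
    brctl delbr br0
  fi
} # _drop_bridge
#-------------------------------------------------------------------------------
# setup_2ifaces. Gives eth0 and ath0 their own static addresses
# ($IP_eth0/$MASK_eth0, $IP_ath0/$MASK_ath0) as two separate IP interfaces,
# after removing any stale br0.  Wired and wireless clients end up on
# different subnets, so traffic between them goes through the FORWARD chain.
setup_2ifaces () {
  _drop_bridge
  # static eth0 IP configuration
  $IFCONFIG eth0 "$IP_eth0" netmask "$MASK_eth0" up
  echo "eth0 interface: $IP_eth0/$MASK_eth0" >> "$logFile"
  # static ath0 IP configuration
  $IFCONFIG ath0 "$IP_ath0" netmask "$MASK_ath0" up
  echo "ath0 interface: $IP_ath0/$MASK_ath0" >> "$logFile"
} # setup_2ifaces
#-------------------------------------------------------------------------------
# setup_bridge. Bridges eth0 and ath0 into br0 and gives br0 the static
# address $IP_br0/$MASK_br0.  Note that every wireless client accepted by
# ath0 (see its ACL / WPA settings) then shares one L2 segment with the
# wired side; netfilter does not see the bridged frames unless bridge-nf is
# enabled.
setup_bridge () {
  _drop_bridge
  $IFCONFIG eth0 0.0.0.0 up
  $IFCONFIG ath0 0.0.0.0 up
  # bring up a bridge called br0
  brctl addbr br0
  brctl addif br0 eth0
  brctl addif br0 ath0
  # static br0 IP configuration
  $IFCONFIG br0 "$IP_br0" netmask "$MASK_br0" up
  echo "br0 interface: $IP_br0/$MASK_br0" >> "$logFile"
} # setup bridge
#-------------------------------------------------------------------------------
# std_routing.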
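# std_routing. Standard routing
# Enables forwarding, masquerades traffic leaving through the uplink (ath1)
# and, when $btorrent / $xmule are 1, DNATs the usual p2p ports arriving on
# ath1 to $IP_client_btorrent / $IP_client_xmule.
# Security caveat: setup_env left the FORWARD policy at ACCEPT, so the box
# forwards anything it is handed and each DNAT rule exposes a LAN host to
# the uplink network.  Setting kfwfilter=1 in bridge.conf appends a minimal
# stateful filter for traffic *entering* from ath1 (replies and the DNAT'd
# ports only); forwarding between the local interfaces is untouched.  It is
# off by default to keep the original behaviour.
std_routing () {
  local pt
  # forwarding between the subnets
  echo 1 > /proc/sys/net/ipv4/ip_forward
  $NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE
  if [ "${kfwfilter:-0}" = 1 ]; then
    $NETFILTER -A FORWARD -i ath1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  fi
  # support for p2p
  if [ "${btorrent:-0}" = 1 ]; then
    for pt in 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899; do
      _dnat_uplink tcp "$pt" "$IP_client_btorrent"
    done
  fi
  if [ "${xmule:-0}" = 1 ]; then
    echo "32752" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
    _dnat_uplink tcp 4662 "$IP_client_xmule"
    _dnat_uplink udp 4672 "$IP_client_xmule"
  fi
  # Must be appended last so the DNAT holes above are evaluated first
  if [ "${kfwfilter:-0}" = 1 ]; then
    $NETFILTER -A FORWARD -i ath1 -j DROP
  fi
} # std_routing
#-------------------------------------------------------------------------------
# _dnat_uplink. Forwards PROTO($1) port PORT($2) arriving on ath1 to
# HOST($3):PORT and, when kfwfilter=1, opens the matching FORWARD hole.
_dnat_uplink () {
  local proto=$1 port=$2 host=$3
  $NETFILTER -t nat -A PREROUTING -i ath1 -p "$proto" --dport "$port" -j DNAT --to "$host:$port"
  if [ "${kfwfilter:-0}" = 1 ]; then
    $NETFILTER -A FORWARD -i ath1 -p "$proto" -d "$host" --dport "$port" -j ACCEPT
  fi
} # _dnat_uplink
#-------------------------------------------------------------------------------
# main
#-------------------------------------------------------------------------------
clear
# learn environment (sources bridge.conf, stops daemons, flushes netfilter)
setup_env
# WIRELESS setup:
# create ath0 as Access Point
create_AP
setup_AP
if [ "${only_AP:-0}" != 1 ]; then
  # create ath1 as Station
  create_STA
  setup_STA
fi
setup_AP # Maybe in the first run we did not know the right essid
# IP (ath0 and eth0) setup:
# two separated interfaces (ath0+eth0) or a bridge (br0)
if [ "${bridge_mode:-0}" = 1 ]; then
  setup_bridge
  $NETFILTER -t nat -A POSTROUTING -o br0 -j MASQUERADE
else
  setup_2ifaces
  $NETFILTER -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  $NETFILTER -t nat -A POSTROUTING -o ath0 -j MASQUERADE
fi
# create ath2 as monitor, but only after the other interfaces are
# up and if the variable modeMonitor=1
if [ "${modeMonitor:-0}" = 1 ]; then
  create_MONITOR
fi
# hardening some TCP/IP parameters
hardening
# and setting some netfilter rules
std_routing
# start DHCP
if [ "${kdhcp:-0}" = 1 ]; then
  # /usr/sbin/dnsmasq -a $IP_dhcp
  if [ "${bridge_mode:-0}" = 1 ]; then
    /usr/sbin/dnsmasq --interface=br0 -C /etc/dnsmasq_repeater-br0.conf
  else
    /usr/sbin/dnsmasq --interface=eth0 -C /etc/dnsmasq_repeater-eth0.conf
    /usr/sbin/dnsmasq --interface=ath0 -C /etc/dnsmasq_repeater-ath0.conf
  fi
fi
# so, show results.  iwconfig run as root prints the WEP key
# ("Encryption key:...") so the results file must not be world-readable;
# the subshell keeps the umask change local to these two writes.
(
  umask 077
  $IWCONFIG > "$tmpDir/results"
  $IFCONFIG >> "$tmpDir/results"
)
clear
if [ "${showresults:-0}" = 1 ]; then
  /bin/more "$tmpDir/results"
fi
exit 0
# Enjoy your Fonera !!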