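#!/bin/bash
# Firewall setup script: resets the filter table to a default-DROP policy with
# a small wlan0 allow-list, and adds rules for the P2P (OOBE) interface on
# request.
IPTABLES=/usr/sbin/iptables
# Optional hook that default_firewall_setup() sources. Sourcing executes the
# file with this script's privileges, so it must be writable only by root.
DEBUG_RULES_HOOK=/etc/default/debug-firewall-rules.txt
# Write a message to syslog (facility local4, level info) under a fixed tag.
# "$@" passes each argument through as one word instead of re-splitting them.
LOGGER() { logger -p local4.info -t "system: I firewall:setup:" "$@"; }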
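# Abort early when the iptables binary is missing or not executable; every
# function below depends on it. The diagnostic goes to stderr.
if [ ! -x "$IPTABLES" ]; then
  printf '%s... not found\n' "$IPTABLES" >&2
  exit 1
fi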
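#######################################
# Reset the filter table to the default policy: DROP on INPUT/OUTPUT/FORWARD,
# then allow loopback, device-initiated return traffic on wlan0, the TPH
# service port, UPnP/SSDP discovery, ICMP replies and all egress on wlan0.
# Globals:   IPTABLES (read), DEBUG_RULES_HOOK (read; sourced if present)
# Arguments: none
# Outputs:   one log line via LOGGER
# Returns:   status of the last iptables call
#######################################
default_firewall_setup () {
  LOGGER "Setting up default firewall settings"
  # NOTE(review): --flush without -t clears only the filter table, so the nat
  # PREROUTING rule added by p2p_firewall_start is not removed here.
  "$IPTABLES" --flush
  # Default policy for all chains: DROP
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP
  # Accept RELATED,ESTABLISHED connections on wlan0 (device initiated).
  # UDP is matched on ESTABLISHED only, without RELATED.
  "$IPTABLES" -A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT
  # TPH traffic on wlan0. TPH/phd listens on port 40317; UDP is accepted only
  # from the three listed source ports.
  "$IPTABLES" -A INPUT -i wlan0 -p tcp -m tcp --dport 40317 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 40317 --sport 40317 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 40317 --sport 49317 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 40317 --sport 33434 -j ACCEPT
  # UPnP:
  # allow traffic on Dst Port 1900 which are UPnP advertisements and Bye Bye
  # Allow traffic on Dst Port 50000; these pkts are SSDP search results
  # SSDP search queries are sent with Src Port 50000
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 1900 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 50000 -j ACCEPT
  # ICMP. Allow only responses to local connections
  "$IPTABLES" -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Add rules for internal debugging use. The hook is sourced, i.e. executed
  # with this script's privileges: keep it root-owned and not world-writable.
  [ -f "$DEBUG_RULES_HOOK" ] && . "$DEBUG_RULES_HOOK"
  # Allow all outgoing traffic on wlan0
  "$IPTABLES" -A OUTPUT -o wlan0 -j ACCEPT
  # Accept all on the loopback interface
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
}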
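#######################################
# Firewall settings for the P2P (OOBE) interface: redirect client DNS to the
# OOBE server, accept DNS, DHCP and the OOBE web ports, allow all egress.
# Globals:   IPTABLES (read); P2PIF, OOBEIP (written; left global on purpose)
# Arguments: $1 - P2P interface name
#            $2 - OOBE server IP address
# Outputs:   log lines via LOGGER
# Returns:   status of the last iptables call; exits 1 on bad arguments
#######################################
p2p_firewall_start () {
  # Both arguments must be present and non-empty; an empty interface name or
  # address would otherwise be spliced into malformed rules.
  if [ $# -lt 2 ] || [ -z "$1" ] || [ -z "$2" ]; then
    LOGGER "Invalid argument on start p2p firewall"
    exit 1
  fi
  P2PIF=$1
  OOBEIP=$2
  LOGGER "Setting up P2P firewall settings on $P2PIF"
  # Setup ip tables to reject all non-essential traffic
  # Redirect all DNS traffic to ourselves. This is necessary when the client
  # device has a static DNS address configured.
  # NOTE(review): only UDP/53 is redirected; TCP/53 is neither redirected nor
  # accepted by the INPUT rules below.
  "$IPTABLES" -t nat -A PREROUTING -i "$P2PIF" -p udp --dport 53 -j DNAT --to "$OOBEIP"
  # ACCEPT all DNS traffic
  "$IPTABLES" -A INPUT -i "$P2PIF" -p udp --dport 53 -j ACCEPT
  # ACCEPT all DHCP traffic
  "$IPTABLES" -A INPUT -i "$P2PIF" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
  # ACCEPT all incoming OOBE webserver traffic
  "$IPTABLES" -A INPUT -i "$P2PIF" -p tcp --dport 8080 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$P2PIF" -p tcp --dport 443 -j ACCEPT
  # Allow all outgoing traffic
  "$IPTABLES" -A OUTPUT -o "$P2PIF" -j ACCEPT
}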
... |