@ajvpot
Last active June 17, 2016 21:22
#!/bin/bash
# Absolute path of the iptables binary that every rule below is applied with.
IPTABLES="/usr/sbin/iptables"
# Optional file of extra rules; default_firewall_setup sources it when it
# exists ("internal debugging use").
DEBUG_RULES_HOOK="/etc/default/debug-firewall-rules.txt"
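# Send an informational message to syslog (facility local4, level info)
# under the firewall-setup tag.
# Arguments: the message, as one or more words.
LOGGER() {
  # "$@" is quoted so each argument reaches logger unchanged: no
  # word-splitting, and no glob expansion of characters such as '*'.
  logger -p local4.info -t "system: I firewall:setup:" "$@"
}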
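# Stop before touching any rule when the iptables binary is missing or not
# executable. The expansion is quoted so an empty or unset IPTABLES fails the
# check instead of collapsing the test to `[ ! -x ]`, which would let the
# script continue.
if [ ! -x "$IPTABLES" ]; then
  # Diagnostics go to stderr.
  printf '%s... not found\n' "$IPTABLES" >&2
  exit 1
fi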
# Add default firewall settings here
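default_firewall_setup () {
  # Install the baseline filter-table rules: default-deny on every built-in
  # chain, then a short allow-list for wlan0 and the loopback interface.
  # Globals:   IPTABLES (read), DEBUG_RULES_HOOK (read)
  # Arguments: none
  # Returns:   status of the last iptables command
  # NOTE(review): only IPv4 iptables is configured here; confirm IPv6 is
  # disabled or covered by an equivalent ip6tables policy elsewhere.
  LOGGER "Setting up default firewall settings"

  # Default policy for all chains: DROP. The policies are set before the
  # flush so the chains are never left empty under a permissive policy while
  # the rules are being rebuilt.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP
  # --flush without -t clears only the filter table; rules in the nat table
  # (such as the DNAT rule added by p2p_firewall_start) are left in place.
  "$IPTABLES" --flush

  # Accept RELATED,ESTABLISHED connections on wlan0 (device initiated).
  "$IPTABLES" -A INPUT -i wlan0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp -m state --state ESTABLISHED -j ACCEPT

  # TPH traffic on wlan0. TPH/phd listens on port 40317.
  # The TCP rule accepts new connections from any host reachable on wlan0.
  # The UDP rules also match on source port; a source port is chosen by the
  # sender, so that match filters stray traffic but is not access control.
  "$IPTABLES" -A INPUT -i wlan0 -p tcp -m tcp --dport 40317 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 40317 --sport 40317 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 40317 --sport 49317 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 40317 --sport 33434 -j ACCEPT

  # UPnP:
  # Dst port 1900 carries UPnP advertisements and Bye Bye messages.
  # Dst port 50000 carries SSDP search results (the search queries are sent
  # with src port 50000). Both are accepted from any source on wlan0.
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 1900 -j ACCEPT
  "$IPTABLES" -A INPUT -i wlan0 -p udp --dport 50000 -j ACCEPT

  # ICMP: allow only responses to local connections (any interface).
  "$IPTABLES" -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Rules for internal debugging use.
  # NOTE(review): the hook is sourced into this shell, so everything in that
  # file runs with this script's privileges and can add or remove rules. It
  # must be writable by root only, and it should be confirmed absent from
  # production images.
  if [ -f "$DEBUG_RULES_HOOK" ]; then
    . "$DEBUG_RULES_HOOK"
  fi

  # Allow all outgoing traffic on wlan0.
  "$IPTABLES" -A OUTPUT -o wlan0 -j ACCEPT

  # Accept all on the loopback interface.
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
}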
# Firewall settings for P2P interface
# @param $1 P2P Interface name
# @param $2 OOBE Server IP address
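p2p_firewall_start () {
  # Open the services the setup (OOBE) flow needs on the P2P interface:
  # DNS, DHCP and the OOBE web server, plus all outbound traffic.
  # Globals:   IPTABLES (read); P2PIF and OOBEIP (written, left global as in
  #            the original so code outside this function can still read them)
  # Arguments: $1 - P2P interface name
  #            $2 - OOBE server IP address
  # Exits the whole script with status 1 when fewer than two arguments are
  # given (exit, not return).
  # NOTE(review): the arguments are checked for count only, not for content;
  # confirm callers pass a real interface name and IP address.
  if [ "$#" -lt 2 ]; then
    LOGGER "Invalid argument on start p2p firewall"
    exit 1
  fi
  P2PIF=$1
  OOBEIP=$2
  LOGGER "Setting up P2P firewall settings on $1"

  # Setup ip tables to reject all non-essential traffic.

  # Redirect all UDP DNS traffic to ourselves. This is necessary when the
  # client device has a static DNS address configured.
  # The address is quoted so it always reaches iptables as a single argument.
  # NOTE(review): this appends to the nat table, which the --flush in
  # default_firewall_setup does not clear; confirm a matching teardown
  # removes the rule so repeated starts do not stack duplicates.
  "$IPTABLES" -t nat -A PREROUTING -i "$P2PIF" -p udp --dport 53 -j DNAT --to "$OOBEIP"

  # ACCEPT all DNS traffic.
  "$IPTABLES" -A INPUT -i "$P2PIF" -p udp --dport 53 -j ACCEPT

  # ACCEPT all DHCP traffic.
  "$IPTABLES" -A INPUT -i "$P2PIF" -p udp --dport 67:68 --sport 67:68 -j ACCEPT

  # ACCEPT all incoming OOBE webserver traffic. Both ports are reachable by
  # every peer on the P2P interface, so the web server has to authenticate
  # and validate requests itself.
  "$IPTABLES" -A INPUT -i "$P2PIF" -p tcp --dport 8080 -j ACCEPT
  "$IPTABLES" -A INPUT -i "$P2PIF" -p tcp --dport 443 -j ACCEPT

  # Allow all outgoing traffic.
  "$IPTABLES" -A OUTPUT -o "$P2PIF" -j ACCEPT
}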
...