Table of Contents
WeelaPurkki Source Codes
Here are some snippets of WeelaPurkki source code for online viewing. To download, see WeelaPurkki main homepage.
/etc/init.d/weela – NvRam Settings
#!/bin/sh /etc/rc.common # Weela.net free wifi settings # (c) 2007 Tero Karvinen http://www.iki.fi/karvinen START=02 start() { ## SSID nvram set wl0_ssid="weela.net free internet" nvram set wl_ssid="weela.net free internet" ## Enable wireless nvram set wl0_closed=0 ## Change NAT ip address # nvram set lan_ipaddr="10.0.0.1" # nvram set lan_netmask="255.0.0.0" ## Save settings nvram commit }
Firewall.user – Iptables
#!/bin/sh # Copyright (C) 2006 OpenWrt.org and 2007 Tero Karvinen www.iki.fi/karvinen iptables -F input_rule iptables -F output_rule iptables -F forwarding_rule iptables -t nat -F prerouting_rule iptables -t nat -F postrouting_rule # The following chains are for traffic directed at the IP of the # WAN interface iptables -F input_wan iptables -F forwarding_wan iptables -t nat -F prerouting_wan ### Open port to WAN ## -- This allows port 22 to be answered by (dropbear on) the router # iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT # iptables -A input_wan -p tcp --dport 22 -j ACCEPT ### Port forwarding ## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2 # iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80 # iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT ### DMZ ## -- Connections to ports not handled above will be forwarded to 192.168.1.2 # iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2 # iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT ## Tero's rules # Enable essential services (in case ports are closed later) iptables -A input_rule -p tcp --dport 22 -j ACCEPT iptables -A input_rule -p tcp --dport 53 -j ACCEPT # Disable insecure services: unencrypted web admin, telnetd iptables -A input_rule -p tcp --dport 80 -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT iptables -A input_rule -p tcp --dport 80 -j DROP iptables -A input_rule -p tcp --dport 23 -j DROP # Disable all (but ssh that's allowed above) #iptables -A input_rule -p tcp -j DROP ## Block access to local networks (Tero) # Private blocks (from RFC 1918: Address Allocation for Private Internets) iptables -A forwarding_rule --destination 10.0.0.0/255.0.0.0 -j DROP iptables -A forwarding_rule --destination 172.16.0.0/255.240.0.0 -j DROP iptables -A forwarding_rule --destination 192.168.0.0/255.255.0.0 -j DROP # Raw SMTP access iptables -A forwarding_rule -p tcp --dport 25 -j DROP # Samba / Windows SMB/CIFS file sharing - not enabled because this could hide # problems #iptables -A forwarding_rule -m multiport -p tcp --ports 137:139 -j DROP #iptables -A forwarding_rule -m multiport -p udp --ports 137:139 -j DROP