Tero Karvinen - Articles - Downloads - Courses - Contact

Table of Contents

WeelaPurkki Source Codes

Here are some snippets of WeelaPurkki source code for online viewing. To download, see WeelaPurkki main homepage.

/etc/init.d/weela - NvRam Settings

#!/bin/sh /etc/rc.common
# Weela.net free wifi settings
# (c) 2007 Tero Karvinen http://www.iki.fi/karvinen
 
START=02
 
start() {
	## SSID
	nvram set wl0_ssid="weela.net free internet"
	nvram set wl_ssid="weela.net free internet"
	## Enable wireless
	nvram set wl0_closed=0
	## Change NAT ip address
	# nvram set lan_ipaddr="10.0.0.1"
	# nvram set lan_netmask="255.0.0.0"
	## Save settings
	nvram commit
}
 

Firewall.user - Iptables

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org and 2007 Tero Karvinen www.iki.fi/karvinen
 
iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule
 
# The following chains are for traffic directed at the IP of the 
# WAN interface
 
iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan
 
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT 
# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT
 
### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
 
### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT
 
## Tero's rules
# Enable essential services (in case ports are closed later)
iptables -A input_rule -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -p tcp --dport 53 -j ACCEPT
# Disable insecure services: unencrypted web admin, telnetd
iptables -A input_rule -p tcp --dport 80 -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A input_rule -p tcp --dport 80 -j DROP
iptables -A input_rule -p tcp --dport 23 -j DROP
# Disable all (but ssh that's allowed above)
#iptables -A input_rule -p tcp -j DROP
 
## Block access to local networks (Tero)
# Private blocks (from RFC 1918: Address Allocation for Private Internets)
iptables -A forwarding_rule      --destination 10.0.0.0/255.0.0.0 -j DROP
iptables -A forwarding_rule  --destination 172.16.0.0/255.240.0.0 -j DROP
iptables -A forwarding_rule --destination 192.168.0.0/255.255.0.0 -j DROP
# Raw SMTP access
iptables -A forwarding_rule -p tcp --dport 25 -j DROP
# Samba / Windows SMB/CIFS file sharing - not enabled because this could hide
# problems
#iptables -A forwarding_rule -m multiport -p tcp --ports 137:139 -j DROP
#iptables -A forwarding_rule -m multiport -p udp --ports 137:139 -j DROP
 

Last modified: 2007-11-26. Permanent url: http://www.iki.fi/karvinen/weelapurkki_source_codes.html

Tero Karvinen www.iki.fi/karvinen - Top - Validate HTML - Validate CSS

Tero Karvinen - Articles - Downloads - Courses - Contact