YunoHost-Apps/hotspot_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/hotspot_ynh.git synced 2024-09-03 19:25:53 +02:00
Code Issues Activity Actions
hotspot_ynh/hooks/post_iptables_rules
HgO 359b6fb9d4 fix path for allowed.csv
2024-08-17 00:51:49 +02:00

57 lines
2.2 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
wifi_device=$(ynh_app_setting_get --app=$app --key=wifi_device)
captive_portal=$(ynh_app_setting_get --app=$app --key=captive_portal)
ip4_prefix=$(ynh_app_setting_get --app=$app --key=ip4_nat_prefix)
ip6_prefix=$(ynh_app_setting_get --app=$app --key=ip6_net)
iptables -w -N hotspot_fwd
ip6tables -w -N hotspot_fwd
if [[ "${captive_portal}" != "1" ]]
then
exit 0
fi
for iptables_cmd in iptables ip6tables;
do
if [[ "${iptables_cmd}" == "iptables" ]]; then
prefix="${ip4_prefix}"
ip="${ip4_prefix}.1"
subnet="${ip4_prefix}.0/24"
else
prefix="${ip6_prefix}"
ip="${ip6_prefix}1"
subnet="${ip6_prefix}1/64"
fi
mac_addresses=$(grep "${prefix}" /etc/hostapd/$app/allowed.csv | cut -d, -f3)
# Allow to request 4253 port
$iptables_cmd -w -A INPUT -i "${wifi_device}" -m udp -p udp --dport 4253 -j ACCEPT
# Drop all packets going on external internet
$iptables_cmd -w -A hotspot_fwd -s "${subnet}" -j DROP
# Force to use the fakeDNS
$iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p udp --dport 53 -j DNAT --to-destination "${ip}:4253"
# Make things working with DoH
# Warning: this rules to ssupport DoH let info in nginx logs on which website the user try to access...
# Only activating 80 and not 443 reduces a bit the issues.
# A better approach could be to list all ips used by domains dedicated to captive portal detection.
$iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p tcp --dport 80 -j DNAT --to-destination "${ip}:80"
#$iptables_cmd -w -A PREROUTING -i "${wifi_device}" -s "${subnet}" -p tcp --dport 443 -j DNAT --to-destination "${ip}:443"
# Maybe needed, maybe not (i din't need this when vpn is activated)
#$iptables_cmd -t nat -A POSTROUTING -o "${wifi_device}" -j MASQUERADE
# Allow specific mac adress to use external internet
for mac in ${mac_addresses}; do
$iptables_cmd -w -I hotspot_fwd 1 -s "${subnet}" -m mac --mac-source "${mac}" -j ACCEPT
$iptables_cmd -t nat -w -I PREROUTING 1 -i "${wifi_device}" -s "${subnet}" -m mac --mac-source "${mac}" -j ACCEPT
done
$iptables_cmd -w -I FORWARD 1 -i "${wifi_device}" -j hotspot_fwd
done
exit 0
Reference in a new issue View git blame Copy permalink