From 114aa8d1119568feeccfb669dd22ceaf17d696e8 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 20 Feb 2009 00:38:37 +0000 Subject: [PATCH] applications/luci-splash: firewall fixes --- .../luci-splash/root/etc/init.d/luci_splash | 27 +++++++++++++------ modules/freifunk/root/etc/firewall.freifunk | 6 +++++ 2 files changed, 25 insertions(+), 8 deletions(-) diff --git a/applications/luci-splash/root/etc/init.d/luci_splash b/applications/luci-splash/root/etc/init.d/luci_splash index 85ea8ecaa..1d6e98814 100755 --- a/applications/luci-splash/root/etc/init.d/luci_splash +++ b/applications/luci-splash/root/etc/init.d/luci_splash @@ -17,10 +17,11 @@ iface_add() { [ -n "$netmask" ] || return 0 eval "$(ipcalc.sh $ipaddr $netmask)" - - iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal - iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal - iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal + + iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting + iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal + iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal + iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal } blacklist_add() { @@ -44,9 +45,9 @@ start() { config_load luci_splash ### Create subchains - iptables -t nat -N luci_splash iptables -t nat -N luci_splash_portal iptables -t nat -N luci_splash_leases + iptables -t nat -N luci_splash_prerouting ### Build the main and portal rule config_foreach blacklist_add blacklist @@ -70,16 +71,26 @@ start() { start-stop-daemon -S -b -q -x /usr/bin/luci-splashd } -stop() { +iface_del() { + config_get zone "$1" zone + [ -n "$zone" ] || return 0 + iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting +} + +stop() { + ### Clear interface rules + config_load luci_splash + config_foreach iface_del iface + ### Clear subchains iptables -t nat -F luci_splash_leases iptables -t nat -F luci_splash_portal - iptables -t nat -F luci_splash + iptables -t nat -F luci_splash_prerouting ### Delete subchains iptables -t nat -X luci_splash_leases iptables -t nat -X luci_splash_portal - iptables -t nat -X luci_splash + iptables -t nat -X luci_splash_prerouting ### Stop the splash httpd start-stop-daemon -K -q -x /usr/bin/luci-splashd diff --git a/modules/freifunk/root/etc/firewall.freifunk b/modules/freifunk/root/etc/firewall.freifunk index 663fc615a..c70ac3a2a 100644 --- a/modules/freifunk/root/etc/firewall.freifunk +++ b/modules/freifunk/root/etc/firewall.freifunk @@ -13,6 +13,8 @@ apply_advanced() { local accept_source_route config_get_bool tcp_ecn $1 tcp_ecn 1 + config_get ip_conntrack_max $1 ip_conntrack_max + config_get_bool tcp_westwood $1 tcp_westwood 0 config_get_bool tcp_window_scaling $1 tcp_window_scaling 1 config_get_bool accept_redirects $1 accept_redirects 0 config_get_bool accept_source_route $1 accept_source_route 0 @@ -24,6 +26,8 @@ apply_advanced() { sysctl -w net.ipv4.tcp_ecn=$tcp_ecn >/dev/null sysctl -w net.ipv4.tcp_window_scaling=$tcp_window_scaling >/dev/null + sysctl -w net.ipv4.tcp_westwood=$tcp_westwood >/dev/null + sysctl -w net.ipv4.ip_conntrack_max=$ip_conntrack_max >/dev/null for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo $accept_redirects > $f @@ -51,3 +55,5 @@ apply_nat_fix() { uci_set_state firewall core loaded 1 config_foreach fw_addif interface config_foreach apply_nat_fix interface + +[ -x /etc/init.d/luci_splash ] && /etc/init.d/luci_splash start -- 2.25.1