oXis

Captive Portal OpenWrt

May 31st, 2017
  1. #!/bin/bash
  2.  
  3. #Modified by oXis for the Wifi Pineapple (OpenWRT)
  4.  
  5. # Written by Sitwon and The Doctor.
  6. # Copyright (C) 2013 Project Byzantium
  7. # This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.
  8.  
#######################################
# Stand-in for arp(8): dump the kernel neighbour table straight from procfs
# (presumably because no arp binary is shipped on the Pineapple image — confirm).
# Any arguments are accepted but ignored (callers pass -n), so the output is
# always the raw /proc/net/arp listing, header line included.
# Outputs:   contents of /proc/net/arp on stdout
# Returns:   exit status of cat
#######################################
arp() {
  cat /proc/net/arp
}
  10.  
  11. IPTABLES=/usr/sbin/iptables
  12. ARP=arp
  13. IP=172.16.42.1
  14.  
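#######################################
# Helpers for the actions below.
#######################################

# Print the /24 netblock of the client interface address ($IP):
# 172.16.42.1 -> 172.16.42.0/24.
# The previous `sed 's/1$/0\/24/'` only produced a correct netblock when the
# last octet was exactly "1" (an address ending in .11 became .10/24).
# Globals:   IP (read)
# Outputs:   netblock in CIDR form on stdout
client_net() {
  printf '%s.0/24\n' "${IP%.*}"
}

# Print the hardware address the kernel ARP table holds for the IP in $1,
# or nothing when there is no usable entry.
# /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device.
# The IP column is compared as a whole string: the previous `grep $CLIENT`
# was an unanchored regex, so 172.16.42.1 also matched 172.16.42.10, .100
# and .11, and each "." matched any character. Incomplete entries carry an
# all-zero HW address and are skipped instead of being whitelisted.
# Globals:   ARP (read)
# Arguments: $1 - client IP address
# Outputs:   MAC address on stdout (empty when not found)
client_mac() {
  "$ARP" -n | awk -v ip="$1" \
    '$1 == ip && $4 != "00:00:00:00:00:00" { print $4; exit }'
}

# Run iptables with the given arguments, remembering any failure in $rv.
# Every rule of an action is still attempted (the closing DROP rules must be
# installed even if an earlier rule fails) while the exit status reports
# that something went wrong.
# Globals:   IPTABLES (read), rv (written)
rv=0
ipt() {
  "$IPTABLES" "$@" || rv=1
}

# Print the usage line (the action is `init`, not `initialize`) to stderr
# and exit with status 2, the conventional "bad arguments" status.
usage() {
  printf 'USAGE: %s {init|add <IP>|remove <IP>|purge|list}\n' "$0" >&2
  exit 2
}

#######################################
# Dispatch on the requested action.
# Exit status is 0 on success, 1 when a rule could not be applied or a client
# could not be resolved, 2 on bad arguments.
#######################################
case "$1" in
  init)
    CLIENTNET=$(client_net)

    # Exempt traffic which does not originate from the client network.
    # NOTE(review): this RETURN only bypasses the marking if mangle PREROUTING
    # later jumps into the fwmark chain; neither that jump nor the fwmark chain
    # itself is created here — confirm the firewall config provides them.
    ipt -t mangle -I PREROUTING -p all ! -s "$CLIENTNET" -j RETURN

    # Traffic not coming from an accepted user gets marked 99.
    ipt -t mangle -A fwmark -j MARK --set-mark 99

    # Marked traffic headed for 80/TCP is redirected to the captive portal
    # web server.
    ipt -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination "$IP:80"
    # HTTPS is not yet enabled on the PineAP nginx, so 443 is not redirected
    # and falls through to the mark-99 DROP below.
    #ipt -t nat -A prerouting_rule -m mark --mark 99 -p tcp --dport 443 -j DNAT --to-destination "$IP:443"

    # For use with DNS spoofing.
    #ipt -t filter -A forwarding_rule -p udp --dport 53 -j ACCEPT
    #ipt -t nat -A prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination "$IP:53"

    # Local services reachable from the client network. These ACCEPTs sit in
    # front of the mark-99 DROP on input_rule, so clients that have not yet
    # been accepted can reach the PineAP admin page and SSH as well as the
    # portal; add `-s <admin host>` to the last two if that is not intended.
    ipt -t filter -A input_rule -p tcp --dport 80 -j ACCEPT    # Webserver
    #ipt -t filter -A input_rule -p tcp --dport 443 -j ACCEPT  # Webserver (HTTPS, see above)
    ipt -t filter -A input_rule -p tcp --dport 1471 -j ACCEPT  # PineAP admin page
    ipt -t filter -A input_rule -p tcp --dport 22 -j ACCEPT    # SSH

    # All other traffic which is marked 99 is dropped, whether forwarded
    # or addressed to this host.
    ipt -t filter -A forwarding_rule -m mark --mark 99 -j DROP
    ipt -t filter -A input_rule -m mark --mark 99 -j DROP

    exit "$rv"
    ;;
  add)
    # $2: IP address of client.
    CLIENT=$2
    [ -n "$CLIENT" ] || usage

    # Resolve the client to its MAC address; refuse to continue with an empty
    # one, which would otherwise reach --mac-source as a missing argument.
    CLIENTMAC=$(client_mac "$CLIENT")
    if [ -z "$CLIENTMAC" ]; then
      printf '%s: no ARP entry for %s, nothing added\n' "$0" "$CLIENT" >&2
      exit 1
    fi

    # Whitelist the MAC address of the client, so it keeps access to the
    # network even if its IP address changes.
    "$IPTABLES" -t mangle -I fwmark -m mac --mac-source "$CLIENTMAC" -j RETURN
    exit $?
    ;;
  remove)
    # $2: IP address of client.
    CLIENT=$2
    [ -n "$CLIENT" ] || usage

    # Same resolution as for `add`; an unknown client cannot be removed by IP.
    CLIENTMAC=$(client_mac "$CLIENT")
    if [ -z "$CLIENTMAC" ]; then
      printf '%s: no ARP entry for %s, nothing removed\n' "$0" "$CLIENT" >&2
      exit 1
    fi

    # Delete the MAC address of the client from the whitelist.
    "$IPTABLES" -t mangle -D fwmark -m mac --mac-source "$CLIENTMAC" -j RETURN
    exit $?
    ;;
  purge)
    CLIENTNET=$(client_net)

    # Flush the user-defined chains. This empties input_rule and
    # forwarding_rule completely, including any rules other tools added.
    ipt -t mangle -F fwmark
    ipt -t nat -F prerouting_rule
    ipt -t filter -F input_rule
    ipt -t filter -F forwarding_rule
    # The exemption lives in the built-in chain, so it is deleted by rule spec;
    # this reports failure (status 1) if `init` was never run.
    ipt -t mangle -D PREROUTING -p all ! -s "$CLIENTNET" -j RETURN

    #ipt -t nat -D prerouting_rule -m mark --mark 99 -p udp --dport 53 -j DNAT --to-destination "$IP:53"

    exit "$rv"
    ;;
  list)
    # Display the currently loaded ruleset of every table touched above.
    "$IPTABLES" --list -t nat -n
    "$IPTABLES" --list -t mangle -n
    "$IPTABLES" --list -t filter -n

    exit 0
    ;;
  *)
    usage
    ;;
esac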