diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli00setup mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli00setup
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli00setup 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli00setup 2008-08-26 22:29:42.000000000 +0200
@@ -0,0 +1,20 @@
+{
+
+# Compute the first IP of the network
+our $net = ${'chilli'}{'net'} || '10.1.0.0/255.255.255.0';
+my @netaddr = split(/\//,$net);
+my $netaddr = $netaddr[0];
+my @nums = split(/\./,$netaddr);
+my $i = 0;
+our $chillip = '';
+foreach (@nums){
+ $chillip .= $_."." if ($i ne '3');
+ $chillip .= "1" if ($i eq '3');
+ $i++;
+}
+
+our $tundev = ${'chilli'}{'tundev'} || 'tun0';
+our $chilliport = ${'chilli'}{'TCPPort'} || '3990';
+
+$OUT .= '';
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli10stop mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli10stop
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli10stop 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli10stop 2008-08-26 22:29:42.000000000 +0200
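Review bot: `$net`, `$tundev` and `$chilliport` are taken from the configuration database and published with `our` to every later fragment, where they are interpolated unchecked into the generated iptables commands (`-s ! $net`, `-i $tundev`, `--dport $chilliport`), while the `AllowedOutgoing` and `RedirectToChilli` fragments in this same patch validate their inputs with anchored regexes before use. An anchored check after each assignment — for instance `$chilliport = '3990' unless $chilliport =~ /\A\d{1,5}\z/;`, with comparable patterns for the network/netmask pair and the interface name — would keep a mistyped value from producing a rule that fails, or matches more than intended, when the init script runs. The first-address loop hard-codes host `.1` by comparing the counter as a string (`$i ne '3'`); `our $chillip = join('.', @nums[0..2], 1);` gives the same result in one line and deserves a comment saying the gateway address is assumed to be the first host of the network whatever netmask is given. The closing `$OUT .= '';` is presumably there so the fragment emits nothing rather than the value of its last expression; a comment saying so would save the next reader a guess.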
@@ -0,0 +1,43 @@
+{
+$OUT .=<<"HERE";
+
+# This will flush any existing rules for coova-chilli
+stopChilli()\{
+ CHAIN='IN_FROM_CHILLI'
+ STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
+ if [ \$STATE -ge 1 ]; then
+ /sbin/iptables -D INPUT -i $tundev -j \$CHAIN
+ /sbin/iptables -F \$CHAIN
+ /sbin/iptables -X \$CHAIN
+ fi
+ CHAIN='OUT_TO_CHILLI'
+ STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
+ if [ \$STATE -ge 1 ]; then
+ /sbin/iptables -D OUTPUT -o $tundev -j \$CHAIN
+ /sbin/iptables -F \$CHAIN
+ /sbin/iptables -X \$CHAIN
+ fi
+ CHAIN='FORWARD_FROM_CHILLI'
+ STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
+ if [ \$STATE -ge 1 ]; then
+ /sbin/iptables -D FORWARD -i $tundev -j \$CHAIN
+ /sbin/iptables -F \$CHAIN
+ /sbin/iptables -X \$CHAIN
+ fi
+ CHAIN='FORWARD_TO_CHILLI'
+ STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)
+ if [ \$STATE -ge 1 ]; then
+ /sbin/iptables -D FORWARD -o $tundev -j \$CHAIN
+ /sbin/iptables -F \$CHAIN
+ /sbin/iptables -X \$CHAIN
+ fi
+ CHAIN='PREROUTING_FROM_CHILLI'
+ STATE=\$(/sbin/iptables -t nat -L -n | grep -c \$CHAIN)
+ if [ \$STATE -ge 1 ]; then
+ /sbin/iptables -D PREROUTING -t nat -i $tundev -j \$CHAIN
+ /sbin/iptables -t nat -F \$CHAIN
+ /sbin/iptables -t nat -X \$CHAIN
+ fi
+\}
+HERE
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli20input mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli20input
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli20input 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli20input 2008-08-26 22:29:42.000000000 +0200
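Review bot: The presence test `STATE=\$(/sbin/iptables -L -n | grep -c \$CHAIN)` scrapes the listing and counts every line that contains the chain name as a substring, so the exit status of a direct lookup is the more dependable guard: `if /sbin/iptables -L \$CHAIN -n >/dev/null 2>&1; then` (with `-t nat` for the PREROUTING block) replaces both the `STATE=` and the `if [ \$STATE -ge 1 ]` lines in each of the five blocks. When the `-D` of the jump rule fails, the error goes to the console only and the following `-X` is refused if the chain is still referenced; a comment above `stopChilli` stating that iptables failures are deliberately tolerated here would make that intent explicit rather than leaving it to be inferred. The five blocks differ only in table, built-in chain, direction flag and chain name, so a small shell helper taking those four arguments would reduce the function to five calls and keep the flush logic in one place.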
@@ -0,0 +1,46 @@
+{
+
+$OUT .=<<"HERE";
+
+# Input (from the wireless client to the server)
+inFromChilli()\{
+ /sbin/iptables -N IN_FROM_CHILLI
+ /sbin/iptables -A IN_FROM_CHILLI -j state_chk
+ # DHCP requests are allowed
+ /sbin/iptables -A IN_FROM_CHILLI -p udp --dport 67:68 --sport 67:68 -s 0.0.0.0 -d 255.255.255.255 -j ACCEPT
+ /sbin/iptables -A IN_FROM_CHILLI -s ! $net -j denylog
+ # Allow wireless clients to ping the server
+ /sbin/iptables -A IN_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
+ # Mandatory services for chilli (https, coova-chill)
+# /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport ${'httpd-e-smith'}{'TCPPort'} --syn -j ACCEPT
+ /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport ${'modSSL'}{'TCPPort'} --syn -j ACCEPT
+ /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport $chilliport --syn -j ACCEPT
+HERE
+
+foreach (split(/[;,]/, ${'chilli'}{'AllowedServices'} || '')){
+ my $service = $_;
+ next if ((${"$service"}{'status'} || 'disabled') ne 'enabled');
+ my @tcpports = split(/[;,]/, (${"$service"}{'TCPPort'} || '').",".(${"$service"}{'TCPPorts'} || ''));
+ my @udpports = split(/[;,]/, (${"$service"}{'UDPPort'} || '').",".(${"$service"}{'UDPPorts'} || ''));
+ if (@tcpports > 0){
+ foreach(@tcpports){
+ $OUT .= " # Acces to $service is allowed:\n" .
+ " /sbin/iptables -A IN_FROM_CHILLI -p tcp --dport $_ --syn -j ACCEPT\n" if ($_ ne '');
+ }
+ }
+ if (@udpports > 0){
+ foreach(@udpports){
+ $OUT .= " # Acces to $service is allowed:\n" .
+ " /sbin/iptables -A IN_FROM_CHILLI -p udp --dport $_ -j ACCEPT\n" if ($_ ne '');
+ }
+ }
+ # Special case for pptp, which uses GRE proto
+ if ($service eq 'pptpd'){
+ $OUT .= " /sbin/iptables -A IN_FROM_CHILLI -p 47 -j gre-in\n";
+ $OUT .= " /sbin/iptables -I gre-in -s $net -j ACCEPT\n";
+ }
+}
+
+$OUT .= " /sbin/iptables -A IN_FROM_CHILLI -j denylog\n\}\n";
+
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli30output mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli30output
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli30output 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli30output 2008-08-26 22:29:42.000000000 +0200
@@ -0,0 +1,14 @@
+{
+
+$OUT .=<<"HERE";
+
+# Output (from the server to the wireless clients)
+outToChilli()\{
+ /sbin/iptables -N OUT_TO_CHILLI
+ /sbin/iptables -A OUT_TO_CHILLI -j state_chk
+ /sbin/iptables -A OUT_TO_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
+ /sbin/iptables -A OUT_TO_CHILLI -j denylog
+\}
+HERE
+
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom 2008-08-26 22:29:42.000000000 +0200
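Review bot: The port values read from each allowed service's `TCPPort`/`TCPPorts`/`UDPPort`/`UDPPorts` records are interpolated into the `--dport $_` rules after only an empty-string check, whereas the `AllowedOutgoing` parser in 00Functions01Chilli40forwardFrom validates its ports with an anchored regex; making `next unless /\A\d{1,5}(?::\d{1,5})?\z/;` the first statement of both inner `foreach` loops (in place of the trailing `if ($_ ne '')`) keeps a malformed record from emitting a rule that iptables rejects when the init script runs. The `if (@tcpports > 0)` and `if (@udpports > 0)` guards are redundant, since `foreach` over an empty list does nothing. The `pptpd` branch inserts into a `gre-in` chain that this fragment does not create, so it presumably relies on the surrounding masq template having defined it; that dependency is worth a comment on the `-I gre-in` line. The generated comments misspell "Access" as "Acces".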
@@ -0,0 +1,45 @@
+{
+
+$OUT .=<<"HERE";
+
+# Forward from chilli (from the wireless clients to the internet)
+forwardFromChilli()\{
+ /sbin/iptables -N FORWARD_FROM_CHILLI
+ /sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
+ /sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog
+ /sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
+HERE
+
+# Allow services specidied in AllowedOutgoing
+
+foreach (split(/[;,]/, ${'chilli'}{'AllowedOutgoing'} || '')){
+ my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
+ my $ReIpAddr = qr{($ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum)|any|ANY|\*};
+ my $RePort = qr/\d{1,4}|[0-6]\d{4}|any|ANY|\*/;
+ # Check the rules has the form proto:remote_host:remote_port
+ next unless /^(tcp|TCP|udp|UDP):${ReIpAddr}:${RePort}$/;
+ my @params = split(/:/, $_);
+ my $proto = $params[0];
+ my $host = $params[1];
+ my $dport = $params[2];
+ $OUT .= " # $_ is allowed:\n";
+ $OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI ";
+ $OUT .= "-p $proto ";
+ $OUT .= "-d $host " if ($host !~ /(any|\*)/i);
+ $OUT .= "--dport $dport " if ($dport !~ /(any|\*)/i);
+ $OUT .= "--syn " if ($proto =~ /tcp/i);
+ $OUT .= "-j ACCEPT\n"
+}
+
+# Allow the two dns servers specified
+$OUT .= " # Allow dns requests to ${'chilli'}{'dns1'}\n" .
+ " /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d ${'chilli'}{'dns1'} -j ACCEPT\n"
+ if ((${'chilli'}{'dns1'} || '') ne '');
+
+$OUT .= " # Allow dns requests to ${'chilli'}{'dns2'}\n" .
+ " /sbin/iptables -A FORWARD_FROM_CHILLI -p udp --dport 53 -d ${'chilli'}{'dns2'} -j ACCEPT\n"
+ if ((${'chilli'}{'dns2'} || '') ne '');
+
+$OUT .= " /sbin/iptables -A FORWARD_FROM_CHILLI -j denylog\n\}\n";
+
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli45forwardTo mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli45forwardTo
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli45forwardTo 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli45forwardTo 2008-08-26 22:29:42.000000000 +0200
@@ -0,0 +1,14 @@
+{
+
+$OUT .=<<"HERE";
+
+# Forward to (from the local network or the internet to the wireless clients)
+forwardToChilli()\{
+ /sbin/iptables -N FORWARD_TO_CHILLI
+ /sbin/iptables -A FORWARD_TO_CHILLI -j state_chk
+ /sbin/iptables -A FORWARD_TO_CHILLI -p icmp --icmp-type destination-unreachable -j ACCEPT
+ /sbin/iptables -A FORWARD_TO_CHILLI -j denylog
+\}
+HERE
+
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli50prerouting mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli50prerouting
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli50prerouting 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli50prerouting 2008-08-26 22:29:42.000000000 +0200
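Review bot: `${'chilli'}{'dns1'}` and `${'chilli'}{'dns2'}` are interpolated into `-d` on the two DNS rules with only a non-empty check, while the `AllowedOutgoing` entries in the loop just above are validated against `$ReIpAddr`; testing them against the dotted-quad part of that pattern (the `$ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum` form, without the `any`/`*` alternatives) would give the DNS servers the same treatment. That means hoisting the three `qr{}` declarations out of the `foreach` body, which also stops them being recompiled for every `AllowedOutgoing` entry. `$RePort`'s alternative `[0-6]\d{4}` accepts 65536 through 69999, which iptables will reject; a numeric `$dport <= 65535` check after the match, or a tighter alternation, closes that gap. The `$` anchor in the `next unless` test tolerates a trailing newline, so `\z` is the stricter choice for a value that should be a single token. The comment above the loop misspells "specified".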
@@ -0,0 +1,24 @@
+{
+
+$OUT .=<<"HERE";
+
+# Prerouting from chilli (before the server routes paquets from wireless clients)
+preroutingFromChilli()\{
+ /sbin/iptables -N PREROUTING_FROM_CHILLI -t nat
+ /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $LocalIP -j DNAT --to $chillip
+HERE
+
+$OUT .=" /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $ExternalIP -j DNAT --to $chillip\n" if $ExternalIP;
+
+# Redirect also addresses specified in RedirectToChilli
+
+foreach my $ip (split(/[;,]/,(${'chilli'}{'RedirectToChilli'} || ''))){
+ my $ReIpNum = qr{([01]?\d\d?|2[0-4]\d|25[0-5])};
+ my $ReIpAddr = qr{($ReIpNum\.$ReIpNum\.$ReIpNum\.$ReIpNum)};
+ # Check the $ip is a valid ip address
+ next unless $ip =~ /^${ReIpAddr}$/;
+ $OUT .=" /sbin/iptables -A PREROUTING_FROM_CHILLI -t nat -d $ip -j DNAT --to $chillip\n";
+}
+$OUT .= "\}\n";
+
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli60start mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli60start
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli60start 1970-01-01 01:00:00.000000000 +0100
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli60start 2008-08-26 22:29:42.000000000 +0200
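Review bot: `$ReIpNum` and `$ReIpAddr` are declared inside the `foreach` and recompiled for every `RedirectToChilli` entry, and they duplicate the patterns in 00Functions01Chilli40forwardFrom; since 00Functions01Chilli00setup already shares `$net`, `$chillip` and `$tundev` between fragments with `our`, an `our $ReIpAddr = qr{...};` there would let both fragments use one definition. `$LocalIP` and `$ExternalIP` are not set anywhere in these fragments and must come from the enclosing masq template, which is worth stating in the comment above `preroutingFromChilli` so the dependency is visible. The `-j DNAT --to $chillip` rules rewrite every protocol and port addressed to `$LocalIP`, `$ExternalIP` and the redirected addresses; if this is intended only for the captive-portal redirect, a comment on those lines explaining why the match is not narrowed to a protocol or port would help the next maintainer judge it. The comment misspells "packets".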
@@ -0,0 +1,20 @@
+{
+
+$OUT .=<<"HERE";
+
+# Send the paquets from and to chilli to the correct chains
+startChilli()\{
+ inFromChilli
+ outToChilli
+ preroutingFromChilli
+ forwardFromChilli
+ forwardToChilli
+ /sbin/iptables -I INPUT -i $tundev -j IN_FROM_CHILLI
+ /sbin/iptables -I OUTPUT -o $tundev -j OUT_TO_CHILLI
+ /sbin/iptables -I FORWARD -o $tundev -j FORWARD_TO_CHILLI
+ /sbin/iptables -I FORWARD -i $tundev -j FORWARD_FROM_CHILLI
+ /sbin/iptables -I PREROUTING -t nat -i $tundev -j PREROUTING_FROM_CHILLI
+\}
+HERE
+
+}
diff -Nur -x '*.orig' -x '*.rej' smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/60ChilliRules mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/60ChilliRules
--- smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/60ChilliRules 2008-08-26 22:33:38.000000000 +0200
+++ mezzanine_patched_smeserver-coova-chilli-0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/60ChilliRules 1970-01-01 01:00:00.000000000 +0100
@@ -1,77 +0,0 @@
-{
-# Compute the first IP of the network
-my $net = $chilli{'net'} || '10.1.0.0/255.255.255.0';
-my @netaddr = split(/\//,$net);
-my $netaddr = $netaddr[0];
-my @nums = split(/\./,$netaddr);
-my $i = 0;
-my $chillip = '';
-foreach (@nums){
- $chillip .= $_."." if ($i ne '3');
- $chillip .= "1" if ($i eq '3');
- $i++;
-}
-
-my $tundev = $chilli{'tundev'} || 'tun0';
-my $chilliport = $chilli{'TCPPort'} || '3990';
-
-if ($chilli{'status'} eq 'enabled'){
-$OUT =<
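Review bot: `startChilli` creates the chains with `-N` and hooks them in with `-I`, but nothing guards against it running while the chains already exist: a second call would fail every `-N`, leave a duplicate jump rule in each built-in chain, and `stopChilli` in 00Functions01Chilli10stop deletes only one jump rule per chain. Calling `stopChilli` as the first line of `startChilli`, or documenting in the comment above it that the caller (outside this fragment set) must call `stopChilli` first, would pin that down. Because `-I` inserts at position 1, the chilli chains are consulted ahead of every other rule in INPUT, OUTPUT, FORWARD and nat PREROUTING, including whatever the surrounding masq template places there; a comment stating that this precedence is intended is worth adding. The comment misspells "packets".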