Pour créer un dépôt OpenWRT pour l'application quid

configure_captive.sh 3.6KB

  1. #!/bin/sh
  2. [ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
  3. [ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
  4. # configure DNSMASQ pour que le serveur DNS
  5. # reponde toujours l'adresse locale
  6. # configure egalement RFC 7710 Captive-Portal Identification
  7. LAN_ADDRESS=$(uci -q get network.lan.ipaddr)
  8. echo """address=/#/$LAN_ADDRESS
  9. dhcp-option=160,http://$LAN_ADDRESS
  10. dhcp-option-force=160,http://$LAN_ADDRESS
  11. """ > /tmp/dnsmasq.d/quid
  12. # redemarre DNSMASQ
  13. /etc/init.d/dnsmasq restart
  14. # configure le firewall pour :
  15. # - interdire le forward entre lan->wan
  16. # - rediriger le traffic 80 et 443 vers localhost
  17. echo """config defaults
  18. option syn_flood '1'
  19. option input 'ACCEPT'
  20. option output 'ACCEPT'
  21. option forward 'REJECT'
  22. config zone
  23. option name 'lan'
  24. option input 'ACCEPT'
  25. option output 'ACCEPT'
  26. option forward 'ACCEPT'
  27. option network 'lan'
  28. config zone
  29. option name 'wan'
  30. option input 'REJECT'
  31. option output 'ACCEPT'
  32. option forward 'REJECT'
  33. option mtu_fix '1'
  34. option network 'wan wan6 wwan'
  35. config forwarding
  36. option src 'lan'
  37. option dest 'wan'
  38. config rule
  39. option name 'Allow-DHCP-Renew'
  40. option src 'wan'
  41. option proto 'udp'
  42. option dest_port '68'
  43. option target 'ACCEPT'
  44. option family 'ipv4'
  45. config rule
  46. option name 'Allow-Ping'
  47. option src 'wan'
  48. option proto 'icmp'
  49. option icmp_type 'echo-request'
  50. option family 'ipv4'
  51. option target 'ACCEPT'
  52. config rule
  53. option name 'Allow-IGMP'
  54. option src 'wan'
  55. option proto 'igmp'
  56. option family 'ipv4'
  57. option target 'ACCEPT'
  58. config rule
  59. option name 'Allow-DHCPv6'
  60. option src 'wan'
  61. option proto 'udp'
  62. option src_ip 'fc00::/6'
  63. option dest_ip 'fc00::/6'
  64. option dest_port '546'
  65. option family 'ipv6'
  66. option target 'ACCEPT'
  67. config rule
  68. option name 'Allow-MLD'
  69. option src 'wan'
  70. option proto 'icmp'
  71. option src_ip 'fe80::/10'
  72. list icmp_type '130/0'
  73. list icmp_type '131/0'
  74. list icmp_type '132/0'
  75. list icmp_type '143/0'
  76. option family 'ipv6'
  77. option target 'ACCEPT'
  78. config rule
  79. option name 'Allow-ICMPv6-Input'
  80. option src 'wan'
  81. option proto 'icmp'
  82. list icmp_type 'echo-request'
  83. list icmp_type 'echo-reply'
  84. list icmp_type 'destination-unreachable'
  85. list icmp_type 'packet-too-big'
  86. list icmp_type 'time-exceeded'
  87. list icmp_type 'bad-header'
  88. list icmp_type 'unknown-header-type'
  89. list icmp_type 'router-solicitation'
  90. list icmp_type 'neighbour-solicitation'
  91. list icmp_type 'router-advertisement'
  92. list icmp_type 'neighbour-advertisement'
  93. option limit '1000/sec'
  94. option family 'ipv6'
  95. option target 'ACCEPT'
  96. config rule
  97. option name 'Allow-ICMPv6-Forward'
  98. option src 'wan'
  99. option dest '*'
  100. option proto 'icmp'
  101. list icmp_type 'echo-request'
  102. list icmp_type 'echo-reply'
  103. list icmp_type 'destination-unreachable'
  104. list icmp_type 'packet-too-big'
  105. list icmp_type 'time-exceeded'
  106. list icmp_type 'bad-header'
  107. list icmp_type 'unknown-header-type'
  108. option limit '1000/sec'
  109. option family 'ipv6'
  110. option target 'ACCEPT'
  111. config rule
  112. option name 'Allow-IPSec-ESP'
  113. option src 'wan'
  114. option dest 'lan'
  115. option proto 'esp'
  116. option target 'ACCEPT'
  117. config rule
  118. option name 'Allow-ISAKMP'
  119. option src 'wan'
  120. option dest 'lan'
  121. option dest_port '500'
  122. option proto 'udp'
  123. option target 'ACCEPT'
  124. config rule
  125. option enabled '1'
  126. option target 'ACCEPT'
  127. option src 'wan'
  128. option dest 'lan'
  129. config redirect
  130. option target 'DNAT'
  131. option src 'lan'
  132. option dest 'wan'
  133. option proto 'tcp'
  134. option src_dport '80'
  135. option dest_port '80'
  136. option name 'HTTP'
  137. config zone
  138. option name 'lan'
  139. option input 'ACCEPT'
  140. option output 'ACCEPT'
  141. option network 'lan'
  142. option forward 'REJECT'
  143. config include
  144. option path '/etc/firewall.user'
  145. """ > /etc/config/firewall
  146. # redemarre le firewall
  147. /etc/init.d/firewall restart
  148. exit 0