Fitxers de configuració de la fonera.

Ací teniu diversos fitxers de configuració interna de la Fonera; els publique per si algú té interés a veure com funcionen algunes parts i no en té cap a mà.

/etc/firewall.fon

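# Firewall script, specific for OpenWrt: permits traffic from chilli clients
# (the tun0 side of the hotspot) to the Internet and restricts traffic
# between interfaces.
#
# Inputs: /tmp/network-config (wifi_ifname, wan_ifname, lan_ifname) and the
# "access" section of /etc/config/fon (hotspot_wan, hotspot_lan, lan_wan).
# config_load/config_get/enabled come from /etc/functions.sh (not shown here);
# `enabled VALUE DEFAULT` is taken to succeed when the option is switched on,
# with DEFAULT used when the option is unset -- confirm against functions.sh.
#
# Chains: NET_ACCESS is the policy applied to hotspot (tun0) traffic, both
# into the router (INPUT) and through it (FORWARD). It ends in DROP, so
# anything not explicitly accepted below is blocked. WAN_HOOK and INPUT_CFG
# are only created (empty) here and are expected to be filled elsewhere.
. /etc/functions.sh
. /tmp/network-config
config_load fon

WL="$wifi_ifname"
WAN="$wan_ifname"
LAN="$lan_ifname"

# (Re)create NET_ACCESS; -N fails harmlessly when the chain already exists,
# the flush then gives us a clean chain either way.
iptables -N NET_ACCESS 2>&- >&-
iptables -F NET_ACCESS

# WAN_HOOK will contain rules to restrict traffic to the wan network
iptables -N WAN_HOOK 2>&- >&-

# ChilliSpot: the captive-portal login port must stay reachable from tun0.
iptables -A NET_ACCESS -p tcp --dport 3990 -j ACCEPT

# DNS is always allowed from the tunnel
iptables -A NET_ACCESS -p udp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -p tcp --dport 53 -j ACCEPT

# Access control for the hotspot.
# hotspot_wan off -> hotspot traffic is passed through WAN_HOOK before the
# generic accept rules below. WAN_HOOK is empty in this script, so any real
# restriction has to be added to it by whatever populates that chain.
config_get wan access hotspot_wan
enabled "$wan" 0 || iptables -A NET_ACCESS -j WAN_HOOK

# hotspot_lan on  -> hotspot clients are masqueraded onto the private LAN,
#                    i.e. public hotspot users can reach LAN hosts (the
#                    "-o $LAN" ACCEPT further down lets that traffic through).
#                    Leave this off unless that is really intended.
# hotspot_lan off -> anything from the tunnel heading for the LAN is dropped
#                    before the generic LAN accept rule is reached.
config_get lan access hotspot_lan
if enabled "$lan" 0; then
	iptables -t nat -A POSTROUTING -o "$LAN" -j MASQUERADE
else
	iptables -A NET_ACCESS -o "$LAN" -j DROP
fi

# lan_wan off -> LAN-to-WAN forwarding is sent through WAN_HOOK first.
config_get wan access lan_wan
enabled "$wan" 1 || iptables -I FORWARD 1 -i "$LAN" -o "$WAN" -j WAN_HOOK

# allow regular wan traffic (only when a WAN interface is configured)
[ -z "$WAN" ] || {
	iptables -A NET_ACCESS -o "$WAN" -j ACCEPT
	iptables -A NET_ACCESS -i "$WAN" -j ACCEPT
}

iptables -A NET_ACCESS -o "$LAN" -j ACCEPT
iptables -A NET_ACCESS -i "$LAN" -j ACCEPT

# drop everything that we haven't explicitly allowed
iptables -A NET_ACCESS -j DROP

# --- INPUT PART ---
# INPUT_CFG is created empty here; input arriving from the LAN is handed to it.
iptables -N INPUT_CFG 2>&- >&-
iptables -F INPUT_CFG 2>&- >&-
# Hotspot clients must never reach the router's own web interface.
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j DROP
iptables -I INPUT 2 -i "$LAN" -j INPUT_CFG
# Everything else arriving from tun0 goes through NET_ACCESS (3990, DNS, then
# DROP), so the router itself is closed to hotspot users apart from those ports.
iptables -I INPUT 3 -i tun0 -j NET_ACCESS

# --- FORWARD PART ---
iptables -I forwarding_rule 1 -i "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 2 -o "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 3 -i tun0 -j NET_ACCESS
iptables -I forwarding_rule 4 -o tun0 -j NET_ACCESS

# Drop all unmanaged traffic from the public interface: hotspot clients only
# get through via the chilli tunnel (tun0), never directly from $WL.
iptables -t nat -A PREROUTING -i "$WL" -j DROP

# Re-run the wan ifup firewall hook, presumably so the rest of the firewall
# is rebuilt on top of the rules above -- confirm against 20-firewall.
ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/20-firewall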

/etc/config/qos 

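# QoS configuration for OpenWrt (qos-scripts). Like the other files under
# /etc/config it is sourced as shell; the config/option helpers come from
# /etc/functions.sh.
#
# Both interfaces below have "enabled 0", so no shaping is active until one
# of them is switched on. upload/download are presumably kbit/s -- confirm
# the units against the qos-scripts docs before tuning.

# INTERFACES:

config interface hotspot
	option classgroup	"Default"
	option enabled		0
	option upload		512
	option download		512
	option device		tun0

config interface wan
	option classgroup	"Default"
	option enabled		0
	option upload		128
	option download		1024

# RULES:
# ipp2p and layer7 matches need the matching iptables/kernel modules; without
# them these rules presumably fail to load -- verify on the device.
config classify
	option target		"Bulk"
	option ipp2p		"all"
config classify
	option target		"Bulk"
	option layer7		"edonkey"
config classify
	option target		"Bulk"
	option layer7		"bittorrent"
config classify
	option target		"Priority"
	option layer7		"irc"
config classify
	option target		"Priority"
	option ports		"22,53"
config classify
	option target		"Normal"
	option proto		"tcp"
	option ports		"20,21,25,80,110,443,993,995"
config classify
	option target		"Express"
	option ports		"5190"
# Small UDP packets (up to 500 bytes) go to Express by default.
config default
	option target		"Express"
	option proto		"udp"
	option pktsize		"-500"
config reclassify
	option target		"Priority"
	option proto		"icmp"
# Unclassified traffic on high ports is treated as Bulk.
config default
	option target		"Bulk"
	option portrange	"1024-65535"
# Small SYN/ACK segments of non-Bulk flows are promoted to Priority so
# connection setup and acknowledgements are not starved.
config reclassify
	option target		"Priority"
	option proto		"tcp"
	option pktsize		"-128"
	option mark		"!Bulk"
	option tcpflags		"SYN"
config reclassify
	option target		"Priority"
	option proto		"tcp"
	option pktsize		"-128"
	option mark		"!Bulk"
	option tcpflags		"ACK"

# Don't change the stuff below unless you
# really know what it means :)

config classgroup "Default"
	option classes		"Priority Express Normal Bulk"
	option default		"Normal"

config class "Priority"
	option packetsize	300
	option packetdelay	10
	option maxsize		400
	option avgrate		40
	option linksharing	75
config class "Priority_down"
	option packetsize	1500
	option avgrate		20

config class "Express"
	option packetsize	1300
	option packetdelay	15
	option maxsize		800
	option avgrate		30
	option linksharing	80

config class "Normal"
	option packetsize	1500
	option packetdelay	150
	option avgrate		20
	option linksharing	30
config class "Normal_down"
	option avgrate		30

config class "Bulk"
	option linksharing	10
config class "Bulk_down"
	option avgrate		15
	option limitrate	85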

/etc/config/fon

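# Syntax:
#
# config TYPE NAME
#       option NAME VALUE
#
# Network Interfaces: (config network SECTION)
#   available sections: lan, wan, hotspot
#       available options:
#               - mode: operation mode (static, dhcp, pppoe, pptp)
#               (depending on mode):
#               - static: ipaddr, netmask, gateway
#               - dhcp: (optional) ipaddr
#               - pppoe: username, password
#               - pptp: username, password, server
#
# Wireless Settings: (config wifi SECTION)
#       available sections: public, private
#       available options:
#               - essid
#               (private only)
#               - encryption: wpa, wpa2, mixed (optionally append /tkip, /aes or /tkip+aes)
#               - password
#
# This file is sourced as shell: config/option are helpers from functions.sh
# and values undergo normal shell expansion (see the password line below).

. /etc/functions.sh # this line always needs to be present

config network lan
	option mode		static
	option ipaddr		'192.168.10.1'
	option netmask		'255.255.255.0'
	option dhcp		'0'

config network wan
	# NOTE(review): mode is empty although static address parameters follow;
	# per the syntax notes above it should be one of static/dhcp/pppoe/pptp
	# (presumably 'static' here) -- confirm what the empty value does.
	option mode		''
	option ipaddr		'192.168.1.50'
	option netmask		'255.255.255.0'
	option gateway		'192.168.1.102'
	option dns		'192.168.1.102'

config wifi public
	option essid		'vicent'

config wifi private
	option essid		'Hortanet'
	# NOTE(review): 'open' is not one of the encryption modes listed above
	# (wpa, wpa2, mixed). With it the private network is unencrypted and the
	# wpa_crypto/password lines below presumably have no effect; use 'wpa2'
	# (or 'mixed' for older clients) so the password actually applies.
	option encryption	'open'
	option wpa_crypto	tkip+aes
	# The key is derived from the device serial (get_serial, functions.sh):
	# anyone who learns the serial learns the key -- prefer a real
	# passphrase. Quoted so the value is always passed as a single word.
	option password		"$(get_serial)"

config firewall access
	option lan_wan		'1'
	option hotspot_wan	'1'
	# hotspot_lan '1' lets public hotspot clients be masqueraded onto the
	# private LAN (see the hotspot_lan branch in /etc/firewall.fon); set it
	# to '0' unless hotspot users are meant to reach LAN hosts.
	option hotspot_lan	'1'

config wifi advanced
	option bgmode		'mixed'
	option channel		'02'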

/etc/firewall.user 
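#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
#
# Local firewall additions. The user chains (input_rule, output_rule,
# forwarding_rule, prerouting_rule, postrouting_rule) are flushed and then
# re-populated from scratch below.
#
# NOTE(review): flushing forwarding_rule also removes whatever
# /etc/firewall.fon inserted there for the hotspot; that only works if
# firewall.fon runs after this script -- check the order in
# /etc/hotplug.d/iface/20-firewall.

. /tmp/network-config

WAN="$wan_ifname"
LAN="$lan_ifname"

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
## The "-i $WAN" is used to match packets that come in via the $WAN interface.
## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
## to see the effects from within the LAN.

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
#
# SSH is exposed on the WAN side, i.e. the router itself is reachable from
# the Internet. Make sure dropbear only accepts key authentication (or a
# strong password) and consider restricting the source addresses (-s) or
# rate-limiting new connections on these two rules.
# The nat rule's chain name was mistyped as "preouting_rule" (a chain that
# does not exist), so that rule was never installed; fixed here.
iptables        -A input_rule      -i "$WAN" -p tcp --dport 22 -j ACCEPT
iptables -t nat -A prerouting_rule -i "$WAN" -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables        -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT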

Crec que ja hi ha prou per hui 😉
