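/*
 * Start the privoxy HTTP proxy when "privoxy_enable" is set.
 *
 * Writes /tmp/privoxy.conf — either the admin-supplied "privoxy_conf" text
 * (taken verbatim from nvram when "privoxy_advanced" is on) or a generated
 * default listening on the LAN address, port 8118 — then launches the daemon.
 * In transparent mode ("privoxy_transp_enable") a nat PREROUTING REDIRECT
 * rule sends port-80 traffic not destined for the WAN address to 8118, and
 * the generated config enables accept-intercepted-requests to match.
 *
 * No return value; failures are reported through syslog and leave the proxy
 * stopped.
 */
void start_privoxy(void)
{
	if (!nvram_match("privoxy_enable", "1"))
		return;

	char *ip = nvram_safe_get("lan_ipaddr");
	char *wan = get_wan_ipaddr();
	/* 1 = transparent mode; also the value of accept-intercepted-requests */
	int mode = nvram_match("privoxy_transp_enable", "1") ? 1 : 0;

	/* privoxy runs unprivileged; make sure the "nobody" account exists */
	sysprintf("grep -q nobody /etc/passwd || echo \"nobody:*:65534:65534:nobody:/var:/bin/false\" >> /etc/passwd");
	/* NOTE(review): 0777 makes the log directory world-writable. Presumably
	 * this is so the unprivileged daemon can create its logfile; a directory
	 * owned by that user with 0755 would be tighter — confirm which uid
	 * privoxy runs as before changing it. */
	mkdir("/var/log/privoxy", 0777);

	/* Write the config before touching the firewall: if this fails we must
	 * not leave port 80 redirected to a listener that never comes up. */
	FILE *fp = fopen("/tmp/privoxy.conf", "wb");
	if (fp == NULL) {
		syslog(LOG_ERR, "Privoxy : cannot create /tmp/privoxy.conf\n");
		return;
	}

	if (nvram_match("privoxy_advanced", "1") && nvram_invmatch("privoxy_conf", "")) {
		fprintf(fp, "%s", nvram_safe_get("privoxy_conf"));
	} else {
		fprintf(fp, "confdir /etc/privoxy\n"
			"logdir /var/log/privoxy\n"
			"actionsfile match-all.action\n"
			"actionsfile default.action\n"
			"actionsfile user.action\n"
			"filterfile default.filter\n"
			"logfile logfile\n"
			"listen-address  %s:8118\n"
			"toggle  1\n"
			"enable-remote-toggle  0\n"
			"enable-remote-http-toggle  0\n"
			"enable-edit-actions 0\n"
			"buffer-limit 4096\n"
			"accept-intercepted-requests %d\n"
			"split-large-forms 0\n"
			"keep-alive-timeout 5\n"
			"socket-timeout 300\n"
			"max-client-connections 64\n"
			"handle-as-empty-doc-returns-ok 1\n", ip, mode);
	}
	/* fclose flushes; a failure here means a truncated config on disk */
	if (fclose(fp) != 0) {
		syslog(LOG_ERR, "Privoxy : error writing /tmp/privoxy.conf\n");
		return;
	}

	if (mode) {
		/* delete any stale copy first so repeated starts do not stack rules.
		 * NOTE(review): "-d ! addr" is the old negation spelling; newer
		 * iptables expects "! -d addr" — verify against the shipped binary. */
		sysprintf("iptables -t nat -D PREROUTING -p tcp -d ! %s --dport 80 -j REDIRECT --to-port 8118", wan);
		sysprintf("iptables -t nat -I PREROUTING -p tcp -d ! %s --dport 80 -j REDIRECT --to-port 8118", wan);
	}

	eval("privoxy", "/tmp/privoxy.conf");
	syslog(LOG_INFO, "Privoxy : privoxy started\n");
}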
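/*
 * Emit the body of one chilli/hotspot firewall hook script to fp.
 *
 * op is the iptables chain operation: "-I" produces the ip-up script and
 * "-D" the matching ip-down script. Generating both from the same code
 * guarantees the delete rules name exactly the rules that were inserted
 * (previously ip-down hard-coded "logaccept" as the tun0 target, so when
 * log_level < 2 the inserted <log_accept> rules were never removed).
 * Reads the file-scope log_accept / log_drop targets set by the caller.
 */
static void write_chilli_script(FILE *fp, const char *op)
{
	fprintf(fp, "#!/bin/sh\n");
	/* if we have a gw traffic will go there, but without a gw chilli may be
	 * used on a local network only; either way allow traffic in/out of tun0 */
	fprintf(fp, "iptables %s INPUT -i tun0 -j %s\n", op, log_accept);
	fprintf(fp, "iptables %s FORWARD -i tun0 -j %s\n", op, log_accept);
	fprintf(fp, "iptables %s FORWARD -o tun0 -j %s\n", op, log_accept);
	/* clamp MSS here only when the firewall's own clamping is off */
	if (nvram_invmatch("filter", "on"))
		fprintf(fp, "iptables %s FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n", op);
	/* secure the captive-portal interface: drop packets not from its subnet.
	 * NOTE(review): interface and subnet strings come from nvram and are
	 * written unquoted into a shell script; they are admin-set config, but
	 * the nvram keys should only ever be settable by an authenticated admin. */
	if (nvram_match("hotss_enable", "1")
		&& nvram_invmatch("hotss_interface", "br0"))
		fprintf(fp, "iptables -t nat %s PREROUTING -i %s ! -s %s -j %s\n", op,
			nvram_safe_get("hotss_interface"),
			nvram_safe_get("hotss_net"), log_drop);
	if (nvram_match("chilli_enable", "1")
		&& nvram_invmatch("chilli_interface", "br0"))
		fprintf(fp, "iptables -t nat %s PREROUTING -i %s ! -s %s -j %s\n", op,
			nvram_safe_get("chilli_interface"),
			nvram_safe_get("chilli_net"), log_drop);

	/* source NAT for hotspot clients: hotss_net first, then chilli_net,
	 * then chilli's default subnet when either service is on but no net is set */
	const char *net;
	if (nvram_match("hotss_enable", "1")
		&& strlen(nvram_safe_get("hotss_net")) > 0)
		net = nvram_safe_get("hotss_net");
	else if (nvram_match("chilli_enable", "1")
		&& strlen(nvram_safe_get("chilli_net")) > 0)
		net = nvram_safe_get("chilli_net");
	else if (nvram_match("hotss_enable", "1")
		|| nvram_match("chilli_enable", "1"))
		net = "192.168.182.0/24";
	else
		return;

	/* no WAN: MASQUERADE; otherwise SNAT to the current WAN address */
	if (nvram_match("wan_proto", "disabled"))
		fprintf(fp, "iptables -t nat %s POSTROUTING -s %s -j MASQUERADE\n", op, net);
	else
		fprintf(fp, "iptables -t nat %s POSTROUTING -s %s -j SNAT --to-source=%s\n",
			op, net, get_wan_ipaddr());
}

/*
 * Generate /tmp/chilli/ip-up.sh and ip-down.sh, the hooks chilli runs when
 * its tun0 interface comes up or goes down. ip-up inserts the firewall and
 * NAT rules for the hotspot, ip-down deletes the same rules. Both scripts
 * are made executable (0750). Also fills in the file-scope log_drop,
 * log_accept and log_reject targets from "log_level".
 *
 * Returns early (leaving whatever was already written) if a script cannot
 * be created or flushed.
 */
void main_config(void)
{
	int log_level = atoi(nvram_safe_get("log_level"));
	mkdir("/tmp/chilli", 0700);

	FILE *fp = fopen("/tmp/chilli/ip-up.sh", "wb");
	if (fp == NULL)
		return;

	/* logging targets only at the matching verbosity, plain targets otherwise */
	if (log_level >= 1)
		sprintf(log_drop, "%s", "logdrop");
	else
		sprintf(log_drop, "%s", "DROP");
	if (log_level >= 2)
		sprintf(log_accept, "%s", "logaccept");
	else
		sprintf(log_accept, "%s", TARG_PASS);
	if (log_level >= 1)
		sprintf(log_reject, "%s", "logreject");
	else
		sprintf(log_reject, "%s", TARG_RST);

	write_chilli_script(fp, "-I");
	if (fclose(fp) != 0) {
		perror("/tmp/chilli/ip-up.sh");
		return;
	}

	fp = fopen("/tmp/chilli/ip-down.sh", "wb");
	if (fp == NULL)
		return;
	write_chilli_script(fp, "-D");
	if (fclose(fp) != 0) {
		perror("/tmp/chilli/ip-down.sh");
		return;
	}

	chmod("/tmp/chilli/ip-up.sh", 0750);
	chmod("/tmp/chilli/ip-down.sh", 0750);
}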
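/*
 * Return the client subnet the captive portal serves: "hotss_net" when the
 * hotspot service is on, else "chilli_net" when chilli is on and hotss is
 * explicitly off, falling back to chilli's default subnet in every case.
 * The pointer is an nvram value or a string literal; the caller does not
 * own it.
 */
static const char *chilli_client_net(void)
{
	if (nvram_match("hotss_enable", "1")) {
		if (strlen(nvram_safe_get("hotss_net")) > 0)
			return nvram_safe_get("hotss_net");
		return "192.168.182.0/24";
	}
	if (nvram_match("chilli_enable", "1")
	    && nvram_match("hotss_enable", "0")) {
		if (strlen(nvram_safe_get("chilli_net")) > 0)
			return nvram_safe_get("chilli_net");
		return "192.168.182.0/24";
	}
	/* Neither branch matched (e.g. hotss_enable unset rather than "0");
	 * the previous code left the pointer uninitialized here and then
	 * printed it, which is undefined behavior. */
	return "192.168.182.0/24";
}

/*
 * Make sure path exists as an executable-to-be stub hook ("#!/bin/sh"),
 * without overwriting a hook the admin already placed there.
 * Returns 0 if the file exists afterwards, -1 if it had to be created and
 * could not be.
 */
static int ensure_hook_script(const char *path)
{
	FILE *fp = fopen(path, "r");
	if (fp != NULL) {
		/* already present: keep it (the old check leaked this handle) */
		fclose(fp);
		return 0;
	}
	fp = fopen(path, "w");
	if (fp == NULL)
		return -1;
	fprintf(fp, "#!/bin/sh\n");
	fclose(fp);
	return 0;
}

/*
 * Generate the chilli hook scripts.
 *
 * /tmp/chilli/ip-up.sh deletes any stale copies and then inserts the tun0
 * accept rules, the PREROUTING guard for the portal interface, MSS clamping
 * and source NAT for the client subnet, and turns on rp_filter for the
 * portal interface. /tmp/chilli/ip-down.sh deletes the same rules. When
 * persistent storage (USB mounted as jffs, or JFFS2) is available, empty
 * con-up.sh / con-down.sh hooks are created under /jffs/etc/chilli unless
 * they already exist. Also fills in the file-scope log_drop, log_accept
 * and log_reject targets from "log_level".
 *
 * Returns early, reporting with perror where the old code did, if a script
 * cannot be created.
 */
void main_config(void)
{
	FILE *fp;
	int log_level = atoi(nvram_safe_get("log_level"));
	mkdir("/tmp/chilli", 0700);

	if (!(fp = fopen("/tmp/chilli/ip-up.sh", "w"))) {
		perror("/tmp/chilli/ip-up.sh");
		return;
	}

	/* logging targets only at the matching verbosity, plain targets otherwise */
	if (log_level >= 1)
		sprintf(log_drop, "%s", "logdrop");
	else
		sprintf(log_drop, "%s", "DROP");
	if (log_level >= 2)
		sprintf(log_accept, "%s", "logaccept");
	else
		sprintf(log_accept, "%s", TARG_PASS);
	if (log_level >= 1)
		sprintf(log_reject, "%s", "logreject");
	else
		sprintf(log_reject, "%s", TARG_RST);

	const char *chillinet = chilli_client_net();

	/* if we have a gw traffic will go there, but without a gw chilli may be
	 * used on a local network only; either way allow traffic in/out of tun0.
	 * Each rule is deleted before being inserted so re-running ip-up does
	 * not stack duplicates. */
	fprintf(fp, "#!/bin/sh\n");
	fprintf(fp, "iptables -D INPUT -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -o tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -I INPUT -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -I FORWARD -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -I FORWARD -o tun0 -j %s\n", log_accept);
	/* secure the portal interface (only useful when it is not br0): drop
	 * anything arriving on it that is not from the client subnet.
	 * NOTE(review): interface names and subnets come from nvram and are
	 * written unquoted into a shell script; they are admin-set config. */
	if (nvram_match("chilli_enable", "1")
	    && nvram_match("hotss_enable", "0")
	    && nvram_invmatch("chilli_interface", "br0")) {
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n", nvram_safe_get("chilli_interface"), chillinet, log_drop);
		fprintf(fp, "iptables -t nat -I PREROUTING -i %s ! -s %s -j %s\n", nvram_safe_get("chilli_interface"), chillinet, log_drop);
	}
	if (nvram_match("chilli_enable", "1")
	    && nvram_match("hotss_enable", "1")
	    && nvram_invmatch("hotss_interface", "br0")) {
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n", nvram_safe_get("hotss_interface"), chillinet, log_drop);
		fprintf(fp, "iptables -t nat -I PREROUTING -i %s ! -s %s -j %s\n", nvram_safe_get("hotss_interface"), chillinet, log_drop);
	}
	/* source NAT for the client subnet: MASQUERADE (plus our own MSS
	 * clamping) when there is no WAN, SNAT to the WAN address otherwise */
	if (nvram_match("wan_proto", "disabled")) {
		fprintf(fp, "iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
		fprintf(fp, "iptables -t nat -D POSTROUTING -s %s -j MASQUERADE\n", chillinet);
		fprintf(fp, "iptables -I FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");	// clamp when fw clamping is off
		fprintf(fp, "iptables -t nat -I POSTROUTING -s %s -j MASQUERADE\n", chillinet);
	} else {
		fprintf(fp, "iptables -t nat -D POSTROUTING -o %s -s %s -j SNAT --to-source=%s\n", nvram_safe_get("wan_iface"), chillinet, get_wan_ipaddr());
		fprintf(fp, "iptables -t nat -I POSTROUTING -o %s -s %s -j SNAT --to-source=%s\n", nvram_safe_get("wan_iface"), chillinet, get_wan_ipaddr());
	}
	/* enable reverse path filtering on the portal interface to prevent
	 * double outgoing packets */
	if (nvram_match("chilli_enable", "1")
		&& nvram_match("hotss_enable", "0")) {
		fprintf(fp, "echo 1 > /proc/sys/net/ipv4/conf/%s/rp_filter\n", nvram_safe_get("chilli_interface"));
	}
	if (nvram_match("chilli_enable", "1")
		&& nvram_match("hotss_enable", "1")) {
		fprintf(fp, "echo 1 > /proc/sys/net/ipv4/conf/%s/rp_filter\n", nvram_safe_get("hotss_interface"));
	}
	fclose(fp);

	if (!(fp = fopen("/tmp/chilli/ip-down.sh", "w"))) {
		perror("/tmp/chilli/ip-down.sh");
		return;
	}

	/* ip-down: delete exactly the rules ip-up inserted */
	fprintf(fp, "#!/bin/sh\n");
	fprintf(fp, "iptables -D INPUT -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -i tun0 -j %s\n", log_accept);
	fprintf(fp, "iptables -D FORWARD -o tun0 -j %s\n", log_accept);
	if (nvram_match("chilli_enable", "1")
	    && nvram_match("hotss_enable", "0")
	    && nvram_invmatch("chilli_interface", "br0"))
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n", nvram_safe_get("chilli_interface"), chillinet, log_drop);
	if (nvram_match("chilli_enable", "1")
	    && nvram_match("hotss_enable", "1")
	    && nvram_invmatch("hotss_interface", "br0"))
		fprintf(fp, "iptables -t nat -D PREROUTING -i %s ! -s %s -j %s\n", nvram_safe_get("hotss_interface"), chillinet, log_drop);
	if (nvram_match("wan_proto", "disabled")) {
		fprintf(fp, "iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
		fprintf(fp, "iptables -t nat -D POSTROUTING -s %s -j MASQUERADE\n", chillinet);
	} else {
		fprintf(fp, "iptables -t nat -D POSTROUTING -o %s -s %s -j SNAT --to-source=%s\n", nvram_safe_get("wan_iface"), chillinet, get_wan_ipaddr());
	}
	fclose(fp);

	chmod("/tmp/chilli/ip-up.sh", 0700);
	chmod("/tmp/chilli/ip-down.sh", 0700);

	/* use usb/jffs for the connection hook scripts if available */
	if ((nvram_match("usb_enable", "1")
	     && nvram_match("usb_storage", "1")
	     && nvram_match("usb_automnt", "1")
	     && nvram_match("usb_mntpoint", "jffs"))
	    || (nvram_match("enable_jffs2", "1")
		&& nvram_match("jffs_mounted", "1")
		&& nvram_match("sys_enable_jffs2", "1"))) {
		mkdir("/jffs/etc", 0700);
		mkdir("/jffs/etc/chilli", 0700);
		if (ensure_hook_script("/jffs/etc/chilli/con-up.sh") < 0)
			return;
		/* the old code opened con-up.sh for writing here, so con-down.sh
		 * was never created and an existing con-up.sh got overwritten */
		if (ensure_hook_script("/jffs/etc/chilli/con-down.sh") < 0)
			return;
		chmod("/jffs/etc/chilli/con-up.sh", 0700);
		chmod("/jffs/etc/chilli/con-down.sh", 0700);
	}
}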
/*
 * Stop the privoxy proxy: remove the transparent-proxy REDIRECT rule that
 * start_privoxy may have installed (the delete is harmless when no such
 * rule exists), then terminate the daemon.
 * NOTE(review): "-d ! addr" is the old iptables negation spelling — confirm
 * the shipped iptables still accepts it.
 */
void stop_privoxy(void)
{
	sysprintf("iptables -t nat -D PREROUTING -p tcp -d ! %s --dport 80 -j REDIRECT --to-port 8118",
		  get_wan_ipaddr());
	stop_process("privoxy", "privoxy");
}