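#!/bin/bash
#
# Bring up a madwifi access point on ${WIFIFACE}, serve DHCP on it, shape
# its traffic with tc and NAT the wireless clients out through ${INETFACE}.
#
# Usage: $0 {start|stop|restart|reload}
#
# Must run as root: writes /proc/sys, iptables, tc, iwconfig/wlanconfig.
#
# SECURITY NOTES (review):
#   * The link is protected with a static WEP key.  WEP is cryptographically
#     broken (the key can be recovered passively in minutes), so treat the
#     wireless segment as hostile -- the firewall below is the only real
#     boundary.  Migrate to WPA2 (hostapd) when the hardware allows it.
#   * The key is hard-coded in this file and passed on the iwconfig command
#     line, so it is visible in `ps` while iwconfig runs and in the shell
#     trace whenever `set -x` is enabled.  Keep this file mode 0600.
#   * INPUT policy is ACCEPT: every service listening on this host is
#     reachable from wireless clients and from the internet side.  Only the
#     rate limits and the fragment/INVALID drops apply to INPUT traffic.
#   * The tc filters match firewall marks 3 and 4, but no rule in this script
#     sets a mark (no `-j MARK`).  Unless the marks are set elsewhere (e.g. in
#     the mangle table) the shaping classes never see any traffic.
#
# Changes from the original (bash shebang instead of /bin/sh since the script
# uses the `function` keyword; INPUT SYN-flood rule now matches SYN packets
# instead of SYN+ACK; FORWARD policy is set to DROP before the flush; the nat
# table is flushed so reloads do not pile up MASQUERADE rules; ip_forward is
# enabled only after the rule set is in place; rp_filter is enabled; `start`
# now installs the tc shaping just like `restart` does).

# debugging (WARNING: the trace prints the WEP key)
# set -x

set -u

#
# binaries
#
TC=/sbin/tc
IPTABLES=/sbin/iptables

#
# variables
#
WIFIFACE=ath0          # madwifi VAP created from wifi0
INETFACE=eth2          # upstream / internet side (masqueraded)
LANIFACE=eth3          # wired LAN (not referenced by any rule below)
CHANNEL=9
ESSID="doom"
# Static 104-bit WEP key (26 hex digits).  See SECURITY NOTES above.
KEY="000A-BABE-0A7E-DEAD-BEEF-3141-59"
WIPADDR="10.1.1.1"
WNETMASK="255.255.255.0"
WBROADCAST="10.1.1.255"
WNETWORK="10.1.1.0"
DNLD=150Kbit           # DOWNLOAD limit (towards the wireless clients)
DWEIGHT=15Kbit         # DOWNLOAD weight factor ~ 1/10 of DOWNLOAD limit
UPLD=12Kbit            # UPLOAD limit (towards the internet)
UWEIGHT=1Kbit          # UPLOAD weight factor

#######################################
# Stop the DHCP server.  Called before every (re)configuration and on stop.
# Note: this does not tear down the AP, the tc qdiscs or the iptables rules.
#######################################
cleanup() {
  /etc/init.d/dhcp3-server stop
}

#######################################
# (Re)create the madwifi VAP in master (AP) mode and configure address,
# ESSID, channel and WEP key.  The sleeps give the driver time to settle
# between steps.
#######################################
wifi_up() {
  # madwifi needs the VAP destroyed and recreated to change its mode
  wlanconfig "$WIFIFACE" destroy
  sleep 1
  wlanconfig "$WIFIFACE" create wlandev wifi0 wlanmode ap
  sleep 1
  iwconfig "$WIFIFACE" mode master
  sleep 1
  ifconfig "$WIFIFACE" "$WIPADDR" broadcast "$WBROADCAST" netmask "$WNETMASK"
  sleep 1
  iwconfig "$WIFIFACE" essid "$ESSID"
  sleep 1
  iwconfig "$WIFIFACE" channel "$CHANNEL"
  sleep 1
  # The key is exposed on the iwconfig command line for the duration of
  # the call -- unavoidable with the iwconfig interface.
  iwconfig "$WIFIFACE" key "$KEY"
}

#######################################
# Start the DHCP server for the wireless segment.
#######################################
dhcp() {
  #dhcpd3 -pf /var/run/dhcpd.run
  /etc/init.d/dhcp3-server start
}

#######################################
# Install CBQ shaping: one bounded class per direction, selected by firewall
# mark (4 = download on $WIFIFACE, 3 = upload on $INETFACE).  The marks are
# not set anywhere in this script; see SECURITY NOTES.
#######################################
tc_start() {
  # download: wireless side, 100Mbit physical, one class capped at $DNLD
  "$TC" qdisc add dev "$WIFIFACE" root handle 11: cbq bandwidth 100Mbit avpkt 1000 mpu 64
  "$TC" class add dev "$WIFIFACE" parent 11:0 classid 11:1 cbq rate "$DNLD" weight "$DWEIGHT" allot 1514 prio 1 avpkt 1000 bounded
  "$TC" filter add dev "$WIFIFACE" parent 11:0 protocol ip handle 4 fw flowid 11:1

  # upload: internet side, 10Mbit physical, one class capped at $UPLD
  "$TC" qdisc add dev "$INETFACE" root handle 10: cbq bandwidth 10Mbit avpkt 1000 mpu 64
  "$TC" class add dev "$INETFACE" parent 10:0 classid 10:1 cbq rate "$UPLD" weight "$UWEIGHT" allot 1514 prio 1 avpkt 1000 bounded
  "$TC" filter add dev "$INETFACE" parent 10:0 protocol ip handle 3 fw flowid 10:1
}

#######################################
# Remove the root qdiscs (and with them all classes/filters) on both
# interfaces.  Fails harmlessly when no qdisc is installed yet.
#######################################
tc_stop() {
  "$TC" qdisc del dev "$WIFIFACE" root
  "$TC" qdisc del dev "$INETFACE" root
}

#######################################
# Replace the shaping configuration: tear down, settle, reinstall.
#######################################
tc_restart() {
  tc_stop
  sleep 1
  tc_start
}

#######################################
# Print qdisc/class/filter state for both shaped interfaces (diagnostic;
# not reached from any action of this script).
#######################################
tc_show() {
  local dev
  for dev in "$WIFIFACE" "$INETFACE"; do
    echo ""
    echo "$dev:"
    "$TC" qdisc show dev "$dev"
    "$TC" class show dev "$dev"
    "$TC" filter show dev "$dev"
  done
  echo ""
}

#######################################
# Kernel hardening sysctls, NAT and the filter rule set.
#
# Ordering matters: the FORWARD policy is set to DROP before the tables are
# flushed, and ip_forward is switched on only after all rules are loaded, so
# a reload never opens an unfiltered forwarding window.
#######################################
firewall() {
  # Disable response to broadcasts (smurf amplification).
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Don't accept source routed packets.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  # Disable ICMP redirect acceptance.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  # Enable bad error message protection.
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # Log spoofed packets, source routed packets, redirect packets.
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
  # Reverse-path filtering: drop packets whose source would not be routed
  # back out the interface they arrived on (complements the FORWARD
  # anti-spoof rule below, and also covers INPUT).
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  # Policies first, then flush, so the flush leaves FORWARD closed.
  "$IPTABLES" -P INPUT ACCEPT      # see SECURITY NOTES: host services are open
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  # The nat table must be flushed too, otherwise every reload appends one
  # more MASQUERADE rule to POSTROUTING.
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X

  # Loopback - Allow unlimited traffic
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  # Drop all invalid packets
  "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
  "$IPTABLES" -A OUTPUT -m state --state INVALID -j DROP
  "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP

  # Masquerade the wireless clients behind the internet-facing address
  "$IPTABLES" -t nat -A POSTROUTING -o "$INETFACE" -j MASQUERADE

  # SYN-Flooding Protection.  NOTE: the limit is global (1 new TCP
  # connection per second, burst 4) for the whole wireless segment, not
  # per client; legitimate browsing from several clients will hit it.
  "$IPTABLES" -N syn-flood
  "$IPTABLES" -A syn-flood -m limit --limit 1/second --limit-burst 4 -j RETURN
  "$IPTABLES" -A syn-flood -j DROP

  # UDP-Flooding protection.  Same caveat: 4 UDP packets/second in total,
  # which includes the clients' DNS queries.
  "$IPTABLES" -N udp-flood
  "$IPTABLES" -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
  "$IPTABLES" -A udp-flood -j DROP

  # INPUT filters (traffic addressed to this host from the wireless side)
  # The original matched SYN+ACK here, i.e. replies to this host's own
  # outbound connections, and left inbound SYNs unlimited; use --syn like
  # the FORWARD rule does.
  "$IPTABLES" -A INPUT -i "$WIFIFACE" -p tcp --syn -j syn-flood
  # Make sure that new TCP connections are SYN packets
  "$IPTABLES" -A INPUT -i "$WIFIFACE" -p tcp ! --syn -m state --state NEW -j DROP
  "$IPTABLES" -A INPUT -i "$WIFIFACE" -p udp -j udp-flood
  "$IPTABLES" -A INPUT -i "$WIFIFACE" -f -j DROP                 # drop fragments

  # Forwarding rules
  # These three hosts are trusted unconditionally: they bypass the flood,
  # fragment and 192.168.2.0/24 restrictions below.  Nothing stops another
  # client on this WEP-protected segment from spoofing these addresses
  # (MAC/IP pinning is not done here).
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -s 10.1.1.200 -j ACCEPT  # allow kali
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -s 10.1.1.3 -j ACCEPT    # allow kali
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -s 10.1.1.2 -j ACCEPT    # allow vorian
  # Must be from our network (intrapositioned "! " kept for old iptables;
  # newer versions accept/prefer "! -s").
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -s ! "${WNETWORK}/24" -j DROP
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -d 192.168.2.1 -j ACCEPT    # access router
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -d 192.168.2.0/24 -j DROP   # drop for local network
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -p tcp ! --syn -m state --state NEW -j DROP
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -p tcp --syn -j syn-flood   # SYN flood
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -p udp -j udp-flood         # UDP flood
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -f -j DROP
  "$IPTABLES" -A FORWARD -i "$WIFIFACE" -j ACCEPT
  # NOTE(review): this accepts *any* traffic towards the wireless clients,
  # not just replies (no ESTABLISHED,RELATED check).  Unsolicited packets
  # from the internet are mostly stopped by the masquerade, but anything
  # routed in from $LANIFACE reaches the clients unfiltered.  Restrict to
  # `-m state --state ESTABLISHED,RELATED` if LAN->wifi access is not wanted.
  "$IPTABLES" -A FORWARD -o "$WIFIFACE" -j ACCEPT

  # Only now enable routing, with the rule set fully in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  "$IPTABLES" -nvL
}

#
# core script
#
case "${1:-}" in
  start)
    cleanup
    sleep 1
    wifi_up
    sleep 1
    dhcp
    sleep 1
    # shaping was only installed by restart/reload before; start does it too
    tc_restart
    firewall
    ;;
  stop)
    # only the DHCP server is stopped; AP, shaping and firewall stay up
    cleanup
    ;;
  restart)
    cleanup
    sleep 1
    wifi_up
    sleep 1
    dhcp
    sleep 1
    tc_restart
    firewall
    ;;
  reload)
    # like restart but leaves the wireless interface as it is
    cleanup
    sleep 1
    dhcp
    sleep 1
    tc_restart
    firewall
    ;;
  *)
    echo "Usage is: $0 {start|stop|restart|reload}" >&2
    ;;
esac
exit 0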