mesh firewall

src/freedombone

@@ -432,7 +432,7 @@ TOX_COMMIT='73b2144edcfd1ca617e9054479b66ab0c0361a14'
 TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
 # These are some default nodes, but you can replace them with trusted nodes
 # as you prefer. See https://wiki.tox.im/Nodes
-TOX_NODE=
+TOX_NODES=
 #TOX_NODES=(
 #  '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US'
 #  '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
@@ -1235,7 +1235,7 @@ function read_configuration {
             TLS_TIME_SOURCE2=$(grep "TLS_TIME_SOURCE2" $CONFIGURATION_FILE | awk -F '=' '{print $2}')
         fi
     fi
-	echo "System type: $SYSTEM_TYPE"
+    echo "System type: $SYSTEM_TYPE"
 }
 
 function set_default_onion_domains {

src/freedombone-image-customise

@@ -69,6 +69,8 @@ SSH_PORT=2222
 # Whether sites are accessible only within a Tor browser
 ONION_ONLY="no"
 
+WIFI_INTERFACE='wlan0'
+
 enable_eatmydata_override() {
     chroot $rootdir apt-get install --no-install-recommends -y eatmydata
     if [ -x $rootdir/usr/bin/eatmydata ] && \
@@ -391,7 +393,7 @@ mesh_avahi() {
     echo '</service-group>' >> $rootdir/etc/avahi/services/ssh.service
 
     # keep the daemon running
-	WATCHDOG_SCRIPT_NAME="keepon"
+    WATCHDOG_SCRIPT_NAME="keepon"
     echo '' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
     echo '# keep avahi daemon running' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
     echo 'AVAHI_RUNNING=$(pgrep avahi-daemon > /dev/null && echo Running)' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
@@ -400,10 +402,10 @@ mesh_avahi() {
     echo '  echo -n $CURRENT_DATE >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
     echo '  echo " Avahi daemon restarted" >> $LOGFILE' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
     echo 'fi' >> $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
-	chmod +x $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
+    chmod +x $rootdir/usr/bin/$WATCHDOG_SCRIPT_NAME
 }
 
-function mesh_batman {
+mesh_batman() {
     chroot "$rootdir" apt-get -y install iproute bridge-utils libnetfilter-conntrack3 batctl
     chroot "$rootdir" apt-get -y install python-dev libevent-dev ebtables python-pip git
     chroot "$rootdir" apt-get -y install wireless-tools rfkill
@@ -412,11 +414,11 @@ function mesh_batman {
         echo 'batman_adv' >> $rootdir/etc/modules
     fi
 
-	if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
+    if [ -f /usr/local/bin/${PROJECT_NAME}-mesh-batman ]; then
         cp /usr/local/bin/${PROJECT_NAME}-mesh-batman $rootdir/var/lib/batman
-	else
+    else
         cp /usr/bin/${PROJECT_NAME}-mesh-batman $rootdir/var/lib/batman
-	fi
+    fi
 
     echo '[Unit]' > $rootdir/etc/systemd/system/batman.service
     echo 'Description=B.A.T.M.A.N. Advanced' >> $rootdir/etc/systemd/system/batman.service
@@ -435,7 +437,78 @@ function mesh_batman {
     chroot "$rootdir" systemctl enable batman
 }
 
-function mesh_tox_node {
+mesh_firewall() {
+    TOX_PORT=33445
+    ZERONET_PORT=15441
+    TRACKER_PORT=6969
+    FIREWALL_FILENAME=$rootdir/etc/systemd/system/meshfirewall.service
+    MESH_FIREWALL_SCRIPT=/usr/bin/mesh-firewall
+
+    echo '#!/bin/bash' > $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -P INPUT ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -P INPUT ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -t nat -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -t nat -F' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -X' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -X' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -P INPUT DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'ip6tables -P INPUT DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -i lo -j ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '# Make sure incoming tcp connections are SYN packets' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '# Drop packets with incoming fragments' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -f -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '# Drop bogons' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '# Incoming malformed NULL packets:' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo 'iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo '' >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
+    echo "iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT" >> $rootdir/$MESH_FIREWALL_SCRIPT
+    chmod +x $rootdir/$MESH_FIREWALL_SCRIPT
+
+    echo '[Unit]' > $FIREWALL_FILENAME
+    echo 'Description=Mesh Firewall' >> $FIREWALL_FILENAME
+    echo '' >> $FIREWALL_FILENAME
+    echo '[Service]' >> $FIREWALL_FILENAME
+    echo 'Type=oneshot' >> $FIREWALL_FILENAME
+    echo "ExecStart=$MESH_FIREWALL_SCRIPT" >> $FIREWALL_FILENAME
+    echo 'RemainAfterExit=no' >> $FIREWALL_FILENAME
+    echo '' >> $FIREWALL_FILENAME
+    echo 'TimeoutSec=30' >> $FIREWALL_FILENAME
+    echo '' >> $FIREWALL_FILENAME
+    echo '[Install]' >> $FIREWALL_FILENAME
+    echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
+    chroot "$rootdir" systemctl enable meshfirewall
+}
+
+mesh_tox_node() {
+    TOX_REPO='git://github.com/irungentoo/toxcore.git'
+    TOX_COMMIT='73b2144edcfd1ca617e9054479b66ab0c0361a14'
+    TOX_BOOTSTRAP_ID_FILE=/var/lib/tox-bootstrapd/pubkey.txt
+    # These are some default nodes, but you can replace them with trusted nodes
+    # as you prefer. See https://wiki.tox.im/Nodes
+    TOX_NODES=
+    #TOX_NODES=(
+    #  '192.254.75.102,2607:5600:284::2,33445,951C88B7E75C867418ACDB5D273821372BB5BD652740BCDF623A4FA293E75D2F,Tox RELENG,US'
+    #  '144.76.60.215,2a01:4f8:191:64d6::1,33445,04119E835DF3E78BACF0F84235B300546AF8B936F035185E2A8E9E0A67C8924F,sonOfRa,DE'
+    #)
+    iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+    save_firewall_settings
+
     chroot "$rootdir" apt-get -y install build-essential libtool autotools-dev
     chroot "$rootdir" apt-get -y install automake checkinstall check git yasm
     chroot "$rootdir" apt-get -y install libsodium13 libsodium-dev libcap2-bin
@@ -543,29 +616,30 @@ initialise_mesh() {
     if [[ $VARIANT != "mesh" ]]; then
         return
     fi
+    mesh_firewall
     mesh_avahi
-	mesh_batman
-
-	#MESH_SERVICE='mesh-setup.service'
-    #MESH_SETUP_DAEMON=$rootdir/etc/systemd/system/$MESH_SERVICE
-
-    #echo '[Unit]' > $MESH_SETUP_DAEMON
-    #echo 'Description=Initial mesh router configuration' >> $MESH_SETUP_DAEMON
-    #echo 'After=syslog.target' >> $MESH_SETUP_DAEMON
-    #echo 'After=network.target' >> $MESH_SETUP_DAEMON
-    #echo '[Service]' >> $MESH_SETUP_DAEMON
-    #echo 'Type=simple' >> $MESH_SETUP_DAEMON
-    #echo 'User=root' >> $MESH_SETUP_DAEMON
-    #echo 'Group=root' >> $MESH_SETUP_DAEMON
-    #echo 'WorkingDirectory=/root' >> $MESH_SETUP_DAEMON
-    #echo "ExecStart=/usr/local/bin/${PROJECT_NAME}-image-mesh > /var/log/mesh-setup.log" >> $MESH_SETUP_DAEMON
-    #echo '' >> $MESH_SETUP_DAEMON
-    #echo 'TimeoutSec=99999' >> $MESH_SETUP_DAEMON
-    #echo '' >> $MESH_SETUP_DAEMON
-    #echo '[Install]' >> $MESH_SETUP_DAEMON
-    #echo 'WantedBy=multi-user.target' >> $MESH_SETUP_DAEMON
-
-    #chroot "$rootdir" systemctl enable $MESH_SERVICE
+    mesh_batman
+    #mesh_tox_node
+
+    MESH_SERVICE='mesh-setup.service'
+    MESH_SETUP_DAEMON=$rootdir/etc/systemd/system/$MESH_SERVICE
+
+    echo '[Unit]' > $MESH_SETUP_DAEMON
+    echo 'Description=Initial mesh router configuration' >> $MESH_SETUP_DAEMON
+    echo 'After=syslog.target' >> $MESH_SETUP_DAEMON
+    echo 'After=network.target' >> $MESH_SETUP_DAEMON
+    echo '[Service]' >> $MESH_SETUP_DAEMON
+    echo 'Type=simple' >> $MESH_SETUP_DAEMON
+    echo 'User=root' >> $MESH_SETUP_DAEMON
+    echo 'Group=root' >> $MESH_SETUP_DAEMON
+    echo 'WorkingDirectory=/root' >> $MESH_SETUP_DAEMON
+    echo "ExecStart=/usr/local/bin/${PROJECT_NAME}-image-mesh > /var/log/mesh-setup.log" >> $MESH_SETUP_DAEMON
+    echo '' >> $MESH_SETUP_DAEMON
+    echo 'TimeoutSec=99999' >> $MESH_SETUP_DAEMON
+    echo '' >> $MESH_SETUP_DAEMON
+    echo '[Install]' >> $MESH_SETUP_DAEMON
+    echo 'WantedBy=multi-user.target' >> $MESH_SETUP_DAEMON
+    chroot "$rootdir" systemctl enable $MESH_SERVICE
 }
 
 # Set to true/false to control if eatmydata is used during build