La Fonera may not be the best geek gadget to spend a while hacking on (in the sense of giving it new functions and so on) because of its limited hardware, but surely something can still be done with it, right?
Until dd-wrt supports La Fonera (if they ever decide to support it) we will have to manage on our own; as the saying goes in hacker jargon, "show me the code", meaning: if it isn't done yet, I'll do it myself ;)..
I have been tinkering with La Fonera and, as I already posted on my blog, I want to turn it into a bridge and see what other functionality can be added to it. The bridge part is already under control, since a few days ago I saw how to configure the two br interfaces and link them; if you don't want to complicate your life there is a ready-made script...
--------------------------------------
Here it goes:
/etc/firewall.fon
# Firewall script, specific for OpenWrt: permits traffic from chilli clients to Internet, restricts inter-interface traffic
. /etc/functions.sh
. /tmp/network-config
config_load fon

WL="$wifi_ifname"
WAN="$wan_ifname"
LAN="$lan_ifname"

# NET_ACCESS decides where hotspot (tun0) traffic may go
iptables -N NET_ACCESS 2>&- >&-
iptables -F NET_ACCESS
# WAN_HOOK will contain rules to restrict traffic to the wan network
iptables -N WAN_HOOK 2>&- >&-

# ChilliSpot
iptables -A NET_ACCESS -p tcp --dport 3990 -j ACCEPT
# DNS is always allowed from the tunnel
iptables -A NET_ACCESS -p udp --dport 53 -j ACCEPT
iptables -A NET_ACCESS -p tcp --dport 53 -j ACCEPT

# Access control for the hotspot (section "config firewall access" in /etc/config/fon)
config_get wan access hotspot_wan
enabled "$wan" 0 || iptables -A NET_ACCESS -j WAN_HOOK
config_get lan access hotspot_lan
if enabled "$lan" 0; then
    iptables -t nat -A POSTROUTING -o "$LAN" -j MASQUERADE
else
    iptables -A NET_ACCESS -o "$lan_ifname" -j DROP
fi
config_get wan access lan_wan
enabled "$wan" 1 || iptables -I FORWARD 1 -i "$LAN" -o "$WAN" -j WAN_HOOK

# allow regular wan traffic
[ -z "$WAN" ] || {
    iptables -A NET_ACCESS -o "$WAN" -j ACCEPT
    iptables -A NET_ACCESS -i "$WAN" -j ACCEPT
}
iptables -A NET_ACCESS -o "$LAN" -j ACCEPT
iptables -A NET_ACCESS -i "$LAN" -j ACCEPT
# drop everything that we haven't explicitly allowed
iptables -A NET_ACCESS -j DROP

# --- INPUT PART ---
iptables -N INPUT_CFG 2>&- >&-
iptables -F INPUT_CFG 2>&- >&-
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j DROP
iptables -I INPUT 2 -i "$LAN" -j INPUT_CFG
iptables -I INPUT 3 -i tun0 -j NET_ACCESS

# --- FORWARD PART ---
iptables -I forwarding_rule 1 -i "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 2 -o "$LAN" -j INPUT_CFG
iptables -I forwarding_rule 3 -i tun0 -j NET_ACCESS
iptables -I forwarding_rule 4 -o tun0 -j NET_ACCESS

# Drop all unmanaged traffic from the public interface
iptables -t nat -A PREROUTING -i "$WL" -j DROP

ACTION=ifup INTERFACE=wan sh /etc/hotplug.d/iface/20-firewall
--------------------------------------
/etc/config/qos
# QoS configuration for OpenWrt

# INTERFACES:
config interface hotspot
	option classgroup "Default"
	option enabled 0
	option upload 512
	option download 512
	option device tun0

config interface wan
	option classgroup "Default"
	option enabled 0
	option upload 128
	option download 1024

# RULES:
config classify
	option target "Bulk"
	option ipp2p "all"

config classify
	option target "Bulk"
	option layer7 "edonkey"

config classify
	option target "Bulk"
	option layer7 "bittorrent"

config classify
	option target "Priority"
	option layer7 "irc"

config classify
	option target "Priority"
	option ports "22,53"

config classify
	option target "Normal"
	option proto "tcp"
	option ports "20,21,25,80,110,443,993,995"

config classify
	option target "Express"
	option ports "5190"

config default
	option target "Express"
	option proto "udp"
	option pktsize "-500"

config reclassify
	option target "Priority"
	option proto "icmp"

config default
	option target "Bulk"
	option portrange "1024-65535"

config reclassify
	option target "Priority"
	option proto "tcp"
	option pktsize "-128"
	option mark "!Bulk"
	option tcpflags "SYN"

config reclassify
	option target "Priority"
	option proto "tcp"
	option pktsize "-128"
	option mark "!Bulk"
	option tcpflags "ACK"

# Don't change the stuff below unless you
# really know what it means :)
config classgroup "Default"
	option classes "Priority Express Normal Bulk"
	option default "Normal"

config class "Priority"
	option packetsize 300
	option packetdelay 10
	option maxsize 400
	option avgrate 40
	option linksharing 75

config class "Priority_down"
	option packetsize 1500
	option avgrate 20

config class "Express"
	option packetsize 1300
	option packetdelay 15
	option maxsize 800
	option avgrate 30
	option linksharing 80

config class "Normal"
	option packetsize 1500
	option packetdelay 150
	option avgrate 20
	option linksharing 30

config class "Normal_down"
	option avgrate 30

config class "Bulk"
	option linksharing 10

config class "Bulk_down"
	option avgrate 15
	option limitrate 85
--------------------------------------
/etc/config/fon
# Syntax:
#
# config
#	option
#
# Network Interfaces: (config network )
#   available sections: lan, wan, hotspot
#   available options:
#     - mode: operation mode (static, dhcp, pppoe, pptp)
#     (depending on mode):
#       - static: ipaddr, netmask, gateway
#       - dhcp: (optional) ipaddr
#       - pppoe: username, password
#       - pptp: username, password, server
#
# Wireless Settings: (config wifi )
#   available sections: public, private
#   available options:
#     - essid
#     (private only)
#     - encryption: wpa, wpa2, mixed (optionally append /tkip, /aes or /tkip+aes)
#     - password

. /etc/functions.sh # this line always needs to be present

config network lan
	option mode static
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option dhcp '0'

config network wan
	option mode ''
	option ipaddr '192.168.1.50'
	option netmask '255.255.255.0'
	option gateway '192.168.1.102'
	option dns '192.168.1.102'

config wifi public
	option essid 'vicent'

config wifi private
	option essid 'Hortanet'
	option encryption 'open'
	option wpa_crypto tkip+aes
	option password $(get_serial)

config firewall access
	option lan_wan '1'
	option hotspot_wan '1'
	option hotspot_lan '1'

config wifi advanced
	option bgmode 'mixed'
	option channel '02'
--------------------------------------
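The three flags in the "config firewall access" section above are what /etc/firewall.fon reads to decide whether hotspot clients may reach the WAN and the LAN and whether LAN-to-WAN traffic is restricted. Added example (not from the original post or from Fon's firmware): a small Python model that parses UCI-style config text and derives those three decisions the way the script's enabled/config_get logic does; it assumes OpenWrt's enabled() returns true when the option value (or its default, if the option is unset) is "1".

```python
"""Model of how /etc/firewall.fon turns 'config firewall access' in
/etc/config/fon into hotspot/LAN/WAN policy (added example, not Fon's code)."""

# Constructed sample in UCI syntax; hotspot_lan is '0' to show the DROP branch.
SAMPLE_FON_CONFIG = """\
config firewall access
    option lan_wan '1'
    option hotspot_wan '1'
    option hotspot_lan '0'
"""


def parse_uci(text):
    """Parse 'config <type> [name]' / 'option <key> <value>' lines into
    {section name (or type, for anonymous sections): {key: value}}.
    Quotes around values are stripped; comments and the '. /etc/functions.sh'
    line are ignored. Anonymous sections of the same type overwrite each other,
    which is fine for the named 'access' section this model needs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip("'\"") for p in line.split(None, 2)]
        if parts[0] == "config" and len(parts) >= 2:
            current = parts[2] if len(parts) > 2 else parts[1]
            sections[current] = {}
        elif parts[0] == "option" and current is not None and len(parts) == 3:
            sections[current][parts[1]] = parts[2]
    return sections


def enabled(value, default):
    """Assumed semantics of OpenWrt's enabled(): true when the option value,
    or the default if the option is unset/empty, equals '1'."""
    return (value if value else str(default)) == "1"


def access_policy(sections):
    """Derive the decisions firewall.fon makes from the 'access' section.
    Defaults mirror the script: hotspot_wan 0, hotspot_lan 0, lan_wan 1."""
    access = sections.get("access", {})
    return {
        # enabled "$wan" 0 || iptables -A NET_ACCESS -j WAN_HOOK
        "hotspot_to_wan": "unrestricted" if enabled(access.get("hotspot_wan"), 0) else "WAN_HOOK",
        # if enabled "$lan" 0; then MASQUERADE to LAN; else DROP hotspot->LAN
        "hotspot_to_lan": "MASQUERADE" if enabled(access.get("hotspot_lan"), 0) else "DROP",
        # enabled "$wan" 1 || iptables -I FORWARD 1 -i $LAN -o $WAN -j WAN_HOOK
        "lan_to_wan": "unrestricted" if enabled(access.get("lan_wan"), 1) else "WAN_HOOK",
    }
```

Running access_policy(parse_uci(...)) over your own /etc/config/fon is a quick way to check that hotspot clients are not being given NAT access to the private LAN by accident.
--------------------------------------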
/etc/firewall.user
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

. /tmp/network-config
WAN="$wan_ifname"
LAN="$lan_ifname"

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
## The "-i $WAN" is used to match packets that come in via the $WAN interface.
## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
## to see the effects from within the LAN.

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT
--------------------------------------
As you can see, OpenWrt's configuration files are fairly complete...
Another configuration file I'm interested in is ChilliSpot's. ChilliSpot is a captive portal; in this case it makes users who connect through your public interface authenticate with Fon... Here's the file...
---------------------------------------------------
radiusserver1 radius01.fon.com
radiusserver2 radius02.fon.com
radiussecret garrafon
dhcpif eth1
uamsecret garrafon
uamanydns
uamallowed www.martinvarsavsky.net,www.google.com,www.flickr.com,static.flickr.com,video.google.com,216.239.51.0/24,66.249.81.0/24
uamallowed www.fon.com,www.paypal.com,www.paypalobjects.com,www.skype.com,66.249.93.0/24,72.14.207.0/24,72.14.209.0/24,84.96.67.128/24,213.91.9.0/24,80.118.99.0/24
uamallowed shop.fon.co.kr,secure.nuguya.com,inilite.inicis.com
uamserver (broken link)
--------------------------------------
There are many more, such as /etc/banner, which, if we modify it, lets us change La Fonera's welcome message; I have left mine like this. More geek.
All this information is meant to encourage development and experimentation with your Foneras ;) since I think it is another thing this little device can offer us: learning how an embedded Linux system (OpenWrt in this case) works.
Regards