Skip to content

Commit

Permalink
Merge pull request #1 from yn/dev-0.5
Browse files Browse the repository at this point in the history
Dev 0.5
  • Loading branch information
yn authored Dec 18, 2022
2 parents a2f7fca + 7169037 commit 70af3fb
Show file tree
Hide file tree
Showing 3 changed files with 96 additions and 17 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ Please add
- **netmask** (**required**): Subnet mask of the network
- **broadcast** (**required**): Broadcast address of the network
- **interface** (_optional_): Which wlan card to use. Default: wlan0
- **virtual_interface** (_optional_): If set (e.g. to wlan1) a new virtual interface will be used as access point, leaving the wlan0 interface working as station.
- **isolation** (_optional_): Enable or disable network isolation. 0 = disable, 1 = enable. Defaults to disabled. Note: If the DNS server is provided by a local router, it will not be accessible inside the AP network. In that case you should set the _client_dns_override_ option to an external DNS, e.g. 8.8.8.8.
- **hide_ssid** (_optional_): Whether SSID is visible or hidden. 0 = visible, 1 = hidden. Defaults to visible
- **dhcp** (_optional_): Enable or disable DHCP server. 0 = disable, 1 = enable. Defaults to disabled
- **dhcp_start_addr** (_optional_): Start address for DHCP range. Required if DHCP enabled
Expand Down
4 changes: 4 additions & 0 deletions hassio-access-point/config.json
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
"netmask": "255.255.255.0",
"broadcast": "192.168.99.255",
"interface": "wlan0",
"virtual_interface": "",
"isolation": "0",
"hide_ssid": "0",
"dhcp": "0",
"dhcp_start_addr": "192.168.99.10",
Expand All @@ -42,6 +44,8 @@
"netmask": "str",
"broadcast": "str",
"interface": "str",
"isolation": "str",
"virtual_interface": "str",
"hide_ssid": "int",
"dhcp": "int",
"dhcp_start_addr": "str",
Expand Down
107 changes: 90 additions & 17 deletions hassio-access-point/run.sh
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,36 @@ term_handler(){
ifdown $INTERFACE
ip link set $INTERFACE down
ip addr flush dev $INTERFACE
if [ ${#VINTERFACE} -ne 0 ]; then
iw dev $INTERFACE del
fi
cleanup_iptables
exit 0
}


function cleanup_iptables() {
if [ ${#VINTERFACE} -ne 0 ]; then
iptables -t nat -D POSTROUTING -o $BASE_INTERFACE -j MASQUERADE
fi
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -D PREROUTING -i $INTERFACE -j ACCEPT
iptables -D INPUT -i $INTERFACE -j DROP
iptables -D INPUT -i $INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ ${#VINTERFACE} -ne 0 ]; then
wifi_net=$(ip addr show $BASE_INTERFACE | grep inet | awk '{print $2}')
if [ ${#wifi_net} -ne 0 ]; then
iptables -D FORWARD -i $INTERFACE -o $BASE_INTERFACE -d ${wifi_net} -j DROP
fi
fi
eth_net=$(ip addr show eth0 | grep 'inet ' | awk '{print $2}')
if [ ${#eth_net} -ne 0 ]; then
iptables -D FORWARD -i $INTERFACE -o eth0 -d ${eth_net} -j DROP
fi
iptables -D INPUT -p udp -i $INTERFACE --dport 67 -j ACCEPT
}


# Logging function to set verbosity of output to addon log
logger(){
msg=$1
Expand All @@ -27,11 +54,12 @@ ADDRESS=$(jq --raw-output ".address" $CONFIG_PATH)
NETMASK=$(jq --raw-output ".netmask" $CONFIG_PATH)
BROADCAST=$(jq --raw-output ".broadcast" $CONFIG_PATH)
INTERFACE=$(jq --raw-output ".interface" $CONFIG_PATH)
VINTERFACE=$(jq --raw-output ".virtual_interface" $CONFIG_PATH)
ISOLATION=$(jq --raw-output ".isolation" $CONFIG_PATH)
HIDE_SSID=$(jq --raw-output ".hide_ssid" $CONFIG_PATH)
DHCP=$(jq --raw-output ".dhcp" $CONFIG_PATH)
DHCP_START_ADDR=$(jq --raw-output ".dhcp_start_addr" $CONFIG_PATH)
DHCP_END_ADDR=$(jq --raw-output ".dhcp_end_addr" $CONFIG_PATH)
DNSMASQ_CONFIG_OVERRIDE=$(jq --raw-output '.dnsmasq_config_override | join(" ")' $CONFIG_PATH)
ALLOW_MAC_ADDRESSES=$(jq --raw-output '.allow_mac_addresses | join(" ")' $CONFIG_PATH)
DENY_MAC_ADDRESSES=$(jq --raw-output '.deny_mac_addresses | join(" ")' $CONFIG_PATH)
DEBUG=$(jq --raw-output '.debug' $CONFIG_PATH)
Expand All @@ -45,6 +73,12 @@ if [ ${#INTERFACE} -eq 0 ]; then
INTERFACE="wlan0"
fi

# If we use a virtual interface, INTERFACE points to the base interface
if [ ${#VINTERFACE} -ne 0 ]; then
BASE_INTERFACE="${INTERFACE}"
INTERFACE="${VINTERFACE}"
fi

# Set debug as 0 if not specified in config
if [ ${#DEBUG} -eq 0 ]; then
DEBUG=0
Expand All @@ -58,6 +92,15 @@ logger "Add to /etc/network/interfaces: iface $INTERFACE inet static" 1
# Create and add our interface to interfaces file
echo "iface $INTERFACE inet static"$'\n' >> /etc/network/interfaces

# Create virtual interface if needed
if [ ${#VINTERFACE} -ne 0 ]; then
# If using virtual interface, channel must be the same as the base interface
CHANNEL=$(iw dev $BASE_INTERFACE info | grep channel | awk '{print $2}')
# Create virtual interface
logger "Run command: iw dev $BASE_INTERFACE interface add $INTERFACE type __ap" 1
iw dev $BASE_INTERFACE interface add $INTERFACE type __ap
fi

logger "Run command: nmcli dev set $INTERFACE managed no" 1
nmcli dev set $INTERFACE managed no

Expand Down Expand Up @@ -96,6 +139,11 @@ if [ $DHCP -ne 1 ]; then
DHCP=0
fi

# Sanitise config value for isolation
if [ $ISOLATION -ne 1 ]; then
ISOLATION=0
fi

if [[ -n $error ]]; then
exit 1
fi
Expand Down Expand Up @@ -197,7 +245,6 @@ if [ $DHCP -eq 1 ]; then
echo "$dns_string"$'\n' >> /dnsmasq.conf
logger "Add DNS: $dns_string" 0
fi

fi

# Append override options to dnsmasq.conf
Expand All @@ -209,25 +256,44 @@ if [ $DHCP -eq 1 ]; then
logger "Add to dnsmasq.conf: $override" 0
done
fi

# Setup Client Internet Access
if [ $CLIENT_INTERNET_ACCESS -eq 1 ]; then

## Route traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -F FORWARD
fi

else
logger "# DHCP not enabled. Skipping dnsmasq" 1
# Setup Client Internet Access
## No DHCP == No DNS. Must be set manually on client.
## Step 1: Routing
if [ $CLIENT_INTERNET_ACCESS -eq 1 ]; then
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -F FORWARD
fi

# Setup Client Internet Access
if [ $CLIENT_INTERNET_ACCESS -eq 1 ]; then
## Route traffic
if [ ${#VINTERFACE} -ne 0 ]; then
iptables -t nat -A POSTROUTING -o $BASE_INTERFACE -j MASQUERADE
fi
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -F FORWARD
fi

# Setup network isolation
if [ $ISOLATION -eq 1 ]; then
# Do not pass packets coming from AP to docker
iptables -t nat -I PREROUTING -i $INTERFACE -j ACCEPT
# Accept only locally-initiated traffic
iptables -I INPUT -i $INTERFACE -j DROP
iptables -I INPUT -i $INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ ${#VINTERFACE} -ne 0 ]; then
# Prevent access to local wifi network from AP network
wifi_net=$(ip addr show $BASE_INTERFACE | grep inet | awk '{print $2}')
if [ ${#wifi_net} -ne 0 ]; then
iptables -I FORWARD -i $INTERFACE -o $BASE_INTERFACE -d ${wifi_net} -j DROP
fi
fi
# Prevent access to local eth network from AP network
eth_net=$(ip addr show eth0 | grep 'inet ' | awk '{print $2}')
if [ ${#eth_net} -ne 0 ]; then
iptables -I FORWARD -i $INTERFACE -o eth0 -d ${eth_net} -j DROP
fi
# Allow access to local DHCP server
iptables -I INPUT -p udp -i $INTERFACE --dport 67 -j ACCEPT
fi

# Start dnsmasq if DHCP is enabled in config
Expand All @@ -236,10 +302,17 @@ if [ $DHCP -eq 1 ]; then
killall -q dnsmasq; dnsmasq -C /dnsmasq.conf
fi

if [ ${#VINTERFACE} -ne 0 ]; then
# Don't know why it is needed, but hostapd fails later on without this delay
sleep 10
fi

logger "## Starting hostapd daemon" 1
# If debug level is greater than 1, start hostapd in debug mode
if [ $DEBUG -gt 1 ]; then
killall -q hostapd; hostapd -d /hostapd.conf & wait ${!}
else
killall -q hostapd; hostapd /hostapd.conf & wait ${!}
fi

term_handler

0 comments on commit 70af3fb

Please sign in to comment.