cleanup login script, change firewall example

SVN-Revision: 881
This commit is contained in:
Mike Baker 2005-05-13 13:49:48 +00:00
parent 655ea85dec
commit 2ab5d1e15c
2 changed files with 25 additions and 26 deletions


@ -1,21 +1,20 @@
#!/bin/sh
[ "$FAILSAFE" = "true" ] && exec /bin/ash --login
[ -f /etc/sysconf ] && . /etc/sysconf
if [ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ]; then
if grep '^root:!' /etc/passwd > /dev/null 2>/dev/null; then
echo "You need to set a login password to protect your"
echo "Router from unauthorized access."
echo
echo "Use 'passwd' to set your password."
echo "telnet login will be disabled afterwards,"
echo "You can then login using SSH."
echo
else
echo "Login failed."
exit 0
fi
fi
. /etc/sysconf 2>&-
[ "$FAILSAFE" != "true" ] &&
[ "$BR2_SYSCONF_TELNET_FAILSAFE_ONLY" = "y" ] &&
{
grep '^root:[^!]' /etc/passwd >&- 2>&- &&
{
echo "Login failed."
exit 0
} || {
cat << EOF
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------
EOF
}
}
exec /bin/ash --login
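Review bot: The password gate `grep '^root:[^!]' /etc/passwd >&- 2>&-` fails open if grep exits non-zero for any reason other than "no match": stdout is closed, so a matching line causes a write error (EBADF), and a grep that reports that with status 2 takes the `||` branch, prints the banner and falls through to `exec /bin/ash --login` even though root already has a password. Whether a given grep does this depends on the implementation, but the redirection the commit removed (`> /dev/null 2>/dev/null`) never raised the question; `grep -q '^root:[^!]' /etc/passwd >/dev/null 2>&1 &&` keeps the exit status meaningful. Separately, the unguarded `. /etc/sysconf 2>&-` replaces the old `[ -f /etc/sysconf ] && . /etc/sysconf`; in POSIX sh a non-interactive shell aborts when the dot file cannot be read, so a missing /etc/sysconf would end the script before the final exec instead of falling through to the login shell. Restoring the `[ -f /etc/sysconf ] &&` test avoids that.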


@ -1,7 +1,7 @@
#!/bin/sh
. /etc/functions.sh
export WAN=$(nvram get wan_ifname)
export LAN=$(nvram get lan_ifname)
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
## CLEAR TABLES
for T in filter nat mangle; do
@ -17,8 +17,8 @@ iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
### Port forwarding
# iptables -t nat -A prerouting_rule -p tcp --dport 22 -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.2 -j ACCEPT
### INPUT
### (connections with the router as destination)
@ -27,12 +27,12 @@ iptables -t nat -N postrouting_rule
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
# allow
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p 47 -j ACCEPT # allow GRE
iptables -A INPUT -p tcp --syn --tcp-option \! 2 -j DROP
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
#
# insert accept rule or to jump to new accept-check table here
#
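Review bot: `iptables -A INPUT -p gre -j ACCEPT` replaces the numeric `-p 47` with a name that iptables must resolve through getprotobyname(), i.e. /etc/protocols; on an image that omits that file or the gre entry the command fails, and because the script has no `set -e` the failure is silent and GRE simply falls to the `-P INPUT DROP` policy. Unless the target images are known to ship /etc/protocols, `iptables -A INPUT -p 47 -j ACCEPT # allow GRE (proto 47)` is the safer form. On the re-added `iptables -A INPUT -i \! $WAN -j ACCEPT` line, `$WAN` is still unquoted; if `nvram get wan_ifname` returns nothing the arguments shift and the "allow from lan/wifi interfaces" rule is not installed, so `[ -n "$WAN" ] || exit 1` after the assignment in the first hunk (and `"$WAN"` here) would make that failure explicit. The hunk header claims 12 lines per side, so this section may continue past the visible trailing comment.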