#!/bin/sh
# ipt.sh -- add ("start") or remove ("stop") the iptables rules that send
# traffic arriving on MITM_IFACE to the local mallory proxy (nat PREROUTING
# REDIRECT to port 20755), plus the DHCP pass-through rules for that interface.
#
# Usage:  ipt.sh [start | stop [interface]]    (default: start on MITM_IFACE)
# Needs:  iptables and root privileges; neither is checked here, and no
#         command's exit status is checked -- the script always exits 0.
#
# NOTE(review): -h / -? / --help print the usage text but do not exit; the
# script then continues and, since $1 is not "stop", installs the rules.
# NOTE(review): $1 and $MITM_IFACE are unquoted throughout. The x-prefix
# trick only covers the empty case; the unquoted x-? in the help test is a
# glob pattern that the shell could expand against a matching file in the
# current directory, and -o inside [ ] is deprecated (use separate tests
# joined with ||).
# Audit note: a nat PREROUTING REDIRECT of all tcp and udp on one interface
# to a single local port is a clear indicator of transparent interception;
# the same `iptables -t nat -L PREROUTING` listing this script greps for
# its idempotency check is what a host-level firewall-rule audit would show.

# Interface whose inbound traffic is redirected; overridden by $2 below.
MITM_IFACE=wlan1

# do not redirect through mallory:
# calls to dhcp server
UDP_EXCLUDE=67
# calls to sshd
TCP_EXCLUDE=22
#TCP_EXCLUDE=22,3389

if [ x$1 = x-h -o x$1 = x-? -o x$1 = x--help ]; then
  echo "start/stop redirection for mallory; (excluded udp ports: $UDP_EXCLUDE; excluded tcp ports: $TCP_EXCLUDE)"
  echo "usage: ipt.sh [start | stop [interface]]; default: ipt.sh start $MITM_IFACE"
fi

# Optional second argument overrides the interface.
if [ $# -ge 2 ]; then
  MITM_IFACE=$2
  echo using $MITM_IFACE as mitm interface
fi

# "stop" deletes (-D) the redirection rules; any other verb appends (-A) them.
# iptables -D only removes a rule whose specification matches exactly, so a
# stop run with a different exclude list than the start run silently fails
# and leaves the redirect in place.
if [ x$1 = xstop ]; then A=-D; else A=-A; fi

# block dhcp lease refresh crossing interfaces; required?
# NOTE(review): the three DHCP rules below are inserted whenever they are
# missing -- also on "stop"; nothing in this script removes them.
# The presence checks depend on `iptables -L` (no -n) resolving 67/68 to the
# service name "bootps" and on the rule appearing within the first 5 lines
# after the chain header (-A 5); a longer chain would defeat the check and
# the rule would be inserted again.
if ! iptables -L |grep -A 5 FORWARD |grep DROP |grep -q bootps; then
  iptables -I FORWARD -p udp --dport 67:68 -j DROP
  iptables -I FORWARD -p udp --sport 67:68 -j DROP
fi

# enable dhcp on wlan1 interfaces
iptables -L |grep -A 5 INPUT |grep ACCEPT |grep -q bootps || iptables -I INPUT -p udp --dport 67:68 -i $MITM_IFACE -j ACCEPT
iptables -L |grep -A 5 OUTPUT |grep ACCEPT |grep -q bootps || iptables -I OUTPUT -p udp --sport 67:68 -o $MITM_IFACE -j ACCEPT

# redirection for mallory
# The loop body runs at most once: it is an if/else whose "do nothing"
# branches leave via break before the iptables calls, and the unconditional
# break at the end exits after one pass.
while true; do
  # already redirected?
  # Same -L/-A 5 caveats as above; the check matches "20755" anywhere in the
  # first REDIRECT lines of nat PREROUTING.
  if iptables -L -t nat |grep -A 5 PREROUTING |grep REDIRECT |grep -q 20755; then
    # stop of redirection requested? else do nothing
    [ x$1 = xstop ] || break
  else
    # not redirected and stop requested? do nothing
    [ x$1 = xstop ] && break
  fi
  # Empty exclude list: redirect every tcp port; otherwise every tcp port
  # except the comma-separated list (multiport with negated --dports).
  if [ x = x$TCP_EXCLUDE ]; then
    iptables -t nat $A PREROUTING -j REDIRECT -i $MITM_IFACE -p tcp -m tcp --to-ports 20755
  else
    iptables -t nat $A PREROUTING -j REDIRECT -i $MITM_IFACE -p tcp -m multiport ! --dports $TCP_EXCLUDE --to-ports 20755
  fi
  # Same for udp.
  if [ x = x$UDP_EXCLUDE ]; then
    iptables -t nat $A PREROUTING -j REDIRECT -i $MITM_IFACE -p udp -m udp --to-ports 20755
  else
    iptables -t nat $A PREROUTING -j REDIRECT -i $MITM_IFACE -p udp -m multiport ! --dports $UDP_EXCLUDE --to-ports 20755
  fi
  break
done