/** Initialize the firewall rules.
 *
 * Builds the WifiDog chains in the nat and filter tables and hooks them
 * into nat/PREROUTING and filter/FORWARD for traffic arriving on
 * config->gw_interface (the client-facing interface), then loads the
 * operator-supplied rulesets into the per-state chains.  Layout as set up
 * by the lines visible in this excerpt:
 *
 *   nat:    PREROUTING -> OUTGOING -> WIFI_TO_ROUTER   (to gw_address: ACCEPT)
 *                                  -> WIFI_TO_INTERNET (KNOWN/PROBATION: ACCEPT)
 *                                  -> UNKNOWN -> AUTHSERVERS, GLOBAL,
 *                                                tcp/80 REDIRECT to gw_port
 *   filter: FORWARD -> WIFI_TO_INTERNET -> AUTHSERVERS, LOCKED, GLOBAL,
 *                                          VALIDATE, KNOWN, UNKNOWN (REJECT)
 *
 * The interface, address and port values are interpolated into iptables
 * command strings; they come from the gateway's own configuration.
 * NOTE(review): whether iptables_do_command() goes through a shell is not
 * visible here -- if it does, these values must never be attacker-influenced.
 *
 * @return 1 unconditionally.  No iptables_do_command() result in this
 *         excerpt is checked, so a rule that failed to install is not
 *         reported to the caller.
 */
int
iptables_fw_init(
void
)
{
/* Elided in this listing.  The code below uses config, gw_port and
 * ext_interface and ends with UNLOCK_CONFIG(), so the elided part
 * presumably declares those and takes the config lock -- confirm against
 * the full source. */
… …
/*
*
* Everything in the NAT table
*
*/
/* Create new chains */
iptables_do_command(
"-t nat -N "
TABLE_WIFIDOG_OUTGOING);
iptables_do_command(
"-t nat -N "
TABLE_WIFIDOG_WIFI_TO_ROUTER);
iptables_do_command(
"-t nat -N "
TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command(
"-t nat -N "
TABLE_WIFIDOG_GLOBAL);
iptables_do_command(
"-t nat -N "
TABLE_WIFIDOG_UNKNOWN);
iptables_do_command(
"-t nat -N "
TABLE_WIFIDOG_AUTHSERVERS);
/* Assign links and rules to these new chains */
/* Entry point: only packets arriving on the client-facing interface are
 * steered into the WifiDog nat chains; other interfaces are untouched. */
iptables_do_command(
"-t nat -A PREROUTING -i %s -j "
TABLE_WIFIDOG_OUTGOING, config->gw_interface);
/* Packets addressed to the gateway itself are accepted here (never
 * redirected) whatever the client's auth state; what the gateway then
 * accepts on INPUT is not part of this excerpt. */
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_OUTGOING
" -d %s -j "
TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_WIFI_TO_ROUTER
" -j ACCEPT"
);
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_OUTGOING
" -j "
TABLE_WIFIDOG_WIFI_TO_INTERNET);
/* Clients already marked KNOWN or PROBATION leave the nat table untouched,
 * i.e. they are not redirected to the captive portal.
 * Note the "0x%u" format: the mark's decimal digits are printed after a
 * hex prefix, so iptables would read a value of 10 as 0x10 (16).  This
 * only agrees with the mark-setting rules (not in this excerpt) if they
 * format the value the same way -- confirm. */
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -m mark --mark 0x%u -j ACCEPT"
, FW_MARK_KNOWN);
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -m mark --mark 0x%u -j ACCEPT"
, FW_MARK_PROBATION);
/* Everyone else (unmarked or LOCKED) is treated as unknown. */
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -j "
TABLE_WIFIDOG_UNKNOWN);
/* Unknown clients may still reach the auth servers directly (chain filled
 * by iptables_fw_set_authservers(): "-d <ip> -j ACCEPT", no port or
 * protocol limit) and whatever the nat "global" ruleset allows. */
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_UNKNOWN
" -j "
TABLE_WIFIDOG_AUTHSERVERS);
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_UNKNOWN
" -j "
TABLE_WIFIDOG_GLOBAL);
/* Redirect port-80 (plain HTTP) access to the listening port of the
 * gateway's (this router's) own web server, i.e. the captive portal.
 * Only TCP/80 is captured: other ports (e.g. 443) from unknown clients are
 * not redirected here and, unless the "unknown-users" ruleset accepts
 * them, end at the REJECT at the bottom of the filter UNKNOWN chain below.
 * Redirected packets are delivered locally and so never traverse FORWARD. */
iptables_do_command(
"-t nat -A "
TABLE_WIFIDOG_UNKNOWN
" -p tcp --dport 80 -j REDIRECT --to-ports %d"
, gw_port);
/*
*
* Everything in the FILTER table
*
*/
/* Create new chains */
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_AUTHSERVERS);
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_LOCKED);
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_GLOBAL);
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_VALIDATE);
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_KNOWN);
iptables_do_command(
"-t filter -N "
TABLE_WIFIDOG_UNKNOWN);
/* Assign links and rules to these new chains */
/* Insert at the beginning */
/* -I rather than -A: the WifiDog jump goes ahead of any pre-existing
 * FORWARD rule (e.g. a blanket ACCEPT installed by something else on the
 * router), so it cannot be bypassed by rules that were there first. */
iptables_do_command(
"-t filter -I FORWARD -i %s -j "
TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
/* Drop packets the connection tracker cannot classify. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -m state --state INVALID -j DROP"
);
/* TCPMSS rule for PPPoE */
/* Clamp the MSS of SYNs leaving via the external interface to the path
 * MTU so PPPoE's smaller MTU does not black-hole client connections. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
, ext_interface);
/* Auth servers are reachable by every client regardless of state; both
 * the filter and the nat AUTHSERVERS chains are populated by the call
 * right below. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -j "
TABLE_WIFIDOG_AUTHSERVERS);
iptables_fw_set_authservers();
/* Per-state dispatch.  Every jump below is a non-terminating -j into a
 * user chain: traffic that the LOCKED/GLOBAL/VALIDATE/KNOWN rulesets
 * neither accept nor drop falls through to the UNKNOWN chain and its
 * REJECT at the end, so the loaded rulesets are expected to terminate the
 * traffic they allow.  The "0x%u" mark-format caveat from the nat section
 * applies to these matches too. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -m mark --mark 0x%u -j "
TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
iptables_load_ruleset(
"filter"
,
"locked-users"
, TABLE_WIFIDOG_LOCKED);
/* GLOBAL applies to every client regardless of mark; it is populated from
 * the "global" ruleset in both the filter and the nat table. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -j "
TABLE_WIFIDOG_GLOBAL);
iptables_load_ruleset(
"filter"
,
"global"
, TABLE_WIFIDOG_GLOBAL);
iptables_load_ruleset(
"nat"
,
"global"
, TABLE_WIFIDOG_GLOBAL);
/* Clients in probation are subject to the "validating-users" ruleset. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -m mark --mark 0x%u -j "
TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
iptables_load_ruleset(
"filter"
,
"validating-users"
, TABLE_WIFIDOG_VALIDATE);
/* Authenticated clients are subject to the "known-users" ruleset. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -m mark --mark 0x%u -j "
TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
iptables_load_ruleset(
"filter"
,
"known-users"
, TABLE_WIFIDOG_KNOWN);
/* Unconditional: whatever was not terminated above ends up here. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_WIFI_TO_INTERNET
" -j "
TABLE_WIFIDOG_UNKNOWN);
iptables_load_ruleset(
"filter"
,
"unknown-users"
, TABLE_WIFIDOG_UNKNOWN);
/* Default deny for forwarded traffic: anything the "unknown-users"
 * ruleset did not accept is actively rejected (port-unreachable) rather
 * than silently dropped. */
iptables_do_command(
"-t filter -A "
TABLE_WIFIDOG_UNKNOWN
" -j REJECT --reject-with icmp-port-unreachable"
);
/* The matching LOCK_CONFIG() is presumably in the elided part above. */
UNLOCK_CONFIG();
return
1;
}
/*
 * Allow traffic to every auth server that currently has a resolved address.
 *
 * For each configured auth server whose last_ip is set and is not the
 * "0.0.0.0" placeholder, append an ACCEPT rule for that destination to the
 * WifiDog AUTHSERVERS chain of both the filter and the nat table.  The rule
 * matches on destination address only -- no protocol or port restriction --
 * so every port on the auth server host becomes reachable before login.
 * Servers without a usable address get no rule at all.
 *
 * Side effects only.  Rules are appended (-A), so calling this again
 * without flushing the chains first duplicates them.
 */
void
iptables_fw_set_authservers(void)
{
    const s_config *cfg = config_get_config();
    const t_auth_serv *srv;

    for (srv = cfg->auth_servers; srv != NULL; srv = srv->next) {
        const char *ip = srv->last_ip;

        /* Skip servers that never resolved (NULL) or resolved to the
         * all-zeros placeholder. */
        if (ip == NULL || strcmp(ip, "0.0.0.0") == 0) {
            continue;
        }

        iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", ip);
        iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", ip);
    }
}