now it works

web-splash/splash-functions.inc

@@ -3,9 +3,10 @@ remove_old()
 	# remove the rules from PREROUTING
 	$IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
 	$IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
+	$IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
 	
 	# empty and remove chains if they exist
-	for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT
+	for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
 		do	$IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
 			true
 	  done
@@ -15,21 +16,38 @@ remove_old()
 init_chains()
 {
 	# create chains
-	for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT
+	for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
 		do	$IPT -t nat -N $a
 	  done
 	
 	# all packets from the specified interface go to the general chain
+	$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
 	$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
 	$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
 
 	# rules for CHAIN_REDIRECT
-	$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $SPLASH_SERVER
+	$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP
 	$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
 	$IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION
 
 	# all registered senders are simply accepted
 	$IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT
+
+	# allowed packets (services like dns, dhcp and ssh (to the router only))
+	$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT
+	$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT
+	$IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT
+	$IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT
+
+	# user defined "privileged" source IPs
+	for a in $ALLOW_IP_LIST
+		do	$IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT
+	  done
+
+	# user defined forbidden source IPs
+	for a in $DENY_IP_LIST
+		do	$IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION
+	  done
 }
 
 

web-splash/web-splash.cgi

@@ -1,9 +1,10 @@
 #!/bin/sh
 
+. /etc/web-splash.conf
+
 echo "Content-type: text/html"
 echo
 
 cat "$SPLASH_DOCUMENT"
 
-#/test/web-splash.sh register
-set | sed "s/$/<br>/"
+"$SPLASH_BIN/web-splash.sh" register "$REMOTE_ADDR"

web-splash/web-splash.conf

@@ -3,13 +3,16 @@
 # the source interface (only these packets will be filtered)
 IF_SRC=eth1
 
-# the server where all first packets get redirected to (on most
-# embedded systems it should be an IP address instead of a name)
-SPLASH_SERVER=192.168.1.1
+# intern IP address auf the network, where web-splash will be used
+INTERN_IP=192.168.1.1
 
 # name of the local file that should be displayed by the cgi
 SPLASH_DOCUMENT=/test/splash-page.html
 
+# allowed and denied IPs - separete by spaces
+ALLOW_IP_LIST=""
+DENY_IP_LIST=""
+
 # templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP)
 RULE_ADD='$IPT -t nat -I $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
 RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
@@ -18,6 +21,7 @@ RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
 CHAIN_FORWARD_CHECK=web_splash_forward_check
 CHAIN_FORWARD_ACTION=web_splash_forward_action
 CHAIN_REDIRECT=web_splash_redirect
+CHAIN_SERVICES=web_splash_services
 
 # the iptables action for bad packets (e.g. DROP or REJECT)
 REJECT_ACTION=DROP
@@ -26,3 +30,5 @@ REJECT_ACTION=DROP
 IPT=/sbin/iptables
 [ ! -x "$IPT" ] && IPT=/usr/sbin/iptables
 
+# path to the web-splash scripts
+SPLASH_BIN=/test

web-splash/web-splash.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-set -uex
+set -ue
 
 . /etc/web-splash.conf
-. /test/splash-functions.inc
+. "$SPLASH_BIN/splash-functions.inc"
 
 ACTION="--help"
 [ $# -gt 0 ] && ACTION="$1"