From 3e134eda1c51740c1cc3824e940dceb05bbee358 Mon Sep 17 00:00:00 2001 From: lars Date: Tue, 17 May 2005 10:11:28 +0000 Subject: [PATCH] now it works --- web-splash/splash-functions.inc | 24 ++++++++++++++++--- .../index.html} | 0 web-splash/web-splash.cgi | 5 ++-- web-splash/web-splash.conf | 12 +++++++--- web-splash/web-splash.sh | 4 ++-- 5 files changed, 35 insertions(+), 10 deletions(-) rename web-splash/{splash-page.html => splash-site/index.html} (100%) diff --git a/web-splash/splash-functions.inc b/web-splash/splash-functions.inc index ade0591..8196581 100644 --- a/web-splash/splash-functions.inc +++ b/web-splash/splash-functions.inc @@ -3,9 +3,10 @@ remove_old() # remove the rules from PREROUTING $IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK $IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT + $IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES # empty and remove chains if they exist - for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT + for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a true done 
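Review bot: The added `$IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES` removes exactly one PREROUTING jump, while init_chains appends one with `-A` on every run, so a run whose cleanup was skipped or failed leaves a second jump that survives this cleanup and then makes the `-X $a` in the loop below fail silently behind its `true`, keeping stale rules active; the two existing lines above it have the same shape. Deleting until `-D` fails, `while $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES 2>/dev/null; do :; done`, removes every jump regardless of how many accumulated. Note also that the `-D` is the last command of an `&&` list, so under the `set -ue` that web-splash.sh enables its failure aborts the script, unlike the loop below which tolerates a failed `-X`; whether callers rely on remove_old being best-effort is not visible here. remove_old's opening line lies before the hunk.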
@@ -15,21 +16,38 @@ remove_old() init_chains() { # create chains - for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT + for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES do $IPT -t nat -N $a done # all packets from the specified interface go to the general chain + $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_SERVICES $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT # rules for CHAIN_REDIRECT - $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $SPLASH_SERVER + $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT $IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION # all registered senders are simply accepted $IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT + + # allowed packets (services like dns, dhcp and ssh (to the router only)) + $IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT + $IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT + $IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT + $IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT + + # user defined "privileged" source IPs + for a in $ALLOW_IP_LIST + do $IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT + done + + # user defined forbidden source IPs + for a in $DENY_IP_LIST + do $IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION + done } diff --git a/web-splash/splash-page.html b/web-splash/splash-site/index.html similarity index 100% rename from web-splash/splash-page.html rename to web-splash/splash-site/index.html diff --git a/web-splash/web-splash.cgi b/web-splash/web-splash.cgi index 35d9c92..93377f0 100755 --- a/web-splash/web-splash.cgi +++ b/web-splash/web-splash.cgi @@ -1,9 +1,10 @@ #!/bin/sh +. /etc/web-splash.conf + echo "Content-type: text/html" echo cat "$SPLASH_DOCUMENT" -#/test/web-splash.sh register -set | sed "s/$/
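Review bot: The new `$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT` carries no `-d`, so an unregistered client's UDP/53 traffic to any host is accepted and, ACCEPT being terminating, never reaches the FORWARD_CHECK and REDIRECT chains; restricting it to the router's own resolver, `-p udp -d $INTERN_IP --dport 53 -j ACCEPT`, follows the pattern the ssh rule a few lines down already uses. The `-p tcp --dport 67 -j ACCEPT` rule can be dropped, DHCP is UDP only. The DENY_IP_LIST loop jumps to `$REJECT_ACTION` inside the nat table, where the REJECT target is not available (it is a filter-table target), so the `e.g. DROP or REJECT` wording in web-splash.conf would produce a load error for REJECT; restrict that comment to DROP or note that REJECT only works if these rules live in the filter table. Every decision in this chain keys on the source address alone, so a comment above the ALLOW_IP_LIST loop stating that entries are trusted on the strength of their IP on the client segment would help whoever populates the list.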
/" +"$SPLASH_BIN/web-splash.sh" register "$REMOTE_ADDR" diff --git a/web-splash/web-splash.conf b/web-splash/web-splash.conf index 3b1d0e6..1a4c76e 100644 --- a/web-splash/web-splash.conf +++ b/web-splash/web-splash.conf @@ -3,13 +3,16 @@ # the source interface (only these packets will be filtered) IF_SRC=eth1 -# the server where all first packets get redirected to (on most -# embedded systems it should be an IP address instead of a name) -SPLASH_SERVER=192.168.1.1 +# intern IP address auf the network, where web-splash will be used +INTERN_IP=192.168.1.1 # name of the local file that should be displayed by the cgi SPLASH_DOCUMENT=/test/splash-page.html +# allowed and denied IPs - separete by spaces +ALLOW_IP_LIST="" +DENY_IP_LIST="" + # templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP) RULE_ADD='$IPT -t nat -I $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION' RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION' @@ -18,6 +21,7 @@ RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION' CHAIN_FORWARD_CHECK=web_splash_forward_check CHAIN_FORWARD_ACTION=web_splash_forward_action CHAIN_REDIRECT=web_splash_redirect +CHAIN_SERVICES=web_splash_services # the iptables action for bad packets (e.g. DROP or REJECT) REJECT_ACTION=DROP @@ -26,3 +30,5 @@ REJECT_ACTION=DROP IPT=/sbin/iptables [ ! -x "$IPT" ] && IPT=/usr/sbin/iptables +# path to the web-splash scripts +SPLASH_BIN=/test diff --git a/web-splash/web-splash.sh b/web-splash/web-splash.sh index 0a41d77..4fc1a58 100755 --- a/web-splash/web-splash.sh +++ b/web-splash/web-splash.sh @@ -1,9 +1,9 @@ #!/bin/sh -set -uex +set -ue . /etc/web-splash.conf -. /test/splash-functions.inc +. "$SPLASH_BIN/splash-functions.inc" ACTION="--help" [ $# -gt 0 ] && ACTION="$1"
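Review bot: The new `"$SPLASH_BIN/web-splash.sh" register "$REMOTE_ADDR"` runs on every request to the CGI, straight after `cat "$SPLASH_DOCUMENT"`, so a client is registered the moment the redirect lands on the splash page, with no acceptance step; if click-through consent is intended, registration belongs in a separate action (a form target or second CGI) and this script should only display the page. The call also needs iptables privileges, so either the web server runs this CGI as root or a privilege-granting wrapper sits in between; that arrangement is not visible in the diff and deserves a comment above the line. Whatever web-splash.sh prints to stdout becomes part of the HTTP body after the document, so its output should be discarded or sent to the error log, e.g. `"$SPLASH_BIN/web-splash.sh" register "$REMOTE_ADDR" >/dev/null`. The script's `#!/bin/sh` is inside the hunk, so the whole file is visible.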
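Review bot: The new comments `# intern IP address auf the network, where web-splash will be used` and `# allowed and denied IPs - separete by spaces` mix languages and misspell; suggested wording is `# internal IP address of the router on the client network (clients are redirected here)` and `# allowed and denied source IPs, separated by spaces; each entry is passed to iptables -s, so CIDR networks work too`. The context line `SPLASH_DOCUMENT=/test/splash-page.html` still names the file this commit renames to splash-site/index.html, so the CGI's `cat "$SPLASH_DOCUMENT"` fails on a fresh checkout unless an install step copies it under the old name; that step is not visible here, so either update the path or mention the copy in the comment. Since DENY_IP_LIST entries are inserted at the top of the services chain, a short note that deny wins over allow would also spare the operator a read of splash-functions.inc.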
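Review bot: `SPLASH_BIN=/test` with the comment `# path to the web-splash scripts` is now the directory from which the CGI executes web-splash.sh with iptables privileges, so the comment should state the ownership requirement, e.g. `# path to the web-splash scripts; must be owned by root and not writable by the web server user, since the cgi executes scripts from here with iptables privileges`. A non-test default, such as a system path the install step is expected to adjust, would also be less surprising than `/test` for anyone deploying from this file.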