now it works

This commit is contained in:
lars 2005-05-17 10:11:28 +00:00
parent b196b7ecd0
commit 3e134eda1c
5 changed files with 35 additions and 10 deletions

View file

@ -3,9 +3,10 @@ remove_old()
# remove the rules from PREROUTING # remove the rules from PREROUTING
$IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK $IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
$IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT $IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
$IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
# empty and remove chains if they exist # empty and remove chains if they exist
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
true true
done done
@ -15,21 +16,38 @@ remove_old()
init_chains() init_chains()
{ {
# create chains # create chains
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
do $IPT -t nat -N $a do $IPT -t nat -N $a
done done
# all packets from the specified interface go to the general chain # all packets from the specified interface go to the general chain
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
# rules for CHAIN_REDIRECT # rules for CHAIN_REDIRECT
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $SPLASH_SERVER $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
$IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION $IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION
# all registered senders are simply accepted # all registered senders are simply accepted
$IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT $IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT
# allowed packets (services like dns, dhcp and ssh (to the router only))
$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT
$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT
$IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT
$IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT
# user defined "privileged" source IPs
for a in $ALLOW_IP_LIST
do $IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT
done
# user defined forbidden source IPs
for a in $DENY_IP_LIST
do $IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION
done
} }

View file

@ -1,9 +1,10 @@
#!/bin/sh #!/bin/sh
. /etc/web-splash.conf
echo "Content-type: text/html" echo "Content-type: text/html"
echo echo
cat "$SPLASH_DOCUMENT" cat "$SPLASH_DOCUMENT"
#/test/web-splash.sh register "$SPLASH_BIN/web-splash.sh" register "$REMOTE_ADDR"
set | sed "s/$/<br>/"

View file

@ -3,13 +3,16 @@
# the source interface (only these packets will be filtered) # the source interface (only these packets will be filtered)
IF_SRC=eth1 IF_SRC=eth1
# the server where all first packets get redirected to (on most # intern IP address auf the network, where web-splash will be used
# embedded systems it should be an IP address instead of a name) INTERN_IP=192.168.1.1
SPLASH_SERVER=192.168.1.1
# name of the local file that should be displayed by the cgi # name of the local file that should be displayed by the cgi
SPLASH_DOCUMENT=/test/splash-page.html SPLASH_DOCUMENT=/test/splash-page.html
# allowed and denied IPs - separete by spaces
ALLOW_IP_LIST=""
DENY_IP_LIST=""
# templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP) # templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP)
RULE_ADD='$IPT -t nat -I $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION' RULE_ADD='$IPT -t nat -I $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION' RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
@ -18,6 +21,7 @@ RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
CHAIN_FORWARD_CHECK=web_splash_forward_check CHAIN_FORWARD_CHECK=web_splash_forward_check
CHAIN_FORWARD_ACTION=web_splash_forward_action CHAIN_FORWARD_ACTION=web_splash_forward_action
CHAIN_REDIRECT=web_splash_redirect CHAIN_REDIRECT=web_splash_redirect
CHAIN_SERVICES=web_splash_services
# the iptables action for bad packets (e.g. DROP or REJECT) # the iptables action for bad packets (e.g. DROP or REJECT)
REJECT_ACTION=DROP REJECT_ACTION=DROP
@ -26,3 +30,5 @@ REJECT_ACTION=DROP
IPT=/sbin/iptables IPT=/sbin/iptables
[ ! -x "$IPT" ] && IPT=/usr/sbin/iptables [ ! -x "$IPT" ] && IPT=/usr/sbin/iptables
# path to the web-splash scripts
SPLASH_BIN=/test

View file

@ -1,9 +1,9 @@
#!/bin/sh #!/bin/sh
set -uex set -ue
. /etc/web-splash.conf . /etc/web-splash.conf
. /test/splash-functions.inc . "$SPLASH_BIN/splash-functions.inc"
ACTION="--help" ACTION="--help"
[ $# -gt 0 ] && ACTION="$1" [ $# -gt 0 ] && ACTION="$1"