From 941be53e2b4abd5a3c162fa79b61ab95cff03e5c Mon Sep 17 00:00:00 2001
From: lars
Date: Tue, 17 May 2005 00:26:11 +0000
Subject: [PATCH] looks good

---
 web-splash/splash-functions.inc | 70 +++++++++++++++++++++++++++++++++
 web-splash/update-rules.sh | 38 ++----------------
 web-splash/web-splash.conf | 17 ++++----
 web-splash/web-splash.sh | 50 ++++++----------------
 4 files changed, 93 insertions(+), 82 deletions(-)
 create mode 100644 web-splash/splash-functions.inc

diff --git a/web-splash/splash-functions.inc b/web-splash/splash-functions.inc
new file mode 100644
index 0000000..ade0591
--- /dev/null
+++ b/web-splash/splash-functions.inc
@@ -0,0 +1,70 @@
+remove_old()
+{
+ # remove the rules from PREROUTING
+ $IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
+ $IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
+
+ # empty and remove chains if they exist
+ for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT
+ do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
+ true
+ done
+}
+
+ init_chains()
+{
+ # create chains
+ for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT
+ do $IPT -t nat -N $a
+ done
+
+ # all packets from the specified interface go to the general chain
+ $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
+ $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
+
+ # rules for CHAIN_REDIRECT
+ $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $SPLASH_SERVER
+ $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
+ $IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION
+
+ # all registered senders are simply accepted
+ $IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT
+}
+
+ get_IPs()
+# prints out all active forwards line by line
+# every line consists of: "Number of Packets" and "IP"
+{
+ iptables -t nat -L "$CHAIN_FORWARD_CHECK" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
+ # get all active forward chains
+ # remove the first two lines
+ # remove multiple spaces
+ # take only the number of packets and the IP
+}
+
+ register_IP()
+# add a new allowed IP
+{
+ eval `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
+}
+
+ unregister_IP()
+# remove the specified IP
+{
+ eval `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
+}
+
+ refresh_IP_list()
+{
+ local NUM
+ local IP
+ get_IPs | while read NUM IP
+ do [ "$NUM" = "0" ] && unregister_IP "$IP"
+ done
+}
+
diff --git a/web-splash/update-rules.sh b/web-splash/update-rules.sh
index 657102c..493152e 100755
--- a/web-splash/update-rules.sh
+++ b/web-splash/update-rules.sh
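Review bot: register_IP and unregister_IP feed their argument through sed into an eval, so any shell metacharacters in `$1` are executed by the shell with the script's (root) privileges, and a `/` or `&` in it corrupts the sed expression; nothing in this hunk or in the register arm added to web-splash.sh checks that the argument is an address. A cheap guard before the eval in both functions would be `case "$1" in *[!0-9.]*|"") echo "[WEB_SPLASH] invalid IP address: $1" >&2; return 1 ;; esac`. get_IPs also runs a bare `iptables` while every other line uses `$IPT` from the config, so the listing and the rules it drives may come from different binaries. Separately, `-vnx` prints cumulative counters, so refresh_IP_list only removes entries that have never matched a packet; if the intent is to expire idle clients, the counters would need zeroing after each listing, which nothing on the page does.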
@@ -1,40 +1,8 @@
 #!/bin/sh
-. web-splash.conf
+set -uex
-get_IPs()
-# prints out all active forwards line by line
-# every line consists of: "Number of Packets" and "IP"
-{
- iptables -L "$SPLASH_CHAIN" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
- # get all active forward chains
- # remove the first two lines
- # remove multiple spaces
- # take only the number of packets and the IP
-}
-
- register_IP()
-# add a new allowed IP
-{
- `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
-}
-
- unregister_IP()
-# remove the specified IP
-{
- `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
-}
-
- refresh_IP_list()
-{
- local NUM
- local IP
- get_IPs | while read NUM IP
- do [ "$NUM" = "0" ] && remove_IP "$IP"
- done
-}
+. /etc/web-splash.conf
+. /test/splash-functions.inc
 refresh_IP_list
diff --git a/web-splash/web-splash.conf b/web-splash/web-splash.conf
index b86606a..2a49071 100644
--- a/web-splash/web-splash.conf
+++ b/web-splash/web-splash.conf
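Review bot: The script now dot-sources `/test/splash-functions.inc`, a path outside the system configuration that the `/etc/web-splash.conf` line next to it has just adopted; a root-run script loading code from a scratch directory is a deployment bug and also means anyone able to write there runs as root. Keep the include in the same directory as web-splash.conf (the two `. ` lines would then differ only in file name) or derive the path from `$0`. The same pair of lines appears in the first web-splash.sh hunk, and both scripts switch to `set -uex`, whose `-x` traces every iptables command to stderr; for update-rules.sh, which looks like a periodic job, `set -ue` keeps the previous behaviour without the noise.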
@@ -3,20 +3,21 @@
 # the source interface (only these packets will be filtered)
 IF_SRC=eth1
-# the server where all first packets get redirected to
-SPLASH_SERVER=systemausfall.org
+# the server where all first packets get redirected to (on most
+# embedded systems it should be an IP address instead of a name)
+SPLASH_SERVER=192.168.1.1
 # templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP)
-RULE_ADD='$IPT -I $CHAIN_ALL -s _IP_ -j $CHAIN_FORWARD'
-RULE_DEL='$IPT -D $CHAIN_ALL -s _IP_ -j $CHAIN_FORWARD'
+RULE_ADD='$IPT -t nat -I $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
+RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
 # the iptables chain, that contains all forwarded ips
-CHAIN_ALL=web_splash
-CHAIN_FORWARD=web_splash_forward
-CHAIN_REDIRECT=web_splash_reject
+CHAIN_FORWARD_CHECK=web_splash_forward_check
+CHAIN_FORWARD_ACTION=web_splash_forward_action
+CHAIN_REDIRECT=web_splash_redirect
 # the iptables action for bad packets (e.g. DROP or REJECT)
-REJECT_ACTION=REJECT
+REJECT_ACTION=DROP
 # the location of the iptables program
 IPT=/sbin/iptables
diff --git a/web-splash/web-splash.sh b/web-splash/web-splash.sh
index 6f34d31..0a41d77 100755
--- a/web-splash/web-splash.sh
+++ b/web-splash/web-splash.sh
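Review bot: The comment `# the iptables chain, that contains all forwarded ips` now sits above three chains with different jobs, and nothing in the file says that RULE_ADD and RULE_DEL are handed to eval by splash-functions.inc, which is what makes their single quotes essential. Suggest one comment line per chain — CHAIN_FORWARD_CHECK holds the per-client `-s _IP_` rules, CHAIN_FORWARD_ACTION is the ACCEPT target they jump to, CHAIN_REDIRECT is where clients without such a rule end up — and above the templates `# these templates are eval'ed at runtime: keep the single quotes and put only variable references in them`. The move from REJECT to DROP also changes what unregistered non-HTTP clients see (timeouts instead of immediate errors); a word in the REJECT_ACTION comment would record that this is deliberate.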
@@ -1,45 +1,9 @@
 #!/bin/sh
-set -ue
-
-. web-splash.conf
-
-remove_old()
-{
- # remove the rules from PREROUTING
- $IPT -t nat -D PREROUTING -j $CHAIN_ALL
-
- # empty and remove chains if they exist
- for a in $CHAIN_FORWARD $CHAIN_REDIRECT $CHAIN_ALL
- do $IPT -F $a 2>/dev/null && $IPT -X $a
- done
-}
-
- init_chains()
-{
- # create chains
- for a in $CHAIN_FORWARD $CHAIN_REDIRECT $CHAIN_ALL
- do $IPT -N $a
- done
-
- # all packets from the specified interface go to the general chain
- $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_ALL
-
- # default rules for CHAIN_ALL
- # excetions will be handled by rules that are inserted before them
- $IPT -A $CHAIN_ALL -p tcp --dport 80 -j $CHAIN_REDIRECT
- $IPT -A $CHAIN_ALL -p tcp --dport 80 -j ACCEPT
- $IPT -A $CHAIN_ALL -j $REJECT_ACTION
-
- # all registered senders are simply accepted
- $IPT -A $CHAIN_FORWARD -j ACCEPT
-
- # all unregistered senders get redirected
- $IPT -A $CHAIN_REDIRECT -j DNAT --to-destination $SPLASH_SERVER
- $IPT -A $CHAIN_REDIRECT -j ACCEPT
-}
+set -uex
+. /etc/web-splash.conf
+. /test/splash-functions.inc
 ACTION="--help"
 [ $# -gt 0 ] && ACTION="$1"
@@ -52,6 +16,14 @@ case "$ACTION" in
 stop )
 remove_old
 ;;
+ register )
+ [ $# -gt 2 ] && echo "[WEB_SPLASH] too many parameters: only one IP address is allowed" && exit 1
+ [ $# -lt 2 ] && echo "[WEB_SPLASH] you have to specify an IP address" && exit 2
+ register_IP "$2"
+ ;;
+ update )
+ refresh_IP_list
+ ;;
 * )
 echo "Syntax: $0 {start|stop|restart}"
 echo
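Review bot: The `* )` arm still prints `Syntax: $0 {start|stop|restart}` although this hunk adds `register` and `update`, so the usage text no longer lists what the script accepts; change it to `echo "Syntax: $0 {start|stop|restart|update|register <ip>}"`. The two argument-count errors in the register arm go to stdout, where a caller capturing output would take them for results, and as `&&` chains a failed echo would skip the exit and fall through to register_IP; `if [ $# -ne 2 ]; then echo "[WEB_SPLASH] exactly one IP address is required" >&2; exit 2; fi` covers both counts in one guarded statement. The case statement begins and ends outside the hunk.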