looks good

This commit is contained in:
lars 2005-05-17 00:26:11 +00:00
parent d30d9dba6d
commit 941be53e2b
4 changed files with 93 additions and 82 deletions


@ -0,0 +1,70 @@
remove_old()
{
# remove the rules from PREROUTING
$IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
$IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
# empty and remove chains if they exist
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT
do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
true
done
}
init_chains()
{
# create chains
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT
do $IPT -t nat -N $a
done
# all packets from the specified interface go to the general chain
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
# rules for CHAIN_REDIRECT
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $SPLASH_SERVER
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
$IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION
# all registered senders are simply accepted
$IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT
}
get_IPs()
# prints out all active forwards line by line
# every line consists of: "Number of Packets" and "IP"
{
iptables -t nat -L "$CHAIN_FORWARD_CHECK" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
# get all active forward chains
# remove the first two lines
# remove multiple spaces
# take only the number of packets and the IP
}
register_IP()
# add a new allowed IP
{
eval `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
}
unregister_IP()
# remove the specified IP
{
eval `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
}
refresh_IP_list()
{
local NUM
local IP
get_IPs | while read NUM IP
do [ "$NUM" = "0" ] && unregister_IP "$IP"
done
}
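Review bot: register_IP and unregister_IP push `$1` through sed and then `eval` the result, so an argument that is anything other than a plain dotted-quad (a `/` or `&` breaks the sed expression, a `;` or backtick is handed to the shell with whatever privileges the script runs under, root given the iptables calls), and the script's `register` action passes its argument in unchecked, so if a splash page ever drives this the value is attacker-supplied. I would reject anything but digits and dots before the eval, at the top of both functions: `case "$1" in ""|*[!0-9.]*) echo "[WEB_SPLASH] invalid IP: $1" >&2; return 1 ;; esac`. get_IPs also calls a bare `iptables` while every other rule uses `$IPT`, which matters now that the config chooses the binary. In init_chains the `--dport 80 -j ACCEPT` rule placed after the DNAT is unreachable, since DNAT is a terminating target; it could be dropped or the intent commented.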


@ -1,40 +1,8 @@
#!/bin/sh #!/bin/sh
. web-splash.conf set -uex
get_IPs() . /etc/web-splash.conf
# prints out all active forwards line by line . /test/splash-functions.inc
# every line consists of: "Number of Packets" and "IP"
{
iptables -L "$SPLASH_CHAIN" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
# get all active forward chains
# remove the first two lines
# remove multiple spaces
# take only the number of packets and the IP
}
register_IP()
# add a new allowed IP
{
`echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
}
unregister_IP()
# remove the specified IP
{
`echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
}
refresh_IP_list()
{
local NUM
local IP
get_IPs | while read NUM IP
do [ "$NUM" = "0" ] && remove_IP "$IP"
done
}
refresh_IP_list refresh_IP_list
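Review bot: `set -uex` leaves command tracing switched on in what is presumably the periodic updater, so every iptables invocation is echoed to stderr on each run, and the include path `/test/splash-functions.inc` reads like a scratch location next to the `/etc/web-splash.conf` sourced on the line before. I would use `set -ue` (or gate `-x` behind an environment variable) and point the include at a stable path, e.g. `. /etc/web-splash/splash-functions.inc`. Note also that with `-e` in effect, one failing `unregister_IP` inside the `get_IPs | while read` pipeline aborts the remaining entries rather than skipping that host; `unregister_IP "$IP" || true` in the loop body would let the refresh continue if that is the intended behaviour.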


@ -3,20 +3,21 @@
# the source interface (only these packets will be filtered) # the source interface (only these packets will be filtered)
IF_SRC=eth1 IF_SRC=eth1
# the server where all first packets get redirected to # the server where all first packets get redirected to (on most
SPLASH_SERVER=systemausfall.org # embedded systems it should be an IP address instead of a name)
SPLASH_SERVER=192.168.1.1
# templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP) # templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP)
RULE_ADD='$IPT -I $CHAIN_ALL -s _IP_ -j $CHAIN_FORWARD' RULE_ADD='$IPT -t nat -I $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
RULE_DEL='$IPT -D $CHAIN_ALL -s _IP_ -j $CHAIN_FORWARD' RULE_DEL='$IPT -t nat -D $CHAIN_FORWARD_CHECK -s _IP_ -j $CHAIN_FORWARD_ACTION'
# the iptables chain, that contains all forwarded ips # the iptables chain, that contains all forwarded ips
CHAIN_ALL=web_splash CHAIN_FORWARD_CHECK=web_splash_forward_check
CHAIN_FORWARD=web_splash_forward CHAIN_FORWARD_ACTION=web_splash_forward_action
CHAIN_REDIRECT=web_splash_reject CHAIN_REDIRECT=web_splash_redirect
# the iptables action for bad packets (e.g. DROP or REJECT) # the iptables action for bad packets (e.g. DROP or REJECT)
REJECT_ACTION=REJECT REJECT_ACTION=DROP
# the location of the iptables program # the location of the iptables program
IPT=/sbin/iptables IPT=/sbin/iptables
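Review bot: the comment above `REJECT_ACTION` still offers `REJECT` as an example, but the rule templates now carry `-t nat` and the chains are reached from nat PREROUTING, where iptables, as far as I recall, refuses the REJECT target (it is only accepted in filter-table chains), which is presumably why the default moved to DROP. I would reword it to `# the iptables action for bad packets (must be valid in the nat table, e.g. DROP)`. Since `RULE_ADD` and `RULE_DEL` are eval'd by the functions file and the whole conf is sourced by a root script, this file is effectively code; a one-line comment stating that it must be root-owned and not group/world-writable would help whoever tunes it later.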


@ -1,45 +1,9 @@
#!/bin/sh #!/bin/sh
set -ue set -uex
. web-splash.conf
remove_old()
{
# remove the rules from PREROUTING
$IPT -t nat -D PREROUTING -j $CHAIN_ALL
# empty and remove chains if they exist
for a in $CHAIN_FORWARD $CHAIN_REDIRECT $CHAIN_ALL
do $IPT -F $a 2>/dev/null && $IPT -X $a
done
}
init_chains()
{
# create chains
for a in $CHAIN_FORWARD $CHAIN_REDIRECT $CHAIN_ALL
do $IPT -N $a
done
# all packets from the specified interface go to the general chain
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_ALL
# default rules for CHAIN_ALL
# excetions will be handled by rules that are inserted before them
$IPT -A $CHAIN_ALL -p tcp --dport 80 -j $CHAIN_REDIRECT
$IPT -A $CHAIN_ALL -p tcp --dport 80 -j ACCEPT
$IPT -A $CHAIN_ALL -j $REJECT_ACTION
# all registered senders are simply accepted
$IPT -A $CHAIN_FORWARD -j ACCEPT
# all unregistered senders get redirected
$IPT -A $CHAIN_REDIRECT -j DNAT --to-destination $SPLASH_SERVER
$IPT -A $CHAIN_REDIRECT -j ACCEPT
}
. /etc/web-splash.conf
. /test/splash-functions.inc
ACTION="--help" ACTION="--help"
[ $# -gt 0 ] && ACTION="$1" [ $# -gt 0 ] && ACTION="$1"
@ -52,6 +16,14 @@ case "$ACTION" in
stop ) stop )
remove_old remove_old
;; ;;
register )
[ $# -gt 2 ] && echo "[WEB_SPLASH] too many parameters: only one IP address is allowed" && exit 1
[ $# -lt 2 ] && echo "[WEB_SPLASH] you have to specify an IP address" && exit 2
register_IP "$2"
;;
update )
refresh_IP_list
;;
* ) * )
echo "Syntax: $0 {start|stop|restart}" echo "Syntax: $0 {start|stop|restart}"
echo echo
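Review bot: the usage text at the end of the hunk still lists only `{start|stop|restart}` although this hunk adds the `register` and `update` actions, and the two argument-count checks print their diagnostics to stdout. I would change it to `echo "Syntax: $0 {start|stop|restart|register <IP>|update}"` and send the errors to stderr, e.g. `[ $# -lt 2 ] && echo "[WEB_SPLASH] you have to specify an IP address" >&2 && exit 2`. The `register` arm also hands `$2` to register_IP unchecked, and that value ends up inside an eval'd iptables template in the functions file, so a dotted-quad check here — `case "$2" in ""|*[!0-9.]*) echo "[WEB_SPLASH] invalid IP address" >&2; exit 3 ;; esac` — keeps shell metacharacters from reaching it. The enclosing `case "$ACTION"` statement begins before this hunk.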