From d30d9dba6d3aba1b79ee04e14a20f7cc66a6a61d Mon Sep 17 00:00:00 2001
From: lars
Date: Mon, 16 May 2005 23:37:23 +0000
Subject: [PATCH] first try

---
 web-splash/update-rules.sh | 40 ++++++++++++++++++++++++++
 web-splash/web-splash.conf | 24 ++++++++++++++++
 web-splash/web-splash.sh | 59 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100755 web-splash/update-rules.sh
 create mode 100644 web-splash/web-splash.conf
 create mode 100755 web-splash/web-splash.sh

diff --git a/web-splash/update-rules.sh b/web-splash/update-rules.sh
new file mode 100755
index 0000000..657102c
--- /dev/null
+++ b/web-splash/update-rules.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+. web-splash.conf
+
+get_IPs()
+# prints out all active forwards line by line
+# every line consists of: "Number of Packets" and "IP"
+{
+ iptables -L "$SPLASH_CHAIN" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
+ # get all active forward chains
+ # remove the first two lines
+ # remove multiple spaces
+ # take only the number of packets and the IP
+}
+
+
+register_IP()
+# add a new allowed IP
+{
+ `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
+}
+
+
+unregister_IP()
+# remove the specified IP
+{
+ `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
+}
+
+
+refresh_IP_list()
+{
+ local NUM
+ local IP
+ get_IPs | while read NUM IP
+ do [ "$NUM" = "0" ] && remove_IP "$IP"
+ done
+}
+
+refresh_IP_list
diff --git a/web-splash/web-splash.conf b/web-splash/web-splash.conf
new file mode 100644
index 0000000..b86606a
--- /dev/null
+++ b/web-splash/web-splash.conf
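Review bot: `refresh_IP_list` calls `remove_IP`, which is never defined (the helper is named `unregister_IP`), and `get_IPs` lists `$SPLASH_CHAIN`, a variable web-splash.conf does not set (it defines `CHAIN_ALL`/`CHAIN_FORWARD`), so the listing runs with an empty chain name. The backtick calls in `register_IP`/`unregister_IP` cannot work either: `RULE_ADD`/`RULE_DEL` are single-quoted in the conf and the output of a command substitution is not re-expanded, so the shell tries to execute a command literally named `$IPT`. Calling iptables directly drops both the template and the unescaped sed substitution of `$1`: `"$IPT" -I "$CHAIN_ALL" -s "$1" -j "$CHAIN_FORWARD"` and `"$IPT" -D "$CHAIN_ALL" -s "$1" -j "$CHAIN_FORWARD"` (and `get_IPs` should use `"$IPT"` rather than bare `iptables`). Both this file and web-splash.sh source the config as `. web-splash.conf`; with no slash in the name, `.` looks the file up along PATH rather than in the script's directory, so the rules a root-run script installs depend on which `web-splash.conf` PATH finds first — source it by an absolute path or one derived from `$0`. `local` is also not guaranteed under `#!/bin/sh`.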
@@ -0,0 +1,24 @@
+# this file is not parsed, but simply sourced
+
+# the source interface (only these packets will be filtered)
+IF_SRC=eth1
+
+# the server where all first packets get redirected to
+SPLASH_SERVER=systemausfall.org
+
+# templates for the rules to manage forwarding rules (_IP_ will be substituted by the host's IP)
+RULE_ADD='$IPT -I $CHAIN_ALL -s _IP_ -j $CHAIN_FORWARD'
+RULE_DEL='$IPT -D $CHAIN_ALL -s _IP_ -j $CHAIN_FORWARD'
+
+# the iptables chain, that contains all forwarded ips
+CHAIN_ALL=web_splash
+CHAIN_FORWARD=web_splash_forward
+CHAIN_REDIRECT=web_splash_reject
+
+# the iptables action for bad packets (e.g. DROP or REJECT)
+REJECT_ACTION=REJECT
+
+# the location of the iptables program
+IPT=/sbin/iptables
+[ ! -x "$IPT" ] && IPT=/usr/sbin/iptables
+
diff --git a/web-splash/web-splash.sh b/web-splash/web-splash.sh
new file mode 100644
index 0000000..6f34d31
--- /dev/null
+++ b/web-splash/web-splash.sh
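Review bot: `SPLASH_SERVER=systemausfall.org` is passed straight to `-j DNAT --to-destination` in web-splash.sh, and I believe DNAT only accepts a numeric address there (any name resolution would at best happen once, at insert time), so the comment should say this must be an IP address, or the value should be checked before use. `CHAIN_REDIRECT=web_splash_reject` names the redirect chain "reject" while the reject action actually lives in `CHAIN_ALL`; `CHAIN_REDIRECT=web_splash_redirect` would keep rule listings readable. Since the header comment says the file is sourced, everything in it runs as the caller (root) — `[ ! -x "$IPT" ] && IPT=...` is already executable code — so the file's ownership and write permissions are part of the firewall's trust boundary, which is worth stating in that first comment.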
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+set -ue
+
+. web-splash.conf
+
+remove_old()
+{
+ # remove the rules from PREROUTING
+ $IPT -t nat -D PREROUTING -j $CHAIN_ALL
+
+ # empty and remove chains if they exist
+ for a in $CHAIN_FORWARD $CHAIN_REDIRECT $CHAIN_ALL
+ do $IPT -F $a 2>/dev/null && $IPT -X $a
+ done
+}
+
+
+init_chains()
+{
+ # create chains
+ for a in $CHAIN_FORWARD $CHAIN_REDIRECT $CHAIN_ALL
+ do $IPT -N $a
+ done
+
+ # all packets from the specified interface go to the general chain
+ $IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_ALL
+
+ # default rules for CHAIN_ALL
+ # excetions will be handled by rules that are inserted before them
+ $IPT -A $CHAIN_ALL -p tcp --dport 80 -j $CHAIN_REDIRECT
+ $IPT -A $CHAIN_ALL -p tcp --dport 80 -j ACCEPT
+ $IPT -A $CHAIN_ALL -j $REJECT_ACTION
+
+ # all registered senders are simply accepted
+ $IPT -A $CHAIN_FORWARD -j ACCEPT
+
+ # all unregistered senders get redirected
+ $IPT -A $CHAIN_REDIRECT -j DNAT --to-destination $SPLASH_SERVER
+ $IPT -A $CHAIN_REDIRECT -j ACCEPT
+}
+
+
+ACTION="--help"
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+ start|restart )
+ remove_old
+ init_chains
+ ;;
+ stop )
+ remove_old
+ ;;
+ * )
+ echo "Syntax: $0 {start|stop|restart}"
+ echo
+ ;;
+ esac
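Review bot: `remove_old` runs `$IPT -t nat -D PREROUTING -j $CHAIN_ALL` unconditionally under `set -ue`, so a fresh `start` (nothing to delete yet) exits non-zero there and the script aborts before `init_chains` runs; the spec also lacks `-i $IF_SRC`, so it never matches the rule `init_chains` adds with `-A PREROUTING -i $IF_SRC -j $CHAIN_ALL`, and a restart stacks a duplicate jump. A tolerant, exact delete fixes both: `$IPT -t nat -D PREROUTING -i "$IF_SRC" -j "$CHAIN_ALL" 2>/dev/null || true`. The user chains are created, flushed, deleted and populated without `-t nat` (i.e. in the filter table) while the PREROUTING jump into `$CHAIN_ALL` is in the nat table, so the `-N`/`-F`/`-X`/`-A` calls on `$CHAIN_ALL`, `$CHAIN_FORWARD` and `$CHAIN_REDIRECT` need `-t nat` as well; I would also expect the `-j $REJECT_ACTION` rule to be refused in a nat chain when `REJECT_ACTION=REJECT`, which is worth checking against the kernel in use. The loop pairs `-F` and `-X` per chain in the order FORWARD, REDIRECT, ALL, but `-X` fails while another chain still jumps to the one being deleted (`$CHAIN_ALL` references `$CHAIN_REDIRECT`, and `$CHAIN_FORWARD` once an IP is registered) and that failure trips `set -e`; flush all three chains first, then delete all three. Minor: quote the expansions (`"$a"`, `"$CHAIN_ALL"`, `"$IF_SRC"`), and the comment reads `excetions` for `exceptions`.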