# this skript is GPL software (http://www.fsf.org/licensing/licenses/gpl.html) # suggestions and questions to: devel@sumpfralle.de # homepage: https://systemausfall.org/toolforge/web-splash # # this file will be sourced by web-splash.sh # remove_old() { # remove the rules from PREROUTING $IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK $IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT $IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES # remove the rule from FORWARD $IPT -F $CHAIN_RETURN 2>/dev/null && $IPT -D FORWARD -o $IF_SRC -j $CHAIN_RETURN # empty and remove chains if they exist (from POSTROUTING) for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a true done # empty and remove chains if they exist (from FORWARD) for a in $CHAIN_RETURN do $IPT -F $a 2>/dev/null && $IPT -X $a true done } init_chains() { # create chains (in nat table) for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES do $IPT -t nat -N $a done # create chains (in filter table) for a in $CHAIN_RETURN do $IPT -N $a done # all packets from the specified interface go to the web-splash-chains first # "-I" means insert before every other chain -> inserting reverse ordered $IPT -t nat -I PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT $IPT -t nat -I PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK $IPT -t nat -I PREROUTING -i $IF_SRC -j $CHAIN_SERVICES # add a "counting" chain for return packets # it does nothing - except providing a counter for returned bytes $IPT -I FORWARD -o $IF_SRC -j $CHAIN_RETURN # rules for CHAIN_REDIRECT $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP $IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT $IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION # all registered senders are simply accepted $IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT # allowed packets (services like dns, dhcp and ssh (to the router only)) $IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT $IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT $IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT $IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT # user defined "privileged" source IPs for a in $ALLOW_IP_LIST do $IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT done # user defined forbidden source IPs for a in $DENY_IP_LIST do $IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION done } get_IPs() # prints out all active forwards line by line # every line consists of: "Number of Packets" and "IP" { iptables -t nat -L "$CHAIN_FORWARD_CHECK" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9 # get all active forward chains # remove the first two lines # remove multiple spaces # take only the number of packets and the IP } register_IP() # add a new allowed IP { eval `echo "$RULE_ADD" | sed "s/_IP_/$1/g"` } unregister_IP() # remove the specified IP { eval `echo "$RULE_DEL" | sed "s/_IP_/$1/g"` } refresh_IP_list() { local NUM local IP get_IPs | while read NUM IP do [ "$NUM" = "0" ] && unregister_IP "$IP" done }