codekasten/web-splash/splash-functions.inc
lars 63afdb8052 note for GPL
SPLASH_LIB setting added
2005-05-18 16:21:54 +00:00

95 lines
2.7 KiB
PHP

# this skript is GPL software (http://www.fsf.org/licensing/licenses/gpl.html)
# suggestions and questions to: devel@sumpfralle.de
# homepage: https://systemausfall.org/toolforge/web-splash
#
# this file will be sourced by web-splash.sh
#
remove_old()
{
# remove the rules from PREROUTING
$IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
$IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
$IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
# empty and remove chains if they exist
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
true
done
}
init_chains()
{
# create chains
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
do $IPT -t nat -N $a
done
# all packets from the specified interface go to the general chain
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
# rules for CHAIN_REDIRECT
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
$IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION
# all registered senders are simply accepted
$IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT
# allowed packets (services like dns, dhcp and ssh (to the router only))
$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT
$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT
$IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT
$IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT
# user defined "privileged" source IPs
for a in $ALLOW_IP_LIST
do $IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT
done
# user defined forbidden source IPs
for a in $DENY_IP_LIST
do $IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION
done
}
get_IPs()
# prints out all active forwards line by line
# every line consists of: "Number of Packets" and "IP"
{
iptables -t nat -L "$CHAIN_FORWARD_CHECK" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
# get all active forward chains
# remove the first two lines
# remove multiple spaces
# take only the number of packets and the IP
}
register_IP()
# add a new allowed IP
{
eval `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
}
unregister_IP()
# remove the specified IP
{
eval `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
}
refresh_IP_list()
{
local NUM
local IP
get_IPs | while read NUM IP
do [ "$NUM" = "0" ] && unregister_IP "$IP"
done
}