codekasten/web-splash/web-splash-functions.inc

# this skript is GPL software (http://www.fsf.org/licensing/licenses/gpl.html)
# suggestions and questions to: devel@sumpfralle.de
# homepage: https://systemausfall.org/toolforge/web-splash
#
# this file will be sourced by web-splash.sh
#

remove_old()
{
	# remove the rules from PREROUTING
	$IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
	$IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
	$IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES

	# remove the rule from FORWARD
	$IPT -F $CHAIN_RETURN 2>/dev/null && $IPT -D FORWARD -o $IF_SRC -j $CHAIN_RETURN
	
	# empty and remove chains if they exist (from POSTROUTING)
	for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
		do	$IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
			true
	  done

	# empty and remove chains if they exist (from FORWARD)
	for a in $CHAIN_RETURN
		do	$IPT -F $a 2>/dev/null && $IPT -X $a
			true
	  done
}


init_chains()
{
	# create chains (in nat table)
	for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
		do	$IPT -t nat -N $a
	  done
	
	# create chains (in filter table)
	for a in $CHAIN_RETURN
		do	$IPT -N $a
	  done
	
	# all packets from the specified interface go to the web-splash-chains first
	# "-I" means insert before every other chain -> inserting reverse ordered
	$IPT -t nat -I PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
	$IPT -t nat -I PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
	$IPT -t nat -I PREROUTING -i $IF_SRC -j $CHAIN_SERVICES

	# add a "counting" chain for return packets
	# it does nothing - except providing a counter for returned bytes
	$IPT -I FORWARD -o $IF_SRC -j $CHAIN_RETURN

	# rules for CHAIN_REDIRECT
	$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP
	$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
	$IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION

	# all registered senders are simply accepted
	$IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT

	# allowed packets (services like dns, dhcp and ssh (to the router only))
	$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT
	$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT
	$IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT
	$IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT

	# user defined "privileged" source IPs
	for a in $ALLOW_IP_LIST
		do	$IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT
	  done

	# user defined forbidden source IPs
	for a in $DENY_IP_LIST
		do	$IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION
	  done
}


get_IP_list()
# prints out all active forwarding IPs
{
	$IPT -t nat -L "$CHAIN_FORWARD_CHECK" -vnx | sed "1,2d; s/  */ /g" | cut -d " " -f 9
	# get all active forward chains
	# remove the first two lines
	# remove multiple spaces
	# take only the IP
}


register_IP()
# add a new allowed IP
{
	if get_IP_list | grep -q "^$1$"
		then	echo "die IP $1 war bereits freigeschaltet!"
		else	eval `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
	  fi
}


unregister_IP()
# remove the specified IP
{
	if get_IP_list | grep -q "^$1$"
		then	eval `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
		else	echo "die IP $1 war nicht freigeschaltet!"
	  fi
}


update_IP_list()
# remove inactive IPs from the forwarding list
{
	local IP
	get_IPs | while read IP
		do	[ `get_IP_traffic $IP` -gt 0 ] && unregister_IP "$IP"
	  done
}

get_IP_traffic()
{
	local IP="$1"
	local out_traffic="`$IPT -t nat -L \"$CHAIN_FORWARD_CHECK\" -vnx | sed '1,2d; s/  */ /g' | cut -d ' ' -f 3,9 | grep \" $IP$\" | cut -d ' ' -f 1`"
	local in_traffic="`$IPT -L \"$CHAIN_RETURN\" -vnx | sed '1,2d; s/  */ /g' | cut -d ' ' -f 3,9 | grep \" $IP$\" | cut -d ' ' -f 1`"
	if [ -n "$in_traffic" -a -n "$out_traffic" ]
		then	echo $((in_traffic+out_traffic))
		else	echo 0
	  fi
}