wifidog 源码初分析(1)
来源:互联网 发布:更新语句sql 编辑:程序博客网 时间:2024/06/01 10:30
wifidog 的核心还是依赖于 iptables 防火墙过滤规则来实现的,所以建议对 iptables 有了了解后再去阅读 wifidog 的源码。
在该 防火墙规则的初始化过程中,会首先清除掉已有的防火墙规则,重新创建新的过滤链,另外,除了通过 iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 这个命令将 接入设备的 80 端口(HTTP)的访问重定向至网关自身的 HTTP 的端口之外,还通过 iptables_fw_set_authservers(); 函数设置了 鉴权服务器(auth-server) 的防火墙规则:
在路由器上启动 wifidog 之后,wifidog 在启动时会初始化一堆的防火墙规则,如下:
/** Initialize the firewall rules*/int iptables_fw_init(void){ … …/* * * Everything in the NAT table * */ /* Create new chains */ iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING); iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER); iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET); iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS); /* Assign links and rules to these new chains */ iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface); iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT"); iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS); iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL); // 将 80 端口的访问重定向(REDIRECT)到 (本路由)网关web服务器的监听端口 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port); /* * * Everything in the FILTER table * */ /* Create new chains */ iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET); iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS); iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED); iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE); iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN); iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN); /* Assign links and rules to these new chains */ /* Insert at the beginning */ iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP"); /* TCPMSS rule for PPPoE */ iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS); iptables_fw_set_authservers(); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED); iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL); iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL); iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION); iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN); iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable"); UNLOCK_CONFIG(); return 1;}
在该 防火墙规则的初始化过程中,会首先清除掉已有的防火墙规则,重新创建新的过滤链,另外,除了通过 iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 这个命令将 接入设备的 80 端口(HTTP)的访问重定向至网关自身的 HTTP 的端口之外,还通过 iptables_fw_set_authservers(); 函数设置了 鉴权服务器(auth-server) 的防火墙规则:
void iptables_fw_set_authservers(void){ const s_config *config; t_auth_serv *auth_server; config = config_get_config(); for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) { if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) { iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip); iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip); } }}
首先从上面的代码可以看出 wifidog 支持多个 鉴权服务器,并且针对每一个鉴权服务器 设置了如下两条规则:
1)在filter表中追加一条[任何访问鉴权服务器都被接受]的WiFiDog_$ID$_AuthServers过滤链:
iptables -t filter -A WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT
2)在nat表中追加一条[任何访问鉴权服务器都被接受]的WiFiDog_$ID$_AuthServers过滤链:
iptables -t nat -A WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT
这样确保可以访问鉴权服务器,而不是拒绝所有的出口访问。
0 0
- wifidog 源码初分析(1)
- wifidog 源码初分析(1)
- wifidog 源码初分析(1)
- wifidog 源码初分析(1)
- wifidog 源码初分析
- wifidog 源码初分析-1-转
- wifidog 源码初分析(2)
- wifidog 源码初分析(3)
- wifidog 源码初分析(4)
- wifidog 源码初分析(一)
- wifidog 源码初分析(二)
- wifidog 源码初分析(三)
- wifidog 源码初分析(2)
- wifidog 源码初分析(3)
- wifidog 源码初分析(4)
- wifidog 源码初分析(4)
- wifidog 源码初分析(3)
- wifidog 源码初分析(2)
- 判断是否两条线段相交
- 软件产品经理的职责
- 数据库设计的三大范式、BCNF、4NF
- oracle获取sql执行计划方法
- IP,TCP 和 HTTP
- wifidog 源码初分析(1)
- 单链表实现多项式加法的头文件(待删改)
- Qt Creator 重要的快捷操作
- Flex和Servlet结合上传文件报错(一)
- 百度API 应用实例之音乐搜索
- wzplayer for ios 针对(mms)优化版本V1.0
- 常见的计算机网络面试题目
- 说明符和限定符
- C++ 程序员自信心曲线图