wifidog 源码初分析(1)
/** Initialize the firewall rules.
 *
 * Creates WiFiDog's chains in the nat and filter tables and hooks them into
 * PREROUTING (nat) and FORWARD (filter) for packets arriving on the gateway
 * interface. Rules are appended in program order (-A), except the FORWARD
 * hook which is inserted at the top (-I), so the order of the calls below is
 * also the order in which a packet is evaluated.
 *
 * Returns 1 unconditionally. The result of every iptables_do_command() call
 * is ignored here, so a rule that fails to install (e.g. because the chain
 * already exists from an earlier run) is not reported by this function.
 *
 * Values taken from the configuration (config->gw_interface,
 * config->gw_address, ext_interface, gw_port) are substituted into the
 * command text unescaped; the configuration is therefore trusted input for
 * this function. NOTE(review): iptables_do_command() is not shown here — if
 * it hands the string to a shell, that trust boundary matters; confirm.
 */
int
iptables_fw_init(void)
{
    /* … … — the listing elides the start of the body here. The names used
     * below (config, gw_port, ext_interface) are presumably declared and
     * filled from the configuration in that part, and the matching
     * LOCK_CONFIG() for the UNLOCK_CONFIG() at the end is presumably taken
     * there too — confirm against the full source. */
    /*
     *
     * Everything in the NAT table
     *
     */
    /* Create new chains */
    iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
    iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
    iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
    iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
    iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
    iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
    /* Assign links and rules to these new chains */
    /* Every packet that enters on the gateway interface goes through OUTGOING. */
    iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
    /* Traffic addressed to the gateway itself is accepted without any
     * authentication check (WIFI_TO_ROUTER is a plain ACCEPT). */
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
    /* Clients whose packets already carry the KNOWN or PROBATION mark skip
     * the captive-portal redirect. The mark is written as "0x" followed by
     * the *decimal* digits of FW_MARK_*, which only spells the intended value
     * while the constants are below 10 (0x2 == 2) — TODO confirm the
     * FW_MARK_* values stay single-digit. Where the mark is set is not
     * visible in this listing. */
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
    /* Everyone else is an unknown client: let them reach the auth servers
     * and the operator's global rules, then redirect their web traffic. */
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
    // Redirect port-80 access to the listening port of the gateway's web
    // server on this router (the captive-portal page). Only TCP port 80 is
    // redirected; other ports from unknown clients are left untouched in nat
    // and end up rejected by the filter-table UNKNOWN chain below.
    iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
    /*
     *
     * Everything in the FILTER table
     *
     */
    /* Create new chains */
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
    iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
    /* Assign links and rules to these new chains */
    /* Insert at the beginning, so WiFiDog sees forwarded traffic before any
     * pre-existing FORWARD rule can accept it. */
    iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
    /* TCPMSS rule for PPPoE */
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
    /* Auth-server ACCEPTs come before any mark check, so unauthenticated
     * clients can reach the login server. */
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
    iptables_fw_set_authservers();
    /* Per-state chains, each populated from the operator's ruleset of the
     * same name in the configuration; same "0x%u" caveat as in the nat table. */
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
    iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
    /* The "global" ruleset is loaded into the GLOBAL chain of both tables. */
    iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
    iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
    iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
    iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
    iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
    /* Default for unknown clients: reject everything the rules above did not
     * accept, with an ICMP port-unreachable rather than a silent drop. */
    iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
    UNLOCK_CONFIG();
    return 1;
}
/**
 * Accept traffic destined to every resolved auth server.
 *
 * Walks the configured auth-server list and appends, to the AUTHSERVERS
 * chain of both the filter and the nat table, an ACCEPT rule for each
 * server's last_ip. A server whose last_ip is NULL or the "0.0.0.0"
 * placeholder gets no rule. Rules are appended (-A), not replaced, so calling
 * this again without flushing the chains first accumulates duplicates.
 * The result of each iptables_do_command() call is ignored.
 */
void
iptables_fw_set_authservers(void)
{
    const s_config *cfg = config_get_config();
    t_auth_serv *srv = cfg->auth_servers;

    while (srv != NULL) {
        const char *ip = srv->last_ip;

        /* Skip servers that have not been resolved to a usable address. */
        if (ip != NULL && strcmp(ip, "0.0.0.0") != 0) {
            iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", ip);
            iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", ip);
        }
        srv = srv->next;
    }
}