NAP6官方旗舰店
搜索
发新帖
午饭无线 推广广告R7800 完胜 华硕路由器NETGEAR Vs ASUS T-Mobile定制版NETGEAR团购
开启左侧

wifidog认证功能源码初分析(1)

[复制链接]
1021 0

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
wifidog 的核心还是依赖于 iptables 防火墙过滤规则来实现的,所以建议对 iptables 有了了解后再去阅读 wifidog 的源码。
在路由器上启动 wifidog 之后,wifidog 在启动时会初始化一堆的防火墙规则,如下:
  1. /** Initialize the firewall rules
  2. */
  3. int iptables_fw_init(void)
  4. {
  5.     const s_config *config;
  6.     char * ext_interface = NULL;
  7.     int gw_port = 0;
  8.     t_trusted_mac *p;

  9.     fw_quiet = 0;

  10.     LOCK_CONFIG();
  11.     config = config_get_config();
  12.     gw_port = config->gw_port;
  13.     if (config->external_interface) {
  14.             ext_interface = safe_strdup(config->external_interface);
  15.     } else {
  16.             ext_interface = get_ext_iface();
  17.     }

  18.     if (ext_interface == NULL) {
  19.             UNLOCK_CONFIG();
  20.             debug(LOG_ERR, "FATAL: no external interface");
  21.             return 0;
  22.     }
  23.     /*
  24.      *
  25.      * Everything in the MANGLE table
  26.      *
  27.      */

  28.     /* Create new chains */
  29.     iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
  30.     iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
  31.     iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);

  32.     /* Assign links and rules to these new chains */
  33.     iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
  34.     iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
  35.     iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);

  36.     for (p = config->trustedmaclist; p != NULL; p = p->next)
  37.             iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);

  38.     /*
  39.      *
  40.      * Everything in the NAT table
  41.      *
  42.      */

  43.     /* Create new chains */
  44.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
  45.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
  46.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
  47.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
  48.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
  49.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);

  50.     /* Assign links and rules to these new chains */
  51.     iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);

  52.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
  53.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");

  54.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
  55.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
  56.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
  57.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);

  58.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
  59.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
  60.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);


  61.     /*
  62.      *
  63.      * Everything in the FILTER table
  64.      *
  65.      */

  66.     /* Create new chains */
  67.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
  68.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
  69.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
  70.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
  71.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
  72.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
  73.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);

  74.     /* Assign links and rules to these new chains */

  75.     /* Insert at the beginning */
  76.     iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);


  77.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");

  78.     /* XXX: Why this? it means that connections setup after authentication
  79.        stay open even after the connection is done...
  80.        iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/

  81.     //Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
  82.     //iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);

  83.     /* TCPMSS rule for PPPoE */
  84.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);

  85.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
  86.     iptables_fw_set_authservers();

  87.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
  88.     iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);

  89.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
  90.     iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
  91.     iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);

  92.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
  93.     iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);

  94.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
  95.     iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);

  96.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
  97.     iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
  98.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");

  99.     UNLOCK_CONFIG();
  100.     return 1;
  101. }
复制代码
在该 防火墙规则的初始化过程中,会首先清除掉已有的防火墙规则,重新创建新的过滤链,另外,除了通过iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 这个命令将 接入设备的 80 端口(HTTP)的访问重定向至网关自身的 HTTP 的端口之外,还通过iptables_fw_set_authservers(); 函数设置了 鉴权服务器(auth-server) 的防火墙规则:
  1. void iptables_fw_set_authservers(void)
  2. {
  3.     const s_config *config;
  4.     t_auth_serv *auth_server;

  5.     config = config_get_config();

  6.     for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) {
  7.         if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) {
  8.             iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);
  9.             iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);
  10.         }
  11.     }
  12. }
复制代码
首先从上面的代码可以看出 wifidog 支持多个鉴权服务器,并且针对每一个鉴权服务器设置了如下两条规则:
1)在filter表中追加一条[任何访问鉴权服务器都被接受]的WiFiDog_$ID$AuthServers过滤链:iptables -t filter -A WiFiDog$ID$AuthServers -d auth-server地址 -j ACCEPT
2)在nat表中追加一条[任何访问鉴权服务器都被接受]的WiFiDog$ID$AuthServers过滤链:iptables -t nat -A WiFiDog$ID$_AuthServers -d auth-server地址 -j ACCEPT
这样确保可以访问鉴权服务器,而不是拒绝所有的出口访问。

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表