wifidog 源碼初分析(一)

wifidog 的核心還是依賴于 iptables 防火墻過濾規則來實現的,所以建議對 iptables 有了了解后再去閱讀 wifidog 的源碼。

在路由器上啟動 wifidog 之后,wifidog 在啟動時會初始化一堆的防火墻規則,如下:

/** Initialize the firewall rules

*/

int iptables_fw_init(void)

{

const s_config *config;

char * ext_interface = NULL;

int gw_port = 0;

t_trusted_mac *p;

fw_quiet = 0;

LOCK_CONFIG();

config = config_get_config();

gw_port = config->gw_port;

if (config->external_interface) {

ext_interface = safe_strdup(config->external_interface);

} else {

ext_interface = get_ext_iface();

}

if (ext_interface == NULL) {

UNLOCK_CONFIG();

debug(LOG_ERR, "FATAL: no external interface");

return 0;

}

/*

*

* Everything in the MANGLE table

*

*/

/* Create new chains */

iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);

iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);

iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);

/* Assign links and rules to these new chains */

iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);

iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one

iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);

for (p = config->trustedmaclist; p != NULL; p = p->next)

iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);

/*

*

* Everything in the NAT table

*

*/

/* Create new chains */

iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);

iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);

iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);

iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);

iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);

iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);

/* Assign links and rules to these new chains */

iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");

iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);

/*

*

* Everything in the FILTER table

*

*/

/* Create new chains */

iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);

iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);

iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);

iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);

iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);

iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);

iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);

/* Assign links and rules to these new chains */

/* Insert at the beginning */

iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");

/* XXX: Why this? it means that connections setup after authentication

stay open even after the connection is done...

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/

//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23

//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);

/* TCPMSS rule for PPPoE */

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);

iptables_fw_set_authservers();

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);

iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);

iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);

iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);

iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);

iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);

iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);

iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");

UNLOCK_CONFIG();

return 1;

}

在該 防火墻規則的初始化過程中,會首先清除掉已有的防火墻規則,重新創建新的過濾鏈,另外,除了通過iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 這個命令將 接入設備的 80 端口(HTTP)的訪問重定向至網關自身的 HTTP 的端口之外,還通過iptables_fw_set_authservers(); 函數設置了 鑒權服務器(auth-server) 的防火墻規則:

void iptables_fw_set_authservers(void)

{

const s_config *config;

t_auth_serv *auth_server;

config = config_get_config();

for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) {

if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) {

iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);

iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);

}

}

}

首先從上面的代碼可以看出 wifidog 支持多個鑒權服務器,并且針對每一個鑒權服務器設置了如下兩條規則:

1)在filter表中追加一條[任何訪問鑒權服務器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈:iptables -t filter -A? WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT

2)在nat表中追加一條[任何訪問鑒權服務器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈:iptables -t nat -A WiFiDog_$ID$_AuthServers? -d auth-server地址 -j ACCEPT

這樣確保可以訪問鑒權服務器,而不是拒絕所有的出口訪問。

本文由http://www.wifidog.pro/2014/12/08/wifidog%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90.html整理編輯,轉載請注明出處

最后編輯于
?著作權歸作者所有,轉載或內容合作請聯系作者
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發布,文章內容僅代表作者本人觀點,簡書系信息發布平臺,僅提供信息存儲服務。

推薦閱讀更多精彩內容

  • 1.安全技術 (1)入侵檢測與管理系統(Intrusion Detection Systems): 特點是不阻斷任...
    尛尛大尹閱讀 2,500評論 0 2
  • 上一篇分析了 接入設備 在接入路由器,并發起首次 HTTP/80 請求到路由器上時,wifidog 是如何將此 H...
    3c937c88e6c0閱讀 1,501評論 0 2
  • **2014真題Directions:Read the following text. Choose the be...
    又是夜半驚坐起閱讀 9,880評論 0 23
  • 2012年研二暑假,我鼓足勇氣一個人只身北上,讓朋友幫忙聯系了住處,去北大修習課程,圓了自己一個北大夢。這是我送給...
    酸爽的橙子閱讀 276評論 0 0
  • 我是奶茶,我有一個百萬粉絲的夢想。沒有受過專業的播音主持訓練,也沒有任何在電臺的從業經驗,只是懷著一顆對于播音和電...
    暖心奶茶閱讀 453評論 1 1