因爲最近公司內部有個關於路由器的項目使用了該開源項目做Demo,安裝配置很簡單,但是對運行機制不是太瞭解,所以抽了點時間初步對 wifidog 的源碼進行了分析。
(對於 wifidog 是什麼開源項目,以及如何安裝配置,就不做解釋了,直接 Google 吧)。
另外,wifidog 的核心還是依賴於 iptables 防火牆過濾規則來實現的,所以建議對 iptables 有了瞭解後再去閱讀 wifidog 的源碼。
在路由器上啓動 wifidog 之後,wifidog 在啓動時會初始化一堆的防火牆規則,如下:
/** Initialize the firewall rules */ int iptables_fw_init(void) { … … /* * * Everything in the NAT table * */ /* Create new chains */ iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING); iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER); iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET); iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS); /* Assign links and rules to these new chains */ iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface); iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT"); iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION); iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS); iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL); // 將 80 端口的訪問重定向(REDIRECT)到 (本路由)網關web服務器的監聽端口 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port); /* * * Everything in the FILTER table * */ /* Create new chains */ iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET); iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS); iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED); iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE); iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN); iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN); /* Assign links and rules to these new chains */ /* Insert at the beginning */ iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP"); /* TCPMSS rule for PPPoE */ iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS); iptables_fw_set_authservers(); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED); iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL); iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL); iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION); iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN); iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN); iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN); iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN); iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable"); UNLOCK_CONFIG(); return 1; }
在該 防火牆規則的初始化過程中,會首先清除掉已有的防火牆規則,重新創建新的過濾鏈,另外,除了通過 iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 這個命令將 接入設備的 80 端口(HTTP)的訪問重定向至網關自身的 HTTP 的端口之外,還通過 iptables_fw_set_authservers(); 函數設置了 鑑權服務器(auth-server) 的防火牆規則:
void iptables_fw_set_authservers(void) { const s_config *config; t_auth_serv *auth_server; config = config_get_config(); for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) { if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) { iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip); iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip); } } }
首先從上面的代碼可以看出 wifidog 支持多個 鑑權服務器,並且針對每一個鑑權服務器 設置瞭如下兩條規則:
1)在filter表中追加一條[任何訪問鑑權服務器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈:
iptables -t filter -A WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT |
2)在nat表中追加一條[任何訪問鑑權服務器都被接受]的WiFiDog_$ID$_AuthServers過濾鏈:
iptables -t nat -A WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT |
這樣確保可以訪問鑑權服務器,而不是拒絕所有的出口訪問。