在路由器上啓動 wifidog 之後,wifidog 在啓動時會初始化一堆的防火牆規則,如下:
/** Initialize the firewall rules
*/
int iptables_fw_init(void)
{
const s_config *config;
char * ext_interface = NULL;
int gw_port = 0;
t_trusted_mac *p;
fw_quiet = 0;
LOCK_CONFIG();
config = config_get_config();
gw_port = config->gw_port;
if (config->external_interface) {
ext_interface = safe_strdup(config->external_interface);
} else {
ext_interface = get_ext_iface();
}
if (ext_interface == NULL) {
UNLOCK_CONFIG();
debug(LOG_ERR, "FATAL: no external interface");
return 0;
}
/*
*
* Everything in the MANGLE table
*
*/
/* Create new chains */
iptables_do_command("-t mangle -N " TABLE_WIFIDOG_TRUSTED);
iptables_do_command("-t mangle -N " TABLE_WIFIDOG_OUTGOING);
iptables_do_command("-t mangle -N " TABLE_WIFIDOG_INCOMING);
/* Assign links and rules to these new chains */
iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
iptables_do_command("-t mangle -I PREROUTING 1 -i %s -j " TABLE_WIFIDOG_TRUSTED, config->gw_interface);//this rule will be inserted before the prior one
iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " TABLE_WIFIDOG_INCOMING, config->gw_interface);
for (p = config->trustedmaclist; p != NULL; p = p->next)
iptables_do_command("-t mangle -A " TABLE_WIFIDOG_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac, FW_MARK_KNOWN);
/*
*
* Everything in the NAT table
*
*/
/* Create new chains */
iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);
iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);
/* Assign links and rules to these new chains */
iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");
iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
/*
*
* Everything in the FILTER table
*
*/
/* Create new chains */
iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);
iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);
/* Assign links and rules to these new chains */
/* Insert at the beginning */
iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");
/* XXX: Why this? it means that connections setup after authentication
stay open even after the connection is done...
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state RELATED,ESTABLISHED -j ACCEPT");*/
//Won't this rule NEVER match anyway?!?!? benoitg, 2007-06-23
//iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -i %s -m state --state NEW -j DROP", ext_interface);
/* TCPMSS rule for PPPoE */
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);
iptables_fw_set_authservers();
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);
iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);
iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);
iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);
iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);
iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);
iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);
iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");
UNLOCK_CONFIG();
return 1;
}
在該
防火牆規則的初始化過程中,會首先清除掉已有的防火牆規則,重新創建新的過濾鏈,另外,除了通過iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 這個命令將 接入設備的 80 端口(HTTP)的訪問重定向至網關自身的 HTTP 的端口之外,還通過iptables_fw_set_authservers(); 函數設置了 鑑權服務器(auth-server)
的防火牆規則:
void iptables_fw_set_authservers(void)
{
const s_config *config;
t_auth_serv *auth_server;
config = config_get_config();
for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) {
if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) {
iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);
iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);
}
}
}
首先從上面的代碼可以看出 wifidog 支持多個鑑權服務器,並且針對每一個鑑權服務器設置瞭如下兩條規則:
1)在filter表中追加一條[任何訪問鑑權服務器都被接受]的WiFiDog_$ID$AuthServers過濾鏈:iptables -t filter -A WiFiDog$ID$AuthServers -d auth-server地址 -j ACCEPT
2)在nat表中追加一條[任何訪問鑑權服務器都被接受]的WiFiDog$ID$AuthServers過濾鏈:iptables -t nat -A WiFiDog$ID$_AuthServers -d auth-server地址 -j ACCEPT
這樣確保可以訪問鑑權服務器,而不是拒絕所有的出口訪問。