首页 > 代码库 > wifidog 源码初分析(1)-转

wifidog 源码初分析(1)-转

wifidog 的核心还是依赖于 iptables 防火墙过滤规则来实现的,所以建议对 iptables 有了了解后再去阅读 wifidog 的源码。

在路由器上启动 wifidog 之后,wifidog 在启动时会初始化一堆的防火墙规则,如下:

[cpp] view plaincopy在CODE上查看代码片派生到我的代码片

  1. /** Initialize the firewall rules
  2. */
  3. int iptables_fw_init(void)  
  4. {  
  5.     … …  
  6. /*
  7.      *
  8.      * Everything in the NAT table
  9.      *
  10.      */
  11. /* Create new chains */
  12.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_OUTGOING);  
  13.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_ROUTER);  
  14.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);  
  15.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_GLOBAL);  
  16.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_UNKNOWN);  
  17.     iptables_do_command("-t nat -N " TABLE_WIFIDOG_AUTHSERVERS);  
  18. /* Assign links and rules to these new chains */
  19.     iptables_do_command("-t nat -A PREROUTING -i %s -j " TABLE_WIFIDOG_OUTGOING, config->gw_interface);  
  20.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -d %s -j " TABLE_WIFIDOG_WIFI_TO_ROUTER, config->gw_address);  
  21.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_ROUTER " -j ACCEPT");  
  22.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_OUTGOING " -j " TABLE_WIFIDOG_WIFI_TO_INTERNET);  
  23.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);  
  24.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);  
  25.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);  
  26.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_AUTHSERVERS);  
  27.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j " TABLE_WIFIDOG_GLOBAL);  
  28. // 将 80 端口的访问重定向(REDIRECT)到 (本路由)网关web服务器的监听端口
  29.     iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);  
  30. /*
  31.      *
  32.      * Everything in the FILTER table
  33.      *
  34.      */
  35. /* Create new chains */
  36.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_WIFI_TO_INTERNET);  
  37.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_AUTHSERVERS);  
  38.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_LOCKED);  
  39.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_GLOBAL);  
  40.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_VALIDATE);  
  41.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_KNOWN);  
  42.     iptables_do_command("-t filter -N " TABLE_WIFIDOG_UNKNOWN);  
  43. /* Assign links and rules to these new chains */
  44. /* Insert at the beginning */
  45.     iptables_do_command("-t filter -I FORWARD -i %s -j " TABLE_WIFIDOG_WIFI_TO_INTERNET, config->gw_interface);  
  46.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m state --state INVALID -j DROP");  
  47. /* TCPMSS rule for PPPoE */
  48.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu", ext_interface);  
  49.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_AUTHSERVERS);  
  50.     iptables_fw_set_authservers();  
  51.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_LOCKED, FW_MARK_LOCKED);  
  52.     iptables_load_ruleset("filter", "locked-users", TABLE_WIFIDOG_LOCKED);  
  53.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_GLOBAL);  
  54.     iptables_load_ruleset("filter", "global", TABLE_WIFIDOG_GLOBAL);  
  55.     iptables_load_ruleset("nat", "global", TABLE_WIFIDOG_GLOBAL);  
  56.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, FW_MARK_PROBATION);  
  57.     iptables_load_ruleset("filter", "validating-users", TABLE_WIFIDOG_VALIDATE);  
  58.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, FW_MARK_KNOWN);  
  59.     iptables_load_ruleset("filter", "known-users", TABLE_WIFIDOG_KNOWN);  
  60.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_WIFI_TO_INTERNET " -j " TABLE_WIFIDOG_UNKNOWN);  
  61.     iptables_load_ruleset("filter", "unknown-users", TABLE_WIFIDOG_UNKNOWN);  
  62.     iptables_do_command("-t filter -A " TABLE_WIFIDOG_UNKNOWN " -j REJECT --reject-with icmp-port-unreachable");  
  63.     UNLOCK_CONFIG();  
  64. return 1;  

在该 防火墙规则的初始化过程中,会首先清除掉已有的防火墙规则,重新创建新的过滤链,另外,除了通过iptables_do_command("-t nat -A "TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d",gw_port); 这个命令将 接入设备的 80 端口(HTTP)的访问重定向至网关自身的 HTTP 的端口之外,还通过iptables_fw_set_authservers(); 函数设置了 鉴权服务器(auth-server) 的防火墙规则:

[cpp] view plaincopy在CODE上查看代码片派生到我的代码片

  1. void iptables_fw_set_authservers(void)  
  2. {  
  3. const s_config *config;  
  4.     t_auth_serv *auth_server;  
  5.     config = config_get_config();  
  6. for (auth_server = config->auth_servers; auth_server != NULL; auth_server = auth_server->next) {  
  7. if (auth_server->last_ip && strcmp(auth_server->last_ip, "0.0.0.0") != 0) {  
  8.             iptables_do_command("-t filter -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);  
  9.             iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip);  
  10.         }  
  11.     }  

首先从上面的代码可以看出 wifidog 支持多个 鉴权服务器,并且针对每一个鉴权服务器 设置了如下两条规则:

1)在filter表中追加一条[任何访问鉴权服务器都被接受]的WiFiDog_$ID$_AuthServers过滤链:

iptables -t filter -A  WiFiDog_$ID$_AuthServers -d auth-server地址 -j ACCEPT

2)在nat表中追加一条[任何访问鉴权服务器都被接受]的WiFiDog_$ID$_AuthServers过滤链:

iptables -t nat -A WiFiDog_$ID$_AuthServers  -d auth-server地址 -j ACCEPT

这样确保可以访问鉴权服务器,而不是拒绝所有的出口访问。