Changes between Version 3 and Version 4 of doc/developer/WiFiDog_V2

Timestamp: 03/25/08 22:16:56
Author: papril
Comment: --
  • doc/developer/WiFiDog_V2 (v3 to v4)
XML or YAML would have been great, but I tried to use Syck (http://whytheluckystiff.net/syck/) and it didn't seem trivial to use; it appears to offer a stream parser, whereas we need something more like a DOM to look up the values returned.

Removed (v3): JSON (with json-c-0.7) gives us that in C and is quite elegant.
Added (v4): JSON (with json-c-0.7 http://oss.metaparadigm.com/json-c/) gives us that in C and is quite elegant.

Here's how we can generate JSON:

(unchanged lines 51 to 75 not shown in this diff)

This will retrieve the string value of "node_id" at the first level in the tree.

=== Firewall rules (Linux) ===
We used to use MARKs to tag whether traffic is known, unknown or in validation.

Now, traffic should simply be known or unknown; specific deny rules (for example, "nothing but port 80") should be sent as "deny acl rules".

We should try to stop using MARKs, as we only have 255 of them (it wouldn't be trivial, or good, I think, to track "who has which mark" with a limit of 255).

Here's what I have tried so far; it's not complete, but I'm posting it anyway:
{{{
#!/bin/sh
# LAN_INTERFACE, WAN_INTERFACE and AUTHSERV_HOSTNAME are placeholders: set them before running.
: "${LAN_INTERFACE:?}" "${WAN_INTERFACE:?}" "${AUTHSERV_HOSTNAME:?}"

# Everything from LAN to WAN interface
iptables -t filter -N wd_lan2wan
# Default rules (example: deny TCP 25 always)
iptables -t filter -N wd_lan2wan_fromauth
# Allowed clients (we can track outgoing traffic here)
iptables -t filter -N wd_lan2wan_clients
# The last REJECT rule (unknown traffic)
iptables -t filter -N wd_lan2wan_defaults
# For incoming stats
iptables -t filter -N wd_incoming_stats

# Insert the "catch everything from lan to wan" jump
iptables -t filter -I FORWARD 1 -i "$LAN_INTERFACE" -o "$WAN_INTERFACE" -j wd_lan2wan
# Insert the incoming stats rule _ON TOP_ (we RETURN in this chain, so we still
# go on to the next chains). Incoming traffic cannot be tracked by MAC address;
# it needs the IP.
iptables -t filter -I FORWARD 1 -j wd_incoming_stats

# For pppoe to work properly, clamp the MSS (the router will probably have this
# already; we just have to insert ourselves at the right place). It must come
# before the jumps below: rules are appended in order, and anything placed after
# the jump to wd_lan2wan_defaults is never reached because that chain ends in REJECT.
iptables -t filter -A wd_lan2wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# 1. Global settings (drop going to port 25 for everyone)
iptables -t filter -A wd_lan2wan -j wd_lan2wan_fromauth
# 2. Allowed clients and specific client rules (and outgoing bandwidth)
iptables -t filter -A wd_lan2wan -j wd_lan2wan_clients
# 3. Deny rule
iptables -t filter -A wd_lan2wan -j wd_lan2wan_defaults

# Allow DNS please
iptables -t filter -A wd_lan2wan_defaults -p tcp --dport 53 -j ACCEPT
iptables -t filter -A wd_lan2wan_defaults -p udp --dport 53 -j ACCEPT

# Allow auth server (the hostname is resolved when the rule is inserted)
iptables -t filter -A wd_lan2wan_defaults -d "$AUTHSERV_HOSTNAME" -j ACCEPT

# Base "reject" rule
iptables -t filter -A wd_lan2wan_defaults -j REJECT

# We can only do the redirect to local port 2060 in the PREROUTING or OUTPUT
# chains of the "nat" table. Only LAN-side traffic goes through wd_redirect, so
# port 80 arriving on the WAN side is never redirected into wifidog.
iptables -t nat -N wd_redirect
iptables -t nat -I PREROUTING 1 -i "$LAN_INTERFACE" -j wd_redirect

# Redirect to local wifidog port 2060
iptables -t nat -A wd_redirect -p tcp --dport 80 -j REDIRECT --to-ports 2060
}}}

Almost all of this works, but we have to find the right recipe.
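
As an added example (not WiFiDog's own code) of the "known or unknown, plus deny acl rules" model above, the script below admits or expels a client by inserting and deleting per-client rules in wd_lan2wan_clients, wd_incoming_stats and wd_redirect instead of setting a MARK, and reads the byte counters back for accounting. It assumes those chains exist as set up in the recipe above; the "<table> <chain> <rulespec>" line format, the ACL grammar (only/tcp/80 for "nothing but 80", deny/tcp/25), the client_* function names and the sample iptables listing are all invented here.

```shell
#!/bin/sh
# Added example, not WiFiDog's own code: admit and expel a client without
# fwmarks, on top of the chains from the recipe above (wd_lan2wan_clients and
# wd_incoming_stats in "filter", wd_redirect in "nat").  Assumptions: the
# "<table> <chain> <rulespec>" line format, the ACL grammar deny/PROTO/PORT
# and only/PROTO/PORT, and the client_* function names.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}      # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# The IP and MAC come from the auth server reply / ARP table and end up as
# iptables arguments, so refuse anything that is not exactly an address: a
# "MAC" like "00:11:22:33:44:55 -j ACCEPT" would otherwise be spliced into the rule.
valid_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac()  { printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Print one "<table> <chain> <rulespec>" line per rule for a known client.
# Lines are written in *insert* order: each is applied with "-I CHAIN 1", so a
# later line lands above an earlier one.  That puts the deny ACLs above the
# client's ACCEPT, and the client's RETURN above the REDIRECT in wd_redirect.
# Replaying the same list with -D removes the client again, so the only state
# to keep per client is its IP, MAC and ACL list (no "who has which mark").
client_rules() {
    ip=$1; mac=$2
    valid_ipv4 "$ip" && valid_mac "$mac" || { echo "client_rules: bad address '$ip' / '$mac'" >&2; return 1; }
    shift 2
    match="-s $ip -m mac --mac-source $mac"
    # known client: ACCEPT; its byte counter is the outgoing usage
    printf 'filter wd_lan2wan_clients %s -j ACCEPT\n' "$match"
    # deny ACLs, e.g. "only/tcp/80" (nothing but TCP 80) or "deny/tcp/25"
    for acl in "$@"; do
        kind=${acl%%/*}; rest=${acl#*/}; proto=${rest%%/*}; port=${rest#*/}
        case $kind/$proto in deny/tcp|deny/udp|only/tcp|only/udp) ;;
            *) echo "client_rules: bad acl '$acl'" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "client_rules: bad port in '$acl'" >&2; return 1 ;; esac
        [ "$kind" = only ] && neg='! ' || neg=''
        printf 'filter wd_lan2wan_clients %s -p %s %s--dport %s -j REJECT\n' "$match" "$proto" "$neg" "$port"
    done
    # incoming usage: reply traffic carries no client MAC, so match on -d only
    printf 'filter wd_incoming_stats -d %s -j RETURN\n' "$ip"
    # known clients skip the captive-portal REDIRECT
    printf 'nat wd_redirect %s -j RETURN\n' "$match"
}

# Feed client_rules output to iptables; ACTION is -I (insert on top) or -D.
apply_rules() {
    action=$1
    while read -r table chain spec; do
        set -- $spec                      # split the rulespec into arguments
        if [ "$action" = -I ]; then run -t "$table" -I "$chain" 1 "$@"
        else run -t "$table" -D "$chain" "$@"; fi
    done
}

# Only touch the firewall once the whole rule list has been validated.
client_add() { rules=$(client_rules "$@") || return 1; printf '%s\n' "$rules" | apply_rules -I; }
client_del() { rules=$(client_rules "$@") || return 1; printf '%s\n' "$rules" | apply_rules -D; }

# Sum the byte counters (column 2 of `iptables -vnxL CHAIN`) of the rules whose
# source (src, column 8) or destination (dst, column 9) is IP.
chain_bytes() {
    ip=$1; col=8; [ "$2" = dst ] && col=9
    awk -v ip="$ip" -v col="$col" '$col == ip { sum += $2 } END { printf "%d\n", sum }'
}

# Constructed sample of `iptables -t filter -vnxL wd_lan2wan_clients` output,
# used only to demonstrate chain_bytes offline.
SAMPLE_LISTING='Chain wd_lan2wan_clients (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42      12345 ACCEPT     all  --  *      *       192.168.1.50         0.0.0.0/0            MAC 00:11:22:33:44:55
       3        180 REJECT     tcp  --  *      *       192.168.1.50         0.0.0.0/0            MAC 00:11:22:33:44:55 tcp dpt:!80 reject-with icmp-port-unreachable
      10       5000 ACCEPT     all  --  *      *       192.168.1.51         0.0.0.0/0            MAC 66:77:88:99:AA:BB'

# Usage: add IP MAC [ACL...] | del IP MAC [ACL...] | out IP | in IP | demo
case ${1:-} in
    add)  shift; client_add "$@" ;;
    del)  shift; client_del "$@" ;;
    out)  run -t filter -vnxL wd_lan2wan_clients | chain_bytes "$2" src ;;
    in)   run -t filter -vnxL wd_incoming_stats  | chain_bytes "$2" dst ;;
    demo) printf '%s\n' "$SAMPLE_LISTING" | chain_bytes 192.168.1.50 src ;;
esac
```

Run it as `DRY_RUN=1 sh wd-client.sh add 192.168.1.50 00:11:22:33:44:55 only/tcp/80` to see the commands it would issue; `del` with the same arguments removes exactly the rules that were added. The address checks are there because the IP and MAC are supplied from outside the daemon and are passed straight to iptables as arguments.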