removes useless and outdated notes

commit 6da8a9b2cf24ecb060ff28c1b41465fec766fe9a 1 parent 1d7e0be
Davide Guerri authored

Showing 1 changed file with 0 additions and 190 deletions.

DEV-NOTES.rdoc (0 additions, 190 deletions)
... ... @@ -1,190 +0,0 @@
1   -== Byte counters
2   -
3   -Create 2 different rules for input and OUTPUT:
4   -
5   - iptables -A FORWARD -s <client ip> -m mac --mac-source <client mac> -j MARK --set-mark <user tc UP mark>
6   - iptables -A FORWARD -d <client ip> <client mac> -j MARK --set-mark <user tc DOWN mark>
7   -
8   -== Layout regole iptables
9   -
10   -RAILSCP_PREROUTING_NAT: Services redirect chain (e.g.: DNS FORWARDER)
11   -
12   - # Max mark (32bit) 0xFFFFFFFF
13   - # Mark mask: 0xZXXYYYYY
14   - # Z = 2 / 3 (10 / 11 bin) mark & 0x20000000 == 0x20000000 <=> rails CP marks
15   - # 2 --> From client mark & 0x30000000 == 0x20000000 <=> from clients
16   - # 3 --> To client mark & 0x30000000 == 0x30000000 <=> to clients
17   - # XX = CP id (255 different) mark & 0x3FF00000 == 0x3XX00000
18   - # == 0x2XX00000
19   - # YYYYY = Client ID (131071 clients) mark & 0x300FFFFF == 0x300YYYYY <=> from client YYYYY
20   - # == 0x200YYYYY <=> to client YYYYY
21   -
22   -
23   - ## Rules to be create at application start
24   -
25   - # CP redirection / port forwarding
26   - iptables -t nat -I PREROUTING 1 -j RAILSCP_PREROUTING_NAT
27   - # Filtering
28   - iptables -t filter -I FORWARD 1 -j RAILSCP_FORWARDING_FILTER
29   - # NAT / Masquerade
30   - iptables -t nat -I POSTROUTING 1 -j RAILSCP_POSTROUTING_NAT
31   -
32   - ## CP redirection / port forwarding
33   - iptables -N RAILSCP_PREROUTING_NAT
34   - # For each defined CP
35   - iptables -A RAILSCP_PREROUTING_NAT -i "$CPInterface" -j "RAILSCP_DNAT_$CPId"
36   - iptables -A RAILSCP_PREROUTING_NAT -i "$CPInterface" -j "RAILSCP_AUTHED_$CPId"
37   -
38   - # If the packet is marked by railscp, skip redirections
39   - iptables -N RAILSCP_PREROUTING_NAT
40   - # For each defined CP
41   - iptables -A RAILSCP_PREROUTING_NAT -i "$CPInterface" -m connmark --mark 0x20000000/0x20000000 -j RETURN
42   - iptables -A RAILSCP_PREROUTING_NAT -i "$CPInterface" -j RAILSCP_REDIR
43   -
44   - # Redirection rules
45   - # For each defined CP
46   - iptables -N "RAILSCP_REDIR_$CPId"
47   - iptables -F "RAILSCP_REDIR_$CPId"
48   - iptables -A "RAILSCP_REDIR_$CPId" -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:<port>
49   - iptables -A "RAILSCP_REDIR_$CPId" -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:<port ssl>
50   -
51   - # Force DNS requestst to be served by the local forwarder
52   - # For each defined CP
53   - iptables -N "RAILSCP_DNAT_$CPId"
54   - iptables -F "RAILSCP_DNAT_$CPId"
55   - iptables -A "RAILSCP_DNAT_$CPId" -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
56   - iptables -A "RAILSCP_DNAT_$CPId" -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
57   -
58   - # Authenticated users goes here! Note the --mac-source option
59   - # For each defined CP
60   - iptables -N "RAILSCP_AUTHED_$CPId"
61   - iptables -F "RAILSCP_AUTHED_$CPId"
62   - iptables -A "RAILSCP_AUTHED_$CPId" -s <client ip> -m mac --mac-source <client mac> -j MARK --set-mark 0xHHHHHHHH
63   - iptables -A "RAILSCP_AUTHED_$CPId" -d <client ip> <client mac> -j MARK --set-mark 0xJJJJJJJJ
64   -
65   - ## Filtering
66   - iptables -N RAILSCP_FORWARDING_FILTER
67   - iptables -F RAILSCP_FORWARDING_FILTER
68   - # For each defined CP
69   - iptables -A RAILSCP_FORWARDING_FILTER -i "$CPInterface" -m connmark --mark 0x20000000/0x20000000 -j RETURN
70   - iptables -A RAILSCP_FORWARDING_FILTER -i "$CPInterface" -j DROP
71   -
72   - ## NAT / Masquerade
73   - # For each defined CP
74   - iptables -N RAILSCP_POSTROUTING_NAT
75   - iptables -A RAILSCP_POSTROUTING_NAT -i "$CPInterface" -j RETURN
76   -
77   -
78   - ## Cleaning rules
79   - iptables -F RAILSCP_PREROUTING_NAT
80   - iptables -F RAILSCP_FORWARDING_FILTER
81   - iptables -F RAILSCP_POSTROUTING_NAT
82   -
83   -
84   - # Above commands should be run as shell/ruby/whatever scripts chmod'd to 0510 and chown'd to root.www-data
85   -
86   -== Radius Accounting/Auth
87   -
88   -called station id = nas mac address <--- MAC of first eth interface!
89   -calling station id client mac address
90   -
91   - switch($radiusvendor) {
92   -
93   - case 'cisco':
94   - $calledstationid = $clientmac;
95   - $callingstationid = $clientip;
96   - break;
97   -
98   - default:
99   - $calledstationid = $nas_mac;
100   - $callingstationid = $clientmac;
101   - }
102   -
103   -
104   -
105   -== Obtaining a mac address from an IP address
106   -
107   -2 ways
108   -
109   -1. via SNMP
110   -
111   - require 'snmp'
112   -
113   - ip_address = "194.242.230.6"
114   -
115   - snmp_server_ip = "localhost"
116   - snmp_community = "public"
117   - snmp_version = :SNMPv2c
118   -
119   - begin
120   - manager = SNMP::Manager.new( :Host => snmp_server_ip,
121   - :Port => 161,
122   - :Community => snmp_community,
123   - :Version => :SNMPv2c,
124   - :Timeout => 1,
125   - :Retries => 2,
126   - :MibModules => ["RFC1213-MIB"])
127   -
128   - response = manager.get("RFC1213-MIB::atPhysAddress.2.1.#{ip_address}")
129   - if (response.error_status == :noError) and (response.varbind_list[0].value != SNMP::NoSuchInstance)
130   - mac_address = response.varbind_list[0].value.unpack("H2"*6).join(":")
131   - else
132   - mac_address = nil
133   - end
134   - rescue
135   - mac_address = nil
136   - end
137   -
138   - puts mac_address
139   -
140   -=== CONS
141   - - require 'snmpd' running on directly a connected machine
142   - - slower than ARP approach
143   -
144   -=== PROS
145   - - calling process doesn't need to run on a machine directly connected to the host with the IP we're using
146   - - multiplatform (as long as the platform can run snmpd and supports 'RFC1213-MIB' mib )
147   -
148   -
149   -2. via ARP
150   -
151   - ip_address = "194.242.230.6"
152   - arp_command = "arp -n #{ip_address}"
153   - regexp = /\A.+\s+ether\s+(([0-9a-f]{2}:){5}[0-9a-f]{2})\s/
154   -
155   -
156   - mac_address = nil
157   - open("|"+arp_command).each do |line|
158   - if line =~ regexp
159   - mac_address = $1
160   - break
161   - end
162   - end
163   -
164   - puts mac_address
165   -
166   -
167   -=== CONS
168   - - calling process has to run on a machine directly connected to the host with the IP we're using
169   - - linux only (although we can use different command and regexp for different platforms...)
170   -
171   -=== PROS
172   - - no extra software required
173   - - faster than SNMP approach
174   -
175   -
176   -== Autenticazione e house keeping utenze
177   -
178   -
179   - 1) Access-Request
180   - 2) Accounting START
181   -
182   - n) Polling:
183   -n+1) Accounting Interim-Update
184   -n+2) Access-Request
185   -
186   - Se fallisce:
187   - Accounting STOP
188   -
189   - http://portmasters.com/tech/docs/radius/accounting.html
190   -
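Review bot: Deleting DEV-NOTES.rdoc wholesale drops the only written record of the fwmark layout (`# Mark mask: 0xZXXYYYYY`, with `0x20000000`/`0x30000000` distinguishing from-client and to-client traffic, the CP id in bits XX and the client id in YYYYY) and of the intended RAILSCP_* chain order; if the rule generator still follows that scheme, move the description into the README or a comment beside the code that emits the rules in this same commit rather than losing it. The notes do contradict themselves, which supports calling them outdated: `RAILSCP_PREROUTING_NAT` is created with `iptables -N` twice, the rule `iptables -A RAILSCP_PREROUTING_NAT -i "$CPInterface" -j RAILSCP_REDIR` jumps to a chain that is only ever created as `RAILSCP_REDIR_$CPId`, and both `-m connmark --mark 0x20000000/0x20000000 -j RETURN` rules test a connection mark while the AUTHED rules only set a packet mark with `-j MARK --set-mark` and no `CONNMARK --save-mark` rule appears, so authenticated clients would never be accepted by `RAILSCP_FORWARDING_FILTER` as written. Worth confirming the live rule generator does not share those defects before this reference disappears; the line about scripts "chmod'd to 0510 and chown'd to root.www-data" is also the only statement of how the web user is expected to invoke iptables, and that expectation should live somewhere in the code or deployment docs.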
