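/**
 * Builds the hotspot iptables rule set and writes it to /etc/artica-postfix/hotspot.conf.
 *
 * Configuration is read through sockets::GET_INFO. The two proxy ports are
 * chosen once and persisted with SET_INFO when unset; the splash ports fall
 * back to 16080/16443 and the interface to eth0. Rule lines come from helpers
 * defined elsewhere in this file (defaults_ports, ebtables_rules,
 * whitelist_destination, whitelist_webserver, redirect_mac_to_proxy,
 * redirect_ip_to_proxy, redirect_mac_to_splash, redirect_ip_to_splash) and
 * from the hotspot_whitelist / hotspot_networks tables.
 *
 * Side effects: sets $GLOBALS["HOSTPOT_WEB_INTERFACE"] to the interface's
 * address; clears $GLOBALS["MARKHTTP"] / $GLOBALS["MARKHTTPS"] when
 * $GLOBALS["EBTABLES"] is set. Progress is echoed only when $GLOBALS["OUTPUT"]
 * is truthy.
 *
 * @return void  Returns early, writing nothing, when a database query fails.
 */
function build()
{
    $sock = new sockets();
    $unix = new unix();
    $ipClass = new IP();
    $q = new mysql_squid_builder();

    // Every progress line shares the same prefix; route them through one helper.
    $log = function ($message) {
        if (!$GLOBALS["OUTPUT"]) {
            return;
        }
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} {$message}\n";
    };

    $ArticaHotSpotPort = $sock->GET_INFO("ArticaHotSpotPort");
    $ArticaSSLHotSpotPort = $sock->GET_INFO("ArticaSSLHotSpotPort");
    $ArticaSplashHotSpotPort = $sock->GET_INFO("ArticaSplashHotSpotPort");
    $ArticaSplashHotSpotPortSSL = $sock->GET_INFO("ArticaSplashHotSpotPortSSL");
    $ArticaHotSpotInterface = $sock->GET_INFO("ArticaHotSpotInterface");
    $EnableArticaHotSpotCAS = $sock->GET_INFO("EnableArticaHotSpotCAS");
    if (!is_numeric($EnableArticaHotSpotCAS)) {
        $EnableArticaHotSpotCAS = 0;
    }

    // First build: pick an arbitrary unprivileged port and persist it so later
    // builds reuse the same value. The port is a local listener binding, not a
    // secret. Non-numeric stored values are treated the same as "unset".
    if (!is_numeric($ArticaHotSpotPort) || intval($ArticaHotSpotPort) == 0) {
        $ArticaHotSpotPort = mt_rand(38000, 64000);
        $sock->SET_INFO("ArticaHotSpotPort", $ArticaHotSpotPort);
    }
    if (!is_numeric($ArticaSSLHotSpotPort) || intval($ArticaSSLHotSpotPort) == 0) {
        $ArticaSSLHotSpotPort = mt_rand(38500, 64000);
        $sock->SET_INFO("ArticaSSLHotSpotPort", $ArticaSSLHotSpotPort);
    }
    if ($ArticaHotSpotInterface === null || trim($ArticaHotSpotInterface) === "") {
        $ArticaHotSpotInterface = "eth0";
    }
    if (!is_numeric($ArticaSplashHotSpotPort)) {
        $ArticaSplashHotSpotPort = 16080;
    }
    if (!is_numeric($ArticaSplashHotSpotPortSSL)) {
        $ArticaSplashHotSpotPortSSL = 16443;
    }

    // Resolve the splash interface address; report instead of emitting a
    // notice when the interface is unknown or has no address.
    $NETWORK_ALL_INTERFACES = $unix->NETWORK_ALL_INTERFACES();
    $ipaddr = null;
    if (isset($NETWORK_ALL_INTERFACES[$ArticaHotSpotInterface]["IPADDR"])) {
        $ipaddr = $NETWORK_ALL_INTERFACES[$ArticaHotSpotInterface]["IPADDR"];
    } else {
        $log("no IP address found for interface `{$ArticaHotSpotInterface}`");
    }
    $GLOBALS["HOSTPOT_WEB_INTERFACE"] = $ipaddr;

    $time = time();
    $suffixTables = "-m comment --comment \"ArticaHotSpot-{$time}\"";
    $iptables = $unix->find_program("iptables");

    defaults_ports();
    $f = array();
    $f[] = ebtables_rules();
    if ($GLOBALS["EBTABLES"]) {
        $GLOBALS["MARKHTTP"] = null;
        $GLOBALS["MARKHTTPS"] = null;
    } else {
        // Without ebtables, create the mangle chains that mark traffic
        // (internet=99, internssl=98).
        $f[] = "{$iptables} -t mangle -N internet -m comment --comment ArticaHotSpot-{$time}";
        $f[] = "{$iptables} -t mangle -N internssl -m comment --comment ArticaHotSpot-{$time}";
        $f[] = "{$iptables} -t mangle -A internet -j MARK --set-mark 99 -m comment --comment ArticaHotSpot-{$time}";
        $f[] = "{$iptables} -t mangle -A internssl -j MARK --set-mark 98 -m comment --comment ArticaHotSpot-{$time}";
    }

    $log("C.A.S : {$EnableArticaHotSpotCAS}");

    $c = 0; // number of per-network rules emitted; 0 means "redirect everything"
    if ($EnableArticaHotSpotCAS == 1) {
        $ArticaHotSpotCASHost = $sock->GET_INFO("ArticaHotSpotCASHost");
        $f[] = whitelist_destination($ArticaHotSpotCASHost);
    }

    // Whitelisted web servers.
    $results = $q->QUERY_SQL("SELECT * FROM `hotspot_whitelist`");
    if (!$q->ok) {
        $log($q->mysql_error);
        return;
    }
    $log(mysql_num_rows($results) . " whitelisted websites");
    while ($ligne = mysql_fetch_assoc($results)) {
        $f[] = whitelist_webserver($ligne["ipaddr"], $ligne["port"], $ligne["ssl"]);
    }

    // Networks that bypass the splash page and go straight to the proxy.
    $results = $q->QUERY_SQL("SELECT * FROM `hotspot_networks` WHERE hotspoted=0");
    if (!$q->ok) {
        $log($q->mysql_error);
        return;
    }
    $log(mysql_num_rows($results) . " whitelisted");
    while ($ligne = mysql_fetch_assoc($results)) {
        $pattern = $ligne["pattern"];
        if ($ipClass->IsvalidMAC($pattern)) {
            $c++;
            $f[] = redirect_mac_to_proxy($pattern);
            continue;
        }
        if ($ipClass->isIPAddressOrRange($pattern)) {
            $c++;
            $log("Whitelist IP: {$pattern} {$ArticaHotSpotPort}/{$ArticaSSLHotSpotPort}");
            $f[] = redirect_ip_to_proxy($pattern);
            continue;
        }
        $log("Unkown `{$pattern}`");
    }

    // Networks that are sent to the splash page.
    $results = $q->QUERY_SQL("SELECT * FROM `hotspot_networks` WHERE hotspoted=1");
    if (!$q->ok) {
        $log($q->mysql_error);
        return;
    }
    $log(mysql_num_rows($results) . " hotspoted");
    while ($ligne = mysql_fetch_assoc($results)) {
        $pattern = $ligne["pattern"];
        $restrict_web = $ligne["restrict_web"];
        if ($ipClass->IsvalidMAC($pattern)) {
            $c++;
            $log("hostpot MAC: {$pattern} {$ipaddr}:{$ArticaSplashHotSpotPort}/{$ipaddr}:{$ArticaSplashHotSpotPortSSL}");
            $f[] = redirect_mac_to_splash($pattern, $restrict_web);
            continue;
        }
        if ($ipClass->isIPAddressOrRange($pattern)) {
            $c++;
            $log("hostpot IP: {$pattern} {$ipaddr}:{$ArticaSplashHotSpotPort} - {$ipaddr}:{$ArticaSplashHotSpotPortSSL}");
            $f[] = redirect_ip_to_splash($pattern, $restrict_web);
            continue;
        }
        $log("Unkown `{$pattern}`");
    }

    $log("{$c} rule(s)");
    if ($c == 0) {
        // No network configured at all: every client goes to the splash page.
        $f[] = redirect_ip_to_splash("0.0.0.0/0");
    }
    $f[] = "{$iptables} -t nat -A POSTROUTING -j MASQUERADE {$suffixTables}";

    $conf = "/etc/artica-postfix/hotspot.conf";
    // The @ keeps the PHP warning out of the console; the failure is still reported.
    if (@file_put_contents($conf, implode("\n", $f)) === false) {
        $log("unable to write {$conf}");
    }
}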
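/**
 * Generates the /etc/init.d/tproxy script holding Squid's transparent-proxy
 * iptables rules, writes it, and installs it through script_install().
 *
 * When UseTProxyMode is 1 the work is delegated to exec.squid.tproxy.php and
 * the existing tproxy init script is started; nothing is generated here.
 * Otherwise the script is assembled from: sysctl tweaks (ip_forward,
 * send_redirects), the transparent-delete script, ebtables_rules(), the mangle
 * mark chains internetT=96 / internsslT=97 (only when $GLOBALS["EBTABLES"] is
 * not set), nat OUTPUT/POSTROUTING rules, one rule set per enabled row of
 * transparent_networks (pattern_to_www / pattern_to_direct / pattern_to_proxy),
 * an optional bypass for NatProxyServer, and ChildsProxys().
 *
 * Side effects: sets $GLOBALS["IPTABLESBIN"] and $GLOBALS["echobin"]; echoes
 * progress unconditionally; reports build_progress() at 35, 45 and 48.
 *
 * @return void
 */
function iptables_rules()
{
    $squid = new squidbee();
    $unix = new unix();
    $sock = new sockets();

    $UseTProxyMode = intval($sock->GET_INFO("UseTProxyMode"));
    $ssl_port = $squid->get_ssl_port();
    if (!is_numeric($squid->listen_port)) {
        $squid->listen_port = 3128;
    }
    $iptables = $unix->find_program("iptables");
    $GLOBALS["IPTABLESBIN"] = $iptables;
    $sysctl = $unix->find_program("sysctl");

    // send_redirects is interpolated into the generated script: keep it a plain integer.
    $KernelSendRedirects = $sock->GET_INFO("KernelSendRedirects");
    $KernelSendRedirects = is_numeric($KernelSendRedirects) ? intval($KernelSendRedirects) : 1;

    $EnableNatProxy = intval($sock->GET_INFO("EnableNatProxy"));
    $NatProxyServer = trim($sock->GET_INFO("NatProxyServer"));

    echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: UseTProxyMode.....:{$UseTProxyMode}\n";
    if ($UseTProxyMode == 1) {
        disable_transparent();
        iptables_wccp_delete_all();
        $php = $unix->LOCATE_PHP5_BIN();
        echo "Starting......: " . date("H:i:s") . " Squid running Tproxy Mode\n";
        system("{$php} /usr/share/artica-postfix/exec.squid.tproxy.php");
        echo "Starting......: " . date("H:i:s") . " Squid running TProxy script...\n";
        shell_exec("/etc/init.d/tproxy start");
        return;
    }

    $php = $unix->LOCATE_PHP5_BIN();
    $GLOBALS["echobin"] = $unix->find_program("echo");
    $echobin = $GLOBALS["echobin"];
    $MARKLOG = "-m comment --comment \"ArticaSquidTransparent\"";

    $sh = array();
    $sh[] = script_startfile();
    build_progress("Creating rules...", 35);

    $sh[] = "{$echobin} \"Patching kernel\"";
    $sh[] = "{$sysctl} -w net.ipv4.ip_forward=1 2>&1";
    $sh[] = "{$sysctl} -w net.ipv4.conf.default.send_redirects={$KernelSendRedirects} 2>&1";
    $sh[] = "{$sysctl} -w net.ipv4.conf.all.send_redirects={$KernelSendRedirects} 2>&1";
    if (is_file("/proc/sys/net/ipv4/conf/eth0/send_redirects")) {
        $sh[] = "{$sysctl} -w net.ipv4.conf.eth0.send_redirects={$KernelSendRedirects} 2>&1";
    }

    // Remove any previous rule set before adding the new one.
    $sh[] = "{$php} /usr/share/artica-postfix/exec.squid.transparent.delete.php || true";
    $sh[] = ebtables_rules();
    $sh[] = "{$echobin} \"Enable rules\"";
    $sh[] = "{$iptables} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT {$MARKLOG} || true";

    if (!$GLOBALS["EBTABLES"]) {
        $sh[] = "{$echobin} \"Add internetT dictionary\"";
        $sh[] = "{$iptables} -t mangle -N internetT {$MARKLOG} || true";
        $sh[] = "{$echobin} \"Add internsslT dictionary\"";
        $sh[] = "{$iptables} -t mangle -N internsslT {$MARKLOG} || true";
        $sh[] = "{$echobin} \"Add mangle MARK 97 for internsslT\"";
        $sh[] = "{$iptables} -t mangle -A internsslT -j MARK --set-mark 97 {$MARKLOG} || true";
        $sh[] = "{$echobin} \"Add mangle MARK 96 for internetT\"";
        $sh[] = "{$iptables} -t mangle -A internetT -j MARK --set-mark 96 {$MARKLOG} || true";
    }

    // Connections opened by the squid user are accepted in nat OUTPUT so the
    // later nat rules do not apply to them. A single rule suffices.
    $sh[] = "{$iptables} -t nat -A OUTPUT --match owner --uid-owner squid -p tcp -j ACCEPT {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -I POSTROUTING -p tcp --dport 443 -j MASQUERADE {$MARKLOG}";

    $q = new mysql_squid_builder();
    $results = $q->QUERY_SQL("SELECT * FROM transparent_networks WHERE `enabled`=1 ORDER BY zOrder");
    if (!$q->ok) {
        // Report the failure; the rest of the script is still generated as before.
        echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: {$q->mysql_error}\n";
    } else {
        while ($ligne = mysql_fetch_assoc($results)) {
            // Port 0 means "default": 80, or 443 when the row is flagged ssl.
            // (Previously the 443 case used == instead of = and never took effect.)
            if ($ligne["destination_port"] == 0) {
                $ligne["destination_port"] = ($ligne["ssl"] == 1) ? 443 : 80;
            }
            // A concrete 80/443 port pins the ssl flag for the pattern_to_* helpers.
            if ($ligne["destination_port"] == 443) {
                $ligne["ssl"] = 1;
            }
            if ($ligne["destination_port"] == 80) {
                $ligne["ssl"] = 0;
            }

            if ($ligne["block"] == 1) {
                $sh[] = pattern_to_www($ligne);
                continue;
            }
            if ($ligne["transparent"] == 0) {
                $sh[] = pattern_to_direct($ligne);
                continue;
            }
            $sh[] = pattern_to_proxy($ligne, $squid->listen_port, $ssl_port);
        }
    }

    if ($EnableNatProxy == 1) {
        // The value lands verbatim in the generated shell script and is used with
        // a /32 mask, so only a literal IPv4 address is accepted.
        if (filter_var($NatProxyServer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: NatProxyServer `{$NatProxyServer}` is not an IPv4 address, bypass rules skipped\n";
        } else {
            $sh[] = "{$iptables} -t nat -I PREROUTING -s {$NatProxyServer}/32 -p tcp -m tcp --dport 80 {$MARKLOG} -j RETURN";
            $sh[] = "{$iptables} -t nat -I PREROUTING -s {$NatProxyServer}/32 -p tcp -m tcp --dport 443 {$MARKLOG} -j RETURN";
        }
    }

    $sh[] = ChildsProxys();
    $sh[] = script_endfile();

    build_progress("Writing script...", 45);
    $script = "/etc/init.d/tproxy";
    // Do not install a script that could not be written; the @ only silences the PHP warning.
    if (@file_put_contents($script, implode("\n", $sh)) === false) {
        echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: unable to write {$script}\n";
        return;
    }
    build_progress("Installing script...", 48);
    script_install();
}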