From ba5151c3bd55d1f55e61e16e8e1d0d121a396ccc Mon Sep 17 00:00:00 2001
From: Gabriel Detraz
Date: Mon, 12 Jun 2017 03:58:05 +0200
Subject: [PATCH] =?UTF-8?q?Generation=20de=20l'iptables=20+=20injection=20?=
 =?UTF-8?q?et=20retrait=20des=20r=C3=A8gles=20au=20d=C3=A9marage=20du=20se?=
 =?UTF-8?q?rvice=20portail?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 portail_captif/portail_captif.service | 2 ++
 portail_captif/start_portail.py | 42 +++++++++++++++++++++++++
 portail_captif/stop_portail.py | 44 +++++++++++++++++++++++++++
 users/models.py | 5 +--
 4 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100755 portail_captif/start_portail.py
 create mode 100755 portail_captif/stop_portail.py
diff --git a/portail_captif/portail_captif.service b/portail_captif/portail_captif.service
index 635690f..ab8fd99 100644
--- a/portail_captif/portail_captif.service
+++ b/portail_captif/portail_captif.service
@@ -11,9 +11,11 @@ User=root
 Group=root
 PIDFile=/run/portail_captif.pid
 WorkingDirectory=/var/www/portail_captif/
+ExecStartPre=/usr/bin/python3 /var/www/portail_captif/portail_captif/start_portail.py
 ExecStart=/usr/bin/gunicorn3 portail_captif.wsgi:application --pid=/run/portail_captif.pid --name www-data --user www-data --group www-data --daemon --log-file /var/log/gunicorn/portail_captif.log --log-level=info --bind=unix:///tmp/gunicorn-portail_captif.sock --workers=1
 ExecReload=/bin/kill -s HUP $MAINPID
 ExecStop=/bin/kill -s TERM $MAINPID
+ExecStopPost=/usr/bin/python3 /var/www/portail_captif/portail_captif/stop_portail.py
 Restart=on-failure
 RestartSec=65
 StartLimitInterval=60
diff --git a/portail_captif/start_portail.py b/portail_captif/start_portail.py
new file mode 100755
index 0000000..1b3c91d
--- /dev/null
+++ b/portail_captif/start_portail.py
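Review bot: The new ExecStartPre and ExecStopPost lines execute start_portail.py and stop_portail.py as root (the unit has User=root and neither line overrides it) from /var/www/portail_captif/, the same tree the gunicorn process serves after dropping to www-data via `--user www-data --group www-data`; if www-data, or whoever deploys the site, can write to that directory, editing those scripts or the settings module they import is a direct root escalation. The scripts and portail_captif/settings.py should be root-owned and not writable by www-data, or the hooks should be moved out of the web root. A comment on the ExecStopPost line would also help, since as I read systemd semantics it runs on every exit including the failures that Restart=on-failure retries, so every restart cycle performs the full iptables flush and restore. The unit's `[Service]` section starts before this hunk.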
@@ -0,0 +1,42 @@
+# Copyright © 2017 Gabriel Détraz
+# Copyright © 2017 Goulven Kermarec
+# Copyright © 2017 Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Ce script est appellé avant le démarage du portail, il insère les bonnes règles
+# dans l'iptables et active le routage
+
+import os, sys
+
+proj_path = "/var/www/portail_captif/"
+# This is so Django knows where to find stuff.
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "portail_captif.settings")
+sys.path.append(proj_path)
+
+# This is so my local_settings.py gets loaded.
+os.chdir(proj_path)
+
+from users.models import restore_iptables, apply
+from portail_captif.settings import AUTORIZED_INTERFACES
+
+# Restauration de l'iptables
+restore_iptables()
+# Activation du routage sur les bonnes if
+for interface in AUTORIZED_INTERFACES:
+    apply("echo 1 > /proc/sys/net/ipv6/conf/%s/forwarding" % interface)
+    apply("echo 1 > /proc/sys/net/ipv4/conf/%s/forwarding" % interface)
+
+
diff --git a/portail_captif/stop_portail.py b/portail_captif/stop_portail.py
new file mode 100755
index 0000000..1be4345
--- /dev/null
+++ b/portail_captif/stop_portail.py
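Review bot: The `echo 1 > /proc/sys/net/ipv6/conf/%s/forwarding` line in the final loop opens an IPv6 path around the portal: the only captive rule in this patch is the IPv4 `iptables -t nat ... -j DNAT` added in gen_nat, and nothing in this commit programs ip6tables, so a client with IPv6 connectivity would be forwarded without ever hitting the redirect (unless restore_iptables(), which is not shown, installs an equivalent ip6tables rule). I would drop the IPv6 line until there is an ip6tables counterpart, or at least mark it with `# TODO: no ip6tables CAPTIF rule exists yet; IPv6 forwarding bypasses the portal`. The sysctl writes also do not need a shell: `open("/proc/sys/net/ipv4/conf/%s/forwarding" % interface, "w").write("1")` does the same job without composing a command string for apply(). A short English header stating that this runs as root from ExecStartPre, before gunicorn starts, would replace the French two-liner at the top.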
@@ -0,0 +1,44 @@
+# Copyright © 2017 Gabriel Détraz
+# Copyright © 2017 Goulven Kermarec
+# Copyright © 2017 Augustin Lemesle
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Ce script est appellé avant le démarage du portail, il insère les bonnes règles
+# dans l'iptables et active le routage
+
+import os, sys
+
+proj_path = "/var/www/portail_captif/"
+# This is so Django knows where to find stuff.
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "portail_captif.settings")
+sys.path.append(proj_path)
+
+# This is so my local_settings.py gets loaded.
+os.chdir(proj_path)
+
+from users.models import restore_iptables, apply
+from portail_captif.settings import AUTORIZED_INTERFACES
+
+# Destruction de l'iptables
+apply("iptables -t nat -F")
+apply("iptables -t filter -F")
+apply("iptables -t mangle -F")
+# Desactivation du routage sur les bonnes if
+for interface in AUTORIZED_INTERFACES:
+    apply("echo 0 > /proc/sys/net/ipv6/conf/%s/forwarding" % interface)
+    apply("echo 0 > /proc/sys/net/ipv4/conf/%s/forwarding" % interface)
+
+
diff --git a/users/models.py b/users/models.py
index 6f591ed..59dfb39 100644
--- a/users/models.py
+++ b/users/models.py
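Review bot: `apply("iptables -t filter -F")` and `apply("iptables -t mangle -F")` flush every chain in those tables, not just what the portal installed, so any host firewall rules on this box disappear on each stop or restart while the chain policies stay whatever they were; `-F` also leaves the CAPTIF chain itself in place (no `-X`), and whether init_nat tolerates a pre-existing chain on the next start is not visible here. Safer is to tear down only what gen_nat created, roughly `iptables -t nat -D PREROUTING -j CAPTIF`, `iptables -t nat -F CAPTIF`, `iptables -t nat -X CAPTIF`, and to say in a comment that ip6tables is deliberately untouched. The header comment was copied from start_portail.py and is wrong for this file; it should read along the lines of `# Run as root from ExecStopPost: flushes the portal's iptables rules and disables forwarding on AUTORIZED_INTERFACES`. restore_iptables is imported but unused in this script.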
@@ -30,7 +30,7 @@ from django.utils.functional import cached_property
 from macaddress.fields import MACAddressField
-from portail_captif.settings import GENERIC_IPSET_COMMAND, IPSET_NAME, REQ_EXPIRE_HRS,FORBIDEN_INTERFACES, SERVER_SELF_IP, AUTORIZED_INTERFACES
+from portail_captif.settings import GENERIC_IPSET_COMMAND, IPSET_NAME, REQ_EXPIRE_HRS,FORBIDEN_INTERFACES, SERVER_SELF_IP, AUTORIZED_INTERFACES, PORTAIL_ACTIVE
 import re, uuid
 import datetime
@@ -108,7 +108,8 @@ def gen_nat(ipt):
     ipt.init_nat("CAPTIF", decision="-")
     ipt.jump("nat", "PREROUTING", "CAPTIF")
     ipt.jump("nat", "POSTROUTING", "MASQUERADE")
-    ipt.add("nat", "-A CAPTIF -m set ! --match-set %s src -j DNAT --to-destination %s" % (IPSET_NAME, SERVER_SELF_IP))
+    if PORTAIL_ACTIVE:
+        ipt.add("nat", "-A CAPTIF -m set ! --match-set %s src -j DNAT --to-destination %s" % (IPSET_NAME, SERVER_SELF_IP))
     ipt.jump("nat", "CAPTIF", "RETURN")
     ipt.commit("nat")
     return ipt
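Review bot: The new `if PORTAIL_ACTIVE:` guard in gen_nat skips only the DNAT redirect; the PREROUTING jump to CAPTIF, the POSTROUTING MASQUERADE and the CAPTIF RETURN are still installed, so with PORTAIL_ACTIVE set to False every client is masqueraded out to the network with no ipset check at all, which is an open gateway rather than a disabled portal. If that is the intended "maintenance" mode it needs saying on the guard, for example `# PORTAIL_ACTIVE=False drops only the redirect: all clients are NATed out unauthenticated`; if not, the MASQUERADE jump should be gated by the same flag so that an inactive portal forwards nothing. `def gen_nat(ipt):` is the hunk's header context, the body shown here is the whole function through its return.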