Configure traffic redirect for data session

From YateBTS
Jump to: navigation, search

This page describes the necessary steps to configure data session traffic redirect in YateUCN.

System configuration

Create redirect directory and link the default page to yate redirector script:

mkdir -p /var/www/redir
ln -s /usr/share/yate/scripts/ucn_url_redir.php /var/www/redir/index.php
cat << EOF > /var/www/redir/.htaccess
RewriteEngine On
RewriteBase /
RewriteRule .* index.php  [L]
EOF

Configure the WEB server (assuming the redirector is listening on port 888):

cat << EOF > /etc/httpd/conf/sites.d/yate-ucn-redir.conf
Listen 888
<VirtualHost _default_:888>
   ServerAdmin root@localhost
   ServerName localhost
   VirtualDocumentRoot /var/www/redir
   DocumentRoot /var/www/redir
   Options Indexes FollowSymLinks MultiViews
</VirtualHost>
<Directory "/var/www/redir">
   AllowOverride All
</Directory>
EOF

Configure redirect using iptables (assuming DSCP 252 - 0xFC - is configured in YateUCN to mark redirected traffic):

# Create a new chain in 'filter' table
iptables -t filter -N redir

# Accept to forward packets only to specific DNS servers
# This example allows only Google public DNS servers
# You should add the DNS servers configured for all network APNs
iptables -t filter -A redir ! -p udp -j DROP
iptables -t filter -A redir -p udp -m udp ! --dport 53 -j DROP
iptables -t filter -A redir -d 8.8.8.8/32 -j ACCEPT
iptables -t filter -A redir -d 8.8.4.4/32 -j ACCEPT
iptables -t filter -A redir -j DROP

# Send all forwarded DSCP marked traffic to be checked and filtered
iptables -t filter -A FORWARD -i tun-pdn -m dscp --dscp 0x3f -j redir

# Accept to serve only local redirections to the captive portal
iptables -t filter -A INPUT -i tun-pdn -p tcp -m tcp --dport 888 -j ACCEPT
iptables -t filter -A INPUT -i tun-pdn -p tcp -j DROP
iptables -t filter -A INPUT -i tun-pdn -p sctp -j DROP

# Redirect HTTP traffic to local port 888
# Add the local service address LL.LL.LL.LL here (but not 127.0.0.1)
iptables -t nat -A PREROUTING -i tun-pdn -p tcp -m tcp --dport 80 -m dscp --dscp 0x3f -j DNAT --to-destination LL.LL.LL.LL:888

# Reset DSCP for packets going to captive portal so they are not redirected
# Add subclasses of external servers for the captive portal
iptables -t mangle -A PREROUTING -d AA.BB.CC.DD/NN -i tun-pdn -j DSCP --set-dscp 0x00

NOTE: Don't forget the iptables rules are not persistent: they will be lost on system reboot.
This may be fixed by:

  • adding the rules to shell script to be run at system start up. The script should be copied in /etc/init.d directory.
  • use iptables-save and redirect its output to a file used by iptables to load rules at system start time:
iptables-save > /etc/sysconfig/iptables

Yate configuration

The configuration file is /etc/yate/ucn/redir_config.php:

<?php

// Configure the URL redirector base path below
// This parameter is mandatory to configure
//$redir_base = "http://redirector.is.not/configured";

// If data is available these URL parameters will be added: msisdn, imsi, plmn
// Default value: true
//$redir_info = false;

// If available add the old URL to the request as "url" parameter
// This may cause privacy issues (especially if redirecting over HTTP) so use with care
// Default value: false
//$redir_url = true;

?>

A minimum configuration requires to set redir_base.
If redir_info is disabled the redirector script won't try to obtain a specific IP/URL for redirect from YateUCN. The configured redir_base will be used.
If a specific IP/URL is obtained from YateUCN (e.g. set by an OCS on Diameter Gy/Ro interface) it will replace the one configured in redir_base.

Notes

  • IPv6 rules should be added also to support redirect for data sessions using IPv6
  • HTTPS redirect may be configured but, usually, it won't work: the local WEB server must be able to present a certificate for requested domain
  • If a redirect to URL is returned by YateUCN (this may happen on Diameter Gy/Ro interface) it's IP address(es) MUST be set in iptables rules resetting DSCP for the captive portal