Skip to content

leoelan/lisg

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Linux ISG

This repo is fork of Linux ISG project from Oleg A. Arkhangelsky.

It is based on a non-original copy of source code recovered from old archive. Previously this code was published under GNU License so there is no problem to restore it in public.

Changes

  • Restore (write from scratch) match userspace library because it was lost during recovery
  • Linux kernel version 4.19+ is supported

TODO

  • The code is really full of global spinlocks and currently do not scale well on multi-CPU servers. I will try to rewrite it with a new lockless techniques in future.
  • A userspace daemon should be rewritten because perl is not fast enought in case of creating lots of new sessions per second.
  • IPv6 support is fully absent. I think that shoud be fixed.

INSTALL

cd /opt
git clone https://github.com/junjunk/lisg.git

apt install -y linux-headers-$(uname -r) iptables-dev build-essential
OR
apt-get -y install linux-headers-$(uname -r) iptables-dev build-essential

cpan install Net::Radius::Packet

chmod 777 /opt/lisg/kernel/configure && /opt/lisg/kernel/configure && make clean && make && make install
modprobe ipt_ISG
echo ipt_ISG >> /etc/modules

traffic is not dropping during the authorization of freeradius:
modprobe ipt_ISG tg_deny_action=1

Usage

Session initiation and shaping

Use iptables to setup rules in FORWARD chain to specify how to init session

iptables -A FORWARD -s 192.0.0.0/24 -j ISG --session-init
iptables -A FORWARD -d 192.0.0.0/24 -j ISG

This commands will advise ISG module to initiate session for every IP address from 192.0.0.0/24 network and to policy traffic to 192.0.0.0/24 network in case of active session

Redirect to authorization

uncomment on the config.pl

#$cfg{unauth_service_name_list} = [ "AREDIR" ];

#$cfg{srv}{REDIR}{type} = "tagger";

#$cfg{srv}{REDIR}{traffic_classes} = [ "ALL_OTHER" ];

-A PREROUTING -m isg --service-name REDIR -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.0.1

This command will make DNAT for every HTTP packet that found in ISG with service REDIRECT. Possible usage to redirect to authorization web-site.

Additional documentation can be found by your favorite search engine

Releases

No releases published

Packages

No packages published

Languages