This page describes the necessary steps to configure data session traffic redirect in YateUCN.
System configuration
Create the redirect directory and link its default page to the Yate redirector script:
mkdir -p /var/www/redir
ln -s /usr/share/yate/scripts/ucn_url_redir.php /var/www/redir/index.php
cat << EOF > /var/www/redir/.htaccess
RewriteEngine On
RewriteBase /
RewriteRule .* index.php [L]
EOF
Configure the web server (assuming the redirector listens on port 888):
cat << EOF > /etc/httpd/conf/sites.d/yate-ucn-redir.conf
Listen 888
<VirtualHost _default_:888>
ServerAdmin root@localhost
ServerName localhost
VirtualDocumentRoot /var/www/redir
DocumentRoot /var/www/redir
Options Indexes FollowSymLinks MultiViews
</VirtualHost>
<Directory "/var/www/redir">
AllowOverride All
</Directory>
EOF
Configure the redirect using iptables (assuming YateUCN is configured to mark redirected traffic with DSCP 252 – 0xFC; DSCP occupies the upper 6 bits of the TOS byte, so the iptables dscp match below uses the 6-bit value 0x3f):
# Create a new chain in ‘filter’ table
iptables -t filter -N redir
# Accept to forward packets only to specific DNS servers
# This example allows only Google public DNS servers
# You should add the DNS servers configured for all network APNs
iptables -t filter -A redir ! -p udp -j DROP
iptables -t filter -A redir -p udp -m udp ! --dport 53 -j DROP
iptables -t filter -A redir -d 8.8.8.8/32 -j ACCEPT
iptables -t filter -A redir -d 8.8.4.4/32 -j ACCEPT
iptables -t filter -A redir -j DROP
# Send all forwarded DSCP marked traffic to be checked and filtered
iptables -t filter -A FORWARD -i tun-pdn -m dscp --dscp 0x3f -j redir
# Accept to serve only local redirections to the captive portal
iptables -t filter -A INPUT -i tun-pdn -p tcp -m tcp --dport 888 -j ACCEPT
iptables -t filter -A INPUT -i tun-pdn -p tcp -j DROP
iptables -t filter -A INPUT -i tun-pdn -p sctp -j DROP
# Redirect HTTP traffic to local port 888
# Add the local service address LL.LL.LL.LL here (but not 127.0.0.1)
iptables -t nat -A PREROUTING -i tun-pdn -p tcp -m tcp --dport 80 -m dscp --dscp 0x3f -j DNAT --to-destination LL.LL.LL.LL:888
# Reset DSCP for packets going to the captive portal so they are not redirected again
# Add the subnets of the external servers used by the captive portal
iptables -t mangle -A PREROUTING -d AA.BB.CC.DD/NN -i tun-pdn -j DSCP --set-dscp 0x00
NOTE: iptables rules are not persistent: they are lost on system reboot.
This may be fixed by either:
- adding the rules to a shell script run at system start-up, copied into the /etc/init.d directory, or
- using iptables-save and redirecting its output to the file iptables loads at system start time:
iptables-save > /etc/sysconfig/iptables
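The rule set above, rebuilt by a small shell function so that the DSCP match, the DNS allow-list and the captive-portal exclusions are always generated together. This is an added example and not part of YateUCN: it keeps the page's tun-pdn interface and port 888, takes the TOS byte 0xFC and derives the 6-bit DSCP value the match expects, and runs as a dry run when IPTABLES=echo (the addresses passed in the usage line are constructed placeholders).

```shell
#!/bin/sh
# Added example (not YateUCN's own tooling): generate the redirect rules from a
# few parameters. Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# DSCP is the upper 6 bits of the TOS byte, so TOS 0xFC becomes --dscp 0x3f.
tos_to_dscp() {
    printf '0x%02x' $(( $1 >> 2 ))
}

# redir_rules TOS LOCAL_ADDR "DNS1 DNS2 ..." "NET1/N NET2/N ..."
# PORTAL nets must cover every address a YateUCN-returned redirect URL resolves
# to, otherwise traffic to the portal itself is redirected again (see Notes).
redir_rules() {
    tos="$1"; local_addr="$2"; dns_servers="$3"; portal_nets="$4"
    dscp=$(tos_to_dscp "$tos")
    # Forwarded marked traffic: only DNS to the listed resolvers gets through.
    $IPTABLES -t filter -N redir
    $IPTABLES -t filter -A redir ! -p udp -j DROP
    $IPTABLES -t filter -A redir -p udp -m udp ! --dport 53 -j DROP
    for dns in $dns_servers; do
        $IPTABLES -t filter -A redir -d "$dns/32" -j ACCEPT
    done
    $IPTABLES -t filter -A redir -j DROP
    $IPTABLES -t filter -A FORWARD -i tun-pdn -m dscp --dscp "$dscp" -j redir
    # Locally delivered traffic: only the captive portal port is served.
    $IPTABLES -t filter -A INPUT -i tun-pdn -p tcp -m tcp --dport 888 -j ACCEPT
    $IPTABLES -t filter -A INPUT -i tun-pdn -p tcp -j DROP
    $IPTABLES -t filter -A INPUT -i tun-pdn -p sctp -j DROP
    # Marked HTTP goes to the local redirector (never use 127.0.0.1 here).
    $IPTABLES -t nat -A PREROUTING -i tun-pdn -p tcp -m tcp --dport 80 \
        -m dscp --dscp "$dscp" -j DNAT --to-destination "$local_addr:888"
    # Clear the mark for traffic to the portal so it is not redirected again.
    for net in $portal_nets; do
        $IPTABLES -t mangle -A PREROUTING -d "$net" -i tun-pdn -j DSCP --set-dscp 0x00
    done
}

# Dry-run usage with constructed placeholder addresses:
# IPTABLES=echo sh thisfile.sh  (then call redir_rules as below)
# redir_rules 0xFC 10.0.0.1 "8.8.8.8 8.8.4.4" "198.51.100.0/24"
```

Save the printed rules to a start-up script, or apply them and run iptables-save, to keep them across reboots.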
Yate configuration
The configuration file is /etc/yate/ucn/redir_config.php:
<?php
// Configure the URL redirector base path below
// This parameter is mandatory and must be configured
//$redir_base = "http://redirector.is.not/configured";
// If data is available these URL parameters will be added: msisdn, imsi, plmn
// Default value: true
//$redir_info = false;
// If available, add the original URL to the request as the "url" parameter
// This may cause privacy issues (especially if redirecting over HTTP) so use with care
// Default value: false
//$redir_url = true;
?>
A minimal configuration only requires redir_base to be set.
If redir_info is disabled, the redirector script won't try to obtain a session-specific IP/URL for the redirect from YateUCN; the configured redir_base is always used.
If a specific IP/URL is obtained from YateUCN (e.g. one set by an OCS over the Diameter Gy/Ro interface), it replaces the one configured in redir_base.
Notes
- IPv6 rules should also be added to support redirect for data sessions using IPv6
- HTTPS redirect may be configured but usually won't work: the local web server would have to present a certificate valid for the requested domain
- If a redirect URL is returned by YateUCN (this may happen on the Diameter Gy/Ro interface), its IP address(es) MUST be included in the iptables rules that reset DSCP for the captive portal