Configure traffic redirect for data session

This page describes the necessary steps to configure data session traffic redirect in YateUCN.

System configuration

Create redirect directory and link the default page to yate redirector script:

mkdir -p /var/www/redir
ln -s /usr/share/yate/scripts/ucn_url_redir.php /var/www/redir/index.php
cat << EOF > /var/www/redir/.htaccess
RewriteEngine On
RewriteBase /
RewriteRule .* index.php [L]
EOF

Configure the WEB server (assuming the redirector is listening on port 888):

cat << EOF > /etc/httpd/conf/sites.d/yate-ucn-redir.conf
Listen 888
<VirtualHost _default_:888>
   ServerAdmin root@localhost
   ServerName localhost
   VirtualDocumentRoot /var/www/redir
   DocumentRoot /var/www/redir
   Options Indexes FollowSymLinks MultiViews
</VirtualHost>
<Directory “/var/www/redir”>
   AllowOverride All
</Directory>
EOF

Configure redirect using iptables (assuming DSCP 252 – 0xFC – is configured in YateUCN to mark redirected traffic):

# Create a new chain in ‘filter’ table
iptables -t filter -N redir

# Accept to forward packets only to specific DNS servers
# This example allows only Google public DNS servers
# You should add the DNS servers configured for all network APNs
iptables -t filter -A redir ! -p udp -j DROP
iptables -t filter -A redir -p udp -m udp ! –dport 53 -j DROP
iptables -t filter -A redir -d 8.8.8.8/32 -j ACCEPT
iptables -t filter -A redir -d 8.8.4.4/32 -j ACCEPT
iptables -t filter -A redir -j DROP

# Send all forwarded DSCP marked traffic to be checked and filtered
iptables -t filter -A FORWARD -i tun-pdn -m dscp –dscp 0x3f -j redir

# Accept to serve only local redirections to the captive portal
iptables -t filter -A INPUT -i tun-pdn -p tcp -m tcp –dport 888 -j ACCEPT
iptables -t filter -A INPUT -i tun-pdn -p tcp -j DROP
iptables -t filter -A INPUT -i tun-pdn -p sctp -j DROP

# Redirect HTTP traffic to local port 888
# Add the local service address LL.LL.LL.LL here (but not 127.0.0.1)
iptables -t nat -A PREROUTING -i tun-pdn -p tcp -m tcp –dport 80 -m dscp –dscp 0x3f -j DNAT –to-destination LL.LL.LL.LL:888

# Reset DSCP for packets going to captive portal so they are not redirected
# Add subclasses of external servers for the captive portal
iptables -t mangle -A PREROUTING -d AA.BB.CC.DD/NN -i tun-pdn -j DSCP –set-dscp 0x00

NOTE: Don’t forget the iptables rules are not persistent: they will be lost on system reboot.

This may be fixed by:

iptables-save > /etc/sysconfig/iptables

Yate configuration

The configuration file is /etc/yate/ucn/redir_config.php:

<?php

// Configure the URL redirector base path below
// This parameter is mandatory to configure
//$redir_base = “http://redirector.is.not/configured“;

// If data is available these URL parameters will be added: msisdn, imsi, plmn
// Default value: true
//$redir_info = false;

// If available add the old URL to the request as “url” parameter
// This may cause privacy issues (especially if redirecting over HTTP) so use with care
// Default value: false
//$redir_url = true;

?>

A minimum configuration requires to set redir_base.
If redir_info is disabled the redirector script won’t try to obtain a specific IP/URL for redirect from YateUCN. The configured redir_base will be used.
If a specific IP/URL is obtained from YateUCN (e.g. set by an OCS on Diameter Gy/Ro interface) it will replace the one configured in redir_base.

Notes

Our solutions