Configure traffic redirect for data session

This page describes the necessary steps to configure data session traffic redirect in YateUCN.

System configuration

Create the redirect directory and link its default page to the Yate redirector script; the .htaccess rewrites every requested path to index.php, so whatever URL the subscriber asked for lands on the redirector:

mkdir -p /var/www/redir
ln -s /usr/share/yate/scripts/ucn_url_redir.php /var/www/redir/index.php
cat << EOF > /var/www/redir/.htaccess
RewriteEngine On
RewriteBase /
RewriteRule .* index.php  [L]
EOF

Configure the web server (Apache, assuming the redirector listens on port 888; mod_rewrite must be loaded, and FollowSymLinks is required both for the index.php symlink and for RewriteEngine in .htaccess). After restarting httpd, any path requested on port 888 should be answered by the redirector script:

cat << EOF > /etc/httpd/conf/sites.d/yate-ucn-redir.conf
Listen 888
<VirtualHost _default_:888>
   ServerAdmin root@localhost
   ServerName localhost
   VirtualDocumentRoot /var/www/redir
   DocumentRoot /var/www/redir
   Options Indexes FollowSymLinks MultiViews
</VirtualHost>
<Directory "/var/www/redir">
   AllowOverride All
</Directory>
EOF

Configure the redirect using iptables. The rules below assume YateUCN is configured to mark redirected traffic with DS byte 252 (0xFC); the iptables dscp match and target take the 6-bit DSCP value, i.e. 252 >> 2 = 63 (0x3f), which is the value that appears in the rules:

# Create a new chain in the 'filter' table
iptables -t filter -N redir

# Only forward packets to specific DNS servers (UDP/53); everything else from a
# redirected session is dropped. This example allows only the Google public DNS
# servers; add the DNS servers configured for all network APNs.
iptables -t filter -A redir ! -p udp -j DROP
iptables -t filter -A redir -p udp -m udp ! --dport 53 -j DROP
iptables -t filter -A redir -d 8.8.8.8/32 -j ACCEPT
iptables -t filter -A redir -d 8.8.4.4/32 -j ACCEPT
iptables -t filter -A redir -j DROP

# Send all forwarded DSCP-marked traffic through that chain
iptables -t filter -A FORWARD -i tun-pdn -m dscp --dscp 0x3f -j redir

# Let subscribers reach the host itself only on the captive portal port
iptables -t filter -A INPUT -i tun-pdn -p tcp -m tcp --dport 888 -j ACCEPT
iptables -t filter -A INPUT -i tun-pdn -p tcp -j DROP
iptables -t filter -A INPUT -i tun-pdn -p sctp -j DROP

# Redirect marked HTTP traffic to local port 888. LL.LL.LL.LL is the local
# service address (not 127.0.0.1: forwarded packets cannot be DNATed to loopback
# without route_localnet). After DNAT these packets go to INPUT, not FORWARD.
iptables -t nat -A PREROUTING -i tun-pdn -p tcp -m tcp --dport 80 -m dscp --dscp 0x3f -j DNAT --to-destination LL.LL.LL.LL:888

# Clear the DSCP mark on packets addressed to the captive portal so they are
# forwarded normally (mangle PREROUTING runs before nat PREROUTING, so the DNAT
# rule never sees them). Add one rule per network AA.BB.CC.DD/NN hosting the
# portal's external servers.
iptables -t mangle -A PREROUTING -d AA.BB.CC.DD/NN -i tun-pdn -j DSCP --set-dscp 0x00

NOTE: iptables rules are not persistent: they are lost on system reboot.

This may be fixed by either:

  • adding the rules to a shell script run at system start-up (for example a script installed in /etc/init.d and enabled), or
  • using iptables-save and redirecting its output to the file iptables loads at boot (the iptables service must be enabled for this file to be applied):
iptables-save > /etc/sysconfig/iptables
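The rule set above, collected into one start-up script of the kind the persistence note recommends. This is an added example, not part of YateUCN or of the original page: the interface name, the DS byte 252, the portal address 192.0.2.10, the portal network 198.51.100.0/24 and the resolver list are placeholder assumptions to be replaced with the deployment's values. The script derives the 6-bit DSCP that iptables expects from the DS byte YateUCN is configured with, prints the rules by default, and when applying uses iptables -C so it can be re-run without duplicating rules.

```shell
#!/bin/sh
# ucn-redir-rules.sh: the captive-portal firewall rules from this page as a
# single start-up script. Added example, not part of YateUCN. Every value in
# this block is an assumption to be replaced with the deployment's own.
#
# Usage: ucn-redir-rules.sh [print|apply] [iptables|ip6tables]
#   print (default) only shows the commands; apply runs them (needs root).

IFACE="${IFACE:-tun-pdn}"                        # PDN tunnel interface of YateUCN
TOS_BYTE="${TOS_BYTE:-252}"                      # DS byte YateUCN sets on redirected traffic (0xFC)
PORTAL_ADDR="${PORTAL_ADDR:-192.0.2.10}"         # local address of the redirector, never 127.0.0.1
PORTAL_PORT="${PORTAL_PORT:-888}"                # port the redirector vhost listens on
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}"    # resolvers configured for all APNs
PORTAL_NETS="${PORTAL_NETS:-198.51.100.0/24}"    # networks hosting the portal's external servers

# The iptables dscp match/target take the 6-bit DSCP, not the 8-bit DS byte:
# DSCP = DS byte >> 2, so 252 (0xFC) becomes 63 (0x3f).
dscp_from_tos() {
    printf '0x%02x\n' $(( $1 >> 2 ))
}

# rule TABLE CHAIN MATCH...: print the rule, or append it unless it is already
# present (iptables -C), so the script can be re-run without duplicating rules.
rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$MODE" = apply ]; then
        "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null ||
            "$IPT" -t "$table" -A "$chain" "$@"
    else
        echo "$IPT -t $table -A $chain $*"
    fi
}

gen_rules() {
    IPT="$1"; MODE="$2"
    dscp=$(dscp_from_tos "$TOS_BYTE")

    # Own chain holding the policy for what a redirected session may still reach
    if [ "$MODE" = apply ]; then
        "$IPT" -t filter -N redir 2>/dev/null || true
    else
        echo "$IPT -t filter -N redir"
    fi

    # Only DNS (UDP/53) to the listed resolvers is forwarded; all else is dropped
    rule filter redir ! -p udp -j DROP
    rule filter redir -p udp -m udp ! --dport 53 -j DROP
    for dns in $DNS_SERVERS; do
        rule filter redir -d "$dns" -j ACCEPT
    done
    rule filter redir -j DROP

    # All forwarded traffic still carrying the mark goes through that policy
    rule filter FORWARD -i "$IFACE" -m dscp --dscp "$dscp" -j redir

    # Subscribers may talk to the host itself only on the redirector port
    rule filter INPUT -i "$IFACE" -p tcp -m tcp --dport "$PORTAL_PORT" -j ACCEPT
    rule filter INPUT -i "$IFACE" -p tcp -j DROP
    rule filter INPUT -i "$IFACE" -p sctp -j DROP

    # Marked HTTP is DNATed to the local redirector (nat PREROUTING runs before
    # FORWARD, so these packets end up in INPUT and never reach the redir chain).
    # For ip6tables PORTAL_ADDR must be given in the "[addr]" form.
    rule nat PREROUTING -i "$IFACE" -p tcp -m tcp --dport 80 -m dscp --dscp "$dscp" \
        -j DNAT --to-destination "$PORTAL_ADDR:$PORTAL_PORT"

    # Clear the mark on traffic to the portal's own networks; mangle PREROUTING
    # runs before nat PREROUTING, so the DNAT above never sees these packets
    for net in $PORTAL_NETS; do
        rule mangle PREROUTING -i "$IFACE" -d "$net" -j DSCP --set-dscp 0x00
    done
}

main() {
    gen_rules "${2:-iptables}" "${1:-print}"
}

# Run only when executed directly; sourcing the file just defines the functions
if [ "${0##*/}" = "ucn-redir-rules.sh" ]; then
    main "$@"
fi
```

Run `sh ucn-redir-rules.sh print` to review the generated commands and `sh ucn-redir-rules.sh apply` from the start-up script to install them. Running it again with `ip6tables` and IPv6 values for PORTAL_ADDR, DNS_SERVERS and PORTAL_NETS produces the IPv6 counterpart mentioned in the notes below; the DNAT rule needs a kernel with IPv6 NAT support.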


Yate configuration

The configuration file is /etc/yate/ucn/redir_config.php:

<?php

// Configure the URL redirector base path below
// This parameter is mandatory
//$redir_base = "http://redirector.is.not/configured";

// If data is available these URL parameters will be added: msisdn, imsi, plmn
// Default value: true
//$redir_info = false;

// If available add the old URL to the request as "url" parameter
// This may cause privacy issues (especially if redirecting over HTTP) so use with care
// Default value: false
//$redir_url = true;

?>

A minimal configuration only needs redir_base to be set.
If redir_info is disabled the redirector script does not ask YateUCN for a session-specific redirect IP/URL; the configured redir_base is always used.
If a specific IP/URL is obtained from YateUCN (e.g. one set by an OCS on the Diameter Gy/Ro interface) it replaces the one configured in redir_base.

Notes

  • IPv6 rules (ip6tables) must be added as well to support redirect for data sessions using IPv6
  • HTTPS redirect may be configured but usually won't work: the local web server would have to present a certificate valid for the domain the client requested, so the browser rejects the connection (and for HSTS sites will not let the user click through)
  • If a redirect URL is returned by YateUCN (this may happen on the Diameter Gy/Ro interface) its IP address(es) MUST be added to the iptables rules that reset the DSCP mark for the captive portal, otherwise requests to that URL are themselves redirected