[CoovaChilli] Documentation about xt_coova/ipt-coova/nfcoova
brian at andrews.org.nz
Mon Jun 13 22:43:00 BST 2016
Those filter rules shouldn’t seem useless - things should only work properly when the rules are correct.
The reasons why I would look at rules is that our installs work fine and we had similar issues until our rules were sorted out.
I suspect your rules are too open and traffic is exiting the WAN directly when users are unauthenticated.
Like the rule you have "iptables -I FORWARD -o eth0.1 -j ACCEPT" that shouldn't really be there - you only want to accept the unauthenticated ip range in FORWARD - xt_coova will handle the authenticated traffic.
So apart from a few extra rules in INPUT to allow for DHCP, UAM etc your FORWARD rules should be based around:
iptables -A FORWARD_eth0.1 -d 220.127.116.11/24 -j ACCEPT
iptables -A FORWARD_eth0.1 -s 18.104.22.168/24 -j ACCEPT
iptables -A FORWARD -d 10.1.0.0/24 -i eth0.2 -m coova --name chilli --dest -j ACCEPT
iptables -A FORWARD -s 10.1.0.0/24 -o eth0.2 -m coova --name chilli --source -j ACCEPT
iptables -A FORWARD -i eth0.1 -j DROP
iptables -A FORWARD -o eth0.1 -j DROP
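As an added illustration (not part of the list post), this POSIX sh script emits the FORWARD layout described above and audits an iptables-save dump for the kind of rule the post warns about: a FORWARD ACCEPT on the LAN or WAN interface that carries no coova match, which lets unauthenticated clients reach the WAN. The interface names, client range and the sample dump are assumptions chosen to mirror the post.

```shell
#!/bin/sh
# Assumed layout (taken from the thread, not verified against any real box):
# LAN side eth0.1, WAN side eth0.2, client range 10.1.0.0/24, coova name "chilli".
LAN=eth0.1
WAN=eth0.2
CLIENTS=10.1.0.0/24

# The FORWARD rules the post recommends, in iptables-save syntax:
# only coova-matched (authenticated) traffic crosses, the rest on LAN is dropped.
expected_forward_rules() {
  cat <<EOF
-A FORWARD -d $CLIENTS -i $WAN -m coova --name chilli --dest -j ACCEPT
-A FORWARD -s $CLIENTS -o $WAN -m coova --name chilli --source -j ACCEPT
-A FORWARD -i $LAN -j DROP
-A FORWARD -o $LAN -j DROP
EOF
}

# Read iptables-save output on stdin and print every FORWARD rule that ACCEPTs
# traffic on the LAN or WAN interface without "-m coova". Returns 1 if any found.
find_open_forward_rules() {
  awk -v lan="$LAN" -v wan="$WAN" '
    /^-A FORWARD / && / -j ACCEPT/ && !/-m coova/ {
      if (index($0, " -i " lan " ") || index($0, " -o " lan " ") ||
          index($0, " -i " wan " ") || index($0, " -o " wan " ")) {
        print
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed iptables-save excerpt containing the over-permissive rule from the thread.
SAMPLE_SAVE='*filter
:FORWARD DROP [0:0]
-A FORWARD -o eth0.1 -j ACCEPT
-A FORWARD -d 10.1.0.0/24 -i eth0.2 -m coova --name chilli --dest -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -o eth0.2 -m coova --name chilli --source -j ACCEPT
-A FORWARD -i eth0.1 -j DROP
-A FORWARD -o eth0.1 -j DROP
COMMIT'

# Demo run: prints "-A FORWARD -o eth0.1 -j ACCEPT" and exits 1 for the sample.
printf '%s\n' "$SAMPLE_SAVE" | find_open_forward_rules || echo "open FORWARD rule(s) found"
```

On a live box run `iptables-save | find_open_forward_rules` after sourcing the functions.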
> On 13/06/2016, at 10:59 PM, Pierre Parent <pparent at comminter.com> wrote:
> WAN is eth0.2, Lan is eth0.1
> The iptables you sent seem similar don't they? (except that you filter source
> and destination ip, but in my case it seems useless).
> To my mind the problem is not likely to come from iptables, since it concerns
> only the phase when the user is unauthenticated. When the user is
> authenticated everything works well.
> On Monday 13 June 2016 22:43:00, you wrote:
>> Your rules look quite different to ours which look more like (where eth0 is
>> your WAN):
>> iptables -I FORWARD -o eth0 --src 192.168.1.0/24 -m coova --name chilli -j ACCEPT
>> iptables -I FORWARD -i eth0 --dst 192.168.1.0/24 -m coova --name chilli --dest -j ACCEPT
>> What is your WAN interface ? - we have rules for WAN and LAN interfaces.
>> I think I recall David’s initial example config had dhcpif on eth0 but this
>> should have been eth1.
>>> On 13/06/2016, at 9:09 PM, Pierre Parent <pparent at comminter.com> wrote:
>>> I just wanted to point out that I cross-compiled a very recent version (
>>> e7dd992c478 ) and I get exactly the same behavior (problems when
>>> identifying with xt-coova).
>>> I may try to get into the code to debug from within, when I have time.
>>> Enclosed my current Recipe to compile recent version of coova-chilli for
>>> Should I report this bug in github as well?
>>> CoovaChilli mailing list
>>> CoovaChilli at brightonchilli.org.uk