[CoovaChilli] Documentation about xt_coova/ipt-coova/nfcoova

Brian Andrews brian at andrews.org.nz
Mon Jun 13 22:43:00 BST 2016

Hi Pierre

Those filter rules shouldn’t seem useless - things should only work properly when the rules are correct.
The reasons why I would look at rules is that our installs work fine and we had similar issues until our rules were sorted out.
I suspect your rules are too open and traffic is exiting the WAN directly when users are unauthenticated.
Like the rule you have "iptables -I FORWARD -o eth0.1  -j ACCEPT”  that shouldn’t really be there - you only want to accept the unauthenticated ip range in FORWARD - xt_coova will handle the authenticated traffic.
So apart from a few extra rules in INPUT to allow for DHCP, UAM etc your FORWARD rules should be based around:

iptables -A FORWARD_eth0.1 -d -j ACCEPT
iptables -A FORWARD_eth0.1 -s -j ACCEPT
iptables -A FORWARD -d -i eth0.2 -m coova--name chilli --dest  -j ACCEPT
iptables -A FORWARD -s -o eth0.2 -m coova--name chilli --source  -j ACCEPT
iptables -A FORWARD -i eth0.1 -j DROP
iptables -A FORWARD -o eth0.1 -j DROP

> On 13/06/2016, at 10:59 PM, Pierre Parent <pparent at comminter.com> wrote:
> Hi,
> WAN is eth0.2, Lan is eth0.1
> The iptables you sent seem similar don't they?  (except that you filter source 
> and destination ip, but in my case it seems useless).
> To my mind the problem is not likely to come from iptables, since it concern 
> only the phase when the user is unauthenticated. When the user is 
> authenticated everything works well.
> Pierre.
> Le lundi 13 juin 2016 22:43:00, vous avez écrit :
>> Hi,
>> Your rules look quite different to ours which look more like (where eth0 is
>> your WAN):
>> iptables -I FORWARD -o eth0 —src -m coova --name chilli -j
>> ACCEPT iptables -I FORWARD -i eth0 —dst -m coova --name
>> chilli --dest -j ACCEPT
>> What is your WAN interface ? - we have rules for WAN and LAN interfaces.
>> I think I recall David’s initial example config had dhcpif on eth0 but this
>> should have been eth1.
>> -
>> Brian
>>> On 13/06/2016, at 9:09 PM, Pierre Parent <pparent at comminter.com> wrote:
>>> Hi,
>>> I just wanted to precise that I cross-compiled very recent version (
>>> https://github.com/coova/coova-chilli/commit/67aa2f204695aaa23b065f7cd74ed
>>> e7dd992c478 ) and I get exactly the same behavior (problems when
>>> identifying with xt-coova).
>>> I may try to get into the code to debug from within, when I have time.
>>> Enclosed my current Recipe to compile recent version of coova-chilli for
>>> openwrt.
>>> Should I report this bug in github as well?
>>> Pierre.
>>> _______________________________________________
>>> CoovaChilli mailing list
>>> CoovaChilli at brightonchilli.org.uk
>>> https://www.brightonchilli.org.uk/mailman/listinfo/coovachilli

More information about the CoovaChilli mailing list