[CoovaChilli] Documentation about xt_coova/ipt-coova/nfcoova

Pierre Parent pparent at comminter.com
Tue Jun 14 09:46:32 BST 2016


Hi Brian,

Thanks a lot for your message. 

Unfortunately using your iptables give even worst results: I can't connect to 
the distant portal (the connection is constantly restarted, because of bad 
headers).  I'll try around few iptables modification to see if it can solve the 
problem. 

My impression is that the problems arises exactly at the moment where chili 
stops intercepting packets in order to let xt_coova kernel module handle it. I 
have the felling that at that moment, switching between two modes causes 
failure in already established TCP connections (both to 11.1.0.1 and to the 
distant portal). Which would explain why when doing a second attempt and a 
reconnection everything works fine.

Pierre.

ps:
my current iptables giving the result in wget-log:

iptables -F FORWARD
iptables -I FORWARD -j DROP
iptables -I FORWARD -o eth0.1 -d 10.1.0.0/16 -m coova --name chilli --dest  -j 
ACCEPT
iptables -I FORWARD -i eth0.1 -s 10.1.0.0/16 -m coova --name chilli -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -d distant-portail.com -j ACCEPT

Le mardi 14 juin 2016, 09:43:00 Brian Andrews a écrit :
> Hi Pierre
> 
> Those filter rules shouldn’t seem useless - things should only work properly
> when the rules are correct. The reasons why I would look at rules is that
> our installs work fine and we had similar issues until our rules were
> sorted out. I suspect your rules are too open and traffic is exiting the
> WAN directly when users are unauthenticated. Like the rule you have
> "iptables -I FORWARD -o eth0.1  -j ACCEPT”  that shouldn’t really be there
> - you only want to accept the unauthenticated ip range in FORWARD -
> xt_coova will handle the authenticated traffic. So apart from a few extra
> rules in INPUT to allow for DHCP, UAM etc your FORWARD rules should be
> based around:
> 
> iptables -A FORWARD_eth0.1 -d 11.1.0.1/24 -j ACCEPT
> iptables -A FORWARD_eth0.1 -s 11.1.0.1/24 -j ACCEPT
> iptables -A FORWARD -d 10.1.0.0/24 -i eth0.2 -m coova--name chilli --dest 
> -j ACCEPT iptables -A FORWARD -s 10.1.0.0/24 -o eth0.2 -m coova--name
> chilli --source  -j ACCEPT iptables -A FORWARD -i eth0.1 -j DROP
> iptables -A FORWARD -o eth0.1 -j DROP
> 
> 
> -
> Brian
> 
> > On 13/06/2016, at 10:59 PM, Pierre Parent <pparent at comminter.com> wrote:
> > 
> > Hi,
> > 
> > WAN is eth0.2, Lan is eth0.1
> > 
> > The iptables you sent seem similar don't they?  (except that you filter
> > source and destination ip, but in my case it seems useless).
> > 
> > To my mind the problem is not likely to come from iptables, since it
> > concern only the phase when the user is unauthenticated. When the user is
> > authenticated everything works well.
> > 
> > Pierre.
> > 
> > Le lundi 13 juin 2016 22:43:00, vous avez écrit :
> >> Hi,
> >> 
> >> Your rules look quite different to ours which look more like (where eth0
> >> is
> >> your WAN):
> >> 
> >> iptables -I FORWARD -o eth0 —src 192.168.1.0/24 -m coova --name chilli -j
> >> ACCEPT iptables -I FORWARD -i eth0 —dst 192.168.1.0/24 -m coova --name
> >> chilli --dest -j ACCEPT
> >> 
> >> What is your WAN interface ? - we have rules for WAN and LAN interfaces.
> >> 
> >> I think I recall David’s initial example config had dhcpif on eth0 but
> >> this
> >> should have been eth1.
> >> 
> >> -
> >> Brian
> >> 
> >>> On 13/06/2016, at 9:09 PM, Pierre Parent <pparent at comminter.com> wrote:
> >>> 
> >>> Hi,
> >>> 
> >>> I just wanted to precise that I cross-compiled very recent version (
> >>> https://github.com/coova/coova-chilli/commit/67aa2f204695aaa23b065f7cd74
> >>> ed
> >>> e7dd992c478 ) and I get exactly the same behavior (problems when
> >>> identifying with xt-coova).
> >>> 
> >>> I may try to get into the code to debug from within, when I have time.
> >>> 
> >>> Enclosed my current Recipe to compile recent version of coova-chilli for
> >>> openwrt.
> >>> 
> >>> Should I report this bug in github as well?
> >>> 
> >>> Pierre.
> >>> _______________________________________________
> >>> CoovaChilli mailing list
> >>> CoovaChilli at brightonchilli.org.uk
> >>> https://www.brightonchilli.org.uk/mailman/listinfo/coovachilli




More information about the CoovaChilli mailing list