[CoovaChilli] Documentation about xt_coova/ipt-coova/nfcoova

Pierre Parent pparent at comminter.com
Wed Feb 8 16:23:48 GMT 2017


Small correction, the script should be as follows (REJECT changed to DROP):

----------------Lancher-------------------------------------------------------
#!/bin/sh
# Restart chilli with the xt_coova configuration and (re)build the firewall.
killall chilli
chilli -c /etc/chilli_xt.conf &
ifconfig eth0.1 10.1.0.1

# Start from empty filter and nat tables.
iptables -F
iptables -F -t nat

# Note: "-I" inserts at the top of the chain, so each rule below ends up ABOVE
# the rules inserted before it; only the final "-A FORWARD -j DROP" is appended.
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward only traffic of clients that xt_coova marks as authenticated.
iptables -I FORWARD -i eth0.1 -m coova --name chilli -j ACCEPT
iptables -I FORWARD -o eth0.1 -m coova --name chilli --dest -j ACCEPT

# Accept traffic to the UAM server address, except when it arrives on the
# client side (eth0.1): those are the duplicated packets, so drop them.
iptables -I INPUT -d 192.168.111.1 -j ACCEPT
iptables -I INPUT -d 192.168.111.1 -i eth0.1 -j DROP
# Router's client-side address (DHCP/DNS for chilli).
iptables -I INPUT -d 10.1.0.1 -j ACCEPT
# Portal and logout addresses reachable before authentication.
iptables -I FORWARD -d portail.xxxxxx.com -j ACCEPT
iptables -I FORWARD -s portail.xxxxxx.com -j ACCEPT
iptables -I FORWARD -d 1.1.1.1 -j ACCEPT

# Everything else is silently dropped (DROP rather than REJECT).
iptables -A FORWARD -j DROP

# WAN address for SNAT. Match "inet " (with the space) so an inet6 line is
# never picked up, and refuse to add a SNAT rule with an empty address.
IP_WAN=$(ifconfig eth0.2 | grep 'inet ' | awk '{print $2}' | cut -d: -f2)
[ -n "$IP_WAN" ] || { echo "no IPv4 address found on eth0.2" >&2; exit 1; }

iptables -I POSTROUTING -t nat -s 10.1.0.0/24 -j SNAT --to-source "$IP_WAN"

----------------------------------------------------------------------------------------------------------------------



On Wednesday 8 February 2017, 14:11:52 Pierre Parent wrote:
> Hi,
> 
> I finally found the solution to my problem (see older posts). It seems that
> every packet from the uam server was received with a duplicate.
> 
> Adding the following iptables rule solves the problem (when 192.168.111.1 is
> the uam server):
> 
> iptables -I INPUT -d 192.168.111.1 -i eth0.1  -j DROP
> 
> Enclosed my final working config.
> 
> Hope it can help!
> 
> Pierre.
> 
> ----------------Lancher-------------------------------------------------------
> #!/bin/sh
> 
> killall chilli
> chilli -c /etc/chilli_xt.conf &
> ifconfig eth0.1 10.1.0.1
> 
> iptables -F
> iptables -F -t nat
> 
> iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> 
> iptables -I FORWARD -i eth0.1 -m coova --name chilli  -j ACCEPT
> iptables -I FORWARD -o eth0.1   -m coova --name chilli --dest   -j ACCEPT
> 
> iptables -I INPUT -d 192.168.111.1 -j ACCEPT
> iptables -I INPUT -d 192.168.111.1 -i eth0.1  -j DROP
> iptables -I INPUT -d 10.1.0.1 -j ACCEPT
> iptables -I FORWARD -d portail.xxxxxx.com -j ACCEPT
> iptables -I FORWARD -s portail.xxxxxx.com -j ACCEPT
> iptables -I FORWARD -d 1.1.1.1 -j ACCEPT
> 
> iptables -A FORWARD -j REJECT
> 
> IP_WAN=$(ifconfig eth0.2 | grep inet | awk '{print $2}'  | cut -d: -f2)
> 
> iptables -I POSTROUTING -t nat -s 10.1.0.0/24 -j SNAT --to-source $IP_WAN
> 
> ----------------------------------------------------------------------------
> 
> ---------chilli_xt.conf-----------------------------------------------------
> radiusserver1   "192.168.8.90"
> radiusserver2   "192.168.8.90"
> radiussecret    "xxxxxxxxxxx"
> radiusauthport  1812
> radiusacctport  1813
> 
> # UAM
> uamserver       "http://xxxxxxxxxxx/"
> uamport         3990
> uamhomepage     http://xxxxxxxxxxx/
> uamlogoutip     1.1.1.1
> 
> 
> net 10.1.0.0/16
> dynip 10.1.0.0/24
> statip 10.1.1.0/24
> 
> uamlisten  192.168.111.1
> uamallowed 192.168.111.1
> dhcplisten 10.1.0.1
> dhcpstart 10
> uamaliasname chilli
> ipup=
> ipdown=
> 
> dhcpif eth0.1
> uamdomain coova.org
> cmdsock /var/run/chilli.sock
> kname chilli
> 
> uamsecret "xxxxxxxxxxx"
> 
> dns1            "10.1.0.1"
> 
> uamdomain www.paypal.com,www.sandbox.paypal.com,www.paypalobjects.com,paypalobjects.com,paypal.112.2o7.net,developer.paypal.com,evsecure-ocsp.verisign.com,evsecure-crl.verisign.com,102.112.2o7.n
> uamallowed      0.0.0.0/0:110
> uamallowed      0.0.0.0/0:143
> uamallowed      0.0.0.0/0:587
> uamallowed      0.0.0.0/0:993
> uamallowed      0.0.0.0/0:995
> 
> radiusnasid     xxxxxxxxxxx
> nasmac xxxxxxxxxxx
> 
> redirssl
> sslkeyfile      /etc/chilli/server.key
> sslcertfile     /etc/chilli/server.crt
> 
> On Thursday 16 June 2016, 08:51:51 Brian Andrews wrote:
> > That Access-Reject via Radius can’t be helping
> > 
> > coova-chilli[1993]: redir_main handling Access-Reject
> > 
> > I’d resolve that first and then see if redir works.
> > 
> > -
> > brian
> > 
> > > On 15/06/2016, at 8:25 PM, Pierre Parent <pparent at comminter.com> wrote:
> > > <log-chilli.txt>
> 
> _______________________________________________
> CoovaChilli mailing list
> CoovaChilli at brightonchilli.org.uk
> https://www.brightonchilli.org.uk/mailman/listinfo/coovachilli
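The launcher script at the top of this message only works because of how iptables orders rules: every "-I" inserts at position 1 (prepends), and only the final "-A FORWARD -j DROP" is appended, so the narrow "-d 192.168.111.1 -i eth0.1 -j DROP" rule is written after the broad "-d 192.168.111.1 -j ACCEPT" rule yet is evaluated before it. The following is an added example, not code from the post or from the CoovaChilli project: a dry-run model that replays the launcher's iptables lines into shell variables (no root, no kernel, no xt_coova needed) and exposes the effective order of each chain so it can be checked before the script is run on the router. Interface names and addresses are those from the post; the WAN address is a constructed placeholder from the documentation range, and the "ipt" helper and the query functions are hypothetical names of this example.

```shell
#!/bin/sh
# Added example (not from the original post or from CoovaChilli): a dry-run
# model of the rule order that the launcher script produces.  Nothing here
# calls the real iptables; "ipt" records rules in shell variables so the
# effective order can be inspected on any machine.

IP_WAN=203.0.113.1   # constructed placeholder standing in for $(ifconfig eth0.2 ...)

# ipt: understands the subset of iptables syntax the launcher uses
# ("-I CHAIN [-t TABLE] rule..." / "-A CHAIN [-t TABLE] rule...") and keeps
# an ordered, newline-separated rule list per table/chain in RULES_<t>_<c>.
ipt() {
    table=filter
    [ "$1" = "-t" ] && { table=$2; shift 2; }
    action=$1; chain=$2; shift 2
    [ "$1" = "-t" ] && { table=$2; shift 2; }   # "-t nat" given after the chain name
    rule="$*"
    var="RULES_${table}_${chain}"
    eval "cur=\${$var}"
    case $action in
        -I)  # insert at position 1: the new rule goes on top of the chain
            if [ -z "$cur" ]; then new=$rule; else new=$(printf '%s\n%s' "$rule" "$cur"); fi ;;
        -A)  # append: the new rule goes to the bottom of the chain
            if [ -z "$cur" ]; then new=$rule; else new=$(printf '%s\n%s' "$cur" "$rule"); fi ;;
        *)  echo "ipt: unsupported action $action" >&2; return 1 ;;
    esac
    eval "$var=\$new"
}

# Replay the launcher's iptables lines in the order they appear in the post.
build_launcher_rules() {
    # stands in for "iptables -F" / "iptables -F -t nat"
    unset RULES_filter_INPUT RULES_filter_FORWARD RULES_nat_POSTROUTING
    ipt -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -I FORWARD -i eth0.1 -m coova --name chilli -j ACCEPT
    ipt -I FORWARD -o eth0.1 -m coova --name chilli --dest -j ACCEPT
    ipt -I INPUT -d 192.168.111.1 -j ACCEPT
    ipt -I INPUT -d 192.168.111.1 -i eth0.1 -j DROP
    ipt -I INPUT -d 10.1.0.1 -j ACCEPT
    ipt -I FORWARD -d portail.xxxxxx.com -j ACCEPT
    ipt -I FORWARD -s portail.xxxxxx.com -j ACCEPT
    ipt -I FORWARD -d 1.1.1.1 -j ACCEPT
    ipt -A FORWARD -j DROP
    ipt -I POSTROUTING -t nat -s 10.1.0.0/24 -j SNAT --to-source "$IP_WAN"
}

# chain_rules TABLE CHAIN: print the effective rules, first-matched first.
chain_rules() { eval "printf '%s\n' \"\${RULES_$1_$2}\""; }

# rule_index TABLE CHAIN TEXT: 1-based position of the first rule containing TEXT.
rule_index() { chain_rules "$1" "$2" | grep -n -F -- "$3" | head -n 1 | cut -d: -f1; }

# chain_len TABLE CHAIN: number of rules in the chain.
chain_len() { chain_rules "$1" "$2" | grep -c ''; }

# last_rule TABLE CHAIN: the rule evaluated last (should be the catch-all DROP).
last_rule() { chain_rules "$1" "$2" | tail -n 1; }

build_launcher_rules
for c in INPUT FORWARD; do
    echo "== filter/$c (effective order) =="
    chain_rules filter "$c" | nl
done
echo "== nat/POSTROUTING (effective order) =="
chain_rules nat POSTROUTING | nl
```

Run it with `sh` on any host; the printed INPUT chain shows the eth0.1 DROP rule sitting above the 192.168.111.1 ACCEPT rule, and the FORWARD chain shows the catch-all DROP as the seventh and last rule. On the router itself the same order can be confirmed after running the launcher with `iptables -S INPUT` and `iptables -S FORWARD`. If a rule is ever changed from "-I" to "-A" (or vice versa), rerunning this model shows immediately whether the DROP still precedes the ACCEPT.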