1

(9 replies, posted in Chillispot Configuration)

I think this suggestion (allowing tun0 input and forward) is not working.

Any more suggestions????

2

(1 replies, posted in Chillispot Configuration)

VPN connection works in England and in France.
If you have a firewall, it must allow DNS, HTTP and HTTPS requests and allow access to UDP 500 (ISAKMP), IP protocol 50 (ESP) and UDP 4500 (for NAT traversal).


How do I allow all this in my iptables?


Thanks in advance!

Check my firewall setup on my OpenWrt Chillispot box.
IT WORKS FOR ME!!! When the user expires, it closes all ports, especially ssh.


====================================
= filename: /etc/init.d/S45firewall =
====================================
#!/bin/sh

## Please make changes in /etc/firewall.user
${FAILSAFE:+exit}

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN  -j ACCEPT       # allow from lan/wifi interfaces
  #iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  #iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT          #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE


## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user


====================================
= filename: /etc/firewall/ssh      =
====================================

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
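The VPN passthrough rules asked about above (UDP 500, ESP, UDP 4500), written as an /etc/firewall.user fragment for the hook chains that S45firewall creates. This is an added example, not code from the original post; the interface names and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: explicit IPsec passthrough for the S45firewall hook chains.
# Set IPT=echo to print the rules instead of applying them (assumption, not
# part of the original script). WAN/LAN default to placeholder names; on the
# router they come from `nvram get wan_ifname` / `nvram get lan_ifname`.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"

# Add one rule per IPsec component inside forwarding_rule, the chain that
# S45firewall jumps to from FORWARD before its own allow rules.
ipsec_passthrough() {
  # IKE (ISAKMP) and NAT-Traversal: UDP 500 and 4500 from LAN clients out
  $IPT -A forwarding_rule -i "$LAN" -o "$WAN" -p udp --dport 500 -j ACCEPT
  $IPT -A forwarding_rule -i "$LAN" -o "$WAN" -p udp --dport 4500 -j ACCEPT
  # ESP (IP protocol 50) has no ports; allow it out and the tracked replies back
  $IPT -A forwarding_rule -i "$LAN" -o "$WAN" -p esp -j ACCEPT
  $IPT -A forwarding_rule -i "$WAN" -o "$LAN" -p esp -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Dry-run sanity check: number of ACCEPT rules the function emits.
ipsec_rule_count() {
  ( IPT=echo; ipsec_passthrough ) | grep -c -- '-j ACCEPT'
}
```

Behind MASQUERADE only one LAN host can run plain ESP to the same gateway at a time, since the router has no ports to tell the flows apart; NAT-T on UDP 4500 is what lets several clients coexist.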

It's strange. On my server I use phpradmin to manage it....
In my phpradmin it's accepted, and when I look at radiusd -X it's accepted too,
but when I use radtest alisa alisa localhost 0 testing123
the reply message is rejected.
n_n,.....

Does this error show only when you check username alisa? If YES, then there might be something wrong with your database.

Check whether you have more than one username alisa in your radcheck.

To allow access to secure websites (such as https://www.example.com/), you must open port 443, as well.

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

Try this:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 555 -j DNAT --to 192.168.x.x:80
iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.x.x -j ACCEPT

To enable packet forwarding, add the following line to /etc/sysctl.conf:

net/ipv4/ip_forward=1

then restart your network: /etc/init.d/networking restart

Try adding port 21 as accepted/allowed in your iptables configuration.

In addition to my posted opinion:

As you said, you are using Squid. Try removing Squid as a transparent proxy on your server, because I think users can easily bypass the Chillispot login page: if they put the server's IP address (for example 192.168.182.1) into their browser's proxy settings as the HTTP proxy, with the port (usually 3128), the user does not need to log in to access/browse the internet.

Maybe you have to change the IP of your second interface, eth1 (not the eth0 you use for the internet); you might be using a well-known IP block like 192.168.1.1,
because if your eth1 is 192.168.1.1 it can easily bypass your billing system... if I configure my PC's IP in the same block as your eth1 IP and set the gateway to 192.168.1.1 and the DNS server to your ISP's DNS.....

Just maybe.... who knows..... your client accidentally guessed the right IP of your eth1.
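A defensive counterpart to the two bypass concerns in this post (browser pointed straight at the Squid port, and a hand-configured IP with eth1 as gateway), as an added example that is not from the original thread: on the chilli box only tun0 carries traffic of clients chilli has authenticated, so the raw client interface and the proxy port can be closed to everything else. The interface names, port 3128 and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example: lock down the Chillispot box so clients can only reach the
# proxy and the Internet through tun0 (where chilli puts authenticated users).
IPT="${IPT:-iptables}"            # set IPT=echo for a dry run (assumption)
INTIF="${INTIF:-eth1}"            # raw interface the clients are plugged into
TUNIF="${TUNIF:-tun0}"            # chilli's tunnel interface
PROXY_PORT="${PROXY_PORT:-3128}"  # squid listener (assumed default)

chilli_lockdown() {
  # Squid is reachable only from tun0; a browser pointed straight at the box's
  # IP on the raw interface never went through the login page.
  $IPT -A INPUT -i "$TUNIF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
  $IPT -A INPUT -i "$INTIF" -p tcp --dport "$PROXY_PORT" -j DROP
  # Authenticated clients may be forwarded out; packets arriving on the raw
  # interface (static IP, gateway set to the box) are never forwarded.
  $IPT -A FORWARD -i "$TUNIF" -j ACCEPT
  $IPT -A FORWARD -i "$INTIF" -j DROP
  # Nothing else on the raw interface reaches the kernel IP stack; chilli reads
  # that interface with a raw socket for DHCP/ARP, so it is not affected.
  $IPT -A INPUT -i "$INTIF" -j DROP
}

# Dry-run check: how many rules that name the raw interface end in DROP.
raw_interface_drop_count() {
  ( IPT=echo; chilli_lockdown ) | grep -- "-i $INTIF" | grep -c -- '-j DROP'
}
```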

11

(2 replies, posted in Radius Configuration)

YES, of course! Try executing this command in your MySQL:

SELECT SUM(AcctInputOctets) AS total_upload, SUM(AcctOutputOctets) AS total_download FROM radacct WHERE UserName='$username'

to get the total of your download and upload while online....

Good luck!

Try to check whether the username and the password are stored in your database.
To check, use radclient.... If it's accepted and it keeps on saying that error,

then change the attribute name to Cleartext-Password, and the operator to ":=".

See "man users" for an explanation of the operators. You're comparing
the value to the User-Password in the request (which doesn't exist).
So the comparison fails.

13

(4 replies, posted in UAM Configuration)

YES....
Specify an IP address in the same block as your chilli box IP.... and your gateway should be the IP of your chilli box.

Your problem is simple........
1. Check the UAM server configured in your /etc/chilli.conf. If it's correct.... you might have entered the wrong address of your hotspotlogin.cgi on your web server.
   or
2. Check the IP of your client PC to see if it is getting the IP issued by chilli... by default it is 192.168.182.xxx. If not, then you have to fire up your chilli... /etc/init.d/chilli start

Then execute ipconfig and check whether the tun0 interface is active....

Hope this idea helps.