1

(4 replies, posted in Chillispot Configuration)

Hi, I tried that one, it also did not work. Below is my current iptables setup:

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 8833 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#For chillispot and squid
$IPTABLES -t nat -A POSTROUTING -d my.ext.int.face -o eth1 -p tcp -m tcp --dport 3128 -j MASQUERADE
$IPTABLES -t nat -A PREROUTING ! -d 10.0.0.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT


Any help on why I can't ping my APs in the 10.15.0.* subnet would be greatly appreciated.

thanks

2

(4 replies, posted in Chillispot Configuration)

I am running chillispot with a few APs on a LAN (10.15.0.*).
I am fiddling with iptables right now to allow the host machine to ping the APs to monitor status.
eth0 - external IP
eth1 - used for chilli
tun0 - 10.15.0.1

Any ping requests I send to the AP IPs are refused.
Can anyone help me with the iptables rules I need to forward the ICMP packets to the APs and back again?

thanks

3

(1 replies, posted in Chillispot Configuration)

Sure, this is possible, just edit the chilli.conf.

Find this and add the following:

uamallowed www.yourdomain.com,192.168.my.ip,more.ip.ip.ip

etc

This in effect allows whatever domains / IPs to become whitelisted, and you can browse without login - and you bypass hotspotlogin.cgi - until you try to go to a website that is not listed in the uamallowed.

hope that helps

.

4

(4 replies, posted in Chillispot Configuration)

hi gobris,

You don't need BOTH of those uncommented. If you uncomment

macallowed 00-00-00-00-00-00

you don't need macauth uncommented.

I use MAC auth, but have the macauth var uncommented and then I add the user's MAC to MySQL (no need to uncomment macallowed then - which was also hanging chilli for me too!)

mysql> INSERT INTO radcheck (username, attribute, value) VALUES ("00-1C-BF-32-FC-F9", "Password", "password");
mysql> INSERT INTO radreply (userName, attribute, op, value) VALUES ("00-1C-BF-32-FC-F9", "Framed-IP-Address", ":=", "192.168.181.15");

^ what you need in MySQL, in your RADIUS db, where 00-1C-BF-32-FC-F9 is your MAC, and 192.168.181.15 is the static IP that you want to give.

hope that helps

.

hi gobris,

I did similar stuff with my chilli.conf, but I reserved a whole subnet like so:

net 10.0.0.0/16
dynip 10.0.2.0/20
statip 10.0.1.0/24

so my static IP users will be in 10.0.1.0->254
and dynamic in 10.0.2->a lot.*

What you are saying is basically correct; you can reserve part of a subnet for those static IPs. You will need to make your settings something like this:

net 192.168.1.0/24
dynip 192.168.1.32/25
statip 192.168.1.0/29

for example

hope that helps

.
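The two chilli.conf fragments above (uamallowed whitelists and the net/statip/dynip split) are easy to get subtly wrong: a pool that is not actually a network address, a pool that falls outside net, or static and dynamic pools that overlap each other. The following is an added example, not code from the ChilliSpot project or from the posts above. It parses a constructed chilli.conf fragment and checks those properties, plus the dashed MAC format used in the macallowed/radcheck examples above. The config values and the hostname/MAC patterns are assumptions for illustration.

```python
import ipaddress
import re

# Constructed chilli.conf fragment for demonstration (not a real deployment).
SAMPLE_CONF = """
# captive portal network layout
net 10.0.0.0/16
statip 10.0.1.0/24
dynip 10.0.16.0/20
uamallowed www.example.com,10.0.0.5,203.0.113.10
macallowed 00-1C-BF-32-FC-F9,00-1C-BF-32-FC-FA
"""

# Assumed formats: dashed MAC as in the forum examples, plain DNS hostnames.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_conf(text):
    """Turn 'key value' lines into a dict; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def check_pools(conf):
    """Return a list of problems with net/statip/dynip.

    Each pool must be written as a real network address, must sit inside net,
    and statip must not overlap dynip (otherwise a static lease can collide
    with a dynamically handed-out one).
    """
    problems = []
    try:
        net = ipaddress.ip_network(conf["net"], strict=False)
    except (KeyError, ValueError) as exc:
        return [f"net: {exc}"]

    pools = {}
    for key in ("statip", "dynip"):
        if key not in conf:
            continue
        try:
            pool = ipaddress.ip_network(conf[key], strict=False)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if conf[key] != str(pool):
            # e.g. 192.168.1.32/25 is really 192.168.1.0/25
            problems.append(f"{key}: {conf[key]} is not a network address, it normalizes to {pool}")
        if not pool.subnet_of(net):
            problems.append(f"{key}: {pool} is outside net {net}")
        pools[key] = pool

    if "statip" in pools and "dynip" in pools and pools["statip"].overlaps(pools["dynip"]):
        problems.append(f"statip {pools['statip']} overlaps dynip {pools['dynip']}")
    return problems


def check_uamallowed(conf):
    """Return uamallowed entries that are neither an IP address nor a plausible hostname."""
    bad = []
    for entry in conf.get("uamallowed", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
            continue
        except ValueError:
            pass
        if not HOST_RE.match(entry):
            bad.append(entry)
    return bad


def check_macallowed(conf):
    """Return macallowed entries that do not use the dashed 00-11-22-33-44-55 form."""
    return [m.strip() for m in conf.get("macallowed", "").split(",")
            if m.strip() and not MAC_RE.match(m.strip())]


def lint(text):
    """Run all checks over a chilli.conf text and return them keyed by check name."""
    conf = parse_conf(text)
    return {
        "pools": check_pools(conf),
        "uamallowed": check_uamallowed(conf),
        "macallowed": check_macallowed(conf),
    }


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_CONF).items():
        print(name, "ok" if not findings else findings)
```

Run it against your own chilli.conf by passing the file contents to lint(); an empty list for every check means the pools nest cleanly inside net without overlapping and every whitelist entry is well-formed.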