hi *,
i just set up a debian server while trying following to do.
I want to realise a wired an wireless chillispot in a event location to provide internet acces to our guests without charge but to secure it against unnown people and to limit access-time to their visit.
first of all i set up debian with two network interfaces. eth0 is connected to a fully funktional network and eth1 will be the guest-network.
apache2 will be the web server to authenticate logins against freeradius. at the moment there is only a textfile userlist. in the future i will install mysql to provide accounting information.
Now i have installed and configured everything as i found it in several listings an how-to i am redirected to the apache homepage, i could sign-in, an i get free access to the internet. unless dns is not working on pc's connected to eth1 interface, so i tryes all with entering ip-addresses. on the server everything workes fine an i could resolve all names and backward resolve ip-addresses.
has eth1 to be defined in iptables to pass dns questions? Probably this is a bind problem but i hope anybody could help because last time i set up a debian system is about version 2.x. To get an idea of what could go wrong here are some config files:
/etc/chilli.conf:
#fg
#debug
#interval 3600
#pidfile /var/run/chilli.pid
#statedir ./
net 192.168.182.0/20
#dynip 192.168.182.0/24
#statip 192.168.182.0/24
dns1 192.168.182.1
dns2 192.168.182.1
domain kundennetz.eslive.local
#ipup /etc/chilli.ipup
#ipdown /etc/chilli.ipdown
#radiuslisten 127.0.0.1
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
#radiusauthport 1812
#radiusacctport 1813
radiussecret 4bNS3Ia
#radiusnasid nas01
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
#proxylisten 10.0.0.1
#proxyport 1645
#proxyclient 10.0.0.1/24
#proxysecret testing123
dhcpif eth1
# dhcpmac 00:00:5E:00:02:00
# lease 600
uamserver http://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamhomepage http://192.168.182.1
uamsecret <secret>
#uamlisten 192.168.182.1
#uamport 3990
uamallowed 192.168.182.1,www.chillispot.info
#uamanydns
#macauth
#macallowed 00-A6-35-24-22-57 # another MAC
macpasswd password
#macsuffix suffix
/etc/network/interfaces:
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
address 192.168.11.251
netmask 255.255.255.0
network 192.168.11.0
broadcast 192.168.11.255
gateway 192.168.11.254
dns-nameservers 192.168.11.254
dns-search eslive.local
output of ifconfig:
eth0 Protokoll:Ethernet Hardware Adresse 00:04:76:1A:93:E2
inet Adresse:192.168.11.251 Bcast:192.168.11.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5265 errors:0 dropped:0 overruns:1 frame:0
TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:681557 (665.5 KiB) TX bytes:23462 (22.9 KiB)
Interrupt:5 Basisadresse:0x2000
eth1 Protokoll:Ethernet Hardware Adresse 00:80:AD:02:FC:54
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:402 errors:0 dropped:0 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:44159 (43.1 KiB) TX bytes:5292 (5.1 KiB)
Interrupt:11 Basisadresse:0xa400
lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:146 errors:0 dropped:0 overruns:0 frame:0
TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:15081 (14.7 KiB) TX bytes:15081 (14.7 KiB)
tun0 Protokoll:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:192.168.182.1 P-z-P:192.168.182.1 Maske:255.255.240.0
UP PUNKTZUPUNKT RUNNING MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
/etc/init.d/firewall.iptables: (symlinked to /etc/rcS.d/S40firewall.iptables)
#!/bin/sh
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT
#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP
#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP
#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Hope anybody read to this point and could help me.
When this is done my next step is to set up mysql authentification. After all these thing i post a link to a pdf which is documenting all steps i have done since pressing power-button for the first time.
kind regards and greetings
Andreas