[isf-wifidog] Difficulty in getting wifidog gateway on OpenWRT to
connect to Auth Server
John Boushall
stumblingthunder at yahoo.com
Ven 6 Oct 16:11:42 EDT 2006
Skipped content of type multipart/alternative-------------- next part --------------
[6][Fri Dec 31 19:09:29 1999][1293](conf.c:575) Reading configuration file '/etc/wifidog.conf'
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: GatewayID, value: marina
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: ExternalInterface, value: vlan1
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: GatewayInterface, value: eth1
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: AuthServer, value: {
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:287) Adding tyccwifi:80 (SSL: 443) /wifidog/ to the auth server list
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:309) Auth server added
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: CheckInterval, value: 60
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: ClientTimeout, value: 5
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: FirewallRuleSet, value: global
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:346) Adding Firewall Rule Set global
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow udp to 10.1.31.105/27]
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:432) leftover: allow udp to 10.1.31.105/27
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:514) Adding Firewall Rule allow udp port (null) to 10.1.31.105/27
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow udp to 10.1.31.105/27]
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:432) leftover: allow udp to 10.1.31.105/27
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:514) Adding Firewall Rule allow udp port (null) to 10.1.31.105/27
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow tcp port 80 to 10.1.31.105]
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:432) leftover: allow tcp port 80 to 10.1.31.105
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:514) Adding Firewall Rule allow tcp port 80 to 10.1.31.105
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:409) Firewall Rule Set global added.
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:614) Parsing token: FirewallRuleSet, value: validating-users
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:346) Adding Firewall Rule Set validating-users
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [block tcp port 25]
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:432) leftover: block tcp port 25
[7][Fri Dec 31 19:09:29 1999][1293](conf.c:514) Adding Firewall Rule block tcp port 25 to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow to 10.1.31.254/0]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: allow to 10.1.31.254/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule allow (null) port (null) to 10.1.31.254/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:409) Firewall Rule Set validating-users added.
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:614) Parsing token: FirewallRuleSet, value: known-users
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:346) Adding Firewall Rule Set known-users
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow to 10.1.31.254/0]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: allow to 10.1.31.254/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule allow (null) port (null) to 10.1.31.254/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:409) Firewall Rule Set known-users added.
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:614) Parsing token: FirewallRuleSet, value: unknown-users
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:346) Adding Firewall Rule Set unknown-users
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow udp port 53]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: allow udp port 53
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule allow udp port 53 to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow tcp port 53]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: allow tcp port 53
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule allow tcp port 53 to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow udp port 67]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: allow udp port 67
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule allow udp port 67 to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [allow tcp port 67]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: allow tcp port 67
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule allow tcp port 67 to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:409) Firewall Rule Set unknown-users added.
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:614) Parsing token: FirewallRuleSet, value: locked-users
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:346) Adding Firewall Rule Set locked-users
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:385) p1 = [FirewallRule]; p2 = [block to 0.0.0.0/0]
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:432) leftover: block to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:514) Adding Firewall Rule block (null) port (null) to 0.0.0.0/0
[7][Fri Dec 31 19:09:30 1999][1293](conf.c:409) Firewall Rule Set locked-users added.
[7][Fri Dec 31 19:09:30 1999][1293](gateway.c:310) Initializing signal handlers
[6][Fri Dec 31 19:09:30 1999][1293](gateway.c:370) Setting started_time
[7][Fri Dec 31 19:09:30 1999][1293](gateway.c:380) Finding IP address of eth1
[7][Fri Dec 31 19:09:30 1999][1293](gateway.c:385) eth1 = 172.31.2.254
[5][Fri Dec 31 19:09:31 1999][1293](gateway.c:399) Creating web server on 172.31.2.254:2060
-------------- next part --------------
#!/bin/sh
## Please make changes in /etc/firewall.user
. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
# allow
iptables -A INPUT -i \! $WAN -j ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
# allow
# iptables -A FORWARD -i br0 -o br0 -j ACCEPT
# iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -e /etc/config/firewall ] && {
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
}
-------------- next part --------------
# $Header$
# WiFiDog Configuration file
# Parameter: GatewayID
# Default: default
# Optional but essential for monitoring purposes
#
# Set this to the template ID on the auth server
# this is used to give a customized login page to the clients
# If none is supplied, the default login page will be used.
GatewayID marina
# Parameter: ExternalInterface
# Default: NONE
# Optional
#
# Set this to the external interface. Typically vlan1 for OpenWrt, and eth0 or ppp0 otherwise
ExternalInterface vlan1
# Parameter: GatewayInterface
# Default: NONE
# Mandatory
#
# Set this to the internal interface. Typically br0 for OpenWrt, and eth1 otherwise
GatewayInterface eth1
# Parameter: GatewayAddress
# Default: Find it from GatewayInterface
# Optional
#
# Set this to the internal IP address of the gateway
# GatewayAddress 192.168.1.1
# Parameter: AuthServMaxTries
# Default: 1
# Optional
#
# Sets the number of auth servers the gateway will attempt to contact when a request fails.
# this number should be equal to the number of AuthServer lines in this
# configuration but it should probably not exceed 3.
# AuthServMaxTries 3
# Parameter: AuthServer
# Default: NONE
# Mandatory
#
# Set this to the hostname or IP of your auth server, the path where
# WiFiDog-auth resides and optionally as a second argument, the port it
# listens on.
#AuthServer {
# Hostname (Mandatory; Default: NONE)
# SSLAvailable (Optional; Default: no; Possible values: yes, no)
# SSLPort 443 (Optional; Default: 443)
# HTTPPort 80 (Optional; Default: 80)
# Path wifidog/ (Optional; Default: /wifidog/ Note: The path must be both prefixed and suffixed by /. Use a single / for server root.)
#}
AuthServer {
Hostname tyccwifi
SSLAvailable no
}
#AuthServer {
# Hostname auth2.ilesansfil.org
# SSLAvailable yes
# Path /
#}
#AuthServer {
# Hostname auth3.ilesansfil.org
# SSLAvailable yes
# Path /
#}
# Parameter: Daemon
# Default: 1
# Optional
#
# Set this to true if you want to run as a daemon
# Daemon 1
# Parameter: GatewayPort
# Default: 2060
# Optional
#
# Listen on this port
# GatewayPort 2060
# Parameter: HTTPDName
# Default: WiFiDog
# Optional
#
# Define what name the HTTPD server will respond
# HTTPDName WiFiDog
# Parameter: HTTPDMaxConn
# Default: 10
# Optional
#
# How many sockets to listen to
# HTTPDMaxConn 10
# Parameter: CheckInterval
# Default: 60
# Optional
#
# How many seconds should we wait between timeout checks
CheckInterval 60
# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired of number of CheckInterval of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 5
# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.
# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.
# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
# This is the default config for the Teliphone service.
FirewallRuleSet global {
FirewallRule allow udp to 10.1.31.105/27
FirewallRule allow udp to 10.1.31.105/27
FirewallRule allow tcp port 80 to 10.1.31.105
}
# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
FirewallRule block tcp port 25
FirewallRule allow to 10.1.31.254/0
}
# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
FirewallRule allow to 10.1.31.254/0
}
# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
# Rule Set: locked-users
#
# Used for users that have been locked out.
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}
Plus d'informations sur la liste de diffusion WiFiDog