My Hot-Spot

sysop
Site Admin
Posts: 21
Joined: Thu Aug 01, 2019 4:24 pm

My Hot-Spot

Post by sysop » Fri Aug 02, 2019 10:12 am

How-to: configure the CoovaChilli hotspot and FreeRADIUS on Linux

This program controls access to the BBS's wireless network.
You need FreeRADIUS or another RADIUS server, plus Apache with SSL and, of course, CoovaChilli.

FreeRADIUS needs little: we can download version 2.0.0 from the repository.
As root, type: #urpmi freeradius
The configuration is in /etc/raddb; we focus on two files. The
file `client.conf` is where we put the secret we share with CoovaChilli,
which is an encryption password: look for secret and put our secret there,
the same one we put in the CoovaChilli configuration.

Code:

secret = radsecret
and close it. Now on to the 'users' file:
after steve's entry we can create our users

Code:

peter   Cleartext-Password := "passw12"
        WISPr-Bandwidth-Max-Down := 3000000,
        WISPr-Bandwidth-Max-Up := 256000
This is the entry for user peter, with a speed definition of 3 Mb down and 256 Kb up; the download and upload limits are optional. We can also set a general bandwidth in the CoovaChilli configuration, as long as we remove the speed entry here.

And now CoovaChilli, the best hotspot you will find for access control,
at http://cova.org, the continuation of ChilliSpot.
Download it from here: #wget http://ap.coova.org/chilli/coova-chilli-1.0.13.tar.gz
unpack, configure, make install

Configuration of the defaults file: only modify this file for the configuration,
in /usr/local/etc/chilli

Code:

# -*- /bin/sh -*-
#
#   Coova-Chilli Default Configurations.
#   To customize, copy this file to /usr/local/etc/chilli/config
#   and edit to your liking. This is included in shell scripts
#   that configure chilli and related programs before file 'config'.


###
#   Local Network Configurations
#

# HS_WANIF=eth0            # WAN Interface toward the Internet
HS_LANIF=eth1              # Subscriber Interface for client devices (wireless connection)
HS_NETWORK=192.168.182.0   # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.252.0   # HotSpot Network Netmask
HS_UAMLISTEN=192.168.182.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990            # HotSpot Port (on subscriber network)

HS_DYNIP=192.168.182.50
HS_DYNIP_MASK=255.255.252.0
# HS_STATIP=
# HS_STATIP_MASK=255.255.255.0
# HS_DNS_DOMAIN=
HS_DNS1=62.42.230.136
HS_DNS2=192.168.182.1

###
#   HotSpot settings for simple Captive Portal
#
HS_NASID=nas01
HS_UAMSECRET=              # Shared secret between chilli and the portal pages (empty = none configured)
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
HS_RADSECRET=radsecret
HS_UAMALLOW=84.127.232.16

#   Put entire domains in the walled-garden with DNS inspection
# HS_UAMDOMAINS=".paypal.com,.paypalobjects.com"

#   Optional initial redirect and RADIUS settings
# HS_SSID=<ssid>      # To send to the captive portal
# HS_NASMAC=<mac address>  # To explicitly set Called-Station-Id
# HS_NASIP=<ip address>    # To explicitly set NAS-IP-Address

#   The server to be used in combination with HS_UAMFORMAT to
#   create the final chilli 'uamserver' url configuration.
HS_UAMSERVER=192.168.182.1

#   Use HS_UAMFORMAT to define the actual captive portal url.
#   Shell variable replacement takes place when evaluated, so here
#   HS_UAMSERVER is escaped and later replaced by the pre-defined
#   HS_UAMSERVER to form the actual "--uamserver" option in chilli.
HS_UAMFORMAT=https://\$HS_UAMSERVER/app/uam/

#   Same principal goes for HS_UAMHOMEPAGE.
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html

#   This option will be configured to be the WISPr LoginURL as well
#   as provide "uamService" to the ChilliController. The UAM Service is
#   described in: http://coova.org/wiki/index.php/CoovaChilli/UAMService
#
#HS_UAMSERVICE=https://coova.org/app/uam/auth


###
#   Features not activated per-default (default to off)
#
# HS_RADCONF=off      # Get some configurations from RADIUS or a URL ('on' and 'url' respectively)
#
# HS_ANYIP=on         # Allow any IP address on subscriber LAN
#
#HS_MACAUTH=on         # To turn on MAC Authentication
#
HS_MACAUTHDENY=on      # Put client in 'drop' state on MAC Auth Access-Reject

#
#HS_MACAUTHMODE=local      # To allow MAC Authentication based on macallowed, not RADIUS
#
# HS_MACALLOW="00:xx:xx:xx:xx:1C"      # List of MAC addresses to authenticate (comma separated)
#think banned
# HS_USELOCALUSERS=on      # To use the /usr/local/etc/chilli/localusers file
#
#HS_OPENIDAUTH=on      # To inform the RADIUS server to allow OpenID Auth
#
#HS_WPAGUESTS=on      # To inform the RADIUS server to allow WPA Guests
#
#HS_DNSPARANOIA=on      # To drop DNS packets containing something other
#            # than A, CNAME, SOA, or MX records
#
HS_OPENIDAUTH=on      # To inform the RADIUS server to allow OpenID Auth
#            # Will also configure the embedded login forms for OpenID
#
# HS_USE_MAP=on         # Short hand for allowing the required google
#            # sites to use Google maps (adds many google sites!)
#
###
#   Other feature settings and their defaults
#
HS_DEFSESSIONTIMEOUT=86400        # Default session-timeout if not defined by RADIUS (0 for unlimited)
#
HS_DEFIDLETIMEOUT=3600         # Default idle-timeout if not defined by RADIUS (0 for unlimited)
#
HS_DEFBANDWIDTHMAXDOWN=30000000    # 3MB default WISPr-Bandwidth-Max-Down if not defined by RADIUS (0 for unlimited); note the value here is 30000000 bit/s = 30 Mbit/s, 3 Mbit/s would be 3000000
#
HS_DEFBANDWIDTHMAXUP=72000      # 72K default WISPr-Bandwidth-Max-Up if not defined by RADIUS (0 for unlimited)

###
# Centralized configuration options examples
#
# HS_RADCONF=url      # requires curl
# HS_RADCONF_URL=https://coova.org/app/ap/config

# HS_RADCONF=on         # gather the ChilliSpot-Config attributes in
#            # Administrative-User login
#HS_RADCONF_SERVER=127.0.0.1       # RADIUS Server
#HS_RADCONF_SECRET=secret       # RADIUS Shared Secret
#HS_RADCONF_AUTHPORT=1812       # Auth port
#HS_RADCONF_USER=coova-chilli       # Username
#HS_RADCONF_PWD=coova-chilli       # Password


###
#   Standard configurations
#
HS_MODE=hotspot
HS_TYPE=chillispot
#HS_RADAUTH=1812
#HS_RADACCT=1813
#HS_ADMUSR=chillispot
#HS_ADMPWD=chillispot


###
#   Post-Auth proxy settings
#
# HS_POSTAUTH_PROXY=127.0.0.1
# HS_POSTAUTH_PROXYPORT=33128

#   Directory specifying where internal web pages can be served
#   by chilli with url /www/<file name>. Only extensions like .html
#   .jpg, .gif, .png, .js are allowed. See below for using .chi as a
#   CGI extension.
HS_WWWDIR=/usr/local/etc/chilli/www

#   Using this option assumes 'haserl' is installed by default,
#   but any CGI-type program can be run from wwwsh to process requests
#   to chilli with url /www/filename.chi
HS_WWWBIN=/usr/local/etc/chilli/wwwsh

#   Some configurations used in certain user interfaces
#
HS_PROVIDER=belchi.org
HS_PROVIDER_LINK=http://www.belchi.org/


###
#   WISPr RADIUS Attribute support
#

HS_LOC_NAME="Accesso RED INET by Absoloom"      # WISPr Location Name and used in portal

#   WISPr settings (to form a proper WISPr-Location-Id)
HS_LOC_NETWORK="Absoloom"      # Network name
HS_LOC_AC=34            # Phone area code
HS_LOC_CC=868            # Phone country code
HS_LOC_ISOCC=ES         # ISO Country code
To enable web access via the jhonson template

download

Code:

    #wget http://coova.org/app/uam/index.html
    #wget http://coova.org/app/uam/chilli.js
modify them for your server .....
and put them in your Apache at /var/www/html/app/uam/ind.....

The *functions file has a bug regarding the upload speed: it has a "double d" in the code.

This way you will have total control over access to your network through Linux.
Look at http://coova.org, they have other solutions such as firmware.

P.S.: the Apache configuration is omitted because it is obvious: #urpmi apache-ssl


sysop
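As an added example (not code from the post, CoovaChilli or FreeRADIUS), the following Python script cross-checks the three places the post says must agree: the secret in the FreeRADIUS client configuration, HS_RADSECRET in the chilli defaults file, and the per-user WISPr bandwidth reply attributes against the HS_DEFBANDWIDTHMAX* fallbacks that apply when a user entry carries no speed. The file contents are constructed samples modelled on the post; the parsers are hypothetical helpers that understand only the line shapes shown there. It also flags an empty HS_UAMSECRET and a non-https HS_UAMFORMAT, the two settings in the defaults file a reviewer would question.

```python
"""Cross-check a CoovaChilli 'defaults' file against FreeRADIUS clients.conf and users.
Added example, not code from the post, CoovaChilli or FreeRADIUS. The three
strings are constructed samples modelled on the post; the parsers are hypothetical
helpers that understand only the line shapes shown there."""
import re

# Constructed sample: the client entry of /etc/raddb/clients.conf
CLIENTS_CONF = """
client localhost {
    secret = radsecret
}
"""
# Constructed sample: two entries of /etc/raddb/users (peter as in the post)
USERS_FILE = """
peter   Cleartext-Password := "passw12"
        WISPr-Bandwidth-Max-Down := 3000000,
        WISPr-Bandwidth-Max-Up := 256000
anna    Cleartext-Password := "hunter2"
"""
# Constructed sample: the security-relevant lines of /usr/local/etc/chilli/defaults
CHILLI_DEFAULTS = r"""
HS_UAMSECRET=
HS_RADIUS=127.0.0.1
HS_RADSECRET=radsecret
HS_UAMFORMAT=https://\$HS_UAMSERVER/app/uam/
HS_DEFBANDWIDTHMAXDOWN=30000000    # applies when RADIUS sends no WISPr attribute
HS_DEFBANDWIDTHMAXUP=72000
"""
ATTR_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*("([^"]*)"|[^,\s]+)')


def parse_shell_assignments(text):
    """KEY=VALUE lines of a chilli defaults file, trailing '# comment' removed."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)=(.*?)\s*(?:#.*)?$', line)
        if m:
            out[m.group(1)] = m.group(2).strip('"')
    return out


def parse_clients_secret(text):
    """First 'secret = ...' in a clients.conf snippet (None if absent)."""
    m = re.search(r'^\s*secret\s*=\s*(\S+)', text, re.M)
    return m.group(1) if m else None


def _attrs(fragment):
    """'Attr op value, Attr op value' -> {Attr: value}, quotes stripped."""
    return {m.group(1): m.group(4) if m.group(3).startswith('"') else m.group(3)
            for m in ATTR_RE.finditer(fragment)}


def parse_users(text):
    """FreeRADIUS 'users' entries: a non-indented line opens an entry and carries
    the check items; the indented lines that follow carry the reply items."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            parts = raw.split(None, 1)
            current = users.setdefault(parts[0], {"check": {}, "reply": {}})
            current["check"].update(_attrs(parts[1] if len(parts) > 1 else ""))
        elif current is not None:
            current["reply"].update(_attrs(raw))
    return users


def effective_bandwidth(chilli, users):
    """Per-user limits in bit/s: a WISPr reply attribute wins, otherwise the
    HS_DEFBANDWIDTHMAX* value from the chilli defaults applies."""
    dflt_down = int(chilli.get("HS_DEFBANDWIDTHMAXDOWN") or 0)
    dflt_up = int(chilli.get("HS_DEFBANDWIDTHMAXUP") or 0)
    return {name: {"down": int(u["reply"].get("WISPr-Bandwidth-Max-Down", dflt_down)),
                   "up": int(u["reply"].get("WISPr-Bandwidth-Max-Up", dflt_up))}
            for name, u in users.items()}


def audit(chilli, clients_secret):
    """Misconfigurations to flag before putting the hotspot live."""
    findings = []
    if chilli.get("HS_RADSECRET") != clients_secret:
        findings.append("HS_RADSECRET differs from the secret in clients.conf: "
                        "every login will fail at the RADIUS step")
    if not chilli.get("HS_UAMSECRET"):
        findings.append("HS_UAMSECRET is empty: no shared secret between chilli "
                        "and the portal pages")
    if not chilli.get("HS_UAMFORMAT", "").startswith("https://"):
        findings.append("HS_UAMFORMAT is not https: the login form is served in clear")
    return findings


if __name__ == "__main__":
    chilli = parse_shell_assignments(CHILLI_DEFAULTS)
    users = parse_users(USERS_FILE)
    for name, bw in effective_bandwidth(chilli, users).items():
        print(f"{name}: {bw['down'] / 1e6:.1f} Mbit/s down, {bw['up'] / 1e3:.0f} kbit/s up")
    for finding in audit(chilli, parse_clients_secret(CLIENTS_CONF)):
        print("WARNING:", finding)
```

Run against the samples it reports peter at 3.0 Mbit/s down and 256 kbit/s up, anna at the chilli defaults (30 Mbit/s and 72 kbit/s, which is where a mismatch between the number and its "3MB" comment becomes visible), and one warning for the empty HS_UAMSECRET. To use it on a real box, replace the three constants with the contents of the actual files.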

sysop
Site Admin
Posts: 21
Joined: Thu Aug 01, 2019 4:24 pm

Example iptables firewall for CoovaChilli

Post by sysop » Fri Aug 02, 2019 10:13 am

Code:

#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
#   to and from the internal interface.
# * NAT is enabled on the external interface.

IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
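As an added example (not the post's script and not CoovaChilli code), here is a small Python model of the INPUT and FORWARD chains the script above builds, with the rules transcribed in the same order so you can see which verdict a given packet gets. Netfilter walks a chain top to bottom, the first matching rule decides, and the chain policy applies when nothing matches; the model implements exactly that for the match types the script uses (interface, protocol, destination port, --syn, conntrack state, ICMP type) and nothing more. The name tun0 for chilli's tunnel interface is an assumption, and the NAT rule is left out because it does not produce a verdict.

```python
"""First-match model of the INPUT and FORWARD chains built by the ChilliSpot
firewall script above. Added example, not the post's script nor CoovaChilli
code; the rules are a hand transcription (constructed) of the script, the
chilli tunnel interface name 'tun0' is an assumption, and only the match
types the script uses are modelled."""
from dataclasses import dataclass
from typing import Optional, Tuple

EXTIF, INTIF = "eth0", "eth1"


@dataclass
class Packet:
    in_if: Optional[str] = None      # ingress interface (None for locally generated)
    out_if: Optional[str] = None     # egress interface, only meaningful in FORWARD
    proto: str = "tcp"
    dport: Optional[int] = None
    syn: bool = False                # TCP SYN without ACK, i.e. a new connection attempt
    state: str = "NEW"               # conntrack state: NEW, ESTABLISHED or RELATED
    icmp_type: Optional[str] = None


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: bool = False
    states: Tuple[str, ...] = ()
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every match option set on the rule must agree with the packet."""
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (not self.syn or p.syn)
                and (not self.states or p.state in self.states)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


# INPUT chain, transcribed in the script's order; the order is the security property
INPUT_POLICY = "DROP"
INPUT_RULES = [
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),             # replies to our own traffic
    Rule("ACCEPT", in_if=EXTIF, proto="tcp", dport=22, syn=True),  # ssh from the outside
    Rule("REJECT", in_if=EXTIF),                                   # anything else from outside
    Rule("DROP", in_if=INTIF),                                     # AP LAN never talks to the host
    Rule("ACCEPT", proto="tcp", dport=80, syn=True),               # portal, reached via chilli's tunnel
    Rule("ACCEPT", proto="tcp", dport=443, syn=True),
    Rule("ACCEPT", proto="tcp", dport=3990, syn=True),             # chilli UAM port
    Rule("ACCEPT", proto="icmp", icmp_type="echo-request"),
    Rule("ACCEPT", in_if="lo"),                                    # e.g. RADIUS to 127.0.0.1
]

# FORWARD chain: policy ACCEPT, but nothing may be routed to or from the AP LAN
FORWARD_POLICY = "ACCEPT"
FORWARD_RULES = [Rule("DROP", in_if=INTIF), Rule("DROP", out_if=INTIF)]


def verdict(rules, policy, p: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides, else the policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


def input_verdict(p: Packet) -> str:
    return verdict(INPUT_RULES, INPUT_POLICY, p)


def forward_verdict(p: Packet) -> str:
    return verdict(FORWARD_RULES, FORWARD_POLICY, p)


if __name__ == "__main__":
    cases = {
        "ssh SYN from eth0": Packet(in_if=EXTIF, dport=22, syn=True),
        "http SYN from eth0": Packet(in_if=EXTIF, dport=80, syn=True),
        "http SYN from eth1 (AP LAN)": Packet(in_if=INTIF, dport=80, syn=True),
        "http SYN from tun0 (chilli client)": Packet(in_if="tun0", dport=80, syn=True),
        "tcp/8080 SYN from tun0": Packet(in_if="tun0", dport=8080, syn=True),
    }
    for label, pkt in cases.items():
        print(f"{label:38s} -> {input_verdict(pkt)}")
    print(f"{'forward tun0 -> eth0':38s} -> {forward_verdict(Packet(in_if='tun0', out_if=EXTIF))}")
    print(f"{'forward eth0 -> eth1':38s} -> {forward_verdict(Packet(in_if=EXTIF, out_if=INTIF))}")
```

The point the model makes visible is that the port 80/443/3990 rules are only reachable by packets that did not arrive on eth0 or eth1, because the REJECT and DROP rules for those interfaces sit above them; move the eth0 REJECT below the port rules and the same input shows the portal ports answering from the Internet side. It also shows why the script's comment "nothing is allowed in on internal interface" is compatible with clients reaching the portal: their packets arrive on chilli's tunnel, not on eth1.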

sysop
Site Admin
Posts: 21
Joined: Thu Aug 01, 2019 4:24 pm

To stop logging martian sources in the log

Post by sysop » Fri Aug 02, 2019 10:15 am

Code:

echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
