Has anybody on this managed to get ChilliSpot and Shorewall to work
together? I have managed to get it to work with the supplied firewall
script but if I wanted to do my firewall like that I would not be using
Shorewall.

At any rate, I am having all kinds of trouble translating the supplied
rules to something that Shorewall would understand. If anybody has already
done it I would love to see the relevant config files.

I am using Shorewall 2.0.13

Thanks,
--
 _
/-\ ndrew
On Tue, 2005-01-04 at 12:33 -0700, lists@pure-wireless.net wrote:

> Has anybody on this managed to get ChilliSpot and Shorewall to work
> together? I have managed to get it to work with the supplied firewall
> script but if I wanted to do my firewall like that I would not be using
> Shorewall.
>
> At any rate, I am having all kinds of trouble translating the supplied
> rules to something that Shorewall would understand. If anybody has already
> done it I would love to see the relevant config files.
>
> I am using Shorewall 2.0.13

After you have Chillispot up and running, what does the output of

    ip addr ls

look like?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Hi,

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, January 04, 2005 1:57 PM
Subject: Re: [Shorewall-users] Shorewall and ChilliSpot

> On Tue, 2005-01-04 at 12:33 -0700, lists@pure-wireless.net wrote:
>> At any rate, I am having all kinds of trouble translating the supplied
>> rules to something that Shorewall would understand. If anybody has
>> already
>> done it I would love to see the relevant config files.
>>
>> I am using Shorewall 2.0.13
>
> After you have Chillispot up and running, what does the output of
>
> ip addr ls
>
> look like?
>
> -Tom

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:04:5a:7f:92:9b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.25/24 brd 10.0.0.255 scope global br0
    inet6 fe80::200:ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:5a:7f:92:9b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::204:5aff:fe7f:929b/64 scope link
       valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:41:22:57:d5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:41ff:fe22:57d5/64 scope link
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,UP> mtu 1500 qdisc pfifo_fast qlen 10
    link/[65534]
    inet 192.168.182.1/24 scope global tun0

This is a bridge setup just to make things a little more complicated. The
tun0 is the ChilliSpot interface. It needs to be masq over to the br0
eventual public IP.
On Tue, 2005-01-04 at 15:57 -0700, Andrew Niemantsverdriet wrote:

> This is a bridge setup just to make things a little more complicated. The
> tun0 is the ChilliSpot interface. It needs to be masq over to the br0
> eventual public IP.

Ok -- I'm not going to make these generic instructions include the
bridge but you should be able to adapt them (make EXT_IF=br0 and set the
'routeback' option in /etc/shorewall/interfaces).

/etc/shorewall/params:

    EXT_IF=eth0
    INT_IF=eth1

/etc/shorewall/zones

    loc     local      Local Zone -- only for WAP admin
    net     Internet   The big bad net
    WiFi    Wireless   The Wireless Network

/etc/shorewall/interfaces

    loc     $INT_IF    -
    net     $EXT_IF    detect     norfc1918,route_filter
    WiFi    tun0       -

/etc/shorewall/policy

    WiFi    net     ACCEPT
    net     all     DROP
    loc     all     DROP
    fw      all     ACCEPT
    all     all     REJECT

/etc/shorewall/masq

    $EXT_IF    0.0.0.0/0

/etc/shorewall/rules

    #
    # Allow SSH from net
    #
    ACCEPT    net     fw    tcp    22
    #
    # Allow 3990 from WiFi
    #
    ACCEPT    Wifi    fw    tcp    3990
    #
    # Next rules only if the authentication server is on the Chilli box
    #
    ACCEPT    Wifi    fw    tcp    80,443

-Tom
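An added illustration, not part of the thread and not Shorewall's own code: a small Python model of the first-match lookup Shorewall applies to the zones, policy and rules Tom posted (rules are consulted before policy, and within each file the first matching entry decides). It compares zone names exactly as written, which is assumed to mirror Shorewall, so a rule referring to a zone spelled differently from the zones file is reported as undefined rather than silently matching.

```python
# Added example (not from the thread and not Shorewall's own code): a model of
# the first-match lookup Shorewall applies to the policy and rules posted above.

# Constructed copies of the thread's tables. "fw" is the firewall zone itself;
# zone names are compared exactly as written (assumption). Order matters.
ZONES = {"fw", "loc", "net", "WiFi"}

POLICY = """
WiFi net ACCEPT
net  all DROP
loc  all DROP
fw   all ACCEPT
all  all REJECT
"""

RULES = """
# Allow SSH from net
ACCEPT net  fw tcp 22
# Allow 3990 from WiFi
ACCEPT WiFi fw tcp 3990
# Only if the authentication server is on the Chilli box
ACCEPT WiFi fw tcp 80,443
"""

def parse(text):
    """Split a Shorewall table into token lists, skipping blanks and comments."""
    lines = (l.strip() for l in text.splitlines())
    return [l.split() for l in lines if l and not l.startswith("#")]

def undefined_zones(zones, policy, rules):
    """Zone names used in policy/rules but absent from zones ('all' is a wildcard)."""
    used = {z for src, dst, _act in parse(policy) for z in (src, dst)}
    used |= {z for _act, src, dst, *_rest in parse(rules) for z in (src, dst)}
    return used - set(zones) - {"all"}

def effective_action(src, dst, proto=None, port=None):
    """Return (action, origin). Rules are checked before policy; in each file
    the first matching entry wins, so 'all all REJECT' only catches leftovers."""
    for action, rsrc, rdst, rproto, rports in parse(RULES):
        if (rsrc, rdst, rproto) == (src, dst, proto) and port in rports.split(","):
            return action, "rules"
    for psrc, pdst, action in parse(POLICY):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action, f"policy: {psrc} {pdst} {action}"
    raise ValueError(f"no policy entry covers {src} -> {dst}")

if __name__ == "__main__":
    print(effective_action("net", "fw", "tcp", "23"))   # DROP via 'net all DROP'
    print(effective_action("WiFi", "loc"))              # REJECT via 'all all REJECT'
    print(undefined_zones(ZONES, POLICY, RULES.replace("WiFi", "Wifi")))  # {'Wifi'}
```

Run on the rules as posted (zone written `Wifi`), the check reports `Wifi` as a zone not defined in the zones file; with the spelling made consistent it reports nothing.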
Hi,

On Tue, 2005-01-04 at 16:15, Tom Eastep wrote:

> On Tue, 2005-01-04 at 15:57 -0700, Andrew Niemantsverdriet wrote:
> > This is a bridge setup just to make things a little more complicated. The
> > tun0 is the ChilliSpot interface. It needs to be masq over to the br0
> > eventual public IP.
>
> Ok -- I'm not going to make these generic instructions include the
> bridge but you should be able to adapt them (make EXT_IF=br0 and set the
> 'routeback' option in /etc/shorewall/interfaces).
>
> /etc/shorewall/params:
>
> EXT_IF=eth0
> INT_IF=eth1
>
> /etc/shorewall/interfaces
>
> loc     $INT_IF    -
> net     $EXT_IF    detect     norfc1918,route_filter
> WiFi    tun0       -
>
> -Tom

Great, it works like it should. The only problem is since it is a bridge
my interface file looks like this:

    -       br0     10.0.0.255    routeback
    WiFi    tun0    -

The problem is that when I try to start Shorewall I get a "Error: The
routeback option may not be specified on a multi zone interface". Things
seem to work fine with out the routeback option but I have not had a
chance to fully test it yet. So not a big deal but I would like to know
what is going on. Not the latest Shorewall version (but darn close) it is
2.0.13 so that may have something to do with it.

Thanks for the help Tom!
On Tue, 2005-01-04 at 17:29 -0700, Andrew Niemantsverdriet wrote:

> > -Tom
>
> Great, it works like it should. The only problem is since it is a bridge
> my interface file looks like this:
>
> -       br0     10.0.0.255    routeback
> WiFi    tun0    -
>
> The problem is that when I try to start Shorewall I get a "Error: The
> routeback option may not be specified on a multi zone interface".

I was assuming a simple bridge setup where you didn't need to control
traffic through the bridge. In that case, the bridge interface can be
associated with a zone in /etc/shorewall/interfaces.

-Tom