Shorewall users - Apr 2008 - Captive Portal with Shorewall

.

"Saluton",

Sorry by my poor english, I speak Portuguese.

I does a captive portal using:

- shorewall
- dhcpd
- thttpd (in port 8080)
- maradns

With Shorewall I use dinamic zones.

The initial zone in shorewall is
configured to redirects access to
internal thttpd port 8080, that
shows a login.cgi page.

With thttpd I rewrite original url.

The apache rewrite is very cool, but
thttpd configuration is very simple,
and small.

The perl script login.cgi need to do:

`shorewall delete eth2:192.168.2.11 zone1`;
`shorewall add    eth2:192.168.2.11 zone2`;

The zone1 have access only to dhcpd, dns,
thttpd. And http access is redirected to
a rewrite url in login page in thttpd port.

The zone2 have authorized access to WAN.

But the problem is:

User www-data, "whoami" in thttpd cgi script,
does not to run, execute, "shorewall command".

I tried to put www-data and /sbin/shorewall
in file "/etc/sudoers" but the system
answer thet the file "/etc/shorewall/shorewall.conf"
does not exist.

I thinked in some problem with function
"find_file", but I dont know.

Then, in thttpd.conf, I changed the userid
www-data to root.

In this case, the login.cgi answer that
do not find shorewall script.

I changed the login.cgi to:

`/sbin/shorewall delete eth2:192.168.2.11 zone1`;
`/sbin/shorewall add    eth2:192.168.2.11 zone2`;

And in this case, with thttpd with userid "root",
and not "www-data", the command shorewall worked.

I am making now a Perl script to admin this
dinamics zones, adding and deleting IPs
from this dinamics zones.

But to do it, I need run shorewall commands
from a perl script running in a httpd server.

I would like some help about how to runs 
shorewall commands, from a perl script
runned in a httpd server (thttpd for example).

And if you can show me my english errors,
I can learn it too. :)

Thank you very much.

Sávio Sampaio
saviosampaio@yahoo.com.br

.


      Abra sua conta no Yahoo! Mail, o único sem limite de espaço para
armazenamento!
http://br.mail.yahoo.com/

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don''t miss this year''s exciting event. There''s still
time to save $100.
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

.

Sorry,

Now I see... The program "sudo" was not installed.

I create two shell script:

------------ sh_delete.sh ----
#!/bin/sh
shorewall delete eth2:$1 zone1
shorewall add    eth2:$1 zone2
------------------------------

------------ sh_add.sh ----
#!/bin/sh
shorewall delete eth2:$1 zone2
shorewall add    eth2:$1 zone1
------------------------------

And put in /etc/sudoers:

www-data ALL=NOPASSWD: /sbin/sh_delete.sh
www-data ALL=NOPASSWD: /sbin/sh_add.sh

And in perl script I put:

`sudo /sbin/sh_add.sh $ip`;

And now this works okay.

Now I will create a admin.cgi to
control Users, Passwords, Times,
Permissions, and others things.

And I would like to know how to
verify how many "bytes" a IP (client)
have used in the conection,
using Shorewall accounting.

Thank you very much.

Sávio Sampaio
saviosampaio@yahoo.com.br




      Abra sua conta no Yahoo! Mail, o único sem limite de espaço para
armazenamento!
http://br.mail.yahoo.com/

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don''t miss this year''s exciting event. There''s still
time to save $100.
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Savio Sampaio wrote:
> 
> And I would like to know how to
> verify how many "bytes" a IP (client)
> have used in the conection,
> using Shorewall accounting.
I wouldn''t use Shorewall accounting for that. The accouting rules you 
would need to set up would be ugly and slow.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don''t miss this year''s exciting event. There''s still
time to save $100.
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone