Topic: Established TCP connections not reset upon Session-Timeout

My setup:

Client  (PC) <----> Chillispot v1.1.0 (OpenWRT) <----> Freeradius v1.1.3 (Debian)

All works as configured and wanted:
1. Client tries to access a URL and is redirected to hotspotlogin.cgi

2. Chillispot asks Freeradius, which sends back an "Acct-Status-Type = Start"

3. Client PC can then browse, establish SSH connections, etc.

4. Until Freeradius generates an "Acct-Status-Type = Stop", reason: "Acct-Terminate-Cause = Session-Timeout"

5. Chillispot receives the information; the client PC cannot browse anymore and is redirected to hotspotlogin.cgi


EXCEPT:
6. The client PC's established SSH connections (PuTTY) are still working, even though its browser cannot access any new site!?

Am I missing something big?

Re: Established TCP connections not reset upon Session-Timeout

Can SSH access all hosts?

Or did you open port 22 for SSH in the firewall?

Re: Established TCP connections not reset upon Session-Timeout

No, I mean that existing, established SSH connections are NOT closed when the Chillispot session expires.

SSH still gets forwarded, even though Chillispot redirects the browser to the hotspotlogin.cgi portal.

4 (edited by dannymagat 2009-02-19 06:31:42)

Re: Established TCP connections not reset upon Session-Timeout

Check my firewall setup on my OpenWRT Chillispot box.
IT WORKS FOR ME!!! When the user expires, it closes all ports, especially SSH.


====================================
filename: /etc/init.d/S45firewal
====================================
#!/bin/sh

## Please make changes in /etc/firewall.user
${FAILSAFE:+exit}

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT -i \! $WAN  -j ACCEPT       # allow from lan/wifi interfaces
  #iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  #iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT          #allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE


## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user


====================================
filename: /etc/firewall/ssh
====================================

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
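The behaviour in the first post has a plausible explanation in the script above: in the FORWARD chain the `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule comes before the jump to `forwarding_rule`, so packets of a flow that conntrack already knows are accepted before any per-client rule can see them, and a session that is closed later leaves its existing TCP connections untouched. One defender-side mitigation is to flush the client's conntrack entries when the accounting Stop arrives. The script below is an added example, not code from the thread or from Chillispot/FreeRADIUS: it reads FreeRADIUS accounting records in the "detail" file format (a header line, then `Attribute = Value` lines, records separated by blank lines), picks the `Framed-IP-Address` of every `Acct-Status-Type = Stop` record, and runs `conntrack -D` from conntrack-tools for that address. The sample records are constructed, and the `CONNTRACK` variable is a hypothetical hook so the script can be dry-run with `echo`.

```shell
#!/bin/sh
# Added example: flush conntrack state for clients whose RADIUS session stopped,
# so the RELATED,ESTABLISHED accept in FORWARD no longer matches their old flows.
# Assumes FreeRADIUS "detail" file layout and `conntrack` from conntrack-tools.

# Constructed sample accounting records (not real data; real files use tabs).
SAMPLE_DETAIL='Thu Feb 19 06:00:00 2009
    Acct-Status-Type = Start
    Framed-IP-Address = 192.168.182.2
    User-Name = "alice"

Thu Feb 19 06:30:00 2009
    Acct-Status-Type = Stop
    Acct-Terminate-Cause = Session-Timeout
    Framed-IP-Address = 192.168.182.2
    User-Name = "alice"

Thu Feb 19 06:31:00 2009
    Acct-Status-Type = Stop
    Acct-Terminate-Cause = User-Request
    Framed-IP-Address = 192.168.182.3
    User-Name = "bob"
'

# Read detail records on stdin; print the Framed-IP-Address of each Stop record.
# A record ends at a blank line (or at end of input), which is when we decide.
stopped_client_ips() {
    awk '
        /^[[:space:]]*Acct-Status-Type[[:space:]]*=/  { stop = ($3 == "Stop") }
        /^[[:space:]]*Framed-IP-Address[[:space:]]*=/ { ip = $3 }
        /^[[:space:]]*$/ { if (stop && ip != "") print ip; stop = 0; ip = "" }
        END              { if (stop && ip != "") print ip }
    '
}

# Delete conntrack entries where the stopped client is source or destination.
# CONNTRACK is a hypothetical override (set CONNTRACK=echo for a dry run).
# conntrack exits non-zero when nothing matched, so ignore its status.
flush_stopped_clients() {
    CONNTRACK="${CONNTRACK:-conntrack}"
    stopped_client_ips | while read -r ip; do
        "$CONNTRACK" -D -s "$ip" || :
        "$CONNTRACK" -D -d "$ip" || :
    done
}

# Dry-run over the constructed records: prints the commands that would run.
main() {
    printf '%s' "$SAMPLE_DETAIL" | CONNTRACK=echo flush_stopped_clients
}
```

On a live box you would feed the real detail file (or a radiusd post-accounting hook) into `flush_stopped_clients` instead of the sample, and the Start record is deliberately ignored.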