Hi *,

was a problem in IPTABLES.
i just added a ACCEPT on tcp and udp port 53 to "other" interfaces (not $INTIF or $EXTIF) an it works. all clients on eth1 / tun could now resolve names only known by the local bind. these names could not be known by official nameservers, so bind is working fine.

Here are the lines i added after http und https allowd

$IPTABLES -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 53 -j ACCEPT

Andreas

hi *,

i just set up a debian server while trying following to do.

I want to realise a wired an wireless chillispot in a event location to provide internet acces to our guests without charge but to secure it against unnown people and to limit access-time to their visit.

first of all i set up debian with two network interfaces. eth0 is connected to a fully funktional network and eth1 will be the guest-network.
apache2 will be the web server to authenticate logins against freeradius. at the moment there is only a textfile userlist. in the future i will install mysql to provide accounting information.

Now i have installed and configured everything as i found it in several listings an how-to i am redirected to the apache homepage, i could sign-in, an i get free access to the internet. unless dns is not working on pc's connected to eth1 interface, so i tryes all with entering ip-addresses. on the server everything workes fine an i could resolve all names and backward resolve ip-addresses.

has eth1 to be defined in iptables to pass dns questions? Probably this is a bind problem but i hope anybody could help because last time i set up a debian system is about version 2.x. To get an idea of what could go wrong here are some config files:


/etc/chilli.conf:
#fg
#debug
#interval 3600
#pidfile /var/run/chilli.pid
#statedir ./
net 192.168.182.0/20
#dynip 192.168.182.0/24
#statip 192.168.182.0/24
dns1 192.168.182.1
dns2 192.168.182.1
domain kundennetz.eslive.local
#ipup /etc/chilli.ipup
#ipdown /etc/chilli.ipdown
#radiuslisten 127.0.0.1
radiusserver1 127.0.0.1
radiusserver2 127.0.0.1
#radiusauthport 1812
#radiusacctport 1813
radiussecret 4bNS3Ia
#radiusnasid nas01
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport
#proxylisten 10.0.0.1
#proxyport 1645
#proxyclient 10.0.0.1/24
#proxysecret testing123
dhcpif eth1
# dhcpmac 00:00:5E:00:02:00
# lease 600
uamserver http://192.168.182.1/cgi-bin/hotspotlogin.cgi
uamhomepage http://192.168.182.1
uamsecret <secret>
#uamlisten 192.168.182.1
#uamport 3990
uamallowed 192.168.182.1,www.chillispot.info
#uamanydns
#macauth
#macallowed 00-A6-35-24-22-57   # another MAC
macpasswd password
#macsuffix suffix


/etc/network/interfaces:
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet static
    address 192.168.11.251
    netmask 255.255.255.0
    network 192.168.11.0
    broadcast 192.168.11.255
    gateway 192.168.11.254
    dns-nameservers 192.168.11.254
    dns-search eslive.local


output of ifconfig:
eth0      Protokoll:Ethernet  Hardware Adresse 00:04:76:1A:93:E2 
          inet Adresse:192.168.11.251  Bcast:192.168.11.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5265 errors:0 dropped:0 overruns:1 frame:0
          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:681557 (665.5 KiB)  TX bytes:23462 (22.9 KiB)
          Interrupt:5 Basisadresse:0x2000

eth1      Protokoll:Ethernet  Hardware Adresse 00:80:AD:02:FC:54 
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:402 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:44159 (43.1 KiB)  TX bytes:5292 (5.1 KiB)
          Interrupt:11 Basisadresse:0xa400

lo        Protokoll:Lokale Schleife 
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:146 errors:0 dropped:0 overruns:0 frame:0
          TX packets:146 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:15081 (14.7 KiB)  TX bytes:15081 (14.7 KiB)

tun0      Protokoll:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet Adresse:192.168.182.1  P-z-P:192.168.182.1  Maske:255.255.240.0
          UP PUNKTZUPUNKT RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


/etc/init.d/firewall.iptables: (symlinked to /etc/rcS.d/S40firewall.iptables)
#!/bin/sh
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow releated, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE




Hope anybody read to this point and could help me.
When this is done my next step is to set up mysql authentification. After all these thing i post a link to a pdf which is documenting all steps i have done since pressing power-button for the first time.


kind regards and greetings
Andreas