Changes

1,384 bytes added ,  10:41, 28 August 2008
no edit summary
Line 44: Line 44:     
  yum --enablerepo=smecontribs install smeserver-coova-chilli
 
  yum --enablerepo=smecontribs install smeserver-coova-chilli
 +
 +
(For now, you may also have to enable the repo smetest as smeserver-coova-chilli requires e-smith-radiusd => 1.0.0-18 which is in smetest repo)
    
=== Set up and activate the service ===
 
=== Set up and activate the service ===
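Review bot: the added repository note writes the version constraint as "e-smith-radiusd => 1.0.0-18", which reads as an arrow; ">=" is the intended comparison. Since the install line just above still enables only smecontribs, the note would be clearer as the actual command the reader has to type, e.g. `yum --enablerepo=smecontribs,smetest install smeserver-coova-chilli`, with a remark that smetest is a test repository and that passing it via --enablerepo on that one command keeps it from being enabled permanently.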
Line 89: Line 91:     
*access: Please, let this private. Setting public, which wouldn't be usefull at all, will open chilli daemon on the WAN port, which can be dangerous.
 
*access: Please, let this private. Setting public, which wouldn't be usefull at all, will open chilli daemon on the WAN port, which can be dangerous.
to not serve anything could jeopardize your server, so please let private.
     −
*defidletimeout: the defined period of inactivity of a client (no traffic) before disconnect.
+
*defidletimeout: the defined period of inactivity of a client (no traffic) before disconnect (in seconds).
    
*defsessiontimeout: maximum duration of a session. After this time (in seconds, as defidletimeout), the client must reconnect
 
*defsessiontimeout: maximum duration of a session. After this time (in seconds, as defidletimeout), the client must reconnect
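Review bot: adding "(in seconds)" to defidletimeout is the right fix, but the context this hunk touches still carries the dangling fragment "to not serve anything could jeopardize your server, so please let private." on its own line and the misspelling "usefull". Since access is the one option here with a direct exposure consequence (public opens the chilli daemon on the WAN port), it is worth tidying into one sentence in the same edit, e.g. "access: leave this private. Setting it to public would open the chilli daemon on the WAN port, which serves no purpose and could jeopardize your server."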
Line 102: Line 103:  
*net: the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide customers with addresses in this range.
 
*net: the network range to use. The server uses the first IP available from the network (and thus default 10.1.0.1) and provide customers with addresses in this range.
   −
*radiussecret: the secret shared between the radius server and chilli daemon. For each installation, a radom secret is generated, so you shouldn't have to change it.
+
*radiussecret: the secret shared between the radius server and chilli daemon. For each installation, a random secret is generated, so you shouldn't have to change it.
   −
*status: there's no trap that defined the state of service, and whether it should be started when the server boots.
+
*status: there's no trap that defined the state of service, and whether it should be started when the server boots up.
    
*tundev: defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
*tundev: defines the tun interface to use (chilli mask the real interface eth2 and the system sees the traffic as comming from a tun interface).
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
 
By default, tun0, you can change if tun0 is already used for a VPN for example.
   −
*uamallowed: A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host: port, or protocol: host, or protocol: Host: port
+
*uamallowed: A list of host that will be accessible before authentication. It can be a simple list of host, or a list of the form host:port, or protocol:host, or protocol:Host:port
    
*uamsecret: a shared secret between the login page and chilli daemon (to encrypt the password). As for radiussecret, the secret is randomly generated for each installation.
 
*uamsecret: a shared secret between the login page and chilli daemon (to encrypt the password). As for radiussecret, the secret is randomly generated for each installation.
 +
 +
*AllowedServices: a list of services which will be accessible for chilli clients (see What authenticated users have access to ?)
 +
 +
*AllowedOutgoing: a list of allowed proto/host/port for the client (see What authenticated users have access to ?)
 +
 +
*RedirectToChilli: a list of IP address which will be redirected to your server. By default, InternalIP and ExternalIP are already redirected to your server. But in some situation (like if your Public IP isn't the same as ExternalIP), this setting can be usefull
 +
db configuration setprop chilli RedirectToChilli 1.2.3.4,5.6.7.8
    
After you've changed the configuration, just run the command signal-event chilli-update, it'll re-generate the necessary files and restart the service.
 
After you've changed the configuration, just run the command signal-event chilli-update, it'll re-generate the necessary files and restart the service.
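Review bot: the new RedirectToChilli bullet should state that the value is a comma-separated list of IP addresses; the example `db configuration setprop chilli RedirectToChilli 1.2.3.4,5.6.7.8` shows it but the text does not, and "usefull" is misspelled. In the uamallowed rewrite the forms "host:port, or protocol:host, or protocol:Host:port" mix "host" and "Host"; use lowercase throughout so the reader does not take the capital as meaningful. The unchanged sentence that follows about running `signal-event chilli-update` covers the three new keys as well, so no further note is needed there.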
Line 188: Line 196:  
  *Ping outwards and your server
 
  *Ping outwards and your server
   −
*If you want to customize these rules, modify options in the chilli template /etc/e-smith/templates/etc/rc.d/init.d/masq/60ChilliRules
+
There are two key in the db to customize this:
 +
*AllowedServices will allow some services of your server to be acessible to chilli clients. For exemple, you want to make ssh and openvpn-bridge accessible:
 +
db configuration setprop chilli AllowedServices sshd,openvpn-bridge
 +
Services names need to correspond to those defined in the configuration db
 +
 
 +
*AllowedOutgoing will allow more outgoing traffic. It's list of proto/host/port clients will be able to contact on the internet (These rules only apply to forwarded traffic, nothing will be allowed to the private network). Wildcard '*' (or keyword any) can replace host or port. Eg:
 +
db configuration setprop AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123
   −
*You can copy it in custom-templates and customize it. I think the rules are fairly simple to understand.
+
This will allow:
 +
*host 56.23.41.1 on port 25 to be accessible with TCP
 +
*Any host will be accessible on port 1194 with udp
 +
*All the port of host 4.5.6.7 will be accessible with tcp
 +
*Any host will be accessible on port 123 with tcp
   −
(This will change in futur release, firewall customizations for chilli will be done through db commands)
+
'''Note''': proto can be tcp or udp only for now, there's now way to add icmp rules with db commands for now.
    
== Troubleshoot ==
 
== Troubleshoot ==
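Review bot: the AllowedOutgoing example is missing the db key. `db configuration setprop AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123` would treat AllowedOutgoing as the record key and the rule list as the property name, unlike the AllowedServices example in the same hunk, which correctly reads `db configuration setprop chilli AllowedServices sshd,openvpn-bridge`. It should be `db configuration setprop chilli AllowedOutgoing tcp:56.23.41.1:25,udp:*:1194,tcp:4.5.6.7:any,tcp:any:123`. Two smaller points: the unquoted `*` in `udp:*:1194` is subject to shell globbing when typed at a prompt, so the text should recommend the `any` keyword (which it already documents) or quoting the argument; and the added lines have several typos ("two key", "acessible", "exemple", "It's list of", "there's now way").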
