Requirement applications for Captive portal solution
CoovaChilli 1.2.4
FreeRadius
MySQL
1. Install Ubuntu 10.04 and choose the LAMP, DNS and OpenSSH tasks. (Note: Ubuntu 10.04 and CoovaChilli 1.2.4 are both long out of vendor support and no longer receive security fixes; the steps are kept as written, but use a supported release and a current CoovaChilli for anything that faces real users.)
nano /etc/network/interfaces |
iface eth0 inet static
address 10.10.10.3
netmask 255.255.255.240
gateway 10.10.10.1
auto eth1
nano /etc/sysctl.conf |
net.ipv4.ip_forward=1   # the original had "net.ip4" -- that key does not exist, sysctl would reject it and forwarding would silently stay off
2. Install Freeradius and edit
apt-get install freeradius freeradius-mysql |
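# Create the radius database and load the FreeRADIUS MySQL schema.
mysqladmin -u root -p create radius
# schema.sql creates radcheck/radreply/radacct/... (the tables the INSERT in the test
# step and the accounting/session sections rely on); nas.sql only creates the "nas"
# table. The original loaded nas.sql alone, so the later INSERT INTO radcheck would fail.
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
# Dedicated account for FreeRADIUS, restricted to localhost. Replace xxxxxxxx with a
# strong password and put the same value in sql.conf. GRANT ALL is more than the
# daemon needs (SELECT, INSERT, UPDATE, DELETE on radius.* suffice); narrow it if no
# other tool shares this account.
mysql -u root -p -e "GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'xxxxxxxx'; FLUSH PRIVILEGES;"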
nano -w /etc/freeradius/sql.conf |
server = "localhost"
login = "radius"
# Same password as the GRANT above. It is stored here in cleartext, so keep this file
# readable only by root and the user FreeRADIUS runs as (freerad on Ubuntu).
password = "xxxxxxxx"
Then remove the # in front of `readclients = yes` (the option is spelled with an "s") so that NAS entries stored in the nas table are loaded as RADIUS clients, each with the secret stored in that table.
nano /etc/freeradius/radiusd.conf |
ให้เอา comment ที่หน้า 2 บรรทัดนี้ออก
modules {
….
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf
nano -w /etc/freeradius/clients.conf |
client 127.0.0.1 {
# Shared secret for the local NAS (chilli). It is a password: replace this weak example
# with a long random string, and use exactly the same value for HS_RADSECRET in
# /etc/chilli/config and as the last argument of radtest below -- the guide as written
# uses a different placeholder (xxxxxxxx) in those two places, which cannot work.
secret = Iloveradius
}
nano -w /etc/freeradius/sites-available/default |
ให้กด ctrl+w หาคำว่า authorize { เจอแล้วให้เลื่อนลงมาใส่ # ที่ file และเอา # ที่หน้า sql
authorize {
#file เติม # เข้าไป
sql เอา # ออก
daily เอา # ออก และเพิ่ม 3 บรรทัดข้างล่างต่อท้าย
noresetcounter
dailycounter
monthlycounter
}
ต่อมาก็หาคำว่า accounting { แล้วเอา # หน้า sql ออก
accounting {
sql # uncomment
}
ต่อมาก็หาคำว่า session { แล้วเอา # หน้า sql ออก
session {
sql #uncomment
}
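# Add a test account to the SQL backend. FreeRADIUS 2.x expects Cleartext-Password
# with operator ':=' (the bare 'Password' attribute used originally is deprecated, and
# the schema's op column defaults to '==', which is not a valid operator for a
# password check).
mysql -u root -p radius -e "INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('guest', 'Cleartext-Password', ':=', 'guest');"
/etc/init.d/freeradius restart
# The last argument is the RADIUS shared secret of the 127.0.0.1 client in
# clients.conf (Iloveradius above), not the MySQL password; the original passed the
# MySQL placeholder, so the request would have been rejected.
radtest guest guest 127.0.0.1 0 Iloveradius
# guest/guest is a throw-away credential: delete the row once the test passes.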
ถ้าทำสำเร็จ จะมีข้อความประมาณนี้ Access-Accept packet from host 127.0.0.1:1812, id=144, length=20
--------------------จบ Freeradius----------------
3. Build Coova แล้ว install และ config
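# Build CoovaChilli 1.2.4 from source as a .deb.
aptitude --assume-yes install dpkg-dev debhelper libssl-dev
cd /tmp
# Plain-HTTP download with no signature or checksum verification: compare the tarball
# against a hash obtained out of band before building it. 1.2.4 is an old release;
# check upstream for a current one before deploying.
wget -c http://ap.coova.org/chilli/coova-chilli-1.2.4.tar.gz
tar xzf coova-chilli*.tar.gz
cd coova-chilli*
dpkg-buildpackage -rfakeroot
cd ..
# The package name carries the build architecture (i386 in the original; amd64 on a
# 64-bit install), so match any.
dpkg -i coova-chilli_*.deb
cp /etc/chilli/defaults /etc/chilli/config
# Copy the stock portal pages and point ChilliLibrary.js at our HS_UAMLISTEN address
# instead of the 1.0.0.1 default baked into it (dots escaped so sed matches literally).
mkdir /var/www/hotspot
cd /var/www/hotspot
cp /etc/chilli/www/* /var/www/hotspot
sed -i 's/1\.0\.0\.1/192.168.0.1/g' /etc/chilli/www/ChilliLibrary.js
sed -i 's/1\.0\.0\.1/192.168.0.1/g' /var/www/hotspot/ChilliLibrary.js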
nano -w /etc/default/chilli |
START_CHILLI=1
nano /etc/chilli/config |
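# /etc/chilli/config is sourced as shell by /etc/chilli/functions: no spaces around "=".
HS_WANIF=eth0            # WAN interface toward the Internet; referenced by the MASQUERADE rule added to up.sh (the original never set it)
HS_LANIF=eth1            # Subscriber Interface for client devices
HS_NETWORK=192.168.0.0   # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=192.168.0.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990          # HotSpot Port (on subscriber network)
HS_NASID=nas01
# Secret shared between chilli and the login CGI (hotspotlogin.cgi). Replace the
# example with a long random value and set the same value in the CGI's configuration.
HS_UAMSECRET=uamsecret
HS_RADIUS=127.0.0.1
HS_RADIUS2=127.0.0.1
# Must be identical to the "secret" of the 127.0.0.1 client in
# /etc/freeradius/clients.conf (the clients.conf snippet in this guide uses a
# different value -- pick one strong secret and use it in both places).
HS_RADSECRET=xxxxxxxx
HS_UAMALLOW=www.google.com,192.168.0.0/24
HS_UAMSERVER=192.168.0.1
# HTTPS to a bare IP address: the certificate created in step 4 is self-signed and
# issued for the host name, so browsers warn. Keep HTTPS (the login form carries
# user passwords) and fix the warning with a certificate for a real host name that
# HS_UAMSERVER also uses -- do not downgrade to http.
HS_UAMFORMAT=https://\$HS_UAMSERVER/uam/
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
HS_UAMSERVICE=https://192.168.0.1/cgi-bin/hotspotlogin.cgi
HS_ANYIP=on # Allow any IP address on subscriber LAN
#
# MAC authentication trusts a client-chosen, trivially spoofable identifier, and every
# MAC-authenticated client shares the single HS_MACPASSWD below; enable only if that
# is acceptable for this network.
HS_MACAUTH=on # To turn on MAC Authentication
HS_MACPASSWD=XXXXXX # must match the value edited into /etc/chilli/functions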
nano /etc/chilli/up.sh |
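# Insert the two flush commands directly after the ". /etc/chilli/functions" line.
# Flushing rebuilds the whole rule set from scratch on every chilli (re)start; any rule
# another service added to the filter or nat table is lost at the same time.
iptables -F
iptables -t nat -F
# Append everything from here to the end of up.sh.
# may not have been populated the first time; run again
[ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null
# force-add the final rule necessary to fix routing tables
# HS_WANIF comes from /etc/chilli/config; if it is empty the original rule was
# malformed and NAT silently never happened, so complain instead of failing quietly.
if [ -z "$HS_WANIF" ]; then
  echo "up.sh: HS_WANIF is not set in /etc/chilli/config; no MASQUERADE rule added" >&2
else
  iptables -I POSTROUTING -t nat -o "$HS_WANIF" -j MASQUERADE
fi
# Default-deny inbound. Every rule below is inserted (-I) at the head of the chain, so
# the later a rule appears in this file, the earlier it is evaluated.
iptables -P INPUT DROP
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Ping to the hotspot address.
iptables -I INPUT -p icmp --icmp-type 8 -s 0/0 -d 192.168.0.1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -p icmp --icmp-type 0 -s 192.168.0.1 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH (moved to 22222) from the subscriber side. Hotspot clients are untrusted; remove
# this rule unless the box really is administered from the client LAN.
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 22222 --dst 192.168.0.1 -j ACCEPT
# SSH from the management host on the WAN side. The original had the addresses the
# other way round (-s 10.10.10.3 --dst 10.10.10.4), but 10.10.10.3 is this box's own
# eth0 address (see /etc/network/interfaces above), so the rule could never match.
# 10.10.10.4 is assumed to be the admin workstation -- adjust to your management host.
iptables -I INPUT -i eth0 -s 10.10.10.4 -p tcp -m tcp --dport 22222 --dst 10.10.10.3 -j ACCEPT
# DNS from hotspot clients (the original labelled this SNMP; it is UDP/53).
iptables -I INPUT -i tun0 -p udp -s 0/0 --sport 1024:65535 -d 192.168.0.1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# SNMP from the subscriber side. This exposes the agent -- and whatever its community
# string protects -- to every authenticated hotspot client; add "-s <monitoring host>"
# or move it to the management interface.
iptables -I INPUT -p udp -i tun0 -d 192.168.0.1 --dport 161 -j ACCEPT
# Transparent squid proxy rules, left disabled (squid is not installed by this guide).
#iptables -t nat -I PREROUTING -i tun0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#iptables -I INPUT -i tun0 -p tcp -m tcp --dport 3128 --syn -j ACCEPT
#iptables -t nat -I PREROUTING -p tcp -m tcp --dport 3128 -j DROP
#iptables -t nat -I PREROUTING -p tcp -m tcp --dport 8080 -j DROP
#iptables -t nat -I PREROUTING -p tcp -m tcp --dport 2121 -j DROP
# Log new outbound connections leaving via eth0 (nat POSTROUTING only sees the first
# packet of a connection). The original spelled the chain "POSROUTING", which
# iptables rejects, so nothing was logged.
iptables -t nat -I POSTROUTING -o eth0 -j LOG
#squid Log
iptables -t nat -N logging
iptables -t nat -A PREROUTING -j logging
#iptables -t nat -A POSTROUTING -j logging
# Per-packet logging of every chain with no "-m limit": a busy hotspot or a deliberate
# flood fills /var/log and the remote syslog. Add "-m limit --limit <rate>" (or restrict
# to "--state NEW") if the retention requirement allows it.
iptables -A INPUT -j LOG --log-level info --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-level info --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-level info --log-prefix "FORWARD "
# HTTP:
iptables -t nat -A logging -p tcp --dport 80 -j LOG --log-prefix "HTTP: " \
--log-level info
# HTTPS:
iptables -t nat -A logging -p tcp --dport 443 -j LOG --log-prefix "HTTPS: " \
--log-level info
# SMTP:
iptables -t nat -A logging -p tcp --dport 25 -j LOG --log-prefix "SMTP: " \
--log-level info
# FTP:
iptables -t nat -A logging -p tcp --dport 21 -j LOG --log-prefix "FTP: " \
--log-level info
# IMAP:
iptables -t nat -A logging -p tcp --dport 143 -j LOG --log-prefix "IMAP: " \
--log-level info
# POP3:
iptables -t nat -A logging -p tcp --dport 110 -j LOG --log-prefix "POP3: " \
--log-level info
# MSN:
iptables -t nat -A logging -p tcp --dport 1863 -j LOG --log-prefix "MSN: " \
--log-level info
# JABBER:
iptables -t nat -A logging -p tcp --dport 5222 -j LOG --log-prefix "JABBER: " \
--log-level info
# JABBERS (the original lost the "#", so the shell tried to run a command "JABBERS")
iptables -t nat -A logging -p tcp --dport 5223 -j LOG --log-prefix "JABBERS: " \
--log-level info
# ICQ/AIM
iptables -t nat -A logging -p tcp --dport 5190 -j LOG --log-prefix "ICQ/AIM: " \
--log-level info
# Yahoo
iptables -t nat -A logging -p tcp --dport 5050 -j LOG --log-prefix "YAHOO: " \
--log-level info
# IRC
iptables -t nat -A logging -p tcp --dport 6667 -j LOG --log-prefix "IRC: " \
--log-level info
# Gadu-Gadu
iptables -t nat -A logging -p tcp --dport 8074 -j LOG --log-prefix "GADU-GADU: " \
--log-level info
# Loopback (inserted last, so evaluated first). This already covers FreeRADIUS talking
# to MySQL on localhost.
iptables -I INPUT -i lo -j ACCEPT
# Captive-portal web server (the Apache vhost on 192.168.0.1).
iptables -I INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# chilli's UAM listener and UI ports exist on the subscriber network only (HS_UAMPORT
# "on subscriber network"), so accept them only from tun0.
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 3990 --syn -j ACCEPT
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 4990 --syn -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 53 --syn -j ACCEPT
# Dropped from the original:
#  - "-p tcp --dport 67:68": DHCP is UDP, and clients get their address from chilli
#    itself on eth1 (see the comments below), so the rule matched nothing.
#  - "--dport 3306": opened MySQL on every interface, i.e. to hotspot clients and the
#    WAN. FreeRADIUS connects via localhost (sql.conf server = "localhost"), which the
#    lo rule above already allows; never expose the database.
iptables -A INPUT -i tun0 -j DROP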
4. config Apapche2
apt-get install libapache2-mod-auth-mysql |
apt-get install ssl-cert |
mkdir /etc/apache2/ssl |
hostname -f |
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem |
a2enmod ssl /etc/init.d/apache2 force-reload |
nano /etc/hosts |
127.0.0.1 localhost.local localhost
127.0.1.1 Authen.local Authen
192.168.0.1 Authen.local Authen
nano -w /etc/apache2/sites-available/hotspot |
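# Captive-portal vhost, bound to the subscriber-side address so only hotspot clients
# (and anyone who can route to 192.168.0.1) reach it. The "<." in the original listing
# was the blog escaping "<"; the real file uses plain "<VirtualHost>".
NameVirtualHost 192.168.0.1:443
<VirtualHost 192.168.0.1:443>
    ServerAdmin webmaster@domain.org
    DocumentRoot "/var/www/hotspot"
    ServerName "192.168.0.1"
    # Login pages. "Indexes" removed so the web root (CGI sources, uam.tgz, ...) is not
    # browsable by clients.
    <Directory "/var/www/hotspot/">
        Options FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    # dialupadmin is the RADIUS user-administration UI. The original served it to every
    # hotspot client with no authentication at all. It is now limited to localhost and
    # the management subnet from /etc/network/interfaces (10.10.10.0/28, reachable only
    # if that side can route to 192.168.0.1); add HTTP authentication (AuthType/Require)
    # as well before exposing it any wider.
    Alias "/dialupadmin/" "/usr/share/freeradius-dialupadmin/htdocs/"
    <Directory "/usr/share/freeradius-dialupadmin/htdocs/">
        Options FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 10.10.10.0/28
    </Directory>
    # hotspotlogin.cgi (HS_UAMSERVICE) lives here. Apache requires either all Options
    # to carry +/- or none; the original mixed a bare ExecCGI with -MultiViews, which
    # is a configuration error.
    <Directory "/var/www/hotspot/cgi-bin/">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/hotspot-error.log
    LogLevel warn
    CustomLog /var/log/apache2/hotspot-access.log combined
    # Do not advertise the Apache/OS version on error pages.
    ServerSignature Off
    SSLEngine on
    # Self-signed certificate from make-ssl-cert (key and cert in one file); browsers
    # warn until it is replaced by a certificate issued for a real host name that
    # HS_UAMSERVER also uses. Keep TLS on -- the login form carries user passwords.
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>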
a2ensite hotspot |
nano -w /etc/apache2/ports.conf |
แก้ไขให้เหลือตามข้างล่างเป็นพอ
Listen 443
Listen 80
nano -w /etc/apache2/apache2.conf |
ServerName 192.168.0.1 เพิ่มคำสั่งนี้ไว้บนสุดเลยครับ
nano -w /etc/apache2/sites-available/default |
เพิ่มตรงบนสุด NameVirtualHost *:80
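cd /var/www/hotspot/
# Third-party UAM pages/CGI fetched over plain HTTP from a site unrelated to CoovaChilli
# and extracted as root straight into the web root, where Apache executes its CGI.
# List the archive first, read any CGI or script it contains, and check it against a
# hash you trust before extracting it.
wget http://www.truesoft.co.th/wifi/uam.tgz
tar tzf uam.tgz
tar xvf uam.tgz
update-rc.d chilli defaults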
จบด้วยการ restart มาถึงตรงนี้ สามารถทดสอบได้แล้ว
5. ติดตั้ง Haserl Download haserl from http://haserl.sourceforge.net/.
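sudo apt-get install gcc
# Unverified source tarball compiled and installed system-wide; compare it against the
# hash/signature published on the haserl project page before running make install.
# The steps are chained with && so a failed configure or build does not go on to
# install a half-built binary. Run as root (or prefix make install with sudo, as the
# apt-get line above does).
tar xvf haserl-0.8.0.tar.gz
cd haserl-0.8.0/ \
  && ./configure \
  && make \
  && make install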
Edit /etc/chilli/wwwsh and replace the line
haserl=$(which haserl 2>/dev/null)
with
haserl=/usr/local/bin/haserl
(the source build installs haserl under /usr/local, which may not be on the PATH chilli uses when it runs wwwsh, so the `which` lookup can come back empty).
6. Install Syslog-ng
apt-get install syslog-ng
cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
nano /etc/syslog-ng/syslog-ng.conf
# Forward to the central log host. Plain UDP gives no delivery guarantee, no encryption
# and no sender authentication: anyone on the path can read or forge the accounting
# records (usernames, MACs, client IPs) this box ships. Prefer tcp() -- with TLS if the
# log server supports it -- and make sure the log host only accepts 514 from this box.
destination remote {
udp("192.168.20.104" port(514));
};
# f_messages/f_kern pick up the iptables LOG lines produced by up.sh. rc.capture below
# sends its feed with facility local3; confirm that f_messages in the stock
# configuration actually matches local3, otherwise add a filter for it.
log {source(s_all); filter(f_messages); destination(remote); };
log {source(s_all); filter(f_kern); destination(remote); };
/etc/init.d/syslog-ng start
nano /etc/init.d/rc.capture
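#!/bin/bash
# rc.capture -- feed the squid access log and the FreeRADIUS accounting detail file
# into syslog (facility local3) so syslog-ng ships them to the remote log host.
# Started once at boot via /etc/rcS.d/S88rccapture.
# The "|" between tail and logger is required; without it (as in the original listing)
# "logger" is taken as a second file name for tail and nothing reaches syslog.
# tail -F follows by name, so the weekly logrotate of the details file is survived.
# NOTE(review): squid is not installed anywhere in this guide (its redirect rules in
# up.sh are commented out); drop the first line if no proxy is running.
tail -F /var/log/squid/access.log | logger -t squid -p local3.info &
tail -F /var/log/radius/radacct/127.0.0.1/details | logger -t radiusd -p local3.info &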
chmod a+x /etc/init.d/rc.capture
ln -s /etc/init.d/rc.capture /etc/rcS.d/S88rccapture
nano /etc/logrotate.d/freeradius
/var/log/radius/radacct/127.0.0.1/details {
rotate 13
weekly
delaycompress
missingok
notifempty
compress
}
nano /etc/freeradius/modules/detail
ให้เปลี่ยนค่า detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d เป็น
detailfile = ${radacctdir}/%{Client-IP-Address}/details
ขั้นตอนการติดตั้ง NTP Server ที่เครื่อง Log Server เป็นดังนี้
1.ติดตั้ง ntp ด้วยสั่ง
apt-get install ntp
2.ทำการสำเนาไฟล์คอนฟิกของ ntp ไปไว้เป็นอีกชื่อดังนี้
cp /etc/ntp.conf /etc/ntp.conf.bak
3.แก้ไขไฟล์ /etc/ntp.conf ให้มีค่าเป็นดังนี้
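# Refuse everything from unknown sources except plain time requests; "kod" answers
# abusers with kiss-o'-death packets instead of silently dropping them.
restrict default kod nomodify notrap noquery nopeer
restrict 127.0.0.1
# Hotspot clients may synchronise time. "noquery" added: ntpq/ntpdc control queries
# are not needed for time sync, and on older ntpd they include monlist, a well-known
# amplification vector -- do not offer them to untrusted clients.
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap noquery
server 203.185.69.60 dynamic
server time.navy.mi.th dynamic
server time.nist.gov dynamic
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/ntp.drift
broadcastdelay 0.008
# NOTE(review): no keys file is created anywhere in this guide; either generate one
# (ntp-keygen) at this path or drop the line so ntpd does not complain about a
# missing file.
keys /etc/ntp/keys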
4.สั่ง restart service ด้วยคำสั่ง
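# Ubuntu has no chkconfig and the service is called "ntp", not "ntpd" (those are
# Red Hat names); enable it with update-rc.d instead.
update-rc.d ntp defaults
/etc/init.d/ntp restart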
5. ตรวจสอบ Remote Server ที่ต้องการใช้อ้างอิงฐานเวลา ใช้คำสั่งดังนี้
ntptrace
อ้างอิง
http://linux.xvx.cz/2010/03/debian-wi-fi-hotspot-using-coovachilli-freeradius-mysql-and-daloradius/
http://www.itmanage.info/technology/linux/ubuntu/chillihospot/install_chillhotspot_ubutu_8_10.html
ถ้าจะใช้เป็น Ubuntu Desktop 10.04 แทน Ubuntu Server 10.04 ได้หรือเปล่าครับ
ถ้าได้ต้องแก้ตรงใหนบ้างครับ
ยังไม่เคยลงบน Desktop เลย ผมคิดว่าถ้าลง LAMP ได้ ก็น่าจะใช้ Coova ได้
อ่านดูแล้วน่าสนใจนะ
Admittedly, setting up a hotspot server took me a long time. I was following either incomplete or outdated instructions I found online. I was so lucky to have finally found this post. I finished setting it up on Ubuntu Server 10.10 in 4 hours.
I'm so excited and trying to explore the current system.
The steps here are very well written and I owe a debt of gratitude to the author. I have no idea who he is. But, his generosity touches me!!!
Thank you so so much.
I'm using port 22 for ssh.
I have changed from
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 22222 --dst 192.168.0.1 -j ACCEPT
iptables -I INPUT -i eth0 -s 10.10.10.3 -p tcp -m tcp --dport 22222 --dst 10.10.10.4 -j ACCEPT
to
iptables -I INPUT -i tun0 -p tcp -m tcp --dport 22 --dst 192.168.0.1 -j ACCEPT
iptables -I INPUT -i eth0 -s 10.10.10.3 -p tcp -m tcp --dport 22 --dst 10.10.10.4 -j ACCEPT
Right now, I can ssh from inside my home. But, I cannot ssh in from outside. You think you can help?
Sorry, I think I got ssh to work now.
I just didn't forward the 22 port on my router.
After setting up CoovaChilli following the steps above, I found that the client machines display a message about an untrusted connection. This was due to the fact that the browsers were redirected to a https:// login page. Coming from a non-linux background, this part took me a long time, so I decided to post the steps I took here: [Editor's note: the steps below make the warning go away by serving the login page over plain HTTP, which means every hotspot user's password then crosses the (wireless) subscriber network in cleartext. The warning comes from the self-signed certificate made by make-ssl-cert and from HS_UAMSERVER being a bare IP address; the fix that keeps HTTPS is a certificate issued for a real host name, with HS_UAMSERVER/HS_UAMFORMAT set to that name.]
Please note that this blog won't let you enter in a greater than or less than sign, so I had to find a way to avoid them.
1. vi /etc/apache2/sites-available/default
- Comment out NameVirtualHost *:80
- Add
"less than sign"VirtualHost *:80"greater than sign"
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
"less than sign"/VirtualHost"greater than sign"
2. vi /etc/apache2/apache2.conf
- Comment out Include sites-enabled
- Add
Include /etc/apache2/sites-enabled/
NameVirtualHost *:80
"less than sign"ifmodule mod_ssl.c"greater than sign"
NameVirtualHost *:443
"less than sign"/ifmodule"greater than sign"
3. vi /etc/apache2/sites-available/hotspot
- Comment out
NameVirtualHost 192.168.0.1:443
ServerSignature On
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
- Change
"less than sign"VirtualHost 192.168.0.1:443"greater than sign" to "less than sign"VirtualHost *:80"greater than sign"
4. Find the following if clauses (maybe with the find command) and comment them out if they do appear anywhere inside your files. Sorry, I can't tell you exactly where they appear on your machine since I've installed Daloradius on my machine and the files I have for this part are not identical to yours.
if(!($_ENV['HTTPS'] == 'on')){
.
.
.
}
if(!($_SERVER['HTTPS'] == 'on')){
.
.
.
}
5. Under /etc/chilli/config, alter the HS_UAMFORMAT line so that we have
HS_UAMFORMAT=http://\$HS_UAMSERVER/hotspot/uam   (no spaces around "=": /etc/chilli/config is sourced as a shell script, and with spaces the line is treated as a command and the setting is ignored)
6. sudo a2dismod ssl
sudo service apache2 restart
update-rc.d chilli defaults
By the way, the exact message I received was this:
There is a problem with this website's security certificate
In case, someone wonders what I was trying to fix.
eth 1 นี่รับไอพีอัตโนมัติจากอะไรครับ
รับ IP จาก coova
รับ IP จาก coova
แล้วตามลักษณะที่วางไว้นี่วางรูปแบบการเชื่อมต่อไว้แบบไหน
Internet ===> eth0 (coova) eth1 ===> Client
ขอสอบถามหน่อยครับ ต้องรันใน Ubuntu Server เท่านั้นใช้ไหมครับ
ไม่จำเป็นครับ
ยังไม่ได้สร้างผู้ใช้งานฐานข้อมูลนะครับ