Monday, February 12, 2007

Setup Chillispot for LinuxTLE7.0

Setup ChilliSpot

You need two LAN cards:
eth0 connected to the Internet
eth1 connected to the access point (AP)

ChilliSpot is available as two files, an .rpm and a .tar.gz; either installation route below works.
(1) Build from the source tarball (.tar.gz)

Download http://www.chillispot.org/download/chillispot-1.0.tar.gz
tar xvfz chillispot-1.0.tar.gz -C /tmp
cd /tmp/chillispot-1.0
./configure
make
make install
cp doc/chilli.conf /etc

(2) Install the RPM package

Download http://chillispot.org/download.html

[root@RADIUS ~]# rpm -i chillispot-1.xxxxx.rpm

[root@RADIUS ~]# chkconfig chilli on

[root@RADIUS ~]# /etc/init.d/chilli start

Shutting down chilli: [ PASS ]
Starting chilli: [ PASS ]
[root@RADIUS ~]#


[root@RADIUS ~]# /etc/init.d/chilli status
chilli (pid 2753) is running...
[root@RADIUS ~]#

This command kills the chilli process:
[root@RADIUS ~]# kill -9 `ps -A | grep chilli | gawk '{ print $1 }'`

Edit the file chilli.conf:
[root@RADIUS ~]# cd /etc
[root@RADIUS ~]# vi chilli.conf

##############################################################################
#
# Sample ChilliSpot configuration file
#
##############################################################################

# TAG: fg
# Include this flag if process is to run in the foreground
#fg

# TAG: debug
# Include this flag to include debug information.
#debug

# TAG: interval
# Re-read configuration file at this interval. Will also cause new domain
# name lookups to be performed. Value is given in seconds.
#interval 3600

# TAG: pidfile
# File to store information about the process id of the program.
# The program must have write access to this file/directory.
#pidfile /var/run/chilli.pid

# TAG: statedir
# Directory to use for nonvolatile storage.
# The program must have write access to this directory.
# This tag is currently ignored
#statedir ./


# TUN parameters

# TAG: net
# IP network address of external packet data network
# Used to allocate dynamic IP addresses and set up routing.
# Normally you do not need to uncomment this tag.
net 10.114.0.0/24

# TAG: dynip
# Dynamic IP address pool
# Used to allocate dynamic IP addresses to clients.
# If not set it defaults to the net tag.
# Do not uncomment this tag unless you are an experienced user!
#dynip 10.114.0.0/24

# TAG: statip
# Static IP address pool
# Used to allocate static IP addresses to clients.
# Do not uncomment this tag unless you are an experienced user!
#statip 10.114.0.1


# TAG: dns1
# Primary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
#dns1 10.114.0.1

# TAG: dns2
# Secondary DNS server.
# Will be suggested to the client.
# If omitted the system default will be used.
# Normally you do not need to uncomment this tag.
#dns2 202.28.33.2

# TAG: domain
# Domain name
# Will be suggested to the client.
# Normally you do not need to uncomment this tag.
#domain 10

# TAG: ipup
# Script executed after network interface has been brought up.
# Executed with the following parameters:
#
# Normally you do not need to uncomment this tag.
#ipup /etc/chilli.ipup

# TAG: ipdown
# Script executed after network interface has been taken down.
# Executed with the following parameters:
#
# Normally you do not need to uncomment this tag.
#ipdown /etc/chilli.ipdown

# TAG: conup
# Script executed after a user has been authenticated.
# Executed with the following parameters:
#
# Normally you do not need to uncomment this tag.
#conup /etc/chilli.conup

# TAG: condown
# Script executed after a user has disconnected.
# Executed with the following parameters:
#
# Normally you do not need to uncomment this tag.
#condown /etc/chilli.condown


# Radius parameters

# TAG: radiuslisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
radiuslisten 10.114.0.2

# TAG: radiusserver1
# IP address of radius server 1
# For most installations you need to modify this tag.
radiusserver1 10.114.0.2

# TAG: radiusserver2
# IP address of radius server 2
# If you have only one radius server you should set radiusserver2 to the
# same value as radiusserver1.
# For most installations you need to modify this tag.
radiusserver2 10.114.0.2

# TAG: radiusauthport
# Radius authentication port
# The UDP port number to use for radius authentication requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
radiusauthport 1645

# TAG: radiusacctport
# Radius accounting port
# The UDP port number to use for radius accounting requests.
# The same port number is used for both radiusserver1 and radiusserver2.
# Normally you do not need to uncomment this tag.
radiusacctport 1646

# TAG: radiussecret
# Radius shared secret for both servers
# For all installations you should modify this tag.
radiussecret testing

# TAG: radiusnasid
# Radius NAS-Identifier
# Normally you do not need to uncomment this tag.
#radiusnasid nas01

# TAG: radiusnasip
# Radius NAS-IP-Address
# Normally you do not need to uncomment this tag.
#radiusnasip 10.114.0.46

# TAG: radiuscalled
# Radius Called-Station-ID
# Normally you do not need to uncomment this tag.
#radiuscalled 00133300

# TAG: radiuslocationid
# WISPr Location ID. Should be in the format: isocc=,
# cc=,ac=,network=
# Normally you do not need to uncomment this tag.
#radiuslocationid isocc=us,cc=1,ac=408,network=ACMEWISP_NewarkAirport

# TAG: radiuslocationname
# WISPr Location Name. Should be in the format:
# ,
# Normally you do not need to uncomment this tag.
#radiuslocationname ACMEWISP,Gate_14_Terminal_C_of_Newark_Airport


# Radius proxy parameters

# TAG: proxylisten
# IP address to listen to
# Normally you do not need to uncomment this tag.
proxylisten 10.114.0.1

# TAG: proxyport
# UDP port to listen to.
# If not specified a port will be selected by the system
# Normally you do not need to uncomment this tag.
proxyport 1812

# TAG: proxyclient
# Client(s) from which we accept radius requests
# Normally you do not need to uncomment this tag.
proxyclient 10.114.0.1/24

# TAG: proxysecret
# Radius proxy shared secret for all clients
# If not specified defaults to radiussecret
# Normally you do not need to uncomment this tag.
proxysecret testing


# Remote configuration management

# TAG: confusername
# If confusername is specified together with confpassword chillispot
# will at regular intervals specified by the interval option query the
# radius server for configuration information.
# Normally you do not need to uncomment this tag.
#confusername conf

# TAG: confpassword
# If confusername is specified together with confpassword chillispot
# will at regular intervals specified by the interval option query the
# radius server for configuration information.
# Normally you do not need to uncomment this tag.
#confpassword secret


# DHCP Parameters

# TAG: dhcpif
# Ethernet interface to listen to.
# This is the network interface which is connected to the access points.
# In a typical configuration this tag should be set to eth1.
dhcpif eth1

# TAG: dhcpmac
# Use specified MAC address.
# An address in the range 00:00:5E:00:02:00 - 00:00:5E:FF:FF:FF falls
# within the IANA range of addresses and is not allocated for other
# purposes.
# Normally you do not need to uncomment this tag.
#dhcpmac 00:00:5E:00:02:00

# TAG: lease
# Time before DHCP lease expires
# Normally you do not need to uncomment this tag.
#lease 600


# Universal access method (UAM) parameters

# TAG: uamserver
# URL of web server handling authentication.
uamserver https://10.114.0.1/cgi-bin/hotspotlogin.cgi

# TAG: uamhomepage
# URL of welcome homepage.
# Unauthenticated users will be redirected to this URL. If not specified
# users will be redirected to the uamserver instead.
# Normally you do not need to uncomment this tag.
uamhomepage https://10.114.0.1/welcome.html

# TAG: uamsecret
# Shared between chilli and authentication web server
uamsecret secretchilli

# TAG: uamlisten
# IP address to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
#uamlisten 10.114.0.1

# TAG: uamport
# TCP port to listen to for authentication requests
# Do not uncomment this tag unless you are an experienced user!
#uamport 3990

# TAG: uamallowed
# Comma separated list of domain names, IP addresses or network segments
# the client can access without first authenticating.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#uamallowed 10.114.0.0/24

# TAG: uamanydns
# If this flag is given unauthenticated users are allowed to use
# any DNS server.
# Normally you do not need to uncomment this tag.
uamanydns


# MAC authentication

# TAG: macauth
# If this flag is given users will be authenticated only on their MAC
# address.
# Normally you do not need to uncomment this tag.
#macauth

# TAG: macallowed
# List of MAC addresses.
# The MAC addresses specified in this list will be authenticated only on
# their MAC address.
# This tag is ignored if the macauth tag is given.
# It is possible to specify this tag multiple times.
# Normally you do not need to uncomment this tag.
#macallowed 00-0A-5E-AC-BE-51,00-30-1B-3C-32-E9

# TAG: macpasswd
# Password to use for MAC authentication.
# Normally you do not need to uncomment this tag.
#macpasswd password

# TAG: macsuffix
# Suffix to add to MAC address in order to form the username.
# Normally you do not need to uncomment this tag.
#macsuffix suffix
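The UAM login exchange that the uamserver/uamsecret settings above drive, as an added Python example (not code from this post or from the ChilliSpot sources): it reimplements the challenge/response computation that hotspotlogin.cgi and chilli both perform with uamsecret, and the check the RADIUS server then makes on the CHAP attributes. The uamsecret value is the one from the chilli.conf above; the challenge, the user and the password are constructed.

```python
import hashlib
import hmac

# uamsecret from the chilli.conf above, shared by chilli and the login CGI.
UAMSECRET = b"secretchilli"

# Constructed sample values: the 16-byte challenge chilli puts in the redirect
# URL (?challenge=...), plus a test user with the password RADIUS stores.
CHALLENGE_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
USER_DB = {"test": "password"}

def chap_challenge(challenge_hex, uamsecret):
    """hotspotlogin.cgi and chilli both derive the real CHAP challenge as
    MD5(raw challenge || uamsecret); without the secret the raw value is used."""
    raw = bytes.fromhex(challenge_hex)
    return hashlib.md5(raw + uamsecret).digest() if uamsecret else raw

def portal_response(password, chal, ident=0):
    """Value the login page sends to chilli in /logon?response=...:
    hex(MD5(CHAP identifier || password || challenge)), identifier 0."""
    return hashlib.md5(bytes([ident]) + password.encode() + chal).hexdigest()

def portal_pap_password(password, chal):
    """PAP mode (/logon?password=...): password XOR challenge, hex encoded,
    padded or truncated to the 16-byte challenge length."""
    pw = password.encode()[:16].ljust(16, b"\0")
    return bytes(p ^ c for p, c in zip(pw, chal)).hex()

def radius_chap_check(username, chal, response_hex, ident=0):
    """Server side: chilli forwards CHAP-Challenge and CHAP-Password to RADIUS,
    which recomputes the hash from the stored cleartext password."""
    password = USER_DB.get(username)
    if password is None:
        return False
    return hmac.compare_digest(portal_response(password, chal, ident), response_hex)

def demo():
    """Run one login: return (response_hex, accepted, rogue_portal_accepted)."""
    chal = chap_challenge(CHALLENGE_HEX, UAMSECRET)
    response = portal_response("password", chal)
    # A portal that never learned uamsecret hashes against the raw challenge,
    # so its response does not match what chilli hands to RADIUS.
    rogue = portal_response("password", chap_challenge(CHALLENGE_HEX, None))
    return (response, radius_chap_check("test", chal, response),
            radius_chap_check("test", chal, rogue))

if __name__ == "__main__":
    print(demo())
```

The rogue case is why uamsecret matters: only a portal holding the secret can produce a response that verifies against the challenge chilli actually forwards.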


Edit the file firewall.iptables:

#!/bin/sh
#
# Firewall script for ChilliSpot
# A Wireless LAN Access Point Controller
#
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
#
# SUMMARY
# * All connections originating from chilli are allowed.
# * Only ssh is allowed in on external interface.
# * Nothing is allowed in on internal interface.
# * Forwarding is allowed to and from the external interface, but disallowed
# to and from the internal interface.
# * NAT is enabled on the external interface.

IPTABLES="/sbin/iptables"
# The header above and the two-card layout name eth0 as the Internet side;
# ppp0 only applies if the uplink is a PPP (e.g. PPPoE) link over that card.
EXTIF="ppp0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i tun0 -p udp -m udp --dport 1812 -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#Force DNS (udp/53) and SMTP (tcp/25) from the hotspot network to the chilli host
$IPTABLES -t nat -A PREROUTING -s 10.114.0.0/24 -p udp --dport 53 -j DNAT --to 10.114.0.1
$IPTABLES -t nat -A PREROUTING -s 10.114.0.0/24 -p tcp --dport 25 -j DNAT --to 10.114.0.1

Create the file welcome.html in /var/www/html with the following content:
Welcome to Our Hotspot, Wireless Network.

TESTING ONLY

Welcome to Our Hotspot, Wireless Network.

You are connected to an authentication and restricted network access point.

Click here to login

Enjoy.


Then try browsing to it.

I am not yet sure which parts the internal details relate to.
If you know, please help add to this.

Command to run chilli in debug mode:
chilli --debug --fg


******************* The End **********************
