authorVitor Brandão (noisebleed) <vitorbrandao.pt@gmail.com>2009-09-18 21:50:23 +0000
committerVitor Brandão (noisebleed) <vitorbrandao.pt@gmail.com>2009-09-18 21:50:23 +0000
commit004b59425208a2d633f7659d44a65a509052f973 (patch)
tree459e3225e9dfb968b370feaa4af15cf7f64d05e7 /net-wireless/coova-chilli/files
parentsys-kernel/ccs-sources: Version bumped. (diff)
net-wireless/coova-chilli: New Ebuild for bug 217141 (net-wireless/coova-chilli). Thanks to Laurento Frittella.
svn path=/sunrise/; revision=9244
Diffstat (limited to 'net-wireless/coova-chilli/files')
-rw-r--r--net-wireless/coova-chilli/files/chilli44
-rw-r--r--net-wireless/coova-chilli/files/firewall.iptables63
2 files changed, 107 insertions, 0 deletions
diff --git a/net-wireless/coova-chilli/files/chilli b/net-wireless/coova-chilli/files/chilli
new file mode 100644
index 000000000..090851eab
--- /dev/null
+++ b/net-wireless/coova-chilli/files/chilli
@@ -0,0 +1,44 @@
+#!/sbin/runscript
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+# Import chilli specific functions
+. /etc/chilli/functions
+
+depend() {
+ use net logger
+}
+
+
+checkconfig() {
+ check_required
+
+ if [ -f /etc/chilli.conf ]; then
+ return 0;
+ else
+ eerror "Error starting CoovaChilli. Please create /etc/chilli.conf before."
+ return 1;
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting CoovaChilli"
+
+ # TODO: check for tun module and ip_forward
+
+ writeconfig
+ radiusconfig
+
+ start-stop-daemon --start --pidfile /var/run/chilli.pid --quiet \
+ --exec /usr/sbin/chilli -- --pidfile=/var/run/chilli.pid
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping Chillispot"
+ start-stop-daemon --stop --pidfile /var/run/chilli.pid --quiet
+ eend $?
+}
+
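Review bot: `stop()` labels the service "Chillispot" while `start()` and the `checkconfig` error call it "CoovaChilli"; use one name, `ebegin "Stopping CoovaChilli"`. Separately, `/etc/chilli/functions` is sourced unconditionally at the top of the script, so a missing or unreadable file aborts every runscript action (including `stop`) with a raw shell error rather than an `eerror`; a guard such as `[ -r /etc/chilli/functions ] && . /etc/chilli/functions` plus a `checkconfig` test that `check_required` is defined keeps the failure readable. What `check_required`, `writeconfig` and `radiusconfig` do is not visible in this hunk, so I have not assumed anything about the config they generate; the `# TODO` on the tun module and ip_forward remains open.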
diff --git a/net-wireless/coova-chilli/files/firewall.iptables b/net-wireless/coova-chilli/files/firewall.iptables
new file mode 100644
index 000000000..f1c856fd1
--- /dev/null
+++ b/net-wireless/coova-chilli/files/firewall.iptables
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# Firewall script for ChilliSpot
+# A Wireless LAN Access Point Controller
+#
+# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
+# $INTIF (eth1) as the internal interface (access points).
+#
+#
+# SUMMARY
+# * All connections originating from chilli are allowed.
+# * Only ssh is allowed in on external interface.
+# * Nothing is allowed in on internal interface.
+# * Forwarding is allowed to and from the external interface, but disallowed
+# to and from the internal interface.
+# * NAT is enabled on the external interface.
+
+IPTABLES="/sbin/iptables"
+EXTIF="eth0"
+INTIF="eth1"
+
+#Flush all rules
+$IPTABLES -F
+$IPTABLES -F -t nat
+$IPTABLES -F -t mangle
+
+#Set default behaviour
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD ACCEPT
+$IPTABLES -P OUTPUT ACCEPT
+
+#Allow related and established on all interfaces (input)
+$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#Allow releated, established and ssh on $EXTIF. Reject everything else.
+$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
+$IPTABLES -A INPUT -i $EXTIF -j REJECT
+
+#Allow related and established from $INTIF. Drop everything else.
+$IPTABLES -A INPUT -i $INTIF -j DROP
+
+#Allow http and https on other interfaces (input).
+#This is only needed if authentication server is on same server as chilli
+$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
+$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
+
+#Allow 3990 on other interfaces (input).
+$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
+
+#Allow ICMP echo on other interfaces (input).
+$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+#Allow everything on loopback interface.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+# Drop everything to and from $INTIF (forward)
+# This means that access points can only be managed from ChilliSpot
+$IPTABLES -A FORWARD -i $INTIF -j DROP
+$IPTABLES -A FORWARD -o $INTIF -j DROP
+
+#Enable NAT on output device
+$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
+
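Review bot: The default policies are set only after the three flushes, so between `$IPTABLES -F` and `$IPTABLES -P INPUT DROP` the host briefly runs under whatever policy was in place before (ACCEPT if none was set), with no rules at all; moving the `-P INPUT DROP`, `-P FORWARD ACCEPT` and `-P OUTPUT ACCEPT` lines above the flush block closes that window. `-F` also leaves user-defined chains in place, so a `$IPTABLES -X` after the flushes would make re-running the script idempotent. The SUMMARY comment should state that this covers IPv4 only: nothing here touches ip6tables, so if IPv6 is enabled on $EXTIF the INPUT DROP policy does not apply to that traffic — e.g. `# * IPv4 only; IPv6 is not filtered by this script.`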