Monday, April 02, 2012

Optimizing and Security Hotspot YFI (part 1)

In this article I try to optimize and secure my YFI hotspot server by adding Squid and Shorewall and by upgrading CoovaChilli. This post continues my previous posts on Install Hotspot YFI; see part 1 and part 2.

Upgrade CoovaChilli

Important points to remember: the UAM port is by default 3990 when you compile the CoovaChilli package yourself, and 3660 when you use the CoovaChilliAP firmware. The ports used in this setup are:

UAM Port: 3990
COA Port: 3799

Install CoovaChilli


  • First, check which CoovaChilli package is installed, stop the chilli service, and purge the old package. Then download, build, and install CoovaChilli 1.2.9 with the following commands:
dpkg -l | grep chilli
ii  coova-chilli                         1.0.14-1  
dpkg --purge coova-chilli
wget http://ap.coova.org/chilli/coova-chilli-1.2.9.tar.gz
tar zxvf coova-chilli-1.2.9.tar.gz
cd coova-chilli-1.2.9
./configure
make
sudo make install
  • This will install CoovaChilli under the '/usr/local' directory.

The files involved and their roles:

chilli.conf
    Sources the secondary configuration files under the ./chilli directory, and defines the script to run when the chilli daemon has started and the script to run on shut-down.
./chilli/main.conf
    Generated automatically; do not edit it, because it will be overwritten.
./chilli/hs.conf
    Empty; created by the start-up script.
./chilli/local.conf
    Empty; created by the start-up script.
./chilli/defaults
    The default values used by ./chilli/functions to produce ./chilli/main.conf.
./chilli/config
    Starts out as a copy of ./chilli/defaults and is subsequently edited by the user. It is used together with the defaults file to produce ./chilli/main.conf when the start-up script runs. In this document we use ./chilli/config to set the options for the chilli daemon.
  • The following options are set in the ./chilli/config file mentioned above:

# -*- /bin/sh -*-
# HS_WANIF=eth0            # WAN Interface toward the Internet
HS_LANIF=eth1              # Subscriber Interface for client devices
HS_NETWORK=10.1.0.0        # HotSpot Network (must include HS_UAMLISTEN)
HS_NETMASK=255.255.255.0   # HotSpot Network Netmask
HS_UAMLISTEN=10.1.0.1      # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990            # HotSpot Port (on subscriber network)
HS_NASID=nas01
HS_UAMSECRET=greatsecret
HS_RADIUS=10.1.0.1
HS_RADIUS2=10.1.0.1
HS_RADSECRET=testing123
HS_UAMALLOW=coova.org
HS_NASIP=10.1.0.1   # To explicitly set NAS-IP-Address
HS_UAMFORMAT=http://10.1.0.1/coova_json/hs_land.php
HS_UAMHOMEPAGE=http://10.1.0.1/coova_json/splash.php
HS_MODE=hotspot
HS_TYPE=chillispot
# HS_RADAUTH=1812
# HS_RADACCT=1813
# HS_ADMUSR=chillispot
# HS_ADMPWD=chillispot
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=Coova
HS_PROVIDER_LINK=http://www.coova.org/
HS_LOC_NAME="My HotSpot"           # WISPr Location Name and used in portal

This file will be processed by the start-up script to create the main.conf file.


Note: in my case NASIP=10.1.0.1. You can change it to 127.0.0.1, but if you do, you should also change RADIUS to 127.0.0.1; normally NASIP must be the same as the RADIUS address.
Because NASIP=10.1.0.1, don't forget to add the NAS device in YFI: click Realms & Provider -- NAS Devices -- Add (+), as in the picture below.
[Picture: NAS devices]
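As an added example (not part of the original post or of CoovaChilli itself), here is a small POSIX shell pre-flight check for the ./chilli/config listing above: it verifies that HS_UAMLISTEN lies inside HS_NETWORK/HS_NETMASK, that HS_NASIP matches HS_RADIUS as the note says, and that the UAM and RADIUS secrets are not the sample defaults. The config file it writes is constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the post or CoovaChilli): pre-flight check for ./chilli/config,
# to run before /etc/init.d/chilli start. Flags HS_UAMLISTEN outside the hotspot network,
# HS_NASIP != HS_RADIUS (see the note above) and the well-known sample secrets.

ip2int() {                     # dotted quad -> integer, POSIX sh arithmetic only
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_network() {                 # in_network IP NETWORK NETMASK: true if IP is inside
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# check_chilli_config FILE: problems go to stderr, the problem count to stdout
check_chilli_config() {
    unset HS_UAMLISTEN HS_NETWORK HS_NETMASK HS_NASIP HS_RADIUS HS_UAMSECRET HS_RADSECRET
    . "$1"                     # the config is a shell fragment, as its HS_*=value syntax shows
    problems=0
    if ! in_network "$HS_UAMLISTEN" "$HS_NETWORK" "$HS_NETMASK"; then
        echo "HS_UAMLISTEN=$HS_UAMLISTEN is not inside $HS_NETWORK/$HS_NETMASK" >&2
        problems=$((problems + 1))
    fi
    if [ -n "$HS_NASIP" ] && [ "$HS_NASIP" != "$HS_RADIUS" ]; then
        echo "HS_NASIP=$HS_NASIP does not match HS_RADIUS=$HS_RADIUS" >&2
        problems=$((problems + 1))
    fi
    for pair in "HS_UAMSECRET=$HS_UAMSECRET" "HS_RADSECRET=$HS_RADSECRET"; do
        case "${pair#*=}" in
            ""|greatsecret|testing123|chillispot)   # empty, or a value from the sample config
                echo "${pair%%=*} is empty or a well-known default; change it" >&2
                problems=$((problems + 1)) ;;
        esac
    done
    echo "$problems"
}

# Constructed sample using the values from the config listing above (expect 2 problems)
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
HS_NETWORK=10.1.0.0
HS_NETMASK=255.255.255.0
HS_UAMLISTEN=10.1.0.1
HS_NASIP=10.1.0.1
HS_RADIUS=10.1.0.1
HS_UAMSECRET=greatsecret
HS_RADSECRET=testing123
EOF
echo "problems found: $(check_chilli_config "$SAMPLE_CONFIG")"
```

Point it at /etc/chilli/config on the box and fix every line it reports before starting the daemon.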

CoovaChilli Start-up script


  • To ensure CoovaChilli starts up each time, you need to create the file '/etc/init.d/chilli' with the following contents:

#! /bin/sh
#
# skeleton      example file to build /etc/init.d/ scripts.
#               This file should be used to construct scripts for /etc/init.d.
#
#               Written by Miquel van Smoorenburg <miquels@cistron.nl>.
#               Modified for Debian GNU/Linux
#               by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version:      @(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl
#
# This file was automatically customized by dh-make on Thu,  1 Apr 2004 20:05:44 +0200

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
DAEMON=/usr/local/sbin/chilli
NAME=chilli
DESC=chilli
CONFFILE=/usr/local/etc/chilli.conf
# one pid file path for start, stop and reload (the source install lives under /usr/local)
PIDFILE=/usr/local/var/run/$NAME.pid
OPTS="--pidfile $PIDFILE --coaport 3799"
START_CHILLI=0

# /usr/local/etc/default/chilli must set START_CHILLI=1 for the service to start
if [ -f /usr/local/etc/default/chilli ] ; then
    . /usr/local/etc/default/chilli
fi

if [ "$START_CHILLI" != "1" ] ; then
    echo "Chilli default off. Look at /usr/local/etc/default/chilli"
    exit 0
fi

test -f $DAEMON || exit 0
test -f $CONFFILE || exit 0

# writeconfig, radiusconfig and check_required come from CoovaChilli's functions file
. /usr/local/etc/chilli/functions
check_required

RETVAL=0
prog="chilli"

case "$1" in
  start)
    echo -n "Starting $DESC: "
    /sbin/modprobe tun >/dev/null 2>&1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    writeconfig        # generates main.conf from defaults + config
    radiusconfig
    # cron jobs: periodic radconfig (if HS_ADMINTERVAL is set) and a checkrunning watchdog
    (crontab -l 2>&- | grep -v $0
     test ${HS_ADMINTERVAL:-0} -gt 0 && echo "*/$HS_ADMINTERVAL * * * * $0 radconfig"
     echo "*/10 * * * * $0 checkrunning"
     #echo "*/2  * * * * $0 arping"
    ) | crontab - 2>&-
    # Do NAT for the subscriber network towards the WAN interface
    iptables -F POSTROUTING -t nat
    iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
    ifconfig $HS_LANIF 0.0.0.0
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
        --exec $DAEMON -- $OPTS
    RETVAL=$?
    echo "$NAME."
  ;;
  checkrunning)
    check=`start-stop-daemon --start --exec $DAEMON --test`
    if [ x"$check" != x"$DAEMON already running." ] ; then
        $0 start
    fi
  ;;
  radconfig)
    [ -e $MAIN_CONF ] || writeconfig
    radiusconfig
  ;;
  restart)
    $0 stop
    sleep 3
    $0 start
    RETVAL=$?
  ;;
  stop)
    echo -n "Stopping $DESC: "
    crontab -l 2>&- | grep -v $0 | crontab -
    start-stop-daemon --oknodo --stop --quiet --pidfile $PIDFILE \
        --exec $DAEMON
    echo "$NAME."
  ;;
  reload)
    echo "Reloading $DESC."
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE \
        --exec $DAEMON
  ;;
  condrestart)
    check=`start-stop-daemon --start --exec $DAEMON --test`
    if [ x"$check" != x"$DAEMON already running." ] ; then
        $0 restart
        RETVAL=$?
    fi
  ;;
  status)
    # start-stop-daemon --start --test succeeds only when the daemon is NOT running
    if start-stop-daemon --start --exec $DAEMON --test >/dev/null 2>&1 ; then
        echo "$NAME is not running."
        RETVAL=3
    else
        echo "$NAME is running."
    fi
  ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|condrestart|status|reload|radconfig}" >&2
    exit 1
  ;;
esac

exit $RETVAL

  • Remember to make the script executable and add it to the start-up scripts:

sudo chmod +x /etc/init.d/chilli
sudo update-rc.d chilli defaults
  • Also enable the CoovaChilli service by doing the following:

mkdir -p /usr/local/etc/default/
echo "START_CHILLI=1" >> /usr/local/etc/default/chilli
echo 'CONFFILE="/usr/local/etc/chilli.conf"' >> /usr/local/etc/default/chilli

  • To avoid confusion, you can symlink /etc/chilli to /usr/local/etc/chilli/, and likewise for the other files:
ln -s /usr/local/etc/chilli /etc/chilli
ln -s /usr/local/etc/default/chilli /etc/default/chilli
ln -s /usr/local/etc/chilli.conf /etc/chilli.conf
  • Run:
/etc/init.d/chilli start
  • If you get the following error when starting chilli:
Starting chilli:
/usr/local/sbin/chilli: error while loading shared libraries: libchilli.so.0: cannot open shared object file: No such file or directory

try the commands below to solve the problem (they add /usr/local/lib to the dynamic linker's search path):

echo '/usr/local/lib/' >> /etc/ld.so.conf
ldconfig

and run it again.

To be continued in part 2.
Reference:
http://sourceforge.net/apps/trac/hotcakes/wiki/yfi_setup_nas_coova
