Installing a wifidog client on Debian

From GeRgOsNet

OS: Debian 5 / Portal: Wifidog / Proxy: Tinyproxy

  • Network configuration in /etc/network/interfaces:
allow-hotplug eth0
iface eth0 inet dhcp

iface eth1 inet static
        address 192.168.100.1
        netmask 255.255.255.0


  • Install bind for the DNS server:
apt-get install bind9
  • Run this command to avoid the error "wifidog: error while loading shared libraries: libhttpd.so.0: cannot open shared object file: No such file or directory" (ldconfig refreshes the shared-library cache; run it again after wifidog's make install if the error still appears):
ldconfig
  • Install the DHCP server:
apt-get install dhcp3-server
  • DHCP server configuration. The interface the daemon listens on is set in /etc/default/dhcp3-server (not in dhcpd.conf, where this line would be a syntax error):
INTERFACES="eth1"
  • Then in /etc/dhcp3/dhcpd.conf:

ddns-update-style none; 

option domain-name "monserveur.fr";
option domain-name-servers 192.168.100.1;

default-lease-time 600;
max-lease-time 1200;
 
authoritative;

log-facility local7;

subnet 192.168.100.0 netmask 255.255.255.0 {
  range 192.168.100.10 192.168.100.50;
  option routers 192.168.100.1;
}


  • Add the routing (NAT) rule:

Create a firewall script in /etc/network/if-up.d/:

vi /etc/network/if-up.d/firewall

Add:

#!/bin/sh
# Run by ifupdown for every interface that comes up; $IFACE holds its name.
echo 1 > /proc/sys/net/ipv4/ip_forward

if [ "$IFACE" = eth1 ]; then
  # Masquerade the client LAN behind eth0. The source network must be the
  # one configured on eth1 above (192.168.100.0/24); with any other value
  # the clients are never translated and get no Internet access.
  iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
fi


Make it executable:

chmod +x /etc/network/if-up.d/firewall


  • Install wifidog:

Official wifidog version:

wget http://wiki.gergosnet.com/dl/wifidog-20090925.tar.gz


Version modified to use a transparent proxy:

wget http://wiki.gergosnet.com/dl/wifidog-20090925-proxy.tar.gz
tar xvfz wifidog-20090925.tar.gz    # use the -proxy archive name if you downloaded the modified version
# change into the extracted source directory, then:
./configure
make
make install
cp wifidog.conf /usr/local/etc/
cp wifidog-msg.html /usr/local/etc/
  • Configuration in /usr/local/etc/wifidog.conf:
# $Id: wifidog.conf 1375M 2009-09-25 14:56:55Z (local) $
# WiFiDog Configuration file

# Parameter: GatewayID
# Default: default
# Optional
#
# Set this to the node ID on the auth server
# This is used to give a customized login page to the clients and for
# monitoring/statistics purpose. If you run multiple gateways on the same
# machine each gateway needs to have a different gateway id.
# If none is supplied, the mac address of the GatewayInterface interface will be used,
# without the : separators

# GatewayID default

# Parameter: ExternalInterface
# Default: NONE
# Optional
#
# Set this to the external interface (the one going out to the Internet or your larger LAN).
# Typically vlan1 for OpenWrt, and eth0 or ppp0 otherwise,
# Normally autodetected

ExternalInterface eth0

# Parameter: GatewayInterface
# Default: NONE
# Mandatory
#
# Set this to the internal interface (typically your wifi interface).
# Typically br0 for whiterussian, br-lan for kamikaze (by default the wifi interface is bridged with wired lan in openwrt)
# and eth1, wlan0, ath0, etc. otherwise
# You can get this interface with the ifconfig command and finding your wifi interface

GatewayInterface eth1

# Parameter: GatewayAddress
# Default: Find it from GatewayInterface
# Optional
#
#  Set this to the internal IP address of the gateway.  Not normally required.

# GatewayAddress 192.168.1.1

# Parameter: ProxyPort
# Added by the transparent-proxy modification linked at the bottom of this
# page; not present in the official wifidog.conf. Port of the local proxy
# (tinyproxy or squid, both configured on 8888 below).
ProxyPort 8888

# Parameter: HtmlMessageFile
# Default: wifidog-msg.html
# Optional
#
# This allows you to specify a custom HTML file which will be used for
# system errors by the gateway. Any $title, $message and $node variables
# used inside the file will be replaced.
#
# HtmlMessageFile /opt/wifidog/etc/wifidog-.html

# Parameter: AuthServer
# Default: NONE
# Mandatory, repeatable
#
# This allows you to configure your auth server(s).  Each one will be tried in order, until one responds.
# Set this to the hostname or IP of your auth server(s), the path where
# WiFiDog-auth resides in and the port it listens on.
#AuthServer {
#       Hostname                 (Mandatory; Default: NONE)
#       SSLAvailable             (Optional; Default: no; Possible values: yes, no)
#       SSLPort                  (Optional; Default: 443)
#       HTTPPort                 (Optional; Default: 80)
#       Path                     (Optional; Default: /wifidog/ Note:  The path must be both prefixed and suffixed by /.  Use a single / for server root.)
#       LoginScriptPathFragment  (Optional; Default: login/? Note:  This is the script the user will be sent to for login.)
#       PortalScriptPathFragment (Optional; Default: portal/? Note:  This is the script the user will be sent to after a successful login.)
#       MsgScriptPathFragment    (Optional; Default: gw_message.php? Note:  This is the script the user will be sent to upon error to read a readable message.)
#       PingScriptPathFragment   (Optional; Default: ping/? Note:  This is the script the gateway itself calls every CheckInterval to report that it is alive.)
#       AuthScriptPathFragment   (Optional; Default: auth/? Note:  This is the script the gateway calls to validate a client's token and report its traffic counters.)
#}

AuthServer {
    Hostname auth.wireless-fr.org
    SSLAvailable yes
    Path /
} 

#AuthServer {
#    Hostname auth2.ilesansfil.org
#    SSLAvailable yes
#    Path /
#}

# Parameter: Daemon
# Default: 1
# Optional
#
# Set this to true if you want to run as a daemon
# Daemon 1

# Parameter: GatewayPort
# Default: 2060
# Optional
#
# Listen on this port
# GatewayPort 2060

# Parameter: HTTPDName
# Default: WiFiDog
# Optional
#
# Define what name the HTTPD server will respond
# HTTPDName WiFiDog

# Parameter: HTTPDMaxConn
# Default: 10
# Optional
#
# How many sockets to listen to
# HTTPDMaxConn 10

# Parameter: HTTPDRealm
# Default: WiFiDog
# Optional
#
# The name of the HTTP authentication realm. This is only used when a user
# tries to access a protected WiFiDog internal page. See HTTPDUserName.
# HTTPDRealm WiFiDog

# Parameter: HTTPDUserName / HTTPDPassword
# Default: unset
# Optional
#
# The gateway exposes some information such as the status page through its web
# interface. This information can be protected with a username and password,
# which can be set through the HTTPDUserName and HTTPDPassword parameters.
# HTTPDUserName admin
# HTTPDPassword secret

# Parameter: CheckInterval
# Default: 60
# Optional
#
# How many seconds should we wait between timeout checks.  This is also
# how often the gateway will ping the auth server and how often it will
# update the traffic counters on the auth server.  Setting this too low
# wastes bandwidth, setting this too high will cause the gateway to take
# a long time to switch to its backup auth server(s).

# CheckInterval 60

# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired number of CheckIntervals of inactivity before a client is logged out.
# The effective timeout is CheckInterval * ClientTimeout seconds.
ClientTimeout 5

# Parameter: TrustedMACList
# Default: none
# Optional
#
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication
#TrustedMACList 00:23:54:83:B2:20,00:00:C0:1D:F0:0D

# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.


# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.

# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25


    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog.  Note that this is not
    ## client isolation;  The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

# Rule Set: validating-users   
# 
# Used for new users validating their account
FirewallRuleSet validating-users {
    FirewallRule allow tcp port 53
    FirewallRule allow tcp port 67
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 110
    FirewallRule allow tcp port 995
    FirewallRule allow tcp port 143
    FirewallRule allow tcp port 993
    FirewallRule allow tcp port 220
    FirewallRule allow tcp port 443
    FirewallRule allow udp port 53
    FirewallRule allow udp port 67
    FirewallRule block to 0.0.0.0/0
}

# Rule Set: known-users
# 
# Used for normal validated users.
FirewallRuleSet known-users {
    FirewallRule allow tcp port 110
    FirewallRule allow tcp port 143
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 995
    FirewallRule allow udp port 1194
    # Rules are applied in order (first match wins), so this allow must come
    # before the catch-all block; placed after it, it can never match.
    FirewallRule allow to 10.0.0.0/8
    FirewallRule block to 0.0.0.0/0
}

# Rule Set: unknown-users
# 
# Used for unvalidated users, this is the ruleset that gets redirected.
# 
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}


# Rule Set: locked-users
# 
#  Not currently used
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}


No rules are enabled on the firewall for now; they will have to be configured in wifidog.conf once you are sure that wifidog works.
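To see what a FirewallRuleSet actually lets through, here is an added example (not part of the original page, nor of wifidog itself) that parses a rule set block and evaluates it with first-match semantics, which is how wifidog turns the rules into ordered iptables entries; it also reports rules that can never match. The sample input is the known-users set as written with `block to 0.0.0.0/0` placed before `allow to 10.0.0.0/8`, so the allow line is unreachable. The default action when no rule matches is a parameter (assumed to be allow for known-users); the parser only understands the `allow|block [tcp|udp|icmp] [port N] [to CIDR]` forms used on this page and needs Python 3.7+ for `subnet_of`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a known-users rule set whose last allow sits after a
# catch-all block and therefore never matches.
KNOWN_USERS = """\
FirewallRuleSet known-users {
FirewallRule allow tcp port 110
FirewallRule allow tcp port 143
FirewallRule allow tcp port 22
FirewallRule allow tcp port 443
FirewallRule allow tcp port 995
FirewallRule allow udp port 1194
FirewallRule block to 0.0.0.0/0
FirewallRule allow to 10.0.0.0/8
}
"""

# One FirewallRule line: action, optional protocol, optional port, optional
# destination network. Anything not given means "any".
RULE_RE = re.compile(
    r"^\s*FirewallRule\s+(?P<action>allow|block|drop|reject)"
    r"(?:\s+(?P<proto>tcp|udp|icmp))?"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"(?:\s+to\s+(?P<dst>\S+))?\s*$")


def parse_ruleset(text):
    """Parse FirewallRule lines into dicts, in the order they appear."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = RULE_RE.match(line)
        if not m:
            continue                          # header, closing brace, blank
        rules.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "port": int(m.group("port")) if m.group("port") else None,
            "dst": ip_network(m.group("dst") or "0.0.0.0/0", strict=False),
        })
    return rules


def matches(rule, proto, port, dst):
    """True if a packet (proto, port, destination IP) is covered by rule."""
    return ((rule["proto"] is None or rule["proto"] == proto)
            and (rule["port"] is None or rule["port"] == port)
            and ip_address(dst) in rule["dst"])


def decide(rules, proto, port, dst, default="allow"):
    """First matching rule wins, as the rules become ordered iptables entries.
    default is what the chain does when nothing matches (assumed allow for
    known-users in this example)."""
    for rule in rules:
        if matches(rule, proto, port, dst):
            return rule["action"]
    return default


def shadowed(rules):
    """Indices of rules that can never match because an earlier rule with no
    protocol or port restriction already covers their whole destination."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["proto"] is None and earlier["port"] is None
                    and rule["dst"].subnet_of(earlier["dst"])):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    rules = parse_ruleset(KNOWN_USERS)
    for pkt in (("tcp", 22, "8.8.8.8"), ("tcp", 80, "8.8.8.8"), ("tcp", 80, "10.1.2.3")):
        print(pkt, "->", decide(rules, *pkt))
    print("unreachable rule indices:", shadowed(rules))
```

Swapping the last two rules (allow before block) makes `decide` return allow for 10.1.2.3 on port 80 and empties the list of unreachable rules, which is the order a validated-user set needs if the 10/8 exception is meant to work.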

  • Start wifidog:
wifidog -f -d 7
  • Set up automatic start of wifidog

Edit /etc/rc.local and add:

/usr/local/bin/wifidog -f -d 7 &
  • Useful commands:

Check the gateway status:

wdctl status

Stop wifidog:

wdctl stop


  • Install tinyproxy or squid

Depending on the power of your machine, use either tinyproxy for a small modem/router-class machine or squid for a more powerful one.

  • TINYPROXY
apt-get install tinyproxy
  • Tinyproxy configuration
# Running as root is not required: 8888 is an unprivileged port. The Debian
# package default (User nobody / Group nogroup) is the safer choice, provided
# the Logfile and PidFile paths below are writable by that user.
User root
Group root

Port 8888

# Uncomment Listen to accept connections on the internal interface only;
# without it tinyproxy also listens on eth0.
#Listen 192.168.100.1

#Bind 192.168.0.1

#BindSame yes

Timeout 600

#ErrorFile 404 "/usr/share/tinyproxy/404.html"
#ErrorFile 400 "/usr/share/tinyproxy/400.html"
#ErrorFile 503 "/usr/share/tinyproxy/503.html"
#ErrorFile 403 "/usr/share/tinyproxy/403.html"
#ErrorFile 408 "/usr/share/tinyproxy/408.html"

DefaultErrorFile "/usr/share/tinyproxy/default.html"

#StatHost "tinyproxy.stats"

StatFile "/usr/share/tinyproxy/stats.html"

Logfile "/var/log/tinyproxy/tinyproxy.log"

Syslog On

#
# LogLevel:
#
# Set the logging level. Allowed settings are:
#       Critical        (least verbose)
#       Error
#       Warning
#       Notice
#       Connect         (to log connections without Info's noise)
#       Info            (most verbose)
#
# The LogLevel logs from the set level and above. For example, if the
# LogLevel was set to Warning, then all log messages from Warning to
# Critical would be output, but Notice and below would be suppressed.
#
LogLevel Connect

PidFile "/var/log/tinyproxy.pid"

#XTinyproxy Yes

MaxClients 100

MinSpareServers 10
MaxSpareServers 200

StartServers 10

MaxRequestsPerChild 0

# The networks allowed to use the proxy are restricted with Allow directives.
# With no active Allow or Deny line, tinyproxy accepts requests from any
# source, so on this gateway the two lines below are worth enabling:

#Allow 127.0.0.1
#Allow 192.168.100.0/24

#AddHeader "X-My-Header" "Powered by Tinyproxy"

ViaProxyName "tinyproxy"

#DisableViaHeader Yes

#Filter "/etc/filter"

#FilterURLs On

#FilterExtended On

#FilterCaseSensitive On

#FilterDefaultDeny Yes

ConnectPort 443
ConnectPort 563

#ReversePath "/google/" "http://www.google.com/"
#ReversePath "/wired/"  "http://www.wired.com/"

#ReverseOnly Yes

#ReverseMagic Yes

#ReverseBaseURL "http://localhost:8888/"


  • SQUID
  • Install Squid:
apt-get install squid
  • Squid configuration:
pico /etc/squid/squid.conf

Configuration file:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl wifidog src 192.168.100.0/24 # wifidog client traffic; must be the eth1 subnet from /etc/network/interfaces

acl SSL_ports port 443          # https
acl SSL_ports port 563          # snews
acl SSL_ports port 873          # rsync
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 631         # cups
acl Safe_ports port 873         # rsync
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow wifidog

http_access deny all


icp_access deny all

http_port 8888 transparent

hierarchy_stoplist cgi-bin ?

#access_log /var/log/squid/access.log squid
access_log syslog:local3.info

acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

hosts_file /etc/hosts
coredump_dir /var/spool/squid
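Several of the fragments on this page must agree on the client subnet: the eth1 address in /etc/network/interfaces, the dhcpd subnet and lease range, the source of the MASQUERADE rule in the if-up.d script, the squid acl that admits portal clients, and tinyproxy's Allow lines. The script below is an added example (not from the page, wifidog, tinyproxy or squid) that extracts those values from constructed copies of the files and reports mismatches. The sample inputs deliberately carry a 192.168.21.0/24 NAT source and squid acl against a 192.168.100.0/24 LAN, and a tinyproxy configuration with every Allow line commented out, which leaves the proxy open to any source. The parsing is regex-based and handles only the directive forms shown on this page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed configuration fragments (not copied from a live host). The NAT
# rule and the squid acl use a different subnet from eth1, the kind of
# mismatch that creeps in when rules are copied from another gateway.
INTERFACES = """\
allow-hotplug eth0
iface eth0 inet dhcp

iface eth1 inet static
        address 192.168.100.1
        netmask 255.255.255.0
"""
DHCPD_CONF = """\
subnet 192.168.100.0 netmask 255.255.255.0 {
  range 192.168.100.10 192.168.100.50;
  option routers 192.168.100.1;
}
"""
FIREWALL_SH = """\
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$IFACE" = eth1 ]; then
  iptables -t nat -A POSTROUTING -s 192.168.21.0/24 -o eth0 -j MASQUERADE
fi
"""
SQUID_CONF = "acl wifidog src 192.168.21.0/24\nhttp_port 8888 transparent\n"
TINYPROXY_CONF = "Port 8888\n#Allow 127.0.0.1\n#Allow 192.168.100.0/24\n"


def lan_network(interfaces_text, iface="eth1"):
    """Return the static network configured on iface in /etc/network/interfaces."""
    m = re.search(r"iface\s+%s\s+inet\s+static(.*?)(?=\niface|\Z)" % re.escape(iface),
                  interfaces_text, re.S)
    if not m:
        raise ValueError("no static stanza for %s" % iface)
    addr = re.search(r"address\s+(\S+)", m.group(1)).group(1)
    mask = re.search(r"netmask\s+(\S+)", m.group(1)).group(1)
    return ip_network("%s/%s" % (addr, mask), strict=False)


def audit(interfaces_text, dhcpd_text, firewall_text, squid_text, tinyproxy_text):
    """Return a list of (source file, problem); an empty list means consistent."""
    lan = lan_network(interfaces_text)
    findings = []
    # DHCP: the declared subnet and the lease range must lie inside the LAN.
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", dhcpd_text, re.S)
    if not m:
        findings.append(("dhcpd.conf", "no subnet declaration found"))
    else:
        dhcp_net = ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False)
        if dhcp_net != lan:
            findings.append(("dhcpd.conf", "subnet %s is not the eth1 network %s" % (dhcp_net, lan)))
        r = re.search(r"range\s+(\S+)\s+(\S+);", m.group(3))
        for ip in (r.groups() if r else ()):
            if ip_address(ip) not in lan:
                findings.append(("dhcpd.conf", "range bound %s outside %s" % (ip, lan)))
    # NAT: the masqueraded source must be the LAN, otherwise clients get no Internet.
    m = re.search(r"-s\s+(\S+)\s+-o\s+(\S+)\s+-j\s+MASQUERADE", firewall_text)
    if not m:
        findings.append(("firewall", "no MASQUERADE rule found"))
    elif ip_network(m.group(1), strict=False) != lan:
        findings.append(("firewall", "MASQUERADE source %s is not %s" % (m.group(1), lan)))
    # Squid: the acl that admits portal clients must be the LAN.
    m = re.search(r"acl\s+wifidog\s+src\s+(\S+)", squid_text)
    if not m or ip_network(m.group(1), strict=False) != lan:
        findings.append(("squid.conf", "acl wifidog src does not match %s" % lan))
    # Tinyproxy: with every Allow line commented out it accepts any client,
    # including ones arriving on the external interface.
    if not re.search(r"^\s*Allow\s+\S+", tinyproxy_text, re.M):
        findings.append(("tinyproxy.conf", "no active Allow directive: proxy is open to all sources"))
    return findings


if __name__ == "__main__":
    for source, problem in audit(INTERFACES, DHCPD_CONF, FIREWALL_SH, SQUID_CONF, TINYPROXY_CONF):
        print("%-16s %s" % (source, problem))
```

Run against the real files (`open(path).read()` for each) after editing any of them; the three findings on the sample input disappear once the NAT source and squid acl are set to the eth1 subnet and an Allow line is active in tinyproxy.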
  • Install syslogd
apt-get install rsyslog
  • Configure log forwarding

In /etc/rsyslog.conf add:

# A single @ forwards over UDP, unencrypted and unacknowledged; @@ would use TCP.
*.*     @78.41.234.91


On Wireless-fr, be sure to enter the MAC address in upper case.


  • Links:

- Modification of the wifidog sources to add a transparent proxy: http://wiki.gergosnet.com/index.php/Wifidog_et_proxy_transparent