Wifidog on OpenWrt and Squid
From GeRgOsNet
Install the following OpenWrt image: http://wiki.gergosnet.com/dl/openwrt-x86-ext2.image
- Installation from Linux onto a flash disk, USB key or plain hard drive:
dd if=openwrt-x86-ext2.image of=/dev/sde   # /dev/sde is the target disk: check it first, dd overwrites it entirely
- Installing the various packages:
Once your distribution is installed, connect to the web interface, install the required packages (wifidog, squid, ...) and configure the network.
- DNS and DHCP configuration in /etc/config/dhcp:
config dnsmasq
    option domainneeded 1
    option boguspriv 1
    option filterwin2k '0' #enable for dial on demand
    option localise_queries 1
    option local '/lan/'
    option domain 'lanpublic'
    option expandhosts 1
    option nonegcache 0
    option authoritative 1
    option readethers 1
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    #list server '/mycompany.local/1.2.3.4'
    #option nonwildcard 0
    #list interface br-lan

config 'dhcp' 'eth1'
    option 'interface' 'eth1'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '12h'
- Squid configuration in /etc/squid/squid.conf:
cache_effective_user nobody
cache_mgr bigbrother@unslung_squid
visible_hostname ddwrt
#cache_replacement_policy heap LFUDA   # don't know why this doesn't work with 2.6
#memory_replacement_policy LFUDA       # same
ipcache_size 2048
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 100 KB
# If you have a 64/8MB router you can use 16MB cache_mem; on a smaller router use 8MB
cache_mem 16 MB
# This is the cache dir; change it if you want. 400 means a 400MB cache; set the size to what you want
cache_dir ufs /tmp 8 16 256
logfile_rotate 10
fqdncache_size 2048
memory_pools off
maximum_object_size 16384 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
negative_dns_ttl 10 second
connect_timeout 60 second
read_timeout 80 second
request_timeout 80 second
# Logs: change the dir to what you want
#cache_access_log /tmp/access.log
cache_log /tmp
cache_store_log /tmp
access_log syslog:local3.info
hierarchy_stoplist on
# Proxy IP is the same as the ddwrt router IP. Change it as you want
http_port 8888 transparent
# Global ACL definitions (access control lists)
acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 192.168.21.0/255.255.255.0
acl FTP proto FTP
always_direct allow FTP
# Allowed working outgoing ports and LAN IPs
acl Allowed_Ports port 80 99 443 21 563 488 777 210 1025-65535
acl yourLAN src 192.168.21.0/255.255.255.0
# http_access definition
# Note: Squid applies the first matching http_access line, so "allow all" below
# matches every request and the lines after it (including "deny all") are never reached.
http_access allow idents
http_access allow all
http_access allow intern
http_access deny manager all
http_access allow yourLAN
http_access deny all
icp_access deny all
miss_access allow all
always_direct allow intern
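In the Squid configuration above, `http_access allow all` comes before the LAN-only lines, and Squid acts on the first http_access line that matches, so every line after it is dead and any client that can reach port 8888 is served. The Python below is an added example, not from the page or from Squid itself: it replays Squid's first-match evaluation over a constructed copy of the page's ACL lines, with constructed client and server addresses, and compares the result with and without that line.

```python
import ipaddress

# Constructed excerpt of the page's squid.conf, in the page's own order.
PAGE_CONF = """
acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 192.168.21.0/255.255.255.0
acl yourLAN src 192.168.21.0/255.255.255.0
http_access allow idents
http_access allow all
http_access allow intern
http_access deny manager all
http_access allow yourLAN
http_access deny all
"""
# Same lines without the catch-all allow, so "deny all" becomes reachable.
FIXED_CONF = PAGE_CONF.replace("http_access allow all\n", "")

def parse(conf):
    """acls: name -> (type, values); rules: ordered (action, [acl names])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls[parts[1]] = (parts[2], parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl, src, dst):
    kind, values = acl
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(src if kind == "src" else dst)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    return False  # ident/proto ACLs: no identd and plain HTTP here, so no match

def decide(conf, src, dst):
    """First http_access line whose ACLs all match wins (Squid semantics);
    with no match at all, the opposite of the last line's action applies."""
    acls, rules = parse(conf)
    for i, (action, names) in enumerate(rules):
        if all(acl_matches(acls[n], src, dst) for n in names):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

With the page's order, a client from outside the LAN is allowed by line 1 (`allow all`), and even LAN clients are decided by that line rather than by `allow yourLAN`; without it, outside sources fall through to `deny all`.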
- Wifidog configuration in /etc/wifidog.conf:
# $Id: wifidog.conf 11656 2008-07-05 13:07:12Z florian $
# WiFiDog Configuration file

GatewayID 000DB917E805
ExternalInterface br-lan
GatewayInterface eth1

AuthServer {
    Hostname auth.wireless-fr.org
    SSLAvailable yes
    Path /
}

CheckInterval 60

# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired number of CheckInterval of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 5

# Parameter: TrustedMACList
# Default: none
# Optional
#
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.

# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.

# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on
    ## the private LAN that gives internet access to wifidog. Note that this is not
    ## client isolation; The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
    FirewallRule allow tcp port 53
    FirewallRule allow tcp port 67
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 110
    FirewallRule allow tcp port 995
    FirewallRule allow tcp port 143
    FirewallRule allow tcp port 993
    FirewallRule allow tcp port 220
    FirewallRule allow tcp port 443
    FirewallRule allow udp port 53
    FirewallRule allow udp port 67
    FirewallRule block to 0.0.0.0/0
}

# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
    FirewallRule allow tcp port 110
    FirewallRule allow tcp port 143
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 995
    FirewallRule allow tcp port 80
    FirewallRule block to 0.0.0.0/0
}

# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}

# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}
- Adding an iptables rule to force traffic through the proxy, in /etc/proxy.sh:
#!/bin/sh
echo "Lancement regle proxy"
# Wait for wifidog to create its chains before inserting into them
sleep 45
# Send HTTP from clients on eth1 that wifidog has marked as authenticated (mark 0x2)
# to the transparent Squid on port 8888. -I inserts a new copy of the rule on every run.
/usr/sbin/iptables -t nat -I WiFiDog_WIFI2Internet -i eth1 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 8888
echo "Fin lancement regle proxy"
Make the file executable:
chmod +x /etc/proxy.sh
- Adding the main routing rules:
Create a file /etc/rc.d/S45firewallwifidog:
#!/bin/sh
# Enable IPv4 forwarding and NAT the wifidog client subnet out through br-lan
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.21.0/24 -o br-lan -j MASQUERADE
Make the file executable:
chmod +x /etc/rc.d/S45firewallwifidog
- Adding the Squid startup:
Create a file /etc/rc.d/S71squid:
#!/bin/sh
# Create the cache (swap) directories
/usr/sbin/squid -z
# Start squid
/usr/sbin/squid -D
Make the file executable:
chmod +x /etc/rc.d/S71squid
- Adding the Wifidog startup:
Create a file /etc/rc.d/S80wifidog:
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
START=50
start() {
    /usr/bin/wifidog-init start
    /etc/proxy.sh
}
stop() {
    /usr/bin/wifidog-init stop
}
- Disabling the default firewall (in /etc/rc.d):
mv S45firewall downS45firewall