Wifidog sur Openwrt et Squid
De GeRgOsNet
Installer l'image d'openwrt suivant : http://wiki.gergosnet.com/dl/openwrt-x86-ext2.image
- Installation depuis linux sur un disque flash, usb, ou simple disque dur :
dd if=openwrt-x86-ext2.image of=/dev/sde
- Installation des divers paquets :
Une fois votre distribution installer, ce connecter sur l'interface graphique et y installer les paquets necessaire (wifidog, squid, ...) et configurer réseau .
- Configuration du dns et dhcp /etc/config/dhcp :
config dnsmasq option domainneeded 1 option boguspriv 1 option filterwin2k '0' #enable for dial on demand option localise_queries 1 option local '/lan/' option domain 'lanpublic' option expandhosts 1 option nonegcache 0 option authoritative 1 option readethers 1 option leasefile '/tmp/dhcp.leases' option resolvfile '/tmp/resolv.conf.auto' #list server '/mycompany.local/1.2.3.4' #option nonwildcard 0 #list interface br-lan config 'dhcp' 'eth1' option 'interface' 'eth1' option 'start' '100' option 'limit' '150' option 'leasetime' '12h'
- Configuration de Squid /etc/squid/squid.conf :
cache_effective_user nobody
cache_mgr bigbrother@unslung_squid
visible_hostname ddwrt
#cache_replacement_policy heap LFUDA duno why dont work with 2.6
#memory_replacement_policy LFUDA same
ipcache_size 2048
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 100 KB
#If you have 64/8MB Router you can use 16MB cache_mem if smaler router use 8MB
cache_mem 16 MB
#this is cachedir you can change if you want. 400 meams 400MB cache. size you can change what you want
cache_dir ufs /tmp 8 16 256
logfile_rotate 10
fqdncache_size 2048
memory_pools off
maximum_object_size 16384 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
negative_dns_ttl 10 second
connect_timeout 60 second
read_timeout 80 second
request_timeout 80 second
#Logs you can change dir what you want
#cache_access_log /tmp/access.log
cache_log /tmp
cache_store_log /tmp
access_log syslog:local3.info
hierarchy_stoplist on
#Proxy Ip same as ddwrt RuterIp. change how you want
http_port 8888 transparent
# Global ACL-Definitions (Access control lists)
acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 192.168.21.0/255.255.255.0
acl FTP proto FTP
always_direct allow FTP
#Allowed working outgoing Ports and LanIps
acl Allowed_Ports port 80 99 443 21 563 488 777 210 1025-65535
acl yourLAN src 192.168.21.0/255.255.255.0
#http_access definition
http_access allow idents
http_access allow all
http_access allow intern
http_access deny manager all
http_access allow yourLAN
http_access deny all
icp_access deny all
miss_access allow all
always_direct allow intern
- Configuration de Wifidog /etc/wifidog.conf :
# $Id: wifidog.conf 11656 2008-07-05 13:07:12Z florian $
# WiFiDog Configuration file
GatewayID 000DB917E805
ExternalInterface br-lan
GatewayInterface eth1
AuthServer {
Hostname auth.wireless-fr.org
SSLAvailable yes
Path /
}
CheckInterval 60
# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired of number of CheckInterval of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 5
# Parameter: TrustedMACList
# Default: none
# Optional
#
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D
# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.
# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.
# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
## To block SMTP out, as it's a tech support nightmare, and a legal liability
#FirewallRule block tcp port 25
## Use the following if you don't want clients to be able to access machines on
## the private LAN that gives internet access to wifidog. Note that this is not
## client isolation; The laptops will still be able to talk to one another, as
## well as to any machine bridged to the wifi of the router.
# FirewallRule block to 192.168.0.0/16
# FirewallRule block to 172.16.0.0/12
# FirewallRule block to 10.0.0.0/8
## This is an example ruleset for the Teliphone service.
#FirewallRule allow udp to 69.90.89.192/27
#FirewallRule allow udp to 69.90.85.0/27
#FirewallRule allow tcp port 80 to 69.90.89.205
}
# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
FirewallRule allow tcp port 53
FirewallRule allow tcp port 67
FirewallRule allow tcp port 80
FirewallRule allow tcp port 110
FirewallRule allow tcp port 995
FirewallRule allow tcp port 143
FirewallRule allow tcp port 993
FirewallRule allow tcp port 220
FirewallRule allow tcp port 443
FirewallRule allow udp port 53
FirewallRule allow udp port 67
FirewallRule block to 0.0.0.0/0
}
# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
FirewallRule allow tcp port 110
FirewallRule allow tcp port 143
FirewallRule allow tcp port 22
FirewallRule allow tcp port 443
FirewallRule allow tcp port 995
FirewallRule allow tcp port 80
FirewallRule block to 0.0.0.0/0
}
# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}
- Ajout de règle iptable pour forcer le passage par le proxy dans /etc/proxy.sh
#!/bin/sh echo "Lancement regle proxy" sleep 45 /usr/sbin/iptables -t nat -I WiFiDog_WIFI2Internet -i eth1 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 8888 echo "Fin lancement regle proxy"
Rendre executable le fichier :
chmod +x /etc/proxy.sh
- Ajout de regle de routage principal :
Creer un fichier /etc/rc.d/S45firewallwifidog :
echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.21.0/24 -o br-lan -j MASQUERADE
Rendre executable le fichier :
chmod +x /etc/rc.d/S45firewallwifidog
- Ajout du demarrage de squid :
Creer un fichier /etc/rc.d/S71squid :
#Creation de la swap /usr/sbin/squid -z #Demarrage de squid /usr/sbin/squid -D
Rendre executable le fichier :
chmod +x /etc/rc.d/S71squid
- Ajout du demarrage de wifidog :
Creer un fichier /etc/rc.d/S80wifidog :
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
START=50
start() {
/usr/bin/wifidog-init start
/etc/proxy.sh
}
stop() {
/usr/bin/wifidog-init stop
}
- Desactivation du firewall par defaut :
mv S45firewall downS45firewall
