Wifidog on OpenWrt and Squid

From GeRgOsNet.

Install the following OpenWrt image: http://wiki.gergosnet.com/dl/openwrt-x86-ext2.image

  • Installation from Linux onto a flash drive, USB key or plain hard disk:
dd if=openwrt-x86-ext2.image of=/dev/sde
  • Installing the various packages:

Once your distribution is installed, log in to the web interface, install the required packages (wifidog, squid, ...) and configure the network.

  • DNS and DHCP configuration, /etc/config/dhcp:
config dnsmasq
	option domainneeded	1
	option boguspriv	1
	option filterwin2k	'0'  #enable for dial on demand
	option localise_queries	1
	option local	'/lan/'
	option domain	'lanpublic'
	option expandhosts	1
	option nonegcache	0
	option authoritative	1
	option readethers	1
	option leasefile	'/tmp/dhcp.leases'
	option resolvfile	'/tmp/resolv.conf.auto'
	#list server		'/mycompany.local/1.2.3.4'
	#option nonwildcard	0
	#list interface		br-lan
	
config 'dhcp' 'eth1'
	option 'interface'   'eth1'
	option 'start'       '100'
	option 'limit'	     '150'
	option 'leasetime'   '12h'

  • Squid configuration, /etc/squid/squid.conf:
cache_effective_user nobody
cache_mgr bigbrother@unslung_squid
visible_hostname ddwrt

# LFUDA replacement policies left disabled: they did not work with Squid 2.6
#cache_replacement_policy heap LFUDA
#memory_replacement_policy LFUDA

ipcache_size 2048
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 100 KB

# With a 64 MB RAM / 8 MB flash router you can use 16 MB of cache_mem; on a smaller router use 8 MB
cache_mem 16 MB

# Cache directory. The first number is the cache size in MB (8 MB here, in /tmp, i.e. in RAM);
# change the directory and size to suit your storage
cache_dir ufs /tmp 8 16 256

logfile_rotate 10
fqdncache_size 2048
memory_pools off
maximum_object_size 16384 KB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
negative_dns_ttl 10 second
connect_timeout 60 second
read_timeout 80 second
request_timeout 80 second

# Logs: change the paths as you wish. cache_log and cache_store_log take a file name, not a directory
#cache_access_log /tmp/access.log
cache_log /tmp/cache.log
cache_store_log /tmp/store.log
access_log syslog:local3.info

hierarchy_stoplist on

# Port of the transparent proxy; the iptables REDIRECT rule in /etc/proxy.sh sends client port-80 traffic here
http_port 8888 transparent

# Global ACL definitions (access control lists)
#acl idents ident REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl intern dst 192.168.21.0/255.255.255.0
acl FTP proto FTP
always_direct allow FTP

# Allowed outgoing ports and LAN IPs
acl Allowed_Ports port 80 99 443 21 563 488 777 210 1025-65535
acl yourLAN src 192.168.21.0/255.255.255.0

# http_access definition. Squid evaluates these lines top to bottom and stops at the
# first match, so the order matters: deny the cache manager, allow the client LAN,
# then deny everything else.
http_access deny manager
http_access allow localhost
http_access allow yourLAN
http_access allow intern
http_access deny all
# The two lines below originally came first; "allow all" matched every request, so the
# manager deny, the LAN restriction and the final "deny all" were never reached and any
# host able to reach port 8888 could use the proxy.
#http_access allow idents
#http_access allow all
icp_access deny all
miss_access allow all
always_direct allow intern
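Squid applies http_access lines top to bottom and stops at the first match, so every rule after an unconditional "allow all" is dead configuration. The check below is an added example (not part of the original page's configuration): it lists the unreachable http_access lines of a squid.conf read on stdin, and is run on the "allow all in second position" ordering found in this page's squid.conf and on a corrected ordering.

```shell
# Added example (not from the original page): Squid applies http_access lines top to
# bottom and stops at the first match, so every rule after an unconditional
# "allow all" / "deny all" is dead. Reads a squid.conf on stdin and lists those rules.
# Assumption: the catch-all ACL is named "all", as in the squid.conf above.
squid_dead_rules() {
    awk '
        $1 == "http_access" {
            # fields: http_access <allow|deny> <acl> [more acls...]
            if (dead) { print "unreachable: " $0; next }
            # a lone "all" matches every request, so evaluation never gets past it
            if (NF == 3 && $3 == "all") dead = 1
        }
    '
}

# Constructed input: the http_access ordering with "allow all" in second position.
PAGE_RULES='http_access allow idents
http_access allow all
http_access allow intern
http_access deny manager all
http_access allow yourLAN
http_access deny all'

# Corrected ordering: manager denied first, then the client LAN, then everything else.
FIXED_RULES='http_access deny manager
http_access allow localhost
http_access allow yourLAN
http_access deny all'

echo "== rules as copied =="
printf '%s\n' "$PAGE_RULES" | squid_dead_rules     # 4 unreachable lines
echo "== corrected order =="
printf '%s\n' "$FIXED_RULES" | squid_dead_rules    # nothing printed

# On the router: squid_dead_rules < /etc/squid/squid.conf
```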


  • WiFiDog configuration, /etc/wifidog.conf:
# $Id: wifidog.conf 11656 2008-07-05 13:07:12Z florian $
# WiFiDog Configuration file


GatewayID 000DB917E805


ExternalInterface br-lan


GatewayInterface eth1

AuthServer {
    Hostname auth.wireless-fr.org
    SSLAvailable yes
    Path /
} 

CheckInterval 60 

# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired of number of CheckInterval of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 5 

# Parameter: TrustedMACList
# Default: none
# Optional
#
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.

# Parameter: FirewallRule
# Default: none
# 
# Define one firewall rule in a rule set.

# Rule Set: global
# 
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25
    
    ## Use the following if you don't want clients to be able to access machines on 
    ## the private LAN that gives internet access to wifidog.  Note that this is not
    ## client isolation;  The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8
    
    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
    FirewallRule allow tcp port 53
    FirewallRule allow tcp port 67
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 110
    FirewallRule allow tcp port 995
    FirewallRule allow tcp port 143
    FirewallRule allow tcp port 993
    FirewallRule allow tcp port 220
    FirewallRule allow tcp port 443
    FirewallRule allow udp port 53
    FirewallRule allow udp port 67
    FirewallRule block to 0.0.0.0/0
}

# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
    FirewallRule allow tcp port 110
    FirewallRule allow tcp port 143
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 995
    FirewallRule allow tcp port 80
    FirewallRule block to 0.0.0.0/0
}

# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
} 

# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}


  • Adding an iptables rule to force traffic through the proxy, in /etc/proxy.sh:
#!/bin/sh
echo "Lancement regle proxy"
# Wait for WiFiDog to create its iptables chains before inserting into them
sleep 45
# Insert (-I, i.e. ahead of WiFiDog's own ACCEPT) a redirect of port-80 traffic from
# authenticated clients (WiFiDog marks them 0x2) on eth1 to the transparent Squid port
/usr/sbin/iptables -t nat -I WiFiDog_WIFI2Internet -i eth1 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 8888
echo "Fin lancement regle proxy"

Make the file executable:

chmod +x /etc/proxy.sh
  • Adding the main routing rule:

Create the file /etc/rc.d/S45firewallwifidog:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT the client network (eth1) behind the uplink interface br-lan
iptables -t nat -A POSTROUTING -s 192.168.21.0/24 -o br-lan -j MASQUERADE

Make the file executable:

chmod +x /etc/rc.d/S45firewallwifidog
  • Adding the Squid start-up:

Create the file /etc/rc.d/S71squid:

#!/bin/sh
# Create the cache (swap) directories
/usr/sbin/squid -z
# Start squid (-D: skip the initial DNS test)
/usr/sbin/squid -D

Make the file executable:

chmod +x /etc/rc.d/S71squid
  • Adding the WiFiDog start-up:

Create the file /etc/rc.d/S80wifidog:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
# START is only used by "/etc/init.d/<name> enable"; the S80 prefix of this file sets the boot order here
START=50

start() {
	/usr/bin/wifidog-init start
	# proxy.sh sleeps 45 s before inserting its rule, which delays the rest of the boot sequence
	/etc/proxy.sh
}

stop() {
	/usr/bin/wifidog-init stop
}
  • Disabling the default firewall (in /etc/rc.d):
mv S45firewall downS45firewall
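The REDIRECT in /etc/proxy.sh is inserted with -I on purpose: WiFiDog itself places an ACCEPT for authenticated clients (mark 0x2) in that chain, and a rule appended below it with -A would never be reached, leaving Squid bypassed without any error. This added check (example code, not from the page or from the WiFiDog project) reads an iptables-save dump and reports whether the redirect is present and reachable; the embedded dumps are constructed, simplified approximations of the chain, and the chain name is the one the page uses.

```shell
# Added example (not from the page or from WiFiDog): iptables chains are matched top
# to bottom, and WiFiDog itself puts "-m mark --mark 0x2 -j ACCEPT" in its chain for
# authenticated clients. The page's REDIRECT must therefore sit above that ACCEPT
# (hence "iptables -I"); appended with -A it is never reached and Squid is silently
# bypassed. This reads an "iptables-save" dump on stdin and checks the redirect.
# Exit status: 0 = present and reachable, 1 = missing, 2 = shadowed by an earlier ACCEPT.
check_proxy_redirect() {
    awk -v chain="${1:-WiFiDog_WIFI2Internet}" '
        $1 == "-A" && $2 == chain {
            # mark 0x2 exactly (not 0x254, the locked mark); tolerate a /mask suffix
            known = ($0 ~ /--mark 0x2([^0-9a-fA-F]|$)/)
            if (known && index($0, "-j ACCEPT") > 0) accept_seen = 1
            if (known && index($0, "-j REDIRECT") > 0 && $0 ~ /--dport 80( |$)/) {
                found = 1
                if (accept_seen) { print "SHADOWED by earlier ACCEPT: " $0; exit 2 }
                print "ok: " $0
            }
        }
        END { if (!found) { print "MISSING: no port-80 redirect in chain " chain; exit 1 } }
    '
}

# Constructed, simplified dumps (not real WiFiDog output). iptables-save prints
# "--to-ports" for what the page passes as "--to-port".
GOOD_DUMP='*nat
:WiFiDog_WIFI2Internet - [0:0]
-A WiFiDog_WIFI2Internet -i eth1 -p tcp -m mark --mark 0x2 -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A WiFiDog_WIFI2Internet -m mark --mark 0x2 -j ACCEPT
-A WiFiDog_WIFI2Internet -m mark --mark 0x1 -j ACCEPT
COMMIT'

BAD_DUMP='*nat
:WiFiDog_WIFI2Internet - [0:0]
-A WiFiDog_WIFI2Internet -m mark --mark 0x2 -j ACCEPT
-A WiFiDog_WIFI2Internet -m mark --mark 0x1 -j ACCEPT
-A WiFiDog_WIFI2Internet -i eth1 -p tcp -m mark --mark 0x2 -m tcp --dport 80 -j REDIRECT --to-ports 8888
COMMIT'

printf '%s\n' "$GOOD_DUMP" | check_proxy_redirect   # exit 0
printf '%s\n' "$BAD_DUMP"  | check_proxy_redirect   # exit 2
# On the router, once booted: iptables-save -t nat | check_proxy_redirect
```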