2012-06-16 - Re: [GRASE-Hotspot] Block and open Ports

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: c85de742ed44c21ce3e67930c0aac4b343677e58a836dc7eccd0136d5db1f7d0
Message ID: <CAESLx0KrCiDuZgnjvAEug_ruMZZFiYv_ueNN=+3yPEf1_Us1=g@mail.gmail.com>
Reply To: <13fa.4010002.3d08b26d@aol.com>
UTC Datetime: 2012-06-16 01:12:48 UTC
Raw Date: Sat, 16 Jun 2012 18:12:48 +1000

Raw message 

On Wed, Jun 13, 2012 at 12:55 AM,  <Se***e@aol.com> wrote:
> Hello,
>
> the installation of Grase Hotspot was easy and it works really good right
> from the beginning. An impressive solution for hotspots, many thanks for
> that.
>
> Before I want to implement Grase into our holiday appartements, I wanted to
> know if I could only allow certain ports for user who are logged in. I've
> read some topics about that. One said, that I should change the chilli
> ipup.sh (bottom) "ipt -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE" to
> "ipt -I POSTROUTING -t nat -o $HS_WANIF --dport 443 -j MASQUERADE" and the
> ports I want to open (excluding 80 and 53).
> But this results in an opened port 80, and all those i wrote into ipup.sh
> are closed, even 443.
>
> Could somebody tell me also the difference betweeen HS_TCP_Ports in the
> etc/chilli/config and ipup.sh masquerade?

HS_TCP_PORTS is the ports that are available on the "server" at all
times, to all users wether logged in or not. So for example, port 80
needs to be available as the webserver is run on the hotspot server to
run the authentication portal. If you have a ftp server on the server
you want available to all users, then you'd add the ftp port to
HS_TCP_PORTS as well.

ipup.sh, the last line is the one you want. By default, it's
ipt -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE

This will MASQUERADE all traffic once authenticated.
As you say, the following should only MASQUERADE HTTPS traffic, and
port 80 should be taken care of by earlier rules.
ipt -I POSTROUTING -t nat -o $HS_WANIF --dport 443 -j MASQUERADE

I can't do any testing at the moment, but if you can test, I'd suggest
you add a rule after it that logs the packets that get through the
MASQUERADE rule, and from memory that'll give you debug information.
At least then we can see if the dport is the issue, but I'd expect
that to be the right bit.

It would be good to write an interface into the admin section to
select all ports allowed, or a selection, so feel free to open a bug
at trac.grasehotspot.org and once I get my replacement computer I'll
get onto it. Sounds like a good feature to have!

I'll try some debugging when I can.

Thanks

Tim

Thread