coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Chilli + multi ten mode + Pacemaker #227

Open mcgoosh opened 8 years ago

mcgoosh commented 8 years ago

We are running chilli in vlan/multi ten mode along with Pacemaker. Everything works fine except upon boot up we continually have to reload iptables for the chilli rules to work. Right now each chilli config under /etc/chilli/eth2.x has its own up.sh, which is run. This will create the necessary .sh file in /var/run. So for example:

```
eth2.160  Link encap:Ethernet  HWaddr 00:30:18:C7:C7:54
          inet6 addr: fe80::230:18ff:fec7:c754/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3813 errors:0 dropped:0 overruns:0 frame:0
          TX packets:686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:281235 (274.6 KiB)  TX bytes:327051 (319.3 KiB)

tun5      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.60.0.1  P-t-P:10.60.0.1  Mask:255.255.248.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:523 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:95925 (93.6 KiB)  TX bytes:309719 (302.4 KiB)
```

Edit: Sorry I see now that down.sh calls this and removes the rules.

```
/var/run # cat chilli.tun5.sh
iptables -D INPUT -i tun5 -p tcp -m tcp --dport 3990 --dst 10.60.0.1 -j ACCEPT
iptables -D INPUT -i tun5 -p tcp -m tcp --dport 4990 --dst 10.60.0.1 -j ACCEPT
iptables -D INPUT -i tun5 -p udp -d 255.255.255.255 --destination-port 67:68 -j ACCEPT
iptables -D INPUT -i tun5 -p udp -d 10.60.0.1 --destination-port 67:68 -j ACCEPT
iptables -D INPUT -i tun5 -p udp --dst 10.60.0.1 --dport 53 -j ACCEPT
iptables -D INPUT -i tun5 -p icmp --dst 10.60.0.1 -j ACCEPT
iptables -D INPUT -i tun5 --dst 10.60.0.1 -j DROP
iptables -D INPUT -i eth2.160 -j DROP
iptables -D FORWARD -i eth2.160 -j DROP
iptables -D FORWARD -o eth2.160 -j DROP
iptables -D FORWARD -i tun5 -j ACCEPT
iptables -D FORWARD -o tun5 -j ACCEPT
iptables -D FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -D FORWARD -t mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -D FORWARD -i tun5 ! -o eth1 -j DROP
iptables -D FORWARD -i tun5 -o eth1 -j ACCEPT
```

This seems to insert the rules into iptables, but when we do an `iptables -L -v` there are no packets going in/out when we connect our device to our SSID. The device will grab a DHCP address and show up in `chilli_query list`, but it will not redirect us to our custom page until we actually do an iptables reload. Once that is done everything works w/o issue.

The documentation says that the up.sh script runs after the tun interfaces are up. It also references ipup.sh if we need to add in additional iptables commands. Would this help in our case, as I'm not 100% sure whether the iptables rules from the above up.sh are the default or if we have added to this file?
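The pattern the post describes (an up script that installs a per-instance rule set and drops a matching delete script into /var/run) can be made idempotent and checkable, which is what you want when an init system or cluster manager may run it more than once or before the rules were actually accepted. The script below is an added example written for this thread; it is not CoovaChilli's own up.sh/down.sh and nothing in it is taken from the project's sources. Assumptions: the rule list is the post's delete script mirrored as appends (with only the mangle-table TCPMSS rule kept, since that target belongs in mangle), the function names, the `IPTABLES`/`RUNDIR` overrides and the `iptables -C` probe before each append are all my choices, and `tun5`, `10.60.0.1`, `eth2.160` and `eth1` are the values from the post used as sample arguments.

```shell
#!/bin/sh
# Added example, not CoovaChilli's up.sh/down.sh. Installs one chilli
# instance's iptables rules only if they are missing, writes the matching
# -D commands to $RUNDIR/chilli.<tun>.sh (like the file shown in the post),
# and can report how many of the expected rules the kernel does not have.
# IPTABLES and RUNDIR are assumed names; override them for testing.

IPTABLES="${IPTABLES:-iptables}"
RUNDIR="${RUNDIR:-/var/run}"

# Emit one rule per line as "<table> <chain> <match and target args>".
# $1 = tun interface, $2 = its address, $3 = client VLAN interface, $4 = WAN.
# Rules are appended in this order, so ACCEPTs precede the catch-all DROPs.
chilli_rules() {
    tun=$1; ip=$2; lan=$3; wan=$4
    cat <<EOF
filter INPUT -i $tun -p tcp -m tcp --dport 3990 -d $ip -j ACCEPT
filter INPUT -i $tun -p tcp -m tcp --dport 4990 -d $ip -j ACCEPT
filter INPUT -i $tun -p udp -d 255.255.255.255 --dport 67:68 -j ACCEPT
filter INPUT -i $tun -p udp -d $ip --dport 67:68 -j ACCEPT
filter INPUT -i $tun -p udp -d $ip --dport 53 -j ACCEPT
filter INPUT -i $tun -p icmp -d $ip -j ACCEPT
filter INPUT -i $tun -d $ip -j DROP
filter INPUT -i $lan -j DROP
filter FORWARD -i $lan -j DROP
filter FORWARD -o $lan -j DROP
filter FORWARD -i $tun -j ACCEPT
filter FORWARD -o $tun -j ACCEPT
mangle FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
filter FORWARD -i $tun ! -o $wan -j DROP
filter FORWARD -i $tun -o $wan -j ACCEPT
EOF
}

# Append each rule unless "iptables -C" says it is already there, so a
# second run (a re-trigger from the cluster manager, a manual re-run) adds
# no duplicates. Every rule, new or pre-existing, gets a -D line in the
# down file so the instance removes exactly its own set.
apply_rules() {
    down="$RUNDIR/chilli.$1.sh"
    : > "$down"
    while read -r table chain rest; do
        # $rest is intentionally word-split into separate iptables arguments
        if ! "$IPTABLES" -t "$table" -C "$chain" $rest 2>/dev/null; then
            "$IPTABLES" -t "$table" -A "$chain" $rest
        fi
        printf '%s\n' "$IPTABLES -t $table -D $chain $rest" >> "$down"
    done <<EOF
$(chilli_rules "$@")
EOF
}

# Source the recorded -D commands and discard the file. $1 = tun interface.
remove_rules() {
    down="$RUNDIR/chilli.$1.sh"
    [ -f "$down" ] || return 0
    . "$down"
    rm -f "$down"
}

# Print the number of expected rules the kernel does not have (0 = complete).
# Run this right after boot: it separates "rules never landed" from
# "rules present but counters stay at zero", which need different fixes.
rules_missing() {
    n=0
    while read -r table chain rest; do
        "$IPTABLES" -t "$table" -C "$chain" $rest 2>/dev/null || n=$((n + 1))
    done <<EOF
$(chilli_rules "$@")
EOF
    echo "$n"
}

# Dispatcher: up|down|check followed by the four interface arguments.
case "${1:-}" in
    up)    shift; apply_rules "$@" ;;
    down)  shift; remove_rules "$@" ;;
    check) shift; rules_missing "$@" ;;
esac
```

Invoked as `sh chilli-rules.sh up tun5 10.60.0.1 eth2.160 eth1` from the instance's up.sh (or ipup.sh), it is safe to run repeatedly; `check` with the same arguments prints how many rules are absent, and `down tun5` sources the generated /var/run/chilli.tun5.sh. Appending with `-A` rather than `-I` keeps the ACCEPT-before-DROP order of the rule list; inserting at the top would reverse it.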