coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Help with iptables and XT_COOVA #562

Closed xewonder closed 1 year ago

xewonder commented 1 year ago

Good day,

On Ubuntu 20.04.5 LTS

coova-chilli 1.6

Compiled with ENABLE_DEBUG ENABLE_ACCOUNTING_ONOFF ENABLE_BINSTATFILE ENABLE_CHILLIQUERY ENABLE_COA ENABLE_RADPROXY ENABLE_CHILLIREDIR ENABLE_DHCPRADIUS ENABLE_IEEE8021Q ENABLE_IPV6 ENABLE_JSON ENABLE_LEAKYBUCKET ENABLE_STATFILE ENABLE_TAP ENABLE_TCPRESET ENABLE_UAMANYIP ENABLE_UAMUIPORT HAVE_NETFILTER_COOVA HAVE_OPENSSL

I have a problem with XT_COOVA and my iptables (and I have no idea what I am doing).

enp1s0 = dhcp assigned (wan)
enp5s0 = 192.168.182.1/16 (coova interface)
enp6s0 = 192.170.1.1/24 (internal net)

I cannot access my internal network, where my splash page is. With the below iptables I just get a timeout.


```
Chain INPUT (policy ACCEPT 6624 packets, 578K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  enp5s0 *       0.0.0.0/0            11.1.0.1             tcp dpt:3990 coova: name: chilli side: source
    0     0 INPUT_tun0 all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 383 packets, 110K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  enp1s0 tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   enp1s0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  enp1s0 enp5s0  0.0.0.0/0            0.0.0.0/0            coova: name: chilli side: dest
    0     0 ACCEPT     all  --  enp5s0 enp1s0  0.0.0.0/0            0.0.0.0/0            coova: name: chilli side: source
    0     0 DROP       all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6240 packets, 4031K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_tun0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            11.1.0.1             tcp dpt:3990
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```


If I add `iptables -I INPUT -d 192.170.1.0/24 -j ACCEPT`, then I get a TCP RESET error.

To be noted that this config works perfectly if my splash page is on the internet. Once authenticated I can access my internal LAN.

My config:


```
HS_WANIF=enp1s0            # WE ALSO Need to specify this
HS_LANIF=enp5s0            # Subscriber Interface for client devices

HS_NETWORK=192.168.182.0
HS_NETMASK=255.255.0.0
HS_UAMLISTEN=11.1.0.1
HS_UAMPORT=3990
HS_UAMUIPORT=4990
HS_DYNIP=192.168.182.0
HS_DYNIP_MASK=255.255.255.0
HS_STATIP=192.168.182.0
HS_STATIP_MASK=255.255.255.0
HS_DNS_DOMAIN=waveloc.com
HS_DNS1=8.8.8.8
HS_DNS2=8.8.4.4
HS_NASID=SERVER
HS_RADIUS=192.170.1.1
HS_RADIUS2=192.170.1.1
HS_UAMALLOW=waveloc.com,192.170.1.1
HS_RADSECRET=LETUSIN
HS_UAMSECRET=xxxxxx
HS_SSID=hotspot-express
HS_UAMFORMAT=http://192.170.1.1/cake3/rd_cake/dynamic-details/chilli-browser-detect/
HS_MACAUTH=on
HS_TCP_PORTS="80 443"
HS_LOC_NAME="My HotSpot"
HS_DHCPLISTEN=192.168.182.1
HS_DHCPIF=enp5s0
HS_SESKEEPALIVE=on
HS_ACCTUPDATE=on

# for testing
HS_NATANYIP=on
HS_ANYIP=on
HS_LAN_ACCESS=allow
```


I even tried https://github.com/coova/coova-chilli/issues/62

Thank you in advance

xewonder commented 1 year ago

To answer my own question,

adding this solved my issue: `iptables -I INPUT_tun0 -d 192.170.1.1 -j ACCEPT`

Now it looks like this and "works".


```
Chain INPUT (policy ACCEPT 39 packets, 2351 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  enp5s0 *       0.0.0.0/0            11.1.0.1             tcp dpt:3990 coova: name: chilli side: source
    0     0 INPUT_tun0 all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   181 ACCEPT     all  --  enp1s0 tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   enp1s0  0.0.0.0/0            0.0.0.0/0
    1   324 ACCEPT     all  --  enp1s0 enp5s0  0.0.0.0/0            0.0.0.0/0            coova: name: chilli side: dest
    4   208 ACCEPT     all  --  enp5s0 enp1s0  0.0.0.0/0            0.0.0.0/0            coova: name: chilli side: source
    0     0 DROP       all  --  enp5s0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37 packets, 82121 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_tun0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  tun0   *       0.0.0.0/0            11.1.0.1             tcp dpt:3990
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.170.1.1
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```


Thank you
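An added example (written for this edit, not code from the issue or from coova-chilli) that models the INPUT and INPUT_tun0 chains from the two listings above and walks a packet through them. It shows why a client request to the splash page on 192.170.1.1, delivered on chilli's tun0, fell through to the `DROP all -- tun0` rule in the first listing (timeout), and why the single `-d 192.170.1.1 -j ACCEPT` rule in INPUT_tun0 changes that verdict while leaving other internal hosts dropped. Assumptions: the packets are constructed, the xt_coova match is reduced to a boolean session flag on the packet, and the rule order follows the listings as posted.

```python
import ipaddress

# Constructed model of the INPUT and INPUT_tun0 chains from the issue.
# Rules are dicts of optional match keys ("in", "proto", "dst", "dport",
# "coova") plus a "target". ACCEPT/DROP end the walk, RETURN pops back to
# the calling chain, and any other target is a jump to a user chain.
# The xt_coova match is simplified to a "coova_session" flag on the packet
# (assumption: it matches only packets of an authorised chilli session);
# the real module consults chilli's session table instead.

POLICIES = {"INPUT": "ACCEPT"}  # built-in chain policy, as in the listing

INPUT_RULES = [
    {"in": "enp5s0", "proto": "tcp", "dst": "11.1.0.1", "dport": 3990,
     "coova": True, "target": "ACCEPT"},
    {"in": "tun0", "target": "INPUT_tun0"},
    {"in": "enp5s0", "target": "DROP"},
    {"in": "tun0", "target": "DROP"},
]

# INPUT_tun0 as first posted: only the UAM port is accepted; everything
# else RETURNs to INPUT, where "DROP all -- tun0" catches it.
INPUT_TUN0_BEFORE = [
    {"in": "tun0", "proto": "tcp", "dst": "11.1.0.1", "dport": 3990, "target": "ACCEPT"},
    {"target": "RETURN"},
]

# INPUT_tun0 after "iptables -I INPUT_tun0 -d 192.170.1.1 -j ACCEPT",
# ordered as in the second listing.
INPUT_TUN0_AFTER = [
    {"in": "tun0", "proto": "tcp", "dst": "11.1.0.1", "dport": 3990, "target": "ACCEPT"},
    {"dst": "192.170.1.1", "target": "ACCEPT"},
    {"target": "RETURN"},
]


def _matches(rule, pkt):
    """True when every match key present in the rule agrees with the packet."""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dst" in rule:
        net = ipaddress.ip_network(rule["dst"], strict=False)
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "coova" in rule and rule["coova"] != pkt.get("coova_session", False):
        return False
    return True


def walk(chains, chain, pkt, depth=0):
    """Return "ACCEPT"/"DROP" for pkt entering `chain`, or None when a user
    chain RETURNs (the calling chain keeps walking its remaining rules)."""
    if depth > 16:
        raise RuntimeError("jump depth exceeded; chain loop?")
    for rule in chains[chain]:
        if not _matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = walk(chains, target, pkt, depth + 1)
        if verdict is not None:
            return verdict
    # End of chain: a built-in chain applies its policy, a user chain RETURNs.
    return POLICIES.get(chain)


def verdict_before(pkt):
    return walk({"INPUT": INPUT_RULES, "INPUT_tun0": INPUT_TUN0_BEFORE}, "INPUT", pkt)


def verdict_after(pkt):
    return walk({"INPUT": INPUT_RULES, "INPUT_tun0": INPUT_TUN0_AFTER}, "INPUT", pkt)


# Constructed sample packets, all arriving on chilli's tun0 device.
SPLASH = {"in": "tun0", "proto": "tcp", "dst": "192.170.1.1", "dport": 80}      # splash page host
UAM = {"in": "tun0", "proto": "tcp", "dst": "11.1.0.1", "dport": 3990}          # chilli UAM port
OTHER_LAN = {"in": "tun0", "proto": "tcp", "dst": "192.170.1.50", "dport": 22}  # another internal host

if __name__ == "__main__":
    for name, pkt in (("splash", SPLASH), ("uam", UAM), ("other-lan", OTHER_LAN)):
        print(f"{name:10s} before={verdict_before(pkt)} after={verdict_after(pkt)}")
```

Running it prints `DROP` then `ACCEPT` for the splash-page packet, `ACCEPT` both times for the UAM port, and `DROP` both times for the other internal host: the fix opens exactly one destination address from the client side, which is the narrower alternative to the `-d 192.170.1.0/24` rule tried in the INPUT chain.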