Keith Whyte
c749dd35f8
An implementation of a simple Captive Portal that allows access to an IP network via forwarding on the same machine running the GSM core network. A Wifi AP could be connected to the ethernet port specified in the hiera as wifi_if (default eth3) Any Wifi AP can be used, and configured as desired. In the future, maybe a RADIUS based solution could supercede this.
107 lines
2.6 KiB
Puppet
107 lines
2.6 KiB
Puppet
# wifi.pp
|
|
#
|
|
# A basic Wifi service with
|
|
# captive portal and authentication via SMS OTP.
|
|
#
|
|
#
|
|
|
|
class rhizo_base::wifi {
|
|
|
|
$pub_if = $rhizo_base::stats_if
|
|
$wifi_if = $rhizo_base::wifi_if
|
|
$wifi_ip = $rhizo_base::wifi_ip_address
|
|
$wifi_net = $rhizo_base::wifi_net
|
|
$wifi_dhcp_range = $rhizo_base::wifi_dhcp_range
|
|
$wifi_dns = $rhizo_base::wifi_dns
|
|
|
|
file { '/etc/dnsmasq.wifi.conf':
|
|
content => template('rhizo_base/dnsmasq.conf.erb'),
|
|
notify => Service['dnsmasq-wifi']
|
|
}
|
|
|
|
file { '/lib/systemd/system/dnsmasq-wifi.service':
|
|
ensure => present,
|
|
source => 'puppet:///modules/rhizo_base/systemd/dnsmasq-wifi.service',
|
|
}
|
|
|
|
service { 'dnsmasq-wifi':
|
|
provider => 'systemd',
|
|
enable => true,
|
|
ensure => 'running'
|
|
}
|
|
|
|
python::pip { 'python-iptables':
|
|
schedule => 'onceweek',
|
|
ensure => '1.0.1',
|
|
pkgname => 'python-iptables',
|
|
}
|
|
|
|
file { '/etc/apache2/sites-available/001-portal.conf':
|
|
content => template('rhizo_base/portal.conf.erb'),
|
|
require => Package['apache2']
|
|
}
|
|
->file { '/etc/apache2/sites-enabled/001-portal.conf':
|
|
ensure => link,
|
|
target => '../sites-available/001-portal.conf',
|
|
require => Package['apache2'],
|
|
notify => Service['apache2']
|
|
}
|
|
|
|
firewall { '000 accept DHCP (udp port 67)':
|
|
proto => 'udp',
|
|
iniface => $wifi_if,
|
|
dport => [53, 67],
|
|
action => 'accept',
|
|
}
|
|
->firewall { '001 accept WWW Portal':
|
|
proto => 'tcp',
|
|
iniface => $wifi_if,
|
|
dport => 81,
|
|
action => 'accept',
|
|
}
|
|
->firewall { '002 accept ICMP':
|
|
proto => 'icmp',
|
|
iniface => $wifi_if,
|
|
destination => $wifi_ip,
|
|
action => 'accept',
|
|
}
|
|
->firewall { '003 drop mark 10':
|
|
iniface => $wifi_if,
|
|
match_mark => 0xa,
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall { '005 accept related established':
|
|
chain => 'FORWARD',
|
|
proto => 'all',
|
|
iniface => $pub_if,
|
|
state => ['RELATED', 'ESTABLISHED'],
|
|
action => 'accept',
|
|
}
|
|
->firewall { '006 drop mark 10':
|
|
chain => 'FORWARD',
|
|
iniface => $wifi_if,
|
|
match_mark => 0xa,
|
|
action => 'drop',
|
|
}
|
|
|
|
firewall { '020 redirect to portal':
|
|
table => 'nat',
|
|
chain => 'PREROUTING',
|
|
proto => 'tcp',
|
|
dport => 80,
|
|
iniface => $wifi_if,
|
|
match_mark => 0xa,
|
|
jump => 'DNAT',
|
|
todest => "$wifi_ip:81"
|
|
}
|
|
|
|
firewall { '021 nat masq from Wifi':
|
|
table => 'nat',
|
|
chain => 'POSTROUTING',
|
|
source => $wifi_net,
|
|
outiface => $pub_if,
|
|
jump => 'MASQUERADE'
|
|
}
|
|
|
|
}
|