* [#hotspot Hotspot] * [#how_it_works How it works] * [#what_is_involved What is involved] * [#firewall Firewall] * [#platforms Platforms] ** [#openwrt_package OpenWrt package] ** [#other_linux Other Linux] ** [#non_linux Non-Linux] * [#customization Customization] ** [#adding_privledged_users Adding privledged users] ** [#moving_capture_httpd_to_non_standard_port Moving capture httpd to non standard port] * [#problems Problems] ! Hotspot This is a package for Melbourne Wireless Nodes to implement a simple '''light-weight''' captive portal. The majority of existing captive portal applications are more comercially oriented and often require the setup of a radius server. This implementation is based on a few simple concepts: * Use of MW website sign-on to authenticate users, so you doo need to have a route to the Intenet. * Interception of incoming http requests from connected but not-signed-on users * Modification of web server to return a redirect 300 message instead of a 404 (Not Found) messages to "capture" a user trying to access a web page that they cannot get to because of the Node firewall. There is a default '''splash''' page that a user must read that lists terms and conditions of network access. They may then choose to connect to the network if they agree with the T&Cs. There is also a check box to indicate if you are a Melbourne Wireless member. The Node owner can decide what level of access they want to grant the public and a MW member. Restricted levels of access can be set up that allow only specified services ( e.g. POP3, SSH, certain web sites). ! How it works On boot up an init script ( S45firewall ) sets up your firewall. In the PREROUTING table it redirects all http traffic from the wireless interface to the port of the patched httpd. This is the capture. All other traffic from the wireless interface is REJECTED. The user is presented with a splash page (like this ). If they do not accept the T&Cs then they get a page requesting they dis-associate form the network. They will not be able to do anything as the firewall will DROP their packets. If the user is a MW member and check the option, they will get a redirect to the MW web site and get a sign-on page. If they correctly sign on then the firewall will be modified to allow them through. A member of the public does not have to sign-on, once they accept the T&Cs they get re-directed to a welcome page ( like this ) that lets then know what access they have. Once the user has been added to either the public_users or member_users table then they are able to access the network and services as defined for the group they are in. ! What is involved * simple init script to set up the firewall * some commands for adding and removing users from iptables * some web pages and some cgi-scripts * a modified (tiny) httpd to handle the captured users * you will need the ip-tables mac module in your Linux distribution. There are two parts of this, 1) the kernel module ipt_mac.o and 2) the iptables loadable module ! Firewall If you are running the hotspot package then it becomes your firewall. It is configured using iptables and is very tight. You choose what ports and services you want to allow each class of user. See MWRPfirewall for a more detailed description and hints on how to set it up if you have a different arrangement of ports and interfaces. ! Platforms !! OpenWrt package The Beta version is available to download. You can downlaod it and install from a locak machine or run ipkg install http://melbournewireless.org.au/files/wrt54/mwhotspot0.5_mipsel.ipk !! Other Linux Soon we should have a general tarball that you can download and install. There are only a few moving parts so it's not that dificult. To avoid having to have a complete appache server installed I will build a tiny httpd for x86 that will be installed with the tarball. This can be runon a non-standard port allowing the "captured" http requests to be processed correctly while signed-on users cold access web content from a regular (un-modified) web server. !! Non-Linux Sorry, this is based around manipulating the netfilter parameters using iptables. ! Customization At the moment you have to hack the scripts by hand. In progress is a configure script you can run to set up and change the package configuration !! Adding privledged users A privledged user is one that does not have to go through the capture process, i.e. your own laptop machine. Using this mechanism I have turned of the AP I was using internally as my laptop can now just pass through my MW Node instread. in S45firewall add for each privledged machine: $IPT -A privleged_users -m mac --mac_addr 00:00:00:00:00 !! Moving capture httpd to non standard port The httpd that is provided in the package is a very lightweightone. For a full linux distribution you probably want to tkeep using your existing web server and should just run the tiny httpd on a different port. in the S45firewall script change the port in the nat PREROUTING line $IPT -t nat -A PRERPUTING -p tcp --destport 80 -j DNAT --to $NETIP:8086 Now the daemon can be started with a differnet port number: /usr/sbin/httpd -p 8086 -b /www -d MW Hotspot All unauthorized user traffic will get captured in PREROUTING and redirected to port 8086. Once the user is authorized then they will get ACCEPTed in PREROUTING before this line so their port 80 traffic will be unaffected. ! Problems Internet connection DNS issues