HOTSPOT
This is a package for Melbourne Wireless Nodes to implement a simple
LIGHT-WEIGHT captive portal. The majority of existing captive portal
applications are more commercially oriented and often require the setup
of a RADIUS server.
This implementation is based on a few simple concepts:
* Use of the MW website sign-on to authenticate users, so you do need to
have a route to the Internet.
* Interception of incoming http requests from connected but
not-signed-on users.
* Modification of the web server to return a redirect (300) message
instead of a 404 (Not Found) message, to "capture" a user trying to
access a web page that they cannot get to because of the Node
firewall.
There is a default SPLASH page that a user must read that lists the terms
and conditions of network access. They may then choose to connect to
the network if they agree with the T&Cs. There is also a check box to
indicate whether you are a Melbourne Wireless member.
The Node owner can decide what level of access they want to grant the
public and a MW member. Restricted levels of access can be set up that
allow only specified services (e.g. POP3, SSH, certain web sites).
HOW IT WORKS
On boot up an init script (S45firewall) sets up your firewall. In
the nat table's PREROUTING chain it redirects all http traffic from the
wireless interface to the port of the patched httpd. This is the capture.
All other traffic from the wireless interface is REJECTED.
The user is presented with a splash page (like this). If they do not
accept the T&Cs then they get a page requesting that they dis-associate
from the network. They will not be able to do anything as the firewall
will DROP their packets.
If the user is a MW member and checks the option, they will get a
redirect to the MW web site and a sign-on page. If they correctly
sign on then the firewall will be modified to allow them through.
A member of the public does not have to sign on; once they accept the
T&Cs they get re-directed to a welcome page (like this) that lets
them know what access they have.
Once the user has been added to either the public_users or
member_users iptables chain they are able to access the network and
services as defined for the group they are in.
WHAT IS INVOLVED
* a simple init script to set up the firewall
* some commands for adding and removing users from iptables
* some web pages and some cgi-scripts
* a modified (tiny) httpd to handle the captured users
* you will need the iptables MAC match module in your Linux distribution.
There are two parts to this: 1) the kernel module ipt_mac.o and 2) the
iptables loadable (userspace) module
FIREWALL
If you are running the hotspot package then it becomes your firewall.
It is configured using iptables and is very tight. You choose what
ports and services you want to allow each class of user. See
MWRPfirewall for a more detailed description and hints on how to set
it up if you have a different arrangement of ports and interfaces.
PLATFORMS
OPENWRT PACKAGE
The Beta version is available to download. You can download it and
install it from a local machine, or run:
ipkg install http://melbournewireless.org.au/files/wrt54/mwhotspot0.5_mipsel.ipk
OTHER LINUX
Soon we should have a general tarball that you can download and
install. There are only a few moving parts so it's not that difficult.
To avoid having to have a complete Apache server installed I will
build a tiny httpd for x86 that will be installed with the tarball.
This can be run on a non-standard port, allowing the "captured" http
requests to be processed correctly while signed-on users could access
web content from a regular (un-modified) web server.
NON-LINUX
Sorry, this is based around manipulating the netfilter parameters
using iptables.
CUSTOMIZATION
At the moment you have to hack the scripts by hand. In progress is a
configure script you can run to set up and change the package
configuration.
ADDING PRIVILEGED USERS
A privileged user is one that does not have to go through the capture
process, e.g. your own laptop machine. Using this mechanism I have
turned off the AP I was using internally as my laptop can now just pass
through my MW Node instead.
In S45firewall add, for each privileged machine, a rule that accepts its
MAC address (the iptables mac match option is --mac-source; replace the
zeros with the machine's full six-octet address):
$IPT -A privleged_users -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
MOVING CAPTURE HTTPD TO NON-STANDARD PORT
The httpd that is provided in the package is a very lightweight one.
For a full Linux distribution you probably want to keep using your
existing web server and should just run the tiny httpd on a different
port.
In the S45firewall script change the port in the nat PREROUTING line
(the destination port option is --dport):
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to $NETIP:8086
Now the daemon can be started with a different port number (the realm
name contains a space, so quote it):
/usr/sbin/httpd -p 8086 -b /www -d "MW Hotspot"
All unauthorized user traffic will get captured in PREROUTING and
redirected to port 8086. Once the user is authorized they will
get ACCEPTed in PREROUTING before this line, so their port 80 traffic
will be unaffected.
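The following script is an added example and is not the mwhotspot package's own S45firewall or CGI code. It sketches the capture firewall described under HOW IT WORKS together with the add/remove-user commands mentioned under WHAT IS INVOLVED, the privileged-user rule, and the nat PREROUTING ordering that lets an authorized MAC skip the DNAT to the capture port. The chain names privleged_users, member_users and public_users, the DNAT of port 80 and port 8086 are taken from the page; WIFI, NETIP, the *_services chains and their port lists are assumptions. IPT defaults to a dry run (echo) so the generated rules can be read or tested without root; set IPT=iptables on the node.

```shell
#!/bin/sh
# Added example, not the mwhotspot package's own scripts. Chain names from the
# page; WIFI, NETIP, the *_services chains and their port lists are assumed.
IPT="${IPT:-echo iptables}"      # dry run by default; IPT=iptables on the node
WIFI="${WIFI:-wlan0}"            # interface the public associates to (assumed)
NETIP="${NETIP:-10.10.1.1}"      # address the capture httpd binds to (assumed)
CAPTURE_PORT="${CAPTURE_PORT:-8086}"

# The MAC arrives from a CGI form, so refuse anything that is not exactly six
# colon-separated hex pairs before it reaches an iptables command line.
valid_mac() {
    case "$1" in *[!0-9A-Fa-f:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Group name -> chain holding that group's MACs (spelling as on the page).
users_chain() {
    case "$1" in
        privileged) echo privleged_users ;;
        member)     echo member_users ;;
        public)     echo public_users ;;
        *)          return 1 ;;
    esac
}
# Group name -> filter target applied to that group's forwarded traffic.
services_for() {
    case "$1" in
        privileged) echo ACCEPT ;;           # owner's own machines: no restriction
        member)     echo member_services ;;
        public)     echo public_services ;;
        *)          return 1 ;;
    esac
}

setup_firewall() {
    # Replies to already-allowed connections, whichever side they come from.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Per-group service policy (port lists are assumed, not the package's).
    $IPT -N public_services
    $IPT -A public_services -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A public_services -j REJECT
    $IPT -N member_services
    $IPT -A member_services -p tcp -m multiport --dports 22,80,110,143,443 -j ACCEPT
    $IPT -A member_services -j REJECT
    # One chain per group in both tables: filter decides what is forwarded,
    # nat decides who escapes the capture redirect. Both are consulted before
    # the catch-all REJECT and DNAT lines below, which is the ordering the
    # page relies on.
    for g in privileged member public; do
        c=$(users_chain "$g")
        $IPT -N "$c"
        $IPT -t nat -N "$c"
        $IPT -A FORWARD -i "$WIFI" -j "$c"
        $IPT -t nat -A PREROUTING -i "$WIFI" -j "$c"
    done
    # Unknown MACs: nothing is forwarded ...
    $IPT -A FORWARD -i "$WIFI" -j REJECT
    # ... and their port 80 requests are captured by the tiny httpd.
    $IPT -t nat -A PREROUTING -i "$WIFI" -p tcp --dport 80 -j DNAT --to-destination "$NETIP:$CAPTURE_PORT"
    # Captured clients still need DHCP, DNS and the capture port on the node
    # itself (assumes the node runs DHCP and DNS).
    $IPT -A INPUT -i "$WIFI" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -A INPUT -i "$WIFI" -p tcp --dport "$CAPTURE_PORT" -j ACCEPT
}

# user_rule -A|-D GROUP MAC: a signed-on MAC is ACCEPTed in nat PREROUTING
# (so the DNAT line is skipped and its port 80 traffic is untouched) and sent
# to its group's service target in FORWARD.
user_rule() {
    chain=$(users_chain "$2") || { echo "unknown group: $2" >&2; return 1; }
    target=$(services_for "$2")
    valid_mac "$3" || { echo "invalid MAC: $3" >&2; return 1; }
    $IPT -t nat "$1" "$chain" -m mac --mac-source "$3" -j ACCEPT
    $IPT "$1" "$chain" -m mac --mac-source "$3" -j "$target"
}
add_user() { user_rule -A "$@"; }
del_user() { user_rule -D "$@"; }

# Run as "sh hotspot-fw.sh start": set up the firewall, then add the owner's
# laptop (constructed MAC) as a privileged user.
if [ "${1:-}" = "start" ]; then
    setup_firewall
    add_user privileged 00:11:22:33:44:55
fi
```

The input check in valid_mac is the part worth copying even if the chain layout differs: the CGI scripts hand a browser-supplied value to a root-privileged iptables command, and a strict whitelist of the only shape a MAC can take is what keeps extra options or shell metacharacters out of that command.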
PROBLEMS
* Internet connection
* DNS issues