NoCatSplash Basic Setup
Dec 15, 2004
S.Benedict

Testing of the package was done with a fairly basic setup. I've included this document just as a little more of a guide to getting things going. There are security issues of course in opening your network to public access. A more secure setup would be to use a separate gateway machine.

WAP -> eth1 -> install machine -> eth0 -> WAP/Router -> Cable Modem

eth1: 192.168.193.0
eth0: 192.168.192.0

WAP
    Open System, no WEP
    fixed IP 192.168.193.2
    channel 11
    ESSID norris_net

WAP/Router
    Shared Key 128 Bit WEP
    fixed IP 192.168.192.12
    channel 6
    ESSID ays_net

Server
    eth1 is 192.168.193.1
    eth0 is 192.168.192.45
    gateway is 192.168.192.12

The fact that the Router also is a WAP is incidental. As it turns out, it allows me to continue to use WEP on that box for my own devices, while allowing open access through the WAP for public access. The WAP has a 12dBi omni antenna mounted on the roof. I live in a very rural area, so my exposure as far as war driving etc., is pretty small.

Iptables is installed on the server machine. You would want to have IP forwarding/masquerading enabled to forward the eth1 traffic to eth0 for outside access. A script to set this up, if you're not using the "Internet Sharing" setup, can be found at (works for 2.6 kernel also):

http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/examples/rc.firewall-2.4

I'm running dhcpd on the server machine, with fixed IPs assigned to my own gear, and a dynamic pool to the 192.168.193 network. I'm also running named on this machine. domain-name-servers should point to an appropriate address.

    subnet 192.168.193.0 netmask 255.255.255.0 {
        # default gateway
        option routers 192.168.193.1;
        option subnet-mask 255.255.255.0;
        option domain-name "linuxcontrol.org";
        option domain-name-servers 192.168.193.1;
        option nis-domain "linuxcontrol.org";
        range dynamic-bootp 192.168.193.100 192.168.193.150;
        default-lease-time 21600;
        max-lease-time 43200;
    }

For an initial test you can make 2 changes to /etc/nocat.conf:

    LoginTimeout 120                (users will need to acknowledge again after 2 minutes)
    LocalNetwork 192.168.193.0/24   (this should agree with your WAP end of the network)

If your setup resembles mine, ExternalDevice and InternalDevice of eth0 and eth1 should be correct. Otherwise change accordingly. You can also tailor which protocols you want to pass. By default everything but port 25 is open.

Just to be sure, you may want to flush any iptables rules:

    [root@powerbook root]# iptables -F

Now running splashd from the command line should show something like this when you use a wireless device connected to the public side of the network and try to browse the web (in this case a Zaurus 5500). When I try to browse to mapquest, I instead get the NoCatSplash banner page and have to acknowledge that I'm using the network, then I'm redirected to my desired URL. After 120 secs, I'll again see the splash screen, should I continue to try and browse the internet.

    [root@powerbook root]# splashd
    Message: Read 31 config items from /etc/nocat.conf
    ** WARNING **: Got command /usr/lib/nocat/initialize.fw from action ResetCmd
    ** WARNING **: ResetCmd of peer (null) returned 1
    Message: starting main loop
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    DEBUG: adder: adding an item 0x10002dec
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002dec
    Message: thread entering handle_read
    Message: Header in: User-agent=Mozilla/4.0 (compatible; MSIE 5.0; Linux 2.4.6-rmk1-np2-embedix armv4l; 240x320) Opera 5.0 [en]
    Message: Header in: Host=192.168.193.1:5280
    Message: Header in: Accept=text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, */*
    Message: Header in: Accept-encoding=deflate, gzip, x-gzip, identity, *;q=0
    Message: Header in: Referer=http://192.168.193.1:5280/?redirect=http%3A//www.mapquest.com/redir.adp
    Message: Header in: Connection=Keep-Alive, TE
    Message: Header in: Content-type=application/x-www-form-urlencoded
    Message: Header in: Content-length=81
    Message: Accepting peer 192.168.193.148
    ** WARNING **: Got command /usr/lib/nocat/access.fw permit 00:06:25:24:91:35 192.168.193.148 Public from action PermitCmd
    Message: Header out: HTTP/1.1 302 Moved Location: http://www.mapquest.com/redir.adp
    Message: thread exiting handle_read
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 117 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 112 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 107 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 102 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 92 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 47 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 42 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 37 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 32 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 27 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 22 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 17 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 12 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 7 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 2 sec. remain
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Checking peer 192.168.193.148 for expire: 4294967293 sec. remain
    Message: Removing peer 192.168.193.148
    ** WARNING **: Got command /usr/lib/nocat/access.fw deny 00:06:25:24:91:35 192.168.193.148 Public from action DenyCmd
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    DEBUG: adder: adding an item 0x10002ca4
    DEBUG: adder: queue == 0, waking all workers
    DEBUG: worker 16386: dequeuing item 0x10002ca4
    Message: Checking peers for expiration
    Message: Caught SIGINT!
    Message: exiting main loop

(I intentionally Ctrl-C'd out of the daemon).

That's it! The daemon could probably use an initscript, and the sister software NoCatAuth has a 2-part authentication and gateway setup that allows you to define classes of users with more or less access in terms of time allotted and what protocols they might use. NoCatSplash will probably grow to include more features. The program is in its early stages right now.
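
The splashd trace above can be checked mechanically. The following Python script is an added example, not part of NoCatSplash or of the original document: it pairs each access.fw permit with its deny and follows the expiry countdown per peer. It assumes the log format shown in the trace, and it treats the last countdown value, 4294967293 (2^32 - 3), as -3 seconds printed as an unsigned 32-bit number, which is an inference from the trace and not confirmed from the daemon's source.

```python
import re

# Lines copied from the splashd trace above (abridged to one session).
SAMPLE_LOG = """\
Message: Accepting peer 192.168.193.148
** WARNING **: Got command /usr/lib/nocat/access.fw permit 00:06:25:24:91:35 192.168.193.148 Public from action PermitCmd
Message: Checking peer 192.168.193.148 for expire: 117 sec. remain
Message: Checking peer 192.168.193.148 for expire: 2 sec. remain
Message: Checking peer 192.168.193.148 for expire: 4294967293 sec. remain
Message: Removing peer 192.168.193.148
** WARNING **: Got command /usr/lib/nocat/access.fw deny 00:06:25:24:91:35 192.168.193.148 Public from action DenyCmd
"""

FW_RE = re.compile(r"access\.fw (permit|deny) ([0-9A-Fa-f:]{17}) (\S+) (\S+) from action")
EXPIRE_RE = re.compile(r"Checking peer (\S+) for expire: (\d+) sec\. remain")


def as_signed32(value):
    """Assumption: a huge 'remain' is a negative count printed as unsigned 32-bit."""
    return value - 2**32 if value >= 2**31 else value


def summarize(log_text):
    """Per peer IP: firewall events, MACs seen, countdown values, open/overdue flags."""
    peers = {}

    def peer(ip):
        return peers.setdefault(
            ip, {"macs": set(), "events": [], "remain": [], "overdue": False})

    for line in log_text.splitlines():
        fw = FW_RE.search(line)
        exp = EXPIRE_RE.search(line)
        if fw:
            action, mac, ip, _user_class = fw.groups()
            peer(ip)["macs"].add(mac.lower())
            peer(ip)["events"].append(action)
        elif exp:
            remain = as_signed32(int(exp.group(2)))
            peer(exp.group(1))["remain"].append(remain)
            if remain < 0:  # countdown passed zero before the peer was removed
                peer(exp.group(1))["overdue"] = True
    for info in peers.values():
        # A permit with no later deny means the firewall rule is still in place.
        info["still_open"] = bool(info["events"]) and info["events"][-1] == "permit"
    return peers


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a saved splashd log, a peer reported with still_open set or with more than one MAC address for the same IP is worth a closer look, since access.fw is invoked with both the MAC and the IP.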