Captive::Portal notes

From HacDC Wiki

Revision as of 00:54, 30 November 2011 by Drwho (talk | contribs) (Created page with "* By default, access is denied. * Traffic destined for anywhere but to a select few services (i.e., TCP or UDP ports) is blocked by the local firewall. ** NTP ** IMAP(S) ** POP(S...")
  • By default, access is denied.
  • Traffic destined for anywhere but to a select few services (i.e., TCP or UDP ports) is blocked by the local firewall.
    • NTP
    • IMAP(S)
    • POP(S)
    • OpenVPN
    • IPsec
  • HTTP(S) traffic is caught by the firewall and redirected to the mesh node's client IP and port.
    • iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 31337
    • iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 31338
      • We'd have to add an extra bit in there: --destination 10.x.x.1
  • A web server listening on the redirect ports (31337/TCP and 31338/TCP) uses URI rewriting to point everything to a special URI:
  • The web server listening on ports 31337/TCP and 31338/TCP serves a page to the client. The client reads the text ("This is a wireless mesh, stuff about OPSEC, click here to pass through to the directory of services.") and clicks a button.
    • It'd be nice if the page also optionally displayed a message "There is a gateway to the public Net, so you can browse outside of this mesh." if a gateway route existed and had been propagated.
  • When the button is clicked the firewall is updated to permit that MAC address to send traffic.
    • ipset -A capo_sessions_ipset CLIENT_IP,CLIENT_MAC
    • Yes, MAC spoofing to bypass this is trivial. This isn't to prevent people from getting online if they don't have a valid room number, it's to force them to see a message from the admin and then kick them over to a directory of services curated by the node's software.
  • Set a timeout on the client IP? 10 minutes? 60 minutes? 5 minutes (same as DHCP lease time)?
    • ipset -D capo_sessions_ipset CLIENT_IP
    • Captive::Portal includes a script (capo-ctl.pl) which already does this. In fact, you're supposed to run it from cron every ten minutes or so to clean out idle sessions.
  • Captive::Portal requires iptables (have it), ipset (need to compile and install it), and a rule in /etc/sudoers so it can run without privileges but still carry out privileged tasks.
  • fping is used to test idle sessions (have it).
  • A CGI script that implements a captive portal is included in Captive::Portal; it's called capo.cgi and runs under Apache.
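The firewall side of the design sketched above, as an added example (not from these notes and not Captive::Portal's own code): create the session set, let session holders through, allow only the listed services for everyone else, pull HTTP(S) to the portal listener, and drop the rest. Assumed: interface wlan0, set name capo_sessions_ipset from the notes, and a constructed node address 10.0.0.1 standing in for the 10.x.x.1 above; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example for the HacDC captive-portal notes; not part of Captive::Portal.
SET=capo_sessions_ipset
IFACE=${IFACE:-wlan0}
NODE_IP=${NODE_IP:-10.0.0.1}      # constructed placeholder for 10.x.x.1
HTTP_PORT=31337
HTTPS_PORT=31338

# With DRY_RUN set, print each command; otherwise execute it (needs root).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

capo_setup() {
    # Session set keyed on IP+MAC, matching the "ipset -A ... IP,MAC" in the notes.
    run ipset create "$SET" hash:ip,mac
    # 1. Clients with a session bypass the redirect and are forwarded.
    run iptables -t nat -A PREROUTING -i "$IFACE" -m set --match-set "$SET" src,src -j RETURN
    run iptables -A FORWARD -i "$IFACE" -m set --match-set "$SET" src,src -j ACCEPT
    # 2. Everyone else may only reach the listed services:
    #    NTP, IMAP(S), POP(S), OpenVPN, IPsec (IKE, NAT-T and ESP).
    for p in udp:123 tcp:143 tcp:993 tcp:110 tcp:995 udp:1194 udp:500 udp:4500; do
        run iptables -A FORWARD -i "$IFACE" -p "${p%%:*}" --dport "${p##*:}" -j ACCEPT
    done
    run iptables -A FORWARD -i "$IFACE" -p esp -j ACCEPT
    # 3. Web traffic is redirected to the portal listener on this node.
    #    REDIRECT lands in INPUT, so the listener ports must be open there.
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80  -j REDIRECT --to-port "$HTTP_PORT"
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 -j REDIRECT --to-port "$HTTPS_PORT"
    run iptables -A INPUT -i "$IFACE" -p tcp -m multiport --dports "$HTTP_PORT,$HTTPS_PORT" -j ACCEPT
    # 4. Default deny for anything not matched above.
    run iptables -A FORWARD -i "$IFACE" -j DROP
}

# Called by the portal page after the client clicks the button (IP, MAC).
capo_allow()  { run ipset add "$SET" "$1,$2"; }
# Called by the idle-session sweep to end a session.
capo_revoke() { run ipset del "$SET" "$1,$2"; }

if [ "${1:-}" = "apply" ]; then capo_setup; fi
```

Run as `sh capo-fw.sh apply` to install the rules, or with `DRY_RUN=1` to review them first.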