[isf-wifidog] Some new features

Ian White ian.white at datamile-computers.com
Sam 24 Sep 15:52:29 EDT 2005


The way NoCat and LocustWorld do this is:

Nodes are all on 10.x.x.x and 1.x.x.x networks, and traffic between them is 
permitted as a general rule.

For automatic user access there is a cron job that picks the users up from the auth 
server and adds them to each node's iptables by MAC address.

This is the dump from an intermesh node (1.165.22.29) with permitted users 
(00:80:48:1F:A2:55). The marks are used for traffic control; the splash page is 
served from 1.165.22.29:5280.

Marks =
#  1: Owner
#  2: Co-op
#  3: Public
#  4: unknown
#  5: mesh
#  6: routing
#  7: vpn arriving on server


################################
iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DECRYPT    177  --  anywhere             255.255.255.255
DECRYPT    177  --  anywhere             192.168.1.2
DECRYPT    177  --  anywhere             1.165.22.29
DECRYPT    177  --  anywhere             1.165.22.29
DECRYPT    177  --  anywhere             255.255.255.255
NoCat      all  --  anywhere             anywhere
DECRYPT    177  --  anywhere             anywhere           length 92 STRING match test

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere           MAC 00:0C:41:2E:2E:DE MARK set 0x1
MARK       all  --  anywhere             anywhere           MAC 00:80:48:1F:A2:55 MARK set 0x2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp dpt:!51010 flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  anywhere             anywhere           tcp dpt:51010 flags:SYN,RST/SYN TCPMSS set 1416
NoCatfwd   all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp dpt:!51010 flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS     tcp  --  anywhere             anywhere           tcp dpt:51010 flags:SYN,RST/SYN TCPMSS set 1416
TTL        icmp --  anywhere             anywhere           icmp timestamp-reply TTL set to 1
TTL        icmp --  anywhere             anywhere           icmp timestamp-request TTL set to 1
NoCatfwd   all  --  anywhere             anywhere

Chain NoCat (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere           MARK set 0x4
MARK       all  --  10.0.0.0/8           anywhere           MARK set 0x5
MARK       all  --  1.0.0.0/8            anywhere           MARK set 0x5
MARK       all  --  172.16.0.0/16        anywhere           MARK set 0x5
MARK       all  --  anywhere             anywhere           MAC 00:0C:41:2E:2E:DE MARK set 0x1
MARK       all  --  anywhere             anywhere           MAC 00:80:48:1F:A2:55 MARK set 0x2

Chain NoCatfwd (2 references)
target     prot opt source               destination
MARK       all  --  172.16.0.0/16        anywhere           MARK set 0x5
MARK       all  --  anywhere             10.0.0.0/8         MARK set 0x5
MARK       all  --  anywhere             1.0.0.0/8          MARK set 0x5
MARK       all  --  anywhere             255.255.255.255    MARK set 0x6

################################
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  1.0.0.0/8            anywhere
NoCat_Capture  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.0.0/16       anywhere
MASQUERADE  all  --  172.16.0.0/16        anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain NoCat_Capture (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere           MARK match 0x4 tcp dpt:https to:1.165.22.29:5280
DNAT       tcp  --  anywhere             anywhere           MARK match 0x4 tcp dpt:http to:1.165.22.29:5280

Chain NoCat_NAT (0 references)
target     prot opt source               destination
MASQUERADE  all  --  192.168.0.0/16       anywhere           MARK match 0x1
MASQUERADE  all  --  192.168.0.0/16       anywhere           MARK match 0x2
MASQUERADE  all  --  192.168.0.0/16       anywhere           MARK match 0x3
MASQUERADE  all  --  192.168.0.0/16       anywhere           MARK match 0x5

################################

iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.255.255.254       anywhere
DROP       all  --  1.255.255.254        anywhere
DROP       all  --  anywhere             10.255.255.254
DROP       all  --  anywhere             1.255.255.254
REJECT     tcp  --  anywhere             anywhere           tcp dpt:amidxtape reject-with icmp-port-unreachable
lmticmp    icmp -- !172.16.0.0/16        anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS set 1300
NoCat      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere           tcp dpt:amidxtape reject-with icmp-port-unreachable

Chain NoCat (1 references)
target     prot opt source               destination
NoCat_Ports  all  --  anywhere             anywhere
NoCat_Inbound  all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/16       anywhere           MARK match 0x1
ACCEPT     all  --  192.168.0.0/16       anywhere           MARK match 0x2
ACCEPT     all  --  192.168.0.0/16       anywhere           MARK match 0x3
ACCEPT     all  --  192.168.0.0/16       anywhere           MARK match 0x5
ACCEPT     all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  1.0.0.0/8            anywhere
ACCEPT     udp  --  anywhere             172.16.0.0/16      udp dpt:domain
DROP       all  --  anywhere             anywhere

Chain NoCat_Inbound (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           MAC 00:0C:41:2E:2E:DE
ACCEPT     all  --  anywhere             anywhere           MAC 00:80:48:1F:A2:55

Chain NoCat_Ports (1 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           tcp dpt:smtp MARK match 0x3
DROP       udp  --  anywhere             anywhere           udp dpt:smtp MARK match 0x3
DROP       tcp  --  anywhere             anywhere           tcp dpt:sunrpc MARK match 0x3
DROP       udp  --  anywhere             anywhere           udp dpt:sunrpc MARK match 0x3

Chain lmticmp (1 references)
target     prot opt source               destination
ACCEPT     all  -- !192.168.0.0/16       anywhere
ACCEPT     all  --  192.168.0.0/16       anywhere           limit: avg 30/sec burst 5
LOG        all  --  anywhere             anywhere           limit: avg 5/min burst 5 LOG level emerg prefix `STORMWARNING: '
DROP       all  --  anywhere             anywhere



----- Original Message ----- 
From: "Saul Albert" <saul at twenteenthcentury.com>
To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
Sent: Saturday, September 24, 2005 6:50 PM
Subject: Re: [isf-wifidog] Some new features


> Hi Philippe,
>
> On Sat, Sep 24, 2005 at 02:03:34AM -0400, Philippe April wrote:
>> *1. I added {Saul Albert,Jo Walsh,Schuyler}'s patch to send MAC
>> address as the node_id.
>
> yay! Thanks :) we so love to be able to use the default distro and point
> people straight to wifidog.
>
> 1 point - it's not my patch :) I did, for the first time, pick up a book
> on C and spend an afternoon trying to do some seriously dumb copypaste
> coding on this one, but in the end it was jo's idea and schuyler's code
> that did it :)
>
> Also, another bit that might interest you is a script that BMS (bruce
> simpson) wrote to get around the multi-hop splash problem.
>
> We are using freifunk firmware -
> http://www.freifunk.net/wiki/FreifunkFirmware
> on our wrts to provide an easy, web-configurable olsr mesh routing
> solution, and during wsfii - http://wsfii.org next week, we'll have some
> of the developers here, along with Benoit, Francois and Michael.. so it
> might be a good time to see if we can get wifidog rolled into the FFF
> openwrt distro.
>
> We came across the problem that if we are hopping across (well, tunnelling
> through) several olsr nodes to get to an uplink, we get splashed first by
> the box we're associated with, then, by each wifidog-enabled box on our
> way to the gateway. Also, past the first one, auth doesn't work because
> it thinks we're connecting as the first wrt... not as a client.
>
> So bruce hacked up this solution, to be run by cron on each wrt
> (attached - and here :
> http://chinabone.lth.bclub.org.uk/~saul/docs/code/wirelesslondon/install-neighbor-rules.sh
> )
> afaik, it polls the olsr database for neighbours, and adds rules to
> iptables, allowing each olsr node to pass traffic through without getting
> splashed.
>
> That way, you only get splashed by the node you're associated with, and
> from there get clear through to the gateway.
>
> This is nice, as it means that if your gateway is 500 meters away, but
> your node is in a cafe with no dsl, you still get splashed with details
> about that cafe, not about things happening near the gateway.
>
> Bruce said this might be better working as a daemon, but I haven't worked
> out how to do that yet, or how to get it rolled into FFF which I had
> trouble building..
>
> hope this is in some way helpful.
>
> cheers,
>
> Saul.
>


--------------------------------------------------------------------------------


_______________________________________________
WiFiDog mailing list
WiFiDog at listes.ilesansfil.org
http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
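
The two mechanisms described in this thread, Ian's cron job that pulls permitted
users from the auth server and marks them in iptables by MAC, and the script Saul
describes (Bruce's) that exempts neighbouring olsr nodes from the splash redirect,
come down to rebuilding a couple of iptables chains from an untrusted text feed.
The script below is an added example written for this page; it is not code from the
post, from NoCat, WiFiDog or the Freifunk firmware. It assumes the mangle chain
NoCat and nat chain NoCat_Capture exist as in Ian's dump, invents the chain name
nocat_neigh for the neighbour bypass, and uses constructed sample inputs in place of
the auth-server export and the olsrd neighbour table. With IPTABLES unset it only
prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not code from the list post, NoCat, WiFiDog or the Freifunk
# firmware. It rebuilds two iptables chains from two inputs:
#   1. "mac role" lines as a cron job might pull them from the auth server
#      (role names follow the marks in the dump: owner=0x1, co-op=0x2, public=0x3)
#   2. one neighbouring olsr node IP per line, so neighbours are never
#      redirected to the splash page (the multi-hop problem in Saul's mail)
# Both inputs below are constructed. IPTABLES defaults to "echo", which prints
# the rules instead of applying them; set IPTABLES=/usr/sbin/iptables on a node.

IPTABLES="${IPTABLES:-echo}"
# The neighbour-bypass chain name is this example's own choice.
NEIGH_CHAIN="${NEIGH_CHAIN:-nocat_neigh}"

role_to_mark() {
  case "$1" in
    owner)  echo 0x1 ;;
    co-op)  echo 0x2 ;;
    public) echo 0x3 ;;
    *)      return 1 ;;
  esac
}

# Only a well-formed MAC (six colon-separated hex pairs) is accepted. A line the
# auth server hands us is untrusted input; rejecting anything else keeps it from
# smuggling extra arguments onto the iptables command line.
valid_mac() {
  echo "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ip() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Rebuild the mangle NoCat chain from "mac role" lines on stdin. Rule order
# follows the dump: everyone defaults to 0x4 (unknown, gets splashed), the mesh
# networks get 0x5, then the per-MAC overrides. MARK is non-terminating, so the
# last matching rule wins.
apply_mac_rules() {
  $IPTABLES -t mangle -F NoCat
  $IPTABLES -t mangle -A NoCat -j MARK --set-mark 0x4
  for net in 10.0.0.0/8 1.0.0.0/8 172.16.0.0/16; do
    $IPTABLES -t mangle -A NoCat -s "$net" -j MARK --set-mark 0x5
  done
  while read -r mac role; do
    mark=$(role_to_mark "$role") || { echo "skip: unknown role '$role'" >&2; continue; }
    valid_mac "$mac" || { echo "skip: bad MAC '$mac'" >&2; continue; }
    $IPTABLES -t mangle -A NoCat -m mac --mac-source "$mac" -j MARK --set-mark "$mark"
  done
}

# Rebuild the neighbour-bypass chain from one IP per line on stdin and hook it
# into nat PREROUTING ahead of NoCat_Capture, so a neighbouring node's traffic
# is never DNATed to the splash page. Delete-then-insert keeps exactly one hook
# rule across cron runs on iptables builds that lack -C.
apply_neighbour_rules() {
  $IPTABLES -t nat -N "$NEIGH_CHAIN" 2>/dev/null || true
  $IPTABLES -t nat -F "$NEIGH_CHAIN"
  while read -r ip; do
    valid_ip "$ip" || { echo "skip: bad neighbour '$ip'" >&2; continue; }
    $IPTABLES -t nat -A "$NEIGH_CHAIN" -s "$ip" -j ACCEPT
  done
  $IPTABLES -t nat -D PREROUTING -j "$NEIGH_CHAIN" 2>/dev/null || true
  $IPTABLES -t nat -I PREROUTING 1 -j "$NEIGH_CHAIN"
}

main() {
  # Constructed inputs standing in for the auth-server export and the olsr
  # neighbour table. The first MAC line is an injection attempt and is refused.
  printf '%s\n' '00:11:22:33:44:55 public; rm -rf /' \
                '00:0C:41:2E:2E:DE owner' '00:80:48:1F:A2:55 co-op' | apply_mac_rules
  printf '%s\n' 'not-an-ip' '10.1.2.3' '1.165.22.30' | apply_neighbour_rules
}

main
```

Run it as `sh nocat-rules.sh` to see the rules, or `IPTABLES=/usr/sbin/iptables sh
nocat-rules.sh` from cron on a node. It only rebuilds the mangle NoCat chain; in
Ian's dump the same per-MAC matches also appear in mangle FORWARD and in the filter
chain NoCat_Inbound, and a real deployment would regenerate those too. A MAC is
trivially spoofable, so this grants the same level of trust the original scheme
does, no more.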

