[isf-wifidog] Some new features
Ian White
ian.white at datamile-computers.com
Sam 24 Sep 15:52:29 EDT 2005
The way nocat and locustworld do this is:
Nodes are all on 10.x.x.x and 1.x.x.x networks, and traffic between them is
permitted as a general rule.
For auto user access there is a cron job that picks them up from the auth
server and adds them to each node via mac to the iptables.
This is the dump from an intermesh node (1.165.22.29) with permitted users
(00:80:48:1F:A2:55). The marks are used for traffic control, splash page
served from 1.165.22.29:5280
Marks =
# 1: Owner
# 2: Co-op
# 3: Public
# 4: unknown
# 5: mesh
# 6: routing
# 7: vpn arriving on server
################################
iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DECRYPT 177 -- anywhere 255.255.255.255
DECRYPT 177 -- anywhere 192.168.1.2
DECRYPT 177 -- anywhere 1.165.22.29
DECRYPT 177 -- anywhere 1.165.22.29
DECRYPT 177 -- anywhere 255.255.255.255
NoCat all -- anywhere anywhere
DECRYPT 177 -- anywhere anywhere length 92 STRING match test
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MAC 00:0C:41:2E:2E:DE MARK set 0x1
MARK all -- anywhere anywhere MAC 00:80:48:1F:A2:55 MARK set 0x2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp dpt:!51010 flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS tcp -- anywhere anywhere tcp dpt:51010 flags:SYN,RST/SYN TCPMSS set 1416
NoCatfwd all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp dpt:!51010 flags:SYN,RST/SYN TCPMSS set 1300
TCPMSS tcp -- anywhere anywhere tcp dpt:51010 flags:SYN,RST/SYN TCPMSS set 1416
TTL icmp -- anywhere anywhere icmp timestamp-reply TTL set to 1
TTL icmp -- anywhere anywhere icmp timestamp-request TTL set to 1
NoCatfwd all -- anywhere anywhere
Chain NoCat (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x4
MARK all -- 10.0.0.0/8 anywhere MARK set 0x5
MARK all -- 1.0.0.0/8 anywhere MARK set 0x5
MARK all -- 172.16.0.0/16 anywhere MARK set 0x5
MARK all -- anywhere anywhere MAC 00:0C:41:2E:2E:DE MARK set 0x1
MARK all -- anywhere anywhere MAC 00:80:48:1F:A2:55 MARK set 0x2
Chain NoCatfwd (2 references)
target prot opt source destination
MARK all -- 172.16.0.0/16 anywhere MARK set 0x5
MARK all -- anywhere 10.0.0.0/8 MARK set 0x5
MARK all -- anywhere 1.0.0.0/8 MARK set 0x5
MARK all -- anywhere 255.255.255.255 MARK set 0x6
################################
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- 1.0.0.0/8 anywhere
NoCat_Capture all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/16 anywhere
MASQUERADE all -- 172.16.0.0/16 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain NoCat_Capture (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere MARK match 0x4 tcp dpt:https to:1.165.22.29:5280
DNAT tcp -- anywhere anywhere MARK match 0x4 tcp dpt:http to:1.165.22.29:5280
Chain NoCat_NAT (0 references)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/16 anywhere MARK match 0x1
MASQUERADE all -- 192.168.0.0/16 anywhere MARK match 0x2
MASQUERADE all -- 192.168.0.0/16 anywhere MARK match 0x3
MASQUERADE all -- 192.168.0.0/16 anywhere MARK match 0x5
################################
iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 10.255.255.254 anywhere
DROP all -- 1.255.255.254 anywhere
DROP all -- anywhere 10.255.255.254
DROP all -- anywhere 1.255.255.254
REJECT tcp -- anywhere anywhere tcp dpt:amidxtape reject-with icmp-port-unreachable
lmticmp icmp -- !172.16.0.0/16 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1300
NoCat all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:amidxtape reject-with icmp-port-unreachable
Chain NoCat (1 references)
target prot opt source destination
NoCat_Ports all -- anywhere anywhere
NoCat_Inbound all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/16 anywhere MARK match 0x1
ACCEPT all -- 192.168.0.0/16 anywhere MARK match 0x2
ACCEPT all -- 192.168.0.0/16 anywhere MARK match 0x3
ACCEPT all -- 192.168.0.0/16 anywhere MARK match 0x5
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- 1.0.0.0/8 anywhere
ACCEPT udp -- anywhere 172.16.0.0/16 udp dpt:domain
DROP all -- anywhere anywhere
Chain NoCat_Inbound (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:0C:41:2E:2E:DE
ACCEPT all -- anywhere anywhere MAC 00:80:48:1F:A2:55
Chain NoCat_Ports (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:smtp MARK match 0x3
DROP udp -- anywhere anywhere udp dpt:smtp MARK match 0x3
DROP tcp -- anywhere anywhere tcp dpt:sunrpc MARK match 0x3
DROP udp -- anywhere anywhere udp dpt:sunrpc MARK match 0x3
Chain lmticmp (1 references)
target prot opt source destination
ACCEPT all -- !192.168.0.0/16 anywhere
ACCEPT all -- 192.168.0.0/16 anywhere limit: avg 30/sec burst 5
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level emerg prefix `STORMWARNING: '
DROP all -- anywhere anywhere
----- Original Message -----
From: "Saul Albert" <saul at twenteenthcentury.com>
To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
Sent: Saturday, September 24, 2005 6:50 PM
Subject: Re: [isf-wifidog] Some new features
> Hi Philippe,
>
> On Sat, Sep 24, 2005 at 02:03:34AM -0400, Philippe April wrote:
>> *1. I added {Saul Albert,Jo Walsh,Schuyler}'s patch to send MAC
>> address as the node_id.
>
> yay! Thanks :) we so love to be able to use the default distro and point
> people straight to wifidog.
>
> 1 point - it's not my patch :) I did, for the first time, pick up a book
> on C and spend an afternoon trying to do some seriously dumb copypaste
> coding on this one, but in the end it was jo's idea and schuyler's code
> that did it :)
>
> Also, another bit that might interest you is a script that BMS (bruce
> simpson) wrote to get around the multi-hop splash problem.
>
> We are using freifunk firmware -
> http://www.freifunk.net/wiki/FreifunkFirmware
> on our wrts to provide an easy, web-configurable olsr mesh routing
> solution, and during wsfii - http://wsfii.org next week, we'll have some
> of the developers here, along with Benoit, Francois and Michael.. so it
> might be a good time to see if we can get wifidog rolled into the FFF
> openwrt distro.
>
> We came across the problem that if we are hopping across (well, tunnelling
> through) several olsr nodes to get to an uplink, we get splashed first by
> the box we're associated with, then, by each wifidog-enabled box on our
> way to the gateway. Also, past the first one, auth doesn't work because
> it thinks we're connecting as the first wrt... not as a client.
>
> So bruce hacked up this solution, to be run by cron on each wrt
> (attached - and here :
> http://chinabone.lth.bclub.org.uk/~saul/docs/code/wirelesslondon/install-neighbor-rules.sh
> )
> afaik, it polls the olsr database for neighbours, and adds rules to
> iptables, allowing each olsr node to pass traffic through without getting
> splashed.
>
> That way, you only get splashed by the node you're associated with, and
> from there get clear through to the gateway.
>
> This is nice, as it means that if your gateway is 500 meters away, but
> your node is in a cafe with no dsl, you still get splashed with details
> about that cafe, not about things happening near the gateway.
>
> Bruce said this might be better working as a daemon, but I haven't worked
> out how to do that yet, or how to get it rolled into FFF which I had
> trouble building..
>
> hope this is in some way helpful.
>
> cheers,
>
> Saul.
>
--------------------------------------------------------------------------------
_______________________________________________
WiFiDog mailing list
WiFiDog at listes.ilesansfil.org
http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
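The two mechanisms discussed in this thread, the cron job that takes the permitted-user list from the auth server and loads per-MAC MARK rules (Ian's dump above), and Bruce's script that exempts OLSR neighbours from the splash redirect, both come down to generating iptables rules from a list. The script below is an added example written for this thread, not Ian's cron job, Bruce's install-neighbor-rules.sh, or anything shipped by NoCat, locustworld or WiFiDog. It uses the chain names and mark values from the dump (NoCat, NoCat_Inbound, marks 1-3) but the MAC/class list, the neighbour addresses and the 1.165.22.30/31 values are constructed samples, and the IPT dry-run variable is the example's own convention. Entries that are not well-formed MACs or addresses, or that name a class outside 1-3, are refused rather than passed into an iptables argument.

```shell
#!/bin/sh
# Added example: build the per-class MARK / ACCEPT rules that the auth-server
# cron job would load, and the OLSR-neighbour bypass rules, from plain lists.
# IPT defaults to a dry run so the generated rules can be inspected without
# root; set IPT=iptables to apply them on a node.
IPT="${IPT:-echo iptables}"

# Constructed sample of what the auth server hands the node: "MAC class".
# The last two lines are deliberately bad input and must be skipped.
PERMITTED_USERS='00:0C:41:2E:2E:DE 1
00:80:48:1F:A2:55 2
aa:bb:cc:dd:ee:ff 3
not-a-mac 1
00:11:22:33:44:55 9'

# Constructed (hypothetical) OLSR neighbour addresses, one per line.
OLSR_NEIGHBOURS='1.165.22.30
1.165.22.31'

# Accept only a canonical colon-separated MAC; anything else is rejected.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Shape check for a dotted-quad IPv4 address (format only, not range).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# stdin: "MAC class" lines. Marks 1..3 are Owner/Co-op/Public in the dump;
# each permitted MAC gets its MARK in mangle/NoCat and an ACCEPT in
# filter/NoCat_Inbound, exactly the pair of rules seen per MAC above.
mark_rules() {
    while read -r mac class; do
        [ -z "$mac" ] && continue
        valid_mac "$mac" || { echo "skip: bad MAC '$mac'" >&2; continue; }
        case "$class" in
            1|2|3) ;;
            *) echo "skip: class '$class' for $mac not in 1-3" >&2; continue ;;
        esac
        $IPT -t mangle -A NoCat -m mac --mac-source "$mac" -j MARK --set-mark "$class"
        $IPT -t filter -A NoCat_Inbound -m mac --mac-source "$mac" -j ACCEPT
    done
}

# stdin: neighbour IPs. Inserting an ACCEPT at the top of nat/PREROUTING keeps
# a neighbour's traffic out of NoCat_Capture (no DNAT to the splash page), the
# same position the dump uses for the 10/8 and 1/8 mesh ranges.
neighbour_rules() {
    while read -r ip; do
        [ -z "$ip" ] && continue
        valid_ipv4 "$ip" || { echo "skip: bad address '$ip'" >&2; continue; }
        $IPT -t nat -I PREROUTING -s "$ip" -j ACCEPT
        $IPT -t filter -I FORWARD -s "$ip" -j ACCEPT
    done
}

# Run both generators over the constructed samples (dry run unless IPT is set).
load_rules() {
    printf '%s\n' "$PERMITTED_USERS" | mark_rules
    printf '%s\n' "$OLSR_NEIGHBOURS" | neighbour_rules
}

load_rules
```

Run as-is it prints the iptables commands it would issue and reports the two rejected entries on stderr; a real deployment would feed the auth server's list and the OLSR neighbour table into the same two functions from cron.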