[isf-wifidog] Allowing access to specified IP addresses/domainnames without prompting for login

Iurgi Arginzoniz iurgi at fon.es
Wed 21 Jun 18:25:35 EDT 2006


Hi tarken,

It looks like you are trying to whitelist Google. Unfortunately, this task has no easy solution at all.

The problem is the IP pool of Google. Google relies for its web access on Akamai, some kind of a proxying system. The problem is that Akamai has hundreds of different IPs for Google. When OpenWrt resolves the IPs for Google, the DNS servers reply with up to 6 of the available IPs for Google, and these are the ones that will have the access opened to them. Unfortunately, when the user tries to go to Google, their DNS request can get a completely different IP for Google, and so iptables does not let the request progress.

I have some 'dirty' tricks to solve this, that I can share if you are interested.

Iurgi
---
Sent via BlackBerry

-----Original Message-----
From: "Tarken Winn" <tarkenwinn at gmail.com>
Date: Thu, 22 Jun 2006 10:15:25 
To:"WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
Subject: Re: [isf-wifidog] Allowing access to specified IP addresses/domain names without prompting for login

Hi again Francois,
 
 I have just upgraded to RC5 and the outcome is the same. In my wifidog.conf file I specify the www.google.com IP addresses (for New Zealand at least, it resolves to the following) and restart wifidog (or reboot or repower). The outcome is that I am redirected to the wifidog authentication page.
 
 FirewallRuleSet unknown-users {
     # www.google.co.nz IP addresses
     FirewallRule allow to 66.102.7.147
     FirewallRule allow to 66.102.7.104
     FirewallRule allow to 66.102.7.99
 }
 
It appears that something is still amiss. Any other suggestions? Does anyone successfully allow unauthenticated access via wifidog.conf rule sets to specific IP addresses on RC4 or RC5? Any suggestions as to how this can be achieved outside of wifidog.conf? i.e. do not route requests for specific IP addresses to the wifidog gateway. I guess it's an iptables thing, which I am a little hesitant to start hacking at unnecessarily.
 
 I hope someone can help. Thanks in advance.
 
 Tarken
 

On 6/18/06, François Proulx <fproulx at edito.qc.ca> wrote:

RC3 and RC4 have different iptables scripts. RC5 changes back to the old style; that might solve your issue.


Nonetheless, there is currently a bug in Wifidog; here we are now running RC5 and it works great.




On 17-Jun-06, at 10:43 PM, Tarken Winn wrote:


 Hi Francois,
 
 Thanks for your quick reply. I am running Whiterussian RC4. Everything except allowing specific IP addresses to be accessed without authenticating the client with the wifidog gateway appears to be working fine (that I have found/checked).
 
 Tarken


On 6/18/06, François Proulx <fproulx at edito.qc.ca> wrote:

Are you running Whiterussian RC5 ?

 




On 17-Jun-06, at 9:01 PM, Tarken Winn wrote:

 
Hi there,
 
 I have been experimenting with Wifidog (version 1.1.2-1) and have it successfully up and running on my shiny new Linksys WRT54GL.
 
 I am now wanting to allow access to a few specific websites without the user being prompted to login.
 
 I have tried adding them to /etc/wifidog.conf in both the FirewallRuleSet unknown-users{...} and FirewallRuleSet global {...} rule sets to no avail. Example below (I have also tried 'allow to 0.0.0.0/0' and other combos..)
 ...
 FirewallRuleSet unknown-users {
           FirewallRule allow tcp port 80 to 216.193.215.157  # The IP of the server I want to be able to access
           FirewallRule block to 0.0.0.0/0
 }
 
 It appears that something (S45Firewall?) is superseding the FirewallRules specified in wifidog.conf. It is as if the redirect of any port 80 requests to the auth server is happening before the FirewallRules from wifidog.conf are processed. I am redirected to the login page regardless of the IP address/site I attempt to access. If I login then access is granted as expected. [Disclaimer: I don't really know quite what I'm talking about but have spent a fair amount of time investigating this]
 
 The following is selected output from 'iptables -L -v' command:
 
 Chain WiFiDog_Unknown (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:80
 11046  535K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
 
 Chain WiFiDog_WIFI2Internet (1 references)
  pkts bytes target     prot opt in     out     source               destination
 12902  719K WiFiDog_AuthServers  all  --  any    any     anywhere             anywhere
     0     0 WiFiDog_Locked  all  --  any    any     anywhere             anywhere            MARK match 0x254
 12864  717K WiFiDog_Global  all  --  any    any     anywhere             anywhere
     0     0 WiFiDog_Validate  all  --  any    any     anywhere             anywhere            MARK match 0x1
  1818  182K WiFiDog_Known  all  --  any    any     anywhere             anywhere            MARK match 0x2
 11046  535K WiFiDog_Unknown  all  --  any    any     anywhere             anywhere
 
 I have had a good look through the mailing list archives and didn't find mention of this issue (although I can't read French) but expect I am not the first and only person to have it.
 
 Any suggestions would be much appreciated!
 
 Thanks in advance,
 
 Tarken


_______________________________________________
WiFiDog mailing list
WiFiDog at listes.ilesansfil.org
http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
 


More information about the WiFiDog mailing list
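The resolution gap Iurgi describes above, as an added example that is not part of this thread and not WiFiDog's own code: a POSIX sh script, in the register of an OpenWrt gateway, that takes the union of the addresses a name returns across repeated lookups and prints the wifidog.conf lines and the matching iptables commands for every address the existing allow list misses. The DNS answers, including the 72.14.207.x addresses, are constructed sample data (an assumption) so the script runs offline; on a real gateway answers_for() would wrap repeated `nslookup NAME` (busybox) or `dig +short NAME` calls. The chain name WiFiDog_Unknown is taken from the `iptables -L -v` output quoted in the thread.

```shell
#!/bin/sh
# Added example, not WiFiDog code: build the allow set for a name whose
# A records differ between lookups (the Google case in the thread).
# Resolving once and pasting the result into wifidog.conf covers only the
# addresses in that single answer; resolving repeatedly and taking the
# union narrows the gap. CONSTRUCTED_ANSWERS is sample data (assumption),
# one lookup per line: name followed by the addresses that lookup returned.

CONSTRUCTED_ANSWERS='www.google.com 66.102.7.147 66.102.7.104 66.102.7.99
www.google.com 66.102.7.104 66.102.7.147 72.14.207.99
www.google.com 72.14.207.99 72.14.207.104
www.example.net 192.0.2.10'

# answers_for NAME: every address returned for NAME, one per line, in the
# order seen. On a gateway, replace the body with a loop that runs
# `nslookup NAME` (or `dig +short NAME`) N times and prints the A records.
answers_for() {
    printf '%s\n' "$CONSTRUCTED_ANSWERS" |
        awk -v n="$1" '$1 == n { for (i = 2; i <= NF; i++) print $i }'
}

# collect_addrs NAME: union of all addresses seen for NAME, sorted, unique.
collect_addrs() {
    answers_for "$1" | sort -u
}

# new_addrs "ALLOWED..." "CANDIDATES...": candidates not already allowed.
# Both arguments are whitespace-separated lists (newlines are fine).
new_addrs() {
    allowed=$1
    for a in $2; do
        case " $allowed " in
            *" $a "*) ;;                 # already in the allow list
            *) printf '%s\n' "$a" ;;
        esac
    done
}

# rule_lines PORT "ADDRS...": wifidog.conf lines for FirewallRuleSet unknown-users.
rule_lines() {
    for a in $2; do
        printf 'FirewallRule allow tcp port %s to %s\n' "$1" "$a"
    done
}

# iptables_lines PORT "ADDRS...": equivalent filter rules, inserted at the top
# of the chain so they sit ahead of its final REJECT.
iptables_lines() {
    for a in $2; do
        printf 'iptables -I WiFiDog_Unknown -p tcp -d %s --dport %s -j ACCEPT\n' "$a" "$1"
    done
}

# Usage: everything www.google.com resolved to, minus the three addresses the
# poster already has in wifidog.conf.
already_allowed="66.102.7.147 66.102.7.104 66.102.7.99"
missing=$(new_addrs "$already_allowed" "$(collect_addrs www.google.com)")
rule_lines 80 "$missing"
iptables_lines 80 "$missing"
```

Two caveats a practitioner would check before relying on this. First, repeated resolution only narrows the gap: a client whose own lookup returns an address the gateway has never seen is still redirected, which is exactly the failure Iurgi describes, and an iptables rule written with `-d www.google.com` has the same problem because iptables resolves the name once, at rule-load time. Second, netfilter runs the nat table's PREROUTING chain before the filter table's FORWARD chain, so an ACCEPT in a filter chain cannot undo a port-80 REDIRECT that has already happened in nat; compare `iptables -t nat -L -v` with the filter output quoted in the thread and make sure the same destination is exempted in both tables.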