|
|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?注册
×
最好直接做成 CL 的 tgz包 :) 因本人机器少。装不了redhat 不能使用开发包。而且英文比较差。希望高手做一下。。nocatauth这个软件包在下我附上 网页出处http://oob.freeshell.org/nzwireless/nocat1.html#9.3.2http://www.wi-fiplanet.com/tutorials/article.php/3286631Chapter 9. Configuring NoCatAuth Gateway9.1 Overview of NoCatAuth Gateway NoCatAuth is an access control and resource allocation solution for wireless clients. It is implemented on Access Points and is written in PERL. It is a work in progress maintained by the Sonoma County Wireless Group in California, USA. NoCatAuth has two elements; a Gateway service and an Authentication service. The former is discussed in this chapter. The NoCatAuth gateway service is concerned with running what is called Captive Portal. With NoCatAuth installed, wireless clients connecting to the Access Point are blocked from using network resources until such time as they have authenticated themselves. All web traffic from unauthenticated wireless clients is redirected to a login page. NoCatAuth is capable of dynamically relaxing firewall rules for those clients that authenticate successfully. NoCatAuth is constantly under development and in the future it will be superceded by NoCatSplash. For more information on both refer to the NoCat homepage, the NoCat development list and the various text documents that come as part of the NoCat packages. 9.2 Required software In order to install NoCatAuth you must have the PERL programming language, GNU make and gpgv installed on your system. If you didn't chose these during our Redhat install in Chapter 3 or they are otherwise unavailable on your system, you can download and install them here, here and here now. Note that IPTABLES is required and we assume it is supported by your kernel. Once PERL, gpgv and make are available on your system, Download the latest version of NoCatAuth. The version I used for constructing this chapter of the HOWTO is 0.82 but it should be worthwhile getting the latest version. 9.3 Installing NoCatAuth Gateway NoCatAuth is distributed as a tarred and gziped package. Unlike other software dealt with in this HOWTO which is distributed in pre-packaged binary format, we need unpackage NoCatAuth, install it and configure it for our purposes. Here is a description of the steps; 9.3.1 Unpacking NoCatAuth Unpack NoCatAuth with this command (assuming you're using version 0.82); [root@accesspoint root]# tar -zxvf NoCatAuth-0.82.tar.gz Which will unpack all of the NoCatAuth files into a directory called NoCatAuth-0.82 Change to this directory with the cd command and take the time to read the documentation README, INSTALL and the text files in the doc directory as they contain valuable insights into NoCatAuth's operation and it's configuration. 9.3.2 Making NoCatAuth Gateway NoCatAuth is installed using the GNU make utility. Make is capable of analysing our system to make sure that the necessary software requirements are met and installing the necessary NoCatAuth files. It is also possible to use make to modify some install parameters. For more information regarding make refer to the make man page. We are going to install NoCatAuth to a non-default directory, using the following command; [root@accesspoint NoCatAuth-0.82]# make PREFIX=/usr/local/nocat/gateway Which will produce a Congratulations message at the bottom of the resulting output if the installation is successful. If it doesn't, read through the output text for clues as to what may have gone wrong. 9.4 Configuring NoCatAuth Gateway NoCatAuth gateway uses /usr/local/nocat/gateway/nocat.conf as it's configuration file, though the path may be different if you used a different PREFIX variable in the make above in section 9.3.2 As in previous chapters, provided here is an example NoCatAuth gateway configuration file which you can modify for your use using the embedded comments as a guide. In this case, lines beginning with a "#" are comments. Note that the file presented here should be read in conjunction with the default nocat.conf file included with NoCat as the default file includes descriptions from the developers. NoCatAuth has a large number of configuration options and three different modes of operation, more than can be adequetly covered in this HOWTO. For a more in-depth guide to NoCatAuth review the documentation that comes as part of the package and peruse the information available at the NoCat homepage. The following configuration file is suitable for use as a gateway that uses an external authentication service, disallows public acccess and allows member access to Internet web servers using your upstream Internet connection. # example /usr/local/nocat/gateway/nocat.conf #Set logging verbosity. 10 is good for testing, 5 is good for day to day, 0 for off. Verbosity 10 # Set this to the name of your Access Point # NZ-Wireless operators should use your fully qualified domain name GatewayName simon.akld.nzwireless.org # Mode of operation GatewayMode Passive # Log file GatewayLog /usr/local/nocat/gateway/nocat.log # Timeout in seconds for clients to begin login sequence LoginTimeout 600 # Default redirect, to your wireless community group homepage is a good option HomePage http://www.nzwireless.org # The following file locations will only need to be changed if # you used a different PREFIX variable during the make. DocumentRoot /usr/local/nocat/gateway/htdocs SplashForm splash.html StatusForm status.html # Set this to the name of your wireless community group as # specified to your authentication service TrustedGroups NZWireless # Set this to any users who should have unrestricted access to your # LAN from the wireless network Owners oob@wildstar.net # Set to the IP or DNS address of your authentication service AuthServiceAddr authservice.nzwireless.org # The following URLs shouldn't need to be altered AuthServiceURL https://$AuthServiceAddr/cgi-bin/login LogoutURL https://$AuthServiceAddr/logout.html # Uncomment the following line _only_ if NoCat fails to determine # your LAN interface by itself # ExternalDevice eth0 # Your wireless interface. NoCat seems to need this one uncommented InternalDevice wlan0 # Set to the IP and mask of your wireless local network LocalNetwork 10.1.2.0/24 # Set to your DNS server address as given to wireless clients via # DHCP. Set to the WLAN0 IP address if you're running DNS on your # Access Point DNSAddr 10.1.2.1 # Allow traffic from the wireless network to pass through your LAN # to the Internet to contact the following sites AllowedWebHosts nocat.net nzwireless.org # Comment the following line out if you are running NAT RouteOnly 1 # Comment out the following line to allow public access MembersOnly 1 # Use one of the following. Ports that should/shouldn't be available # to wireless clients. IncludePorts 80 443 # ExcludePorts 22 25 Note that it is possible to make NoCatAuth more restrictive and tailor it to our own requirments by adding your own firewall rules to the bottom of the file /usr/local/nocat/gateway/bin/initialize.fw 9.5 Bandwidth Throttling (Traffic Shaping) NoCatAuth has a facility for limiting the use of your upstream internet connection by wireless clients, using the tc tool which is part of the iproute2 package. IPROUTE2 is included in the default Redhat 9.0 installation. You will need to obtain it if you intend to use the bandwidth throttling functionality of NoCatAuth. As mentioned in the NoCatAuth documentation, support for tc in NoCatAuth is experimental, so there are no guarantees. For more information review the documentation that comes with the NoCatAuth package. 9.5.1 Configuring throttling We can set traffic limits for the various classes of NoCat users (Owner, Member, Public) by editing the values at the top of the file /usr/local/nocat/gateway/bin/throttle.fw as in the following example. Note that this example is only a snippet from the top of the file and that the rest of the file is not presented here. Note also that comments are lines that begin with a "#". # Set these to the total capacity of your Internet connection TOTAL_DOWN=1mbit TOTAL_UP=1mbit # Set these limits for your own use OWNER_DOWN=1mbit # fw mark 1 OWNER_UP=1mbit OWNER_OPTIONS="" # Set these to the amount of your bandwidth you are willing to share # with authenticated members of your community group COOP_DOWN=128kbit # fw mark 2 COOP_UP=128kbit COOP_OPTIONS= # Set these to the amount of bandwith you are willing to share # with unauthenticated public users PUBLIC_DOWN=0kbit # fw mark 3 PUBLIC_UP=0kbit PUBLIC_OPTIONS="bounded" The values in the above example provide unlimited upstream bandwidth to users in the Owner class, 10% of available bandwidth to users in the Member class and no bandwidth for users in the Public class. Alter these values to reflect your altruism. 9.5.2 Enabling throttling Bandwidth throttling support in NoCatAuth is enabled with the following command; [root@accesspoint gateway]# chmod +x /usr/local/nocat/gateway/bin/throttle.fw This command makes throttle.fw executable so that NoCatAuth can enable traffic shaping when it starts. 9.6 Testing NoCatAuth Gateway If NoCatAuth is operating nominally, local wireless clients should be unable to use network resources, excepting those websites excluded from blocking in the configuration file. Local wireless clients that attempt to load any other web site should be presented with a login screen to the NoCatAuth Authentication server that we chose in the configuration file. Wireless clients that successfully authenticate should be able to use those network resources which we have allocated. The best way to test that NoCat is working is to attempt the end-to-end connection process from a wireless client. If for some reason it fails, look in the log file /usr/local/nocat/gateway/nocat.log for clues as to what may have gone wrong. It's also worthwhile ensuring that our network resource allocations are being enforced. I recommend using the NMAP portscanner from authenticated and unauthenticated clients, pointing at your Access Point and at machines on your LAN, to ensure that access is only granted following the parameters you have laid down. 9.7 Enabling NoCatAuth from startup NoCatAuth includes a suitable startup script in the etc directory of the install directory. In order to enable NoCatAuth from startup, it needs to be copied into /etc/rc.d/init.d and symlinked to runlevel 3 like so; [root@accesspoint NoCatAuth-0.82]# cp etc/nocat.rc /etc/rc.d/init.d [root@accesspoint NoCatAuth-0.82]# ln -s /etc/rc.d/init.d/nocat.rc /etc/rc3.d/S99nocat As we changed the default NoCatAuth directory in above in section 9.3.2, we need to edit the file /etc/rc.d/init.d/nocat.rc to tell it where to find the gateway binaries. Find the line which reads NC=/usr/local/nocat at the top of the file and change it to read NC=/usr/local/nocat/gateway NoCatAuth should now start when the system boots. |
|
|Archiver|手机版|小黑屋|软路由
( 渝ICP备15001194号-1|
渝公网安备 50011602500124号 )
IP卡
狗仔卡
发表于 2004-12-13 16:17:26
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
发表于 2004-12-13 16:28:58
