Linux-Powered Wireless Hot Spots

If you're setting up a wireless gateway for work or a public place, configure it to authenticate users and prevent abuse.

Wireless access in public areas is provided by 802.11 hot spots, with varying types of access depending on the desires of the hot spot operator. Many commercial hot spots exist in locations such as Starbucks or fast-food franchises, whereas libraries and conference halls might choose to provide free services to visitors and attendees. A public hot spot can be entirely altruistic, offering visitors free network access in the area; it can be a business opportunity, charging visitors for network access and services; or it could be a combination, allowing visitors restricted access and providing paying customers increased bandwidth or greater access.

Proprietary solutions are available for creating wireless hot spots, but why go for a closed-source solution when your favorite operating system and freely licensed tools can do it on a spare PC?

As the operator of a public access point, you have several options. The easiest, of course, is simply to connect a wireless access point (AP) to your network and allow all traffic. Unfortunately, the simplest route is not necessarily the safest one from a security standpoint. If your hot spot is designed to offer connectivity to the Internet at large or if it is connected to a segment of your private network, you almost certainly don't want to allow unfettered access to random passersby.

Many access points have controls to limit access by port and MAC address, but they don't offer any other tools for managing new users, logins or providing the user with information about the hot spot. The hot spots we discuss building here provide a captive portal, a system where users who have not logged in are forced to a single Web page with login, policy and, optionally, payment information.

Hardware and Software

What do you need to get started providing a wireless hot spot? The list, fortunately, is short:

  • Your favorite Linux distribution.

  • NoCatAuth hot spot/portal software (free, open-source and available at

  • A wireless access point, or several. Access points function as a bridge between the wired and wireless segments of your network. What type of wireless you choose depends on the users of your network. Currently, 802.11b is the most widely used; however, 802.11a offers higher data rates over shorter distances. 802.11g hardware, which provides higher data rates and is backward-compatible with 802.11b, is becoming more prominent (see the Sidebar 802.11a, b or g?).

  • A moderately powered PC (Pentium or Pentium II class is more than sufficient for routing packets). NoCat suggests having at least two servers—one to act as a firewall and router and one to handle authentication—but a single server will do in a pinch.


NoCat builds a captive portal by assigning incoming users an IP address using DHCP and restricting network access until the user has validated, be it as a guest, paying customer or administrator. By rewriting the destination of all port 80 traffic in the firewall, any Web page the user attempts to visit before validating can be rerouted to the portal login page.

Figure 1. The NoCat Portal Login Page

Not all access points have the ability to control what MAC addresses are allowed on the network, and each manufacturer that does has a different method of configuring it, so NoCat uses the standard Linux iptables firewalling to control network access. It works with any access point. NoCat cannot prevent users from associating with the wireless network nor would you want it to; if a user can't associate, they can't log in. But it does prevent them from gatewaying to the outside network. Because NoCat dynamically rewrites the firewall rules to allow new users and deny disconnecting users access to the wired network, it's best to use a dedicated system that doesn't have other iptables rules on it already as a gateway.

NoCat consists of two main components: the gateway, which handles user logins and routing packets from the wireless network to the real network, and the authentication server, which stores user accounts and passwords. Typically, one gateway server is used per access point, and a single authentication server is used for a given installation.

The NoCat authentication system can use a simple flat-file password system, a MySQL database, a Radius or LDAP server or a Windows domain login over Samba to validate a user. The authentication server can be located on the local wired network or elsewhere on the Internet.

You can run your own authentication server on the same hardware as your gateway. However, it's more secure and easier for multiple gateways to use a single authentication server if you use separate machines for the authentication server and gateway.

Figure 2. Multiple NoCat gateways providing three hot spots linked to the same wired network using a single authentication server.

Before downloading and installing NoCat, you should begin planning what level of access you want users to have and what your acceptable use policies will be. Although the majority of your users likely will be honest, it's possible someone may attempt to cause mischief. Your port restrictions and acceptable use policies must strike a balance between being strict enough to prevent abuse and being permissive enough that the service is useful. Although any port can be used by a determined mischief maker to cause problems, many hot spots choose to allow SSH (port 22), HTTP (port 80) and HTTPS (port 443).

Other ports that may be useful to your users include POP3 (110), IMAP (143) and SMTP (25), but these carry their own risks to users and to your network. POP3 and IMAP traffic typically is not encrypted, which means users checking their e-mail risk having their passwords captured either in transit to their server or by someone sniffing wireless traffic in the area. Allowing SMTP, especially to unauthenticated users, can be dangerous because it could help a spammer connect to your network. The chances of someone sending massive bulk mailings through your hot spot probably are slim, but taking precautions always makes sense.

Building NoCat itself is a simple process: simply download the NoCat tarball from, do make gateway and make install and edit the configuration file, /usr/local/nocat/nocat.conf. For full functionality, install a DHCP server and configure it to hand out private addresses for your wireless network.

NoCat is controlled by the nocat.conf file. A basic gateway needs:

  • GatewayMode: controls the type of portal you run. An open portal allows anyone to use it once the terms on the splash page are accepted. A closed portal requires users to authenticate before they get access.

  • IncludePorts and ExcludePorts: these control what TCP ports users are allowed to access. If you're running an open portal, you almost certainly want to restrict these to prevent abuse of the network. IncludePorts allows only the listed ports to be used, and ExcludePorts allows any ports but the listed ports to be used.

  • InternalDevice and ExternalDevice: control the network interfaces that NoCat uses. The InternalDevice specifies the device to which the access point is connected, and the ExternalDevice specifies the wired network.

  • LocalNetwork and DNSAddr: LocalNetwork should be set to the network used on your wireless network, and DNSAddr should be set only if you have a DNS server outside your wireless network. If you have a DNS server on your wireless segment, you won't need this option.

  • AuthserviceAddr, AuthServiceURL and LogoutURL: control the type of authentication service the portal uses. By default, they are configured to use the NoCat authentication servers. If you're running a closed portal, though, you'll almost certainly want to set these to be your own authentication system.

Your portal can work with only the minimal configuration, but investigate the other configuration options to customize your portal's interface and rules.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Won't install!

anonymous's picture

NoCat won't install! when I type make gateway it just says:

Looking for gpgv...
Checking for firewall compatibility: No supported firewalls detected! Check your path.
Supported firewalls include: iptables, ipchains, ipf, pf.
Can't seem to find supported firewall software. Check your path?
make: *** [check_fw] Error 255

And I DO have firewall software and a firewall!

Usually I would be able to figure this out but not this time!

PS: I am using fedora 11

Great article!

Wade3445's picture

I searched long and hard to find something this detailed when I was trying to figure out how to set up open source hotspots. Great job.

82nd street hotspot software

Access point DHCP

Diego Piersanti's picture

i have a question: if i run the DHCP from the Access Point and not from the gateway, NoCat can catch the users?
In the config there is an option to use if the gateway is connected to a NAT, but is not explained how it works.

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

Hello, I am about to open a hot spot and I would need to charge people, a small amount to pay for the high speed internet and the hardwhere. Could I use this softwhere to create my own user names and passwords and sell them? If i can, can I give each password only blank amount of min.?

Were you able to build your

Anonymous's picture

Were you able to build your hot spot (charging) using the Nocat product? if yes, please explain as I am interested too.

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

if you're charging you could look into this: .. they offer some very nice products for small businesses, tho the wireless gateway i test ran didnt have the ability to use permanent user:pass combos, so it was unsuited for my needs.

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

Could you please put Figure 2 up again?

Thanks in advance!

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

Very nice article. I use nocat exactly as the author described to provide a free public access point in downtown San Diego:
Little Italy Wireless

The Linux distribution that I use is Multi Network Firewall (from MandrakeSoft). This is a very nice firewall product that allows the creation of fairly complex firewall rules with an easy to use web interface. It also has an impressive set of network monitoring capabilities and supports VPNs, tunnels, etc.

Recently I began to use NoCat for its 'captive portal' feature. This allows me to display a splash page when a user wants to access the network. Eventually I may use the authentication part of the software.

Many thanks to the nocat developers who provide such a wonderful Free Software application.

Phil Lavigna