Linux-Powered Wireless Hot Spots
Our example portal is a basic open portal. It needs only a single access point and server, because we don't need our own authentication system. We'll also lock it down so anonymous users can browse Web pages, use AIM and SSH to remote systems, but they won't have access to other TCP ports. This is a reasonably secure configuration for anonymous users, but you may wish to restrict it even further and allow only Web page access.
For our example portal, we use the following equipment:
A generic access point, such as the Linksys WAP11, D-Link DWL900, the SMC 2655W or countless others. Normally, access points function as bridges connecting all users on a wired and wireless network, but in our setup we use the NoCat gateway to restrict traffic.
A Linux server with at least 32MB of RAM, preferably a Pentium class processor or better; your favorite Linux distribution with Perl, Apache-SSL, iptables, Bind and DHCP; and two Ethernet cards. Alternatively, use one Ethernet card and one network card of whatever type is needed to connect to your external network.
Once we have all the equipment, we can put the portal together in five easy steps:
Configure the Linux gateway to be on the real network and the wireless networks and to serve DHCP and DNS addresses. Plug the first Ethernet card (eth0) into the access point and the second Ethernet card (eth1) into the real network. Each distribution has its own method of configuring network cards, so here we use the command line. You'll need to configure your system to set up these interfaces at boot time. We're using 123.123.123.123 as an example address; you should change this to whatever your real address is:
    ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up
    ifconfig eth1 123.123.123.123 netmask 255.255.255.0 up
Configure BIND (the DNS server) to be a basic caching DNS server listening to the local network. The default BIND installation comes with an example caching configuration.
Configure DHCP to hand out addresses in the 192.168.1.X network by putting the following in /etc/dhcpd.conf. If your DNS server is not 192.168.1.1, change the domain-name-servers option line accordingly:
    max-lease-time 120;
    default-lease-time 120;
    allow unknown-clients;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 192.168.1.1;
        range 192.168.1.100 192.168.1.254;
    }
Compile and install NoCat.
Configure NoCat:
    InternalInterface eth0
    ExternalInterface eth1
    LocalNetwork 192.168.1.0/255.255.255.0
    GatewayMode open
    IncludePorts 22 80 443 5190
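The following is an added example, not code from the original article or from the NoCat project: a Python check that the nocat.conf and dhcpd.conf settings from the steps above agree with each other and that the ports opened to anonymous users match the policy you intended. The function names and the policy_ports parameter are assumptions of this example, as is the treatment of # as a comment marker in nocat.conf.

```python
import ipaddress
import re

# Settings copied from the article's nocat.conf and dhcpd.conf listings.
NOCAT_CONF = """\
InternalInterface eth0
ExternalInterface eth1
LocalNetwork 192.168.1.0/255.255.255.0
GatewayMode open
IncludePorts 22 80 443 5190
"""
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  range 192.168.1.100 192.168.1.254;
}
"""

def parse_nocat(text):
    """Return {directive: value}; assumes '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def audit(nocat_text, dhcpd_text, policy_ports):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    conf = parse_nocat(nocat_text)
    local = ipaddress.ip_network(conf["LocalNetwork"])
    if conf.get("InternalInterface") == conf.get("ExternalInterface"):
        findings.append("internal and external interface are the same")
    ports = {int(p) for p in conf.get("IncludePorts", "").split()}
    for port in sorted(ports - set(policy_ports)):
        findings.append(f"TCP port {port} is open to anonymous users but not in policy")
    # Leased addresses and the default router must sit on the wireless subnet
    # (single-address 'option routers' lines only; DNS may live elsewhere).
    checks = (("range", r"range\s+(\S+)\s+(\S+);"), ("routers", r"option\s+routers\s+(\S+);"))
    for label, pattern in checks:
        for match in re.finditer(pattern, dhcpd_text):
            for addr in match.groups():
                if ipaddress.ip_address(addr) not in local:
                    findings.append(f"dhcpd {label} address {addr} is outside {local}")
    return findings

if __name__ == "__main__":
    print(audit(NOCAT_CONF, DHCPD_CONF, {22, 80, 443, 5190}) or "configs agree")
```

Passing {80, 443} as policy_ports reports ports 22 and 5190, which is the tighter Web-only policy the article mentions as an option.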
When setting up and operating a wireless hot spot, you should remember a few things. First, protect your user information. If you allow users to sign up for your service over the wireless, and especially if you plan to take credit-card information, configure Apache for SSL encryption. Second, encourage users to use encryption wherever possible. POP and IMAP traffic can be encrypted with SSL if the remote site supports it, and any traffic can be tunneled over SSH if users have a remote account to which they can connect. Finally, learn as much as possible about wireless technology and security, and consider running monitoring programs. Many wireless security programs are available, but staying on the free software side of the fence, AirSnort (airsnort.shmoo.com), Kismet (www.kismetwireless.net) and Snort (www.snort.org) are good places to begin.
802.11a, b or g?
802.11a is nowhere near as widespread as 802.11b, and 802.11g boasts the same speeds plus backward compatibility. 802.11a also is extremely short-range.
At the time of this writing, existing 802.11g hardware on the market was released before the IEEE specification was completed and may not be compatible with other or future 802.11g implementations. Many reviewers have found backward-compatibility problems. Future 802.11g implementations hopefully will have these issues resolved. It may be more cost effective to set up a hot spot using 802.11b now and upgrade in the future.
Sam Leffler recently has developed drivers for Atheros 802.11a and 802.11g cards. However, the drivers require a proprietary hardware abstraction layer to restrict the frequencies and power the card uses.
Mike Kershaw currently works for a medium-sized college between Albany and New York City. He became interested in wireless in 2001 and hasn't looked back since. He also is the author of the Kismet wireless security program.
Comments
Won't install!
NoCat won't install! When I type make gateway it just says:
And I DO have firewall software and a firewall!
HELP!!!
Usually I would be able to figure this out but not this time!
PS: I am using Fedora 11
Great article!
I searched long and hard to find something this detailed when I was trying to figure out how to set up open source hotspots. Great job.
Wade
82nd street hotspot software
Access point DHCP
I have a question: if I run the DHCP from the Access Point and not from the gateway, can NoCat catch the users?
In the config there is an option to use if the gateway is connected to a NAT, but it is not explained how it works.
Re: Linux-Powered Wireless Hot Spots
Hello, I am about to open a hot spot and I would need to charge people a small amount to pay for the high speed internet and the hardware. Could I use this software to create my own user names and passwords and sell them? If I can, can I give each password only blank amount of min.?
Were you able to build your
Were you able to build your hot spot (charging) using the Nocat product? If yes, please explain as I am interested too.
Re: Linux-Powered Wireless Hot Spots
If you're charging you could look into this: zyxel.com .. they offer some very nice products for small businesses, though the wireless gateway I test ran didn't have the ability to use permanent user:pass combos, so it was unsuited for my needs.
Re: Linux-Powered Wireless Hot Spots
Could you please put Figure 2 up again?
Thanks in advance!
Re: Linux-Powered Wireless Hot Spots
Very nice article. I use nocat exactly as the author described to provide a free public access point in downtown San Diego:
Little Italy Wireless
The Linux distribution that I use is Multi Network Firewall (from MandrakeSoft). This is a very nice firewall product that allows the creation of fairly complex firewall rules with an easy to use web interface. It also has an impressive set of network monitoring capabilities and supports VPNs, tunnels, etc.
Recently I began to use NoCat for its 'captive portal' feature. This allows me to display a splash page when a user wants to access the network. Eventually I may use the authentication part of the software.
Many thanks to the nocat developers who provide such a wonderful Free Software application.
Phil Lavigna
phil@littleitalywifi.com