Linux-Powered Wireless Hot Spots

If you're setting up a wireless gateway for work or a public place, configure it to authenticate users and prevent abuse.
Five Steps to a Simple Portal

Our example portal is a basic open portal. It needs only a single access point and server, because we don't need our own authentication system. We'll also lock it down so anonymous users can browse Web pages, use AIM and SSH to remote systems, but they won't have access to other TCP ports. This is a reasonably secure configuration for anonymous users, but you may wish to restrict it even further and allow only Web page access.

For our example portal, we use the following equipment:

  • A generic access point, such as the Linksys WAP11, D-Link DWL900, the SMC 2655W or countless others. Normally, access points function as bridges connecting all users on a wired and wireless network, but in our setup we use the NoCat gateway to restrict traffic.

  • A Linux server with at least 32MB of RAM, preferably a Pentium class processor or better; your favorite Linux distribution with Perl, Apache-SSL, iptables, Bind and DHCP; and two Ethernet cards. Alternatively, use one Ethernet card and one network card of whatever type is needed to connect to your external network. Once we have all the equipment, we can put the portal together in five easy steps:

  1. Configure the Linux gateway to be on the real network and the wireless networks and to connect to server DHCP and DNS addresses. Plug the first Ethernet card (eth0) in to the access point and the second Ethernet card (eth1) in to the real network. Each distribution has its own method of configuring network cards, so here we use the command line. You'll need to configure your system to set up these interfaces at boot time. We're using as an example address; you should change this to whatever your real address is:

    ifconfig eth0 \
    netmask up
    ifconfig eth1 \
    netmask up

  2. Configure BIND (the DNS server) to be a basic caching DNS server listening to the local network. The default bind installation comes with an example caching configuration.

  3. Configure DHCP to hand out addresses in the 192.168.1.X network by putting the following in /etc/dhcpd.conf. If your DNS server is not, change the domain-name-servers option line accordingly:

    max-lease-time 120;
    default-lease-time 120;
    allow unknown-clients;
    subnet netmask {
        option routers;
        option broadcast-address;
        option subnet-mask;
        option domain-name-servers;

  4. Compile and install NoCat.

  5. Configure NoCat:

    InternalInterface	eth0
    ExternalInterface	eth1
    GatewayMode			open
    IncludePorts		22 80 443 5190

Things to Remember

When setting up and operating a wireless hot spot, you should remember a few things. First, protect your user information. If you allow users to sign up for your service over the wireless, and especially if you plan to take credit-card information, configure Apache for SSL encryption. Second, encourage users to use encryption wherever possible. POP and IMAP traffic can be encrypted with SSL if the remote site supports it, and any traffic can be tunneled over SSH if users have a remote account to which they can connect. Finally, learn as much as possible about wireless technology and security, and consider running monitoring programs. Many wireless security programs are available, but staying on the free software side of the fence, AirSnort (, Kismet ( and Snort ( are good places to begin.

Mike Kershaw currently works for a medium-sized college between Albany and New York City. He became interested in wireless in 2001 and hasn't looked back since. He also is the author of the Kismet wireless security program.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Won't install!

anonymous's picture

NoCat won't install! when I type make gateway it just says:

Looking for gpgv...
Checking for firewall compatibility: No supported firewalls detected! Check your path.
Supported firewalls include: iptables, ipchains, ipf, pf.
Can't seem to find supported firewall software. Check your path?
make: *** [check_fw] Error 255

And I DO have firewall software and a firewall!

Usually I would be able to figure this out but not this time!

PS: I am using fedora 11

Great article!

Wade3445's picture

I searched long and hard to find something this detailed when I was trying to figure out how to set up open source hotspots. Great job.

82nd street hotspot software

Access point DHCP

Diego Piersanti's picture

i have a question: if i run the DHCP from the Access Point and not from the gateway, NoCat can catch the users?
In the config there is an option to use if the gateway is connected to a NAT, but is not explained how it works.

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

Hello, I am about to open a hot spot and I would need to charge people, a small amount to pay for the high speed internet and the hardwhere. Could I use this softwhere to create my own user names and passwords and sell them? If i can, can I give each password only blank amount of min.?

Were you able to build your

Anonymous's picture

Were you able to build your hot spot (charging) using the Nocat product? if yes, please explain as I am interested too.

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

if you're charging you could look into this: .. they offer some very nice products for small businesses, tho the wireless gateway i test ran didnt have the ability to use permanent user:pass combos, so it was unsuited for my needs.

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

Could you please put Figure 2 up again?

Thanks in advance!

Re: Linux-Powered Wireless Hot Spots

Anonymous's picture

Very nice article. I use nocat exactly as the author described to provide a free public access point in downtown San Diego:
Little Italy Wireless

The Linux distribution that I use is Multi Network Firewall (from MandrakeSoft). This is a very nice firewall product that allows the creation of fairly complex firewall rules with an easy to use web interface. It also has an impressive set of network monitoring capabilities and supports VPNs, tunnels, etc.

Recently I began to use NoCat for its 'captive portal' feature. This allows me to display a splash page when a user wants to access the network. Eventually I may use the authentication part of the software.

Many thanks to the nocat developers who provide such a wonderful Free Software application.

Phil Lavigna