AuthInstall
NoCatAuth gateway installation guide
This is the quick-and-dirty guide to getting a wireless gateway running with the NoCatAuth system. If you simply want to "run a NoCat node", this should get you going.
For detailed instructions on how to set up your own Authentication Service (and a good overall view of how this whole thing works), check out Introduction.txt and AuthService.txt in the doc/ directory.
We don't recommend running the gateway and the authservice on the same machine, but if you're dead-set on doing it, be sure to read doc/SameMachine.txt first.
Installing a gateway.
For the terminally impatient!
Check your prerequisites as below. Then, try the following:
$ su - # tar zvxf NoCatAuth-x.xx.tar.gz # cd NoCatAuth-x.xx # make gateway # cd /usr/local/nocat # vi nocat.conf # bin/gateway
If you see something to the effect of:
[2001-12-28 20:38:27] Resetting firewall. [2001-12-28 20:38:27] Binding listener socket to 0.0.0.0
...then you're up! Watch the progress in 'nocat.log', and give it a try.
Step by step:
Currently, the gateway is designed to run on a standalone box. If you have other firewall rules defined, THEY WILL BE OVERWRITTEN by the gateway process when it starts. See the end of this file for how to get around this, but please first consider running the gateway on its own machine.
Also, remember that running a gateway requires root permissions.
1. Make sure you have the prerequisites installed:
- Linux 2.4.x with iptables. You'll find a sample kernel configuration in etc/linux-2.4.config. Support for other OSes is planned, especially FreeBSD. Support for ipchains is beta, and is currently broken. Patches welcome.
- gpgv, a PGP signature verifier. gpgv comes with the gnupg package, which can be downloaded from http://www.gnupg.org/download.html
- You'll probably also want to run dhcpd on this machine, but DHCP can in some cases be served from your access point or elsewhere on your local network.
- If you want to try the bandwidth throttling rules, you'll also need a copy of the 'tc' tool from the iproute2 package. Get it at ftp://ftp.inr.ac.ru/ip-routing/
- Optionally (and recommended), a local caching DNS server.
2. Unpack the NoCatAuth tarball. You probably already did this if you're reading this file.
$ tar zvxf NoCatAuth-x.xx.tar.gz
3. Edit the Makefile, if necessary. The only real option at present is INST_PATH, which determines where NoCatAuth gets installed to. The default is '/usr/local/nocat', so if that's okay with you, you can skip this step.
4. From the NoCatAuth directory, run 'make gateway'. This will install the important pieces of the gateway software.
5. Edit the /usr/local/nocat/nocat.conf file to suit. These parameters are required:
- InternalDevice must be set to the interface name of your wireless card, or the ethernet card that talks to your AP (e.g., eth0. See docs/Introduction.txt for more details.)
- ExternalDevice must be set to the name of the network interface that talks to the Internet. (probably the ethernet card connected to your DSL or cable modem, or your dialup device: eth1, ppp0, etc.)
- LocalNetwork needs to be set to the network address and mask of your internal (wireless) network. This typically takes the form 111.222.333.444/255.255.255.0, or 11.22.33.44/24, etc.
- DNSAddr needs to be set to the same domain name server address that your DHCP server hands out, if and only if you're using a DNS outside your LocalNetwork (as specified above). Otherwise, if you're using a caching DNS server on the gateway or anywhere else on your wireless network, leave this option commented out.
- GatewayMode toggles between Open and Captive/Passive mode. An Open gateway just displays the html file specified in SplashForm for acceptance. Passive mode implements the whole authentication process. If you want people to have to login, use Passive mode. (Captive mode is an older operating mode that doesn't work at all if your gateway is behind a NAT from your authserv.)
- AuthServiceAddr, AuthServiceURL, and LogoutURL depend on your chosen auth service (assuming you're using Captive or Passive as your GatewayMode.) Check with your local auth service admins for these values (or leave the defaults to use our auth service.)
- IncludePorts and ExcludePorts can be set to restrict ports that public users can access (say, to disallow email traffic.) If you use IncludePorts, only the ports listed will be allowed. Using ExcludePorts makes all ports available except the ports listed. Currently, only TCP ports are supported.
Starting the gateway
You should now be able to start the portal by running bin/gateway as root. You'll see a message to the effect of:
[2001-12-28 20:38:27] Resetting firewall. [2001-12-28 20:38:27] Binding listener socket to 0.0.0.0
If it doesn't start cleanly, read on.
The portal needs to know where to find (a) its perl libraries, and (b) its nocat.conf configuration file. NoCatAuth tries very hard to figure out these values on its own. If you installed to /usr/local/nocat, you should have no problems.
Otherwise, you may need to add the following variables to the shell environment before running the gateway script:
$ export PERL5LIB=/path/to/nocat/lib:$PERL5LIB $ export NOCAT=/path/to/nocat/nocat.conf
Utilities like iptables, modprobe, and gpgv need should be in your $PATH somewhere (if they aren't already). For example:
$ export PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
Starting the gateway is then as simple as: (from a root prompt)
# /path/to/nocat/bin/gateway
NOTE: You MUST run the gateway program as root, in order for it to be able to update the firewall rules as needed. Arguably, this is a bug. Patches welcome.
To start the gateway service automatically at boot time, check out the etc/nocat.rc script. Install it by copying it to /etc/rc.d/init.d, and either add a call to it in your rc.local, or symlink it to your runlevel, like this:
# ln -s /etc/rc.d/init.d/nocat.rc /etc/rc.d/rc3.d/S99nocat
Congratulations. You're now running a gateway.
Important Notes for the Gateway
- Make sure that your dhcp server hands out the same DNS address listed in nocat.conf (if you're using external DNS). Otherwise, your wireless clients won't be able to resolve hostnames.
- We have designed this software to be run on very modest hardware (a 486/50 with 32MB ram should be plenty.) Please consider running the gateway on a dedicated machine before simply installing it on your existing firewall.
IP security is a complicated enough already... NoCat adds to the complexity by introducing dynamic firewall rules that are triggered by completely anonymous users (via the wireless.) While no security system is foolproof, risk can be minimized by isolating your wireless node from the rest of your network.
Please read docs/Introduction.txt (and a good book on firewalls) for more details.
Thanks for using NoCatAuth. Good luck! Patches welcome!