NoCat

Now that you've configured your Linux machine as an AP, you're probably asking, “Gee, wouldn't it be neat if I had a way to authenticate users and present them with a forced portal (like a redirected Web page), when they try to access my network?” The answer (and very elegant solution) is NoCat. NoCat operates as a captive portal system that lets you set up a gateway machine with some control over who can and cannot access your wireless network.

NoCat operates in a two-tier architecture: Gateway machines bridge the wired and wireless networks (acting like a smart AP); authentication servers are the back-end servers that keep track of user accounts. You can use NoCat's authentication service (auth.nocat.net), or build your own NoCat authentication server. Keep in mind that while a typical NoCat deployment would have a wired interface to your Internet connection (cable/DSL/T1/etc.) and a wireless NIC in HostAP mode to service the wireless clients, this is not a requirement. In fact, it is possible to configure a NoCat device with two wired NICs (one to your Internet connection and the other to your stand-alone AP).

The steps for configuring NoCat are very straightforward.

First, make sure you are root with this command:

su -

Next, download the latest tarball from http://nocat.net/download (in the NoCatAuth folder) and untar the file into the directory of your choice with this command (where x.xx represents your version number):

tar zvxf NoCatAuth-x.xx.tar.gz

Then, change directory into the newly created directory and build the gateway with these commands:

cd NoCatAuth-x.xx

make gateway

(Note that if you were building an authentication server, the command would be make authserv.)

Next, review and modify the NoCat configuration file. Using your favorite text editor, open /usr/local/nocat/nocat.conf. It's a good idea to walk through this entire file to get a feel for the various options. The essential parameters to check are:

  • ExternalDevice: This should be set to the interface name of your Internet connection. This is probably going to be eth0.

  • InternalDevice: This should be set to the interface name of your wireless connection. This is probably going to be wlan0 or eth1.

  • LocalNetwork: This defines the IP address/Mask of your internal network. For example: 192.168.1.0/24.

  • DNSAddr: This should be set to the IP address of your DNS server. Set the DNSAddr only if your DNS server is located outside of your network (i.e., your ISP or service provider). If you are running your own DNS server, this setting should not be defined. If you use DNSAddr, make sure that the DNS Server IP address defined on your clients (set statically or via DHCP) matches the address you set in DNSAddr.

  • GatewayMode: This is where you define the NoCat mode of operation. You have three options: Captive, Passive, and Open. Captive mode authenticates using a NoCat authentication server. Passive mode is similar to Captive, except that you must use Passive if the gateway is behind a NAT device (if you are not behind a NAT device, you can still use Captive mode). In Open mode, users do not need to authenticate; they are instead presented with an HTML page and must accept an AUP agreement to get access. The recommended mode is Passive.

NoCat has the ability to block ports using the IncludePorts and ExcludePorts options in /usr/local/nocat/nocat.conf. This gives you an easy way to create rules for public users. Remember to only use IncludePorts or ExcludePorts (but not both). By default, Port 25 (SMTP) will be excluded to block outgoing email. This is a good idea because you don't want your AP used by a drive-by spammer.
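Before starting the gateway it is worth checking that the essential parameters above are consistent with each other. The following is an added example, not part of this book or of the NoCat distribution: a small POSIX shell checker that reads a nocat.conf and reports the mistakes discussed above (the same interface on both sides, a LocalNetwork that is not address/prefix, an unknown GatewayMode, IncludePorts and ExcludePorts both set, and an ExcludePorts list that no longer blocks port 25). It assumes the one-directive-per-line "Key Value" layout of nocat.conf; the sample configuration it writes to a temporary file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or the NoCat project): sanity-check a
# nocat.conf before running /usr/local/nocat/bin/gateway. Assumes the
# "Key Value" one-directive-per-line layout of nocat.conf.

# Constructed sample nocat.conf fragment, written to a temp file for the demo.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed nocat.conf fragment
ExternalDevice  eth0
InternalDevice  wlan0
LocalNetwork    192.168.1.0/24
GatewayMode     Passive
ExcludePorts    25
EOF

# conf_get FILE KEY -> prints the value of KEY (rest of the first matching
# non-comment line, so multi-port lists survive), empty if KEY is unset.
conf_get() {
    awk -v k="$2" '$1 !~ /^#/ && $1 == k {
        sub(/^[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# check_nocat_conf FILE -> prints one "ERROR:" line per problem found and
# returns 0 only when the file passes every check.
check_nocat_conf() {
    conf="$1"
    errors=0
    ext=$(conf_get "$conf" ExternalDevice)
    int=$(conf_get "$conf" InternalDevice)
    net=$(conf_get "$conf" LocalNetwork)
    mode=$(conf_get "$conf" GatewayMode)
    inc=$(conf_get "$conf" IncludePorts)
    exc=$(conf_get "$conf" ExcludePorts)

    # Both interfaces must be set and must differ: the gateway cannot separate
    # the public wireless side from the upstream link on a single NIC.
    if [ -z "$ext" ] || [ -z "$int" ]; then
        echo "ERROR: ExternalDevice and InternalDevice must both be set"; errors=$((errors+1))
    elif [ "$ext" = "$int" ]; then
        echo "ERROR: ExternalDevice and InternalDevice are the same ($ext)"; errors=$((errors+1))
    fi

    # LocalNetwork must be address/prefix so the firewall rules know the client range.
    case "$net" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "ERROR: LocalNetwork '$net' is not in address/prefix form"; errors=$((errors+1)) ;;
    esac

    # Only the three documented modes are valid (compared case-insensitively).
    case "$(printf '%s' "$mode" | tr 'A-Z' 'a-z')" in
        captive|passive|open) ;;
        *) echo "ERROR: GatewayMode '$mode' is not Captive, Passive or Open"; errors=$((errors+1)) ;;
    esac

    # IncludePorts and ExcludePorts are mutually exclusive.
    if [ -n "$inc" ] && [ -n "$exc" ]; then
        echo "ERROR: IncludePorts and ExcludePorts are both set; use only one"; errors=$((errors+1))
    fi

    # With an exclude list, port 25 should stay blocked so the AP cannot relay spam.
    if [ -n "$exc" ]; then
        case " $exc " in
            *" 25 "*) ;;
            *) echo "ERROR: ExcludePorts does not block port 25 (SMTP)"; errors=$((errors+1)) ;;
        esac
    fi

    [ "$errors" -eq 0 ]
}

# Run the checker against the constructed sample; exit status is 0 when clean.
check_nocat_conf "$SAMPLE_CONF" && echo "$SAMPLE_CONF: OK"
```

Run it against /usr/local/nocat/nocat.conf instead of the sample by calling check_nocat_conf with that path; a non-zero exit status means at least one ERROR line was printed and the file should be corrected before the gateway is started.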

To start the NoCat gateway, type:

/usr/local/nocat/bin/gateway
(or /wherever_you_installed_nocat/bin/gateway)

You will see a message like this:

[1972-07-02 00:31:00] Resetting firewall.

[1972-07-02 00:31:00] Binding listener socket to  0.0.0.0

That's it! You're up and running.
