Archive for March, 2007

PC, Mac and Linux

Monday, March 26th, 2007

Novell has released two adverts satirising the Macintosh ads that are doing the rounds at the moment. Not too bad an idea I suppose, we just need something like this for Ubuntu now!

Setting up a System for Public Wireless Internet Access

Saturday, March 24th, 2007

I thought I’d do something half useful today, and put together all of the instructions/notes etc I’d written about putting together a free public wireless access system using WiFiDog (link at the bottom of this post).

If you are an organisation (or even an individual I guess), wanting to provide WiFi access over multiple locations (perhaps a college campus?) with centralised login, the tutorial should get you there.

The system as it stands is much superior to more or less any proprietary access system that I’ve come across, but costs next to nothing as it can be put together using old recycled PCs and free software.

Hopefully this should prove useful to someone out there. Please feel free to contribute to the tutorial too if you have anything to add.

>>> Setting up a System for Public Wireless Internet Access <<<

Setting up a Transparent Proxy on Ubuntu Server 6.06 LTS

Friday, March 23rd, 2007

For the past couple of days I’ve been playing with Ubuntu Server and transparent proxying. What fun!

If you, like me, work for a business/organisation which offers free wireless internet to the public (or even if you leave your home network open), you would be wise to keep an eye on what visitors are using your internet connection for.

We will be setting up an Ubuntu box which intercepts all traffic going out to the net and redirects any destined for port 80 to a squid proxy. It logs the destination of the traffic before sending it on its way, so you know what your internet connection is being used for.

Bring the Thunder…

First up, set up a box with 2 network cards installed, install Ubuntu Server onto it, and assign the network cards static IP addresses.

Install squid:

sudo apt-get install squid

Then edit the /etc/squid/squid.conf file to your taste. Once you have squid working just how you like it, make sure the following directives are included:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Now create a file called proxy.sh – I got this script from an excellent Red Hat Linux tutorial. You just need to edit the top bits labelled SQUID_SERVER, INTERNET, LAN_IN and SQUID_PORT.

#!/bin/sh
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Move the script to /etc/init.d and make it executable:

sudo chmod a+x proxy.sh

Then run it:

/etc/init.d/proxy.sh

and test it by setting the internet facing port as the gateway on a client machine.

Visit a few websites on the client machine, and see if they’re appearing in your squid access log:

tail /var/log/squid/access.log

To make sure your firewall rules work after a reboot, set your script to run during the startup process by making a symbolic link in the rc2.d directory:

ln -s /etc/init.d/proxy.sh /etc/rc2.d/S95proxy

Now if you change the gateway address the DHCP server gives to wireless clients to the interface assigned to your LAN on the proxy, all traffic to port 80 will pass through your squid box and be logged.

To make it easier to interpret the stats squid produces, I’d suggest installing sarg:

sudo apt-get install sarg apache2
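For a quick look at who is going where before sarg is set up, the following added example (not part of the original script, squid or sarg) totals requests and bytes per client and destination host from squid's native access.log format. The sample log lines are constructed, and the function names write_sample_log and summarise_squid_log are made up for this example.

```sh
#!/bin/sh
# Added example: per-client, per-destination totals from a squid
# native-format access.log (fields: time elapsed client action/code
# bytes method URL ident peer type).

# Constructed sample data, written to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
1174651200.123    250 192.168.1.50 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1174651201.456     90 192.168.1.50 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1174651205.789    310 192.168.1.51 TCP_MISS/200 10000 GET http://Downloads.Example.net:80/file.iso - DIRECT/192.0.2.20 application/octet-stream
1174651210.000    120 192.168.1.50 TCP_MISS/404 512 GET http://www.example.org/missing?x=1 - DIRECT/192.0.2.30 text/html
EOF
}

# Print "client host requests bytes", busiest pair first.
summarise_squid_log() {
    awk '
    NF >= 7 {
        host = $7
        sub("^[a-z]+://", "", host)   # drop the scheme
        sub("[/?].*$", "", host)      # drop path and query string
        sub(":[0-9]+$", "", host)     # drop an explicit port
        key = $3 " " tolower(host)
        reqs[key]++
        bytes[key] += $5
    }
    END {
        for (k in reqs) printf "%s %d %d\n", k, reqs[k], bytes[k]
    }' "$1" | LC_ALL=C sort -k3,3nr -k1,1 -k2,2
}

# Demo on the constructed sample; on the proxy box, point the
# function at /var/log/squid/access.log instead.
sample=$(mktemp)
write_sample_log "$sample"
summarise_squid_log "$sample"
rm -f "$sample"
```

Only requests that the port 80 rule redirected to squid appear in this log, so traffic on other ports will not show up in the totals.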

To implement web-content-filtering I guess you could also install dansguardian and fiddle with the port settings in the script. In fact this is a particularly good way to tunnel your kids’ computers through web-filtering when they’ve got bright enough to figure out how to change their proxy settings in Firefox/IE…

Have fun!

PS. Information on this subject is included in the wiki here – please feel free to contribute and/or expand.

SUSE Style Gnome Menu on Ubuntu Edgy/Feisty

Sunday, March 11th, 2007

When testing out OpenSUSE not so long ago, I was pretty impressed with the function and usability of the gnome menu bundled with the distro. I wrongly assumed this was something specific to SUSE but happily, I’ve been proved wrong.

The package that gives this functionality is available straight from the Ubuntu Edgy/Feisty repositories.


Get and install the package gnome-main-menu

sudo apt-get install gnome-main-menu

Right click on the gnome panel, select ‘Add to Panel’, find the section called ‘Utilities’ and select the ‘Main Menu’ app indicated by the picture of the computer.

Bob’s your uncle! – Done…