setting_up_a_captive_portal_from_scratch_using_debian

Differences

This shows you the differences between two versions of the page.


setting_up_a_captive_portal_from_scratch_using_debian [2018/12/06 20:12]
abeverley
setting_up_a_captive_portal_from_scratch_using_debian [2018/12/06 20:15]
abeverley
Line 1: Line 1:
 =====Setting up a captive portal from scratch using Debian===== =====Setting up a captive portal from scratch using Debian=====
- 
  
 ===== Introduction ===== ===== Introduction =====
Line 61: Line 60:
   * Install PPP using the command   * Install PPP using the command
  
-<​html>​<​code>​</​html>​ +<​code>​
 apt-get install ppp apt-get install ppp
 +</​code>​
  
-<​html></​code></​html>​ 
  
   * Create file /​etc/​ppp/​chap-secrets with the following contents:   * Create file /​etc/​ppp/​chap-secrets with the following contents:
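Review bot: swapping "<html><code></html>" for the native "<code>" block is the right fix, and not only cosmetically: DokuWiki renders "<html>" blocks as raw markup only when the htmlok option is enabled, and leaving that option on for an editable wiki is a stored-XSS exposure, so moving to native syntax lets htmlok stay off. The same inline form survives unchanged on the "Restart the DHCP server:" line further down this diff and should get the same treatment.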
Line 75: Line 73:
   * Create file /​etc/​ppp/​peers/​isp0 with the following contents:   * Create file /​etc/​ppp/​peers/​isp0 with the following contents:
  
-<​html>​<​code>​</​html>​ +<​code>​
 noipdefault noipdefault
 defaultroute defaultroute
Line 85: Line 82:
 plugin pppoatm.so plugin pppoatm.so
 0.0.38 0.0.38
-<​html>​</​code>​</​html>​+</​code>​ 
  
 Replace username as appropriate Replace username as appropriate
Line 101: Line 99:
   * Install PPP using the command   * Install PPP using the command
  
-<​html>​<​code>​</​html>​ +<​code>​
 apt-get install ppp apt-get install ppp
-<​html>​</​code>​</​html>​+</​code>​ 
  
 Create file /​etc/​ppp/​chap-secrets with the following contents: Create file /​etc/​ppp/​chap-secrets with the following contents:
Line 114: Line 112:
 Create file /​etc/​ppp/​peers/​isp0 with the following contents: Create file /​etc/​ppp/​peers/​isp0 with the following contents:
  
-<​html>​<​code>​</​html>​ +<​code>​
 noipdefault noipdefault
 defaultroute defaultroute
Line 124: Line 121:
 plugin pppoatm.so plugin pppoatm.so
 0.38 0.38
-<​html>​</​code>​</​html>​+</​code>​ 
  
 Replace username as appropriate Replace username as appropriate
Line 140: Line 138:
 A number of additional packages are needed and can be installed using apt. Because the installation was initially done from a CD, no network repositories will be available, so it is best to set one up using the netselect command. However, netselect is not currently installed and is not on the CD! So, setup a temporary network repository first: A number of additional packages are needed and can be installed using apt. Because the installation was initially done from a CD, no network repositories will be available, so it is best to set one up using the netselect command. However, netselect is not currently installed and is not on the CD! So, setup a temporary network repository first:
  
-<​html>​<​code>​</​html>​ +<​code>​
 echo deb http://​ftp.debian.org/​debian squeeze main > /​etc/​apt/​sources.list echo deb http://​ftp.debian.org/​debian squeeze main > /​etc/​apt/​sources.list
 apt-get update apt-get update
-<​html>​</​code>​</​html>​+</​code>​ 
  
 Then install netselect-apt:​ Then install netselect-apt:​
  
-<​html>​<​code>​</​html>​ +<​code>​
 apt-get install netselect-apt apt-get install netselect-apt
-<​html>​</​code>​</​html>​+</​code>​ 
  
 And finally use netselect to setup the best repositories:​ And finally use netselect to setup the best repositories:​
  
-<​html>​<​code>​</​html>​ +<​code>​
 cd /etc/apt cd /etc/apt
 netselect-apt squeeze netselect-apt squeeze
 apt-get update apt-get update
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Now install additional packages using the command:   * Now install additional packages using the command:
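Review bot: the temporary sources.list written by the echo line contains only the "squeeze main" entry and no security.debian.org line, and the ">" redirect clobbers whatever was in the file before; that is acceptable for the single install of netselect-apt, but before the "Now install additional packages" step runs, confirm that the sources.list generated by "netselect-apt squeeze" includes a security entry, otherwise the whole portal host is built without security updates.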
Line 179: Line 177:
   * Ensure the eth0 entry looks as follows:   * Ensure the eth0 entry looks as follows:
  
-<​html>​<​code>​</​html>​ +<​code>​
 auto eth0 auto eth0
 iface eth0 inet static iface eth0 inet static
 address 10.0.0.1 address 10.0.0.1
 netmask 255.255.0.0 netmask 255.255.0.0
-<​html>​</code></​html>+</​code>​
  
-  * If required set up a second ethernet interface. This can be used to provide internet access for a separate independent network if required. Add the following code to /​etc/​network/​interface:​ 
  
-<​html><​code></html>+  * If required set up a second ethernet interface. This can be used to provide internet access for a separate independent network if required. Add the following ​code to /etc/​network/​interface:​
  
 +<​code>​
 auto eth1 auto eth1
 iface eth1 inet static iface eth1 inet static
 address 192.168.0.1 address 192.168.0.1
 netmask 255.255.255.0 netmask 255.255.255.0
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Restart networking:   * Restart networking:
  
-<​html>​<​code>​</​html>​ +<​code>​
 /​etc/​init.d/​networking restart /​etc/​init.d/​networking restart
-<​html>​</​code>​</​html>​+</​code>​ 
  
 ===== Update config files ===== ===== Update config files =====
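Review bot: the re-added bullet for the second interface names the file /etc/network/interface; the correct path is /etc/network/interfaces, as the later "Edit /etc/network/interfaces" step in this diff has it. Fix the path in the bullet so readers do not create a file that networking never reads.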
Line 210: Line 208:
   * Set up web server for captive portal (apache). The following instructions download all the files from this website. They can be edited as required, or alternatively full instructions for this method of setting up a captive portal are detailed elsewhere on this site.   * Set up web server for captive portal (apache). The following instructions download all the files from this website. They can be edited as required, or alternatively full instructions for this method of setting up a captive portal are detailed elsewhere on this site.
  
-<​html>​<​code>​</​html>​ +<​code>​
 cd /var/ cd /var/
 wget files.andybev.com/​web-portal/​portalshaper-www.tar.gz wget files.andybev.com/​web-portal/​portalshaper-www.tar.gz
 tar -zxvf portalshaper-www.tar.gz tar -zxvf portalshaper-www.tar.gz
 rm portalshaper-www.tar.gz rm portalshaper-www.tar.gz
-<​html>​</​code>​</​html>​+</​code>​ 
  
   - Edit settings.php and set all variables at beginning of the file as required, including the passwords   - Edit settings.php and set all variables at beginning of the file as required, including the passwords
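Review bot: the tarball is fetched over plain http with no checksum or signature check and then unpacked as root into /var, and the settings.php inside it is where the portal passwords end up; fetch it over https and compare against a published hash before extracting, and because "tar -zxvf" trusts whatever paths the archive contains, list it first with "tar -tzf" so nothing lands outside the intended web root.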
Line 229: Line 227:
   * Configure URL redirect for captive portal by enabling mod_rewrite:​   * Configure URL redirect for captive portal by enabling mod_rewrite:​
  
-<​html>​<​code>​</​html>​ +<​code>​
 cd /​etc/​apache2/​mods-enabled cd /​etc/​apache2/​mods-enabled
 ln -s ../​mods-available/​rewrite.load ln -s ../​mods-available/​rewrite.load
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Edit /​etc/​apache2/​sites-enabled/​000-default and add rewrite rules after ServerAdmin (be sure to edit server name qualso and add any other webserver names):   * Edit /​etc/​apache2/​sites-enabled/​000-default and add rewrite rules after ServerAdmin (be sure to edit server name qualso and add any other webserver names):
  
-<​html>​<​code>​</​html>​ +<​code>​
 Options +FollowSymlinks Options +FollowSymlinks
 RewriteEngine On RewriteEngine On
Line 244: Line 241:
 RewriteCond %{HTTP_HOST} !^earth [NC] RewriteCond %{HTTP_HOST} !^earth [NC]
 RewriteRule . http://​qualso.wardroom/​index.php/​%{HTTP_HOST}%{REQUEST_URI}?​%{QUERY_STRING} [L,R] RewriteRule . http://​qualso.wardroom/​index.php/​%{HTTP_HOST}%{REQUEST_URI}?​%{QUERY_STRING} [L,R]
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Restart Apache: ''​%%apache2ctl%%''​ ''​%%restart%%''​   * Restart Apache: ''​%%apache2ctl%%''​ ''​%%restart%%''​
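Review bot: the RewriteRule assembles the redirect target from client-controlled values (%{HTTP_HOST}, %{REQUEST_URI}, %{QUERY_STRING}) and hands them to index.php as a path, so index.php must treat that string as untrusted input before echoing it into a page or using it as the post-login destination. Note also that "[R]" without a status code is a 302, which is the right choice here so clients do not cache the captive redirect.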
Line 255: Line 253:
   * Add the following after the "​localhost"​ domain:   * Add the following after the "​localhost"​ domain:
  
-<​html>​<​code>​</​html>​ +<​code>​
 zone "​wardroom"​ { zone "​wardroom"​ {
     type master;     type master;
     file "/​etc/​bind/​db.wardroom";​     file "/​etc/​bind/​db.wardroom";​
 }; };
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Go to /etc/bind   * Go to /etc/bind
Line 268: Line 266:
   * Add required hostnames at the end of the file. These entries setup 3 different names for the main server (spaces should be tabs, and make sure that you increase the serial number). qualso is the name you gave your server earlier, earth is the name of the server as assumed by the web server and the captive portal web scripts.   * Add required hostnames at the end of the file. These entries setup 3 different names for the main server (spaces should be tabs, and make sure that you increase the serial number). qualso is the name you gave your server earlier, earth is the name of the server as assumed by the web server and the captive portal web scripts.
  
-<​html>​<​code>​</​html>​ +<​code>​
 qualso ​     A      10.0.0.1 qualso ​     A      10.0.0.1
 earth       ​A ​     10.0.0.1 earth       ​A ​     10.0.0.1
 mail        A      10.0.0.1 mail        A      10.0.0.1
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Reload BIND with ''​%%/​etc/​init.d/​bind9%%''​ ''​%%reload%%''​   * Reload BIND with ''​%%/​etc/​init.d/​bind9%%''​ ''​%%reload%%''​
Line 286: Line 284:
   - Add the following at the end of the file:   - Add the following at the end of the file:
  
-<​html>​<​code>​</​html>​ +<​code>​
 subnet 10.0.0.0 netmask 255.255.0.0 { subnet 10.0.0.0 netmask 255.255.0.0 {
   option subnet-mask 255.255.0.0;​   option subnet-mask 255.255.0.0;​
Line 297: Line 294:
   next-server 10.0.0.1;   next-server 10.0.0.1;
 } }
-<​html>​</​code>​</​html>​+</​code>​ 
  
 The last 3 lines are only for network booting of clients. On a separate page (see link later) it is shown how to set up some network booting deskstations that will boot a network live copy of Ubunutu. The last 3 lines are only for network booting of clients. On a separate page (see link later) it is shown how to set up some network booting deskstations that will boot a network live copy of Ubunutu.
Line 303: Line 301:
 Restart the DHCP server: <​html><​code></​html>​ Restart the DHCP server: <​html><​code></​html>​
  
 +<​code>​
 /​etc/​init.d/​isc-dhcp-server restart /​etc/​init.d/​isc-dhcp-server restart
-<​html>​</​code>​</​html>​+</​code>​ 
  
 ===== Install IPSet ===== ===== Install IPSet =====
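Review bot: the inline "<html><code></html>" on the "Restart the DHCP server:" line is unchanged context, so it survives in the new revision next to the newly added "<code>" block below it; drop it, otherwise a raw <code> tag is either rendered (htmlok on) or shown literally (htmlok off) in front of the block.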
Line 310: Line 310:
 IPSet is a program that allows sets of IP addresses to be stored within iptables rules. It is used to collate a list of clients using P2P software. IPSet consists of both a kernel module and a userspace program. The module is not yet in the kernel provided with Debian. The following will install both the userspace program and the kernel module. IPSet is a program that allows sets of IP addresses to be stored within iptables rules. It is used to collate a list of clients using P2P software. IPSet consists of both a kernel module and a userspace program. The module is not yet in the kernel provided with Debian. The following will install both the userspace program and the kernel module.
  
-<​html>​<​code>​</​html>​ +<​code>​
 aptitude install ipset ipset-source module-assistant aptitude install ipset ipset-source module-assistant
 module-assistant auto-install ipset-source module-assistant auto-install ipset-source
-<​html>​</​code>​</​html>​+</​code>​ 
  
 ===== Install specialist internet scripts ===== ===== Install specialist internet scripts =====
Line 322: Line 322:
   * This program removes cached tracks from the tracking table for a particular client. When a client is registered or unregistered from the network, this makes sure the correct web pages are presented on browsing the internet, otherwise any redirects are not properly flushed.   * This program removes cached tracks from the tracking table for a particular client. When a client is registered or unregistered from the network, this makes sure the correct web pages are presented on browsing the internet, otherwise any redirects are not properly flushed.
  
-<​html><​code></​html>​ 
  
 +<​code>​
 cd /​usr/​local/​bin cd /​usr/​local/​bin
 wget http://​files.andybev.com/​web-portal/​rmtrack wget http://​files.andybev.com/​web-portal/​rmtrack
 chmod +x rmtrack chmod +x rmtrack
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * The following checks that the PPP link is up and reconnects if it is not   * The following checks that the PPP link is up and reconnects if it is not
  
-<​html>​<​code>​</​html>​ +<​code>​
 cd /​usr/​local/​bin cd /​usr/​local/​bin
 wget http://​files.andybev.com/​web-portal/​test-ppp wget http://​files.andybev.com/​web-portal/​test-ppp
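Review bot: rmtrack is downloaded over plain http and made executable in /usr/local/bin, and later in this diff www-data is granted passwordless sudo to run it, which makes it a root-privileged entry point reachable from the web server; verify the download against a known hash, keep the file root-owned and mode 755 (never group- or world-writable), and make sure the script validates its argument as a single IPv4 address rather than relying on the sudoers glob.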
Line 340: Line 340:
 chmod +x test-ppp.init chmod +x test-ppp.init
 insserv test-ppp.init insserv test-ppp.init
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * The next 3 show the current internet bandwidth use in classes   * The next 3 show the current internet bandwidth use in classes
  
-<​html>​<​code>​</​html>​ +<​code>​
 cd /​usr/​local/​bin cd /​usr/​local/​bin
 wget http://​files.andybev.com/​web-portal/​linkstats-ppp0 wget http://​files.andybev.com/​web-portal/​linkstats-ppp0
Line 353: Line 353:
 wget http://​files.andybev.com/​web-portal/​tc-viewer wget http://​files.andybev.com/​web-portal/​tc-viewer
 chmod +x tc-viewer chmod +x tc-viewer
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * And finally the firewall which sets up all the required iptables rules including the captive portal and shaping. This downloads the scripts and forces them to run when the network is brought up.   * And finally the firewall which sets up all the required iptables rules including the captive portal and shaping. This downloads the scripts and forces them to run when the network is brought up.
  
-<​html>​<​code>​</​html>​ +<​code>​
 cd /usr/local/ cd /usr/local/
 wget http://​files.andybev.com/​web-portal/​portalshaper-sh.tar.gz wget http://​files.andybev.com/​web-portal/​portalshaper-sh.tar.gz
 tar -zxvf portalshaper-sh.tar.gz tar -zxvf portalshaper-sh.tar.gz
 rm portalshaper-sh.tar.gz rm portalshaper-sh.tar.gz
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Edit ''​%%/​usr/​local/​portal/​settings%%''​ as required   * Edit ''​%%/​usr/​local/​portal/​settings%%''​ as required
Line 398: Line 399:
   * Edit /​etc/​network/​interfaces adding the following:   * Edit /​etc/​network/​interfaces adding the following:
  
-<​html>​<​code>​</​html>​ +<​code>​
 auto ppp0 auto ppp0
 iface ppp0 inet ppp iface ppp0 inet ppp
Line 405: Line 405:
         provider isp0         provider isp0
         post-up /​usr/​local/​portalshaper/​master         post-up /​usr/​local/​portalshaper/​master
-<​html>​</code></​html>+</​code>​
  
-  * If using a second interface add it as well: 
  
-<​html><​code></​html>​+  * If using a second interface add it as well:
  
 +<​code>​
 auto ppp1 auto ppp1
 iface ppp1 inet ppp iface ppp1 inet ppp
Line 416: Line 416:
         provider isp1         provider isp1
         post-up /​usr/​local/​portalshaper/​master         post-up /​usr/​local/​portalshaper/​master
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Add pre-connection helper script (will need editing if using a speedtouch modem):   * Add pre-connection helper script (will need editing if using a speedtouch modem):
  
-<​html><​code></​html>​ 
  
 +
 +<​code>​
 cd /​etc/​network/​ cd /​etc/​network/​
 wget http://​files.andybev.com/​web-portal/​solos-preload wget http://​files.andybev.com/​web-portal/​solos-preload
 chmod +x solos-preload chmod +x solos-preload
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Disconnect the current connection:   * Disconnect the current connection:
Line 439: Line 442:
   * Run ''​%%visudo%%''​ and add the following lines. Sudo is used to allow the apache web server to add and remove the needed iptables rules each time a user signs up to access the internet, as well as update the Squid session helper when displaying announcement pages   * Run ''​%%visudo%%''​ and add the following lines. Sudo is used to allow the apache web server to add and remove the needed iptables rules each time a user signs up to access the internet, as well as update the Squid session helper when displaying announcement pages
  
-<​html><​code></​html>​ 
  
 +<​code>​
 www-data ALL = NOPASSWD: /​sbin/​iptables -I internet 1 -t nat -m time --datestop ???????????????????​ -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN www-data ALL = NOPASSWD: /​sbin/​iptables -I internet 1 -t nat -m time --datestop ???????????????????​ -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN
 www-data ALL = NOPASSWD: /​sbin/​iptables -D internet -t nat -m time --datestop ???????????????????​ -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN www-data ALL = NOPASSWD: /​sbin/​iptables -D internet -t nat -m time --datestop ???????????????????​ -m mac --mac-source ??​\:??​\:??​\:??​\:??​\:??​ -j RETURN
 www-data ALL = NOPASSWD: /​usr/​local/​bin/​rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]* www-data ALL = NOPASSWD: /​usr/​local/​bin/​rmtrack [0-9]*.[0-9]*.[0-9]*.[0-9]*
 www-data ALL = (proxy) NOPASSWD: /​usr/​lib/​squid3/​ext_session_acl www-data ALL = (proxy) NOPASSWD: /​usr/​lib/​squid3/​ext_session_acl
-<​html>​</​code>​</​html>​+</​code>​ 
  
 Note: sudo does not use regular expressions,​ so the last statement is not as accurate as it should be Note: sudo does not use regular expressions,​ so the last statement is not as accurate as it should be
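Review bot: the sudoers caveat understates the issue: sudoers matches the arguments as one space-separated string, so "*" in "[0-9]*.[0-9]*.[0-9]*.[0-9]*" matches across word boundaries and accepts "1 --any further args", not just one dotted-quad, and "?" matches any single character, so the iptables lines accept any 19-character --datestop and any correctly shaped --mac-source token. That is tolerable only if rmtrack and the web code validate those values themselves; after editing, review the resulting grants with "sudo -l -U www-data".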
Line 451: Line 455:
 ===== Configure Squid ===== ===== Configure Squid =====
  
-|<​HTML>​\\ <​center>​\\ </​HTML>​\\ <​html><​strong></​html>​Squid is configured to show splash page announcements and mark packets for traffic shaping. Both of these require recent patches which are only contained in the latest beta version of Squid. Therefore, a very recent version of Squid will need to be compiled and installed over the standard Debian build<​html></​strong></​html>​\\ \\ <​HTML>​\\ </​center>​\\ </HTML>|+|\\ <​html><​strong></​html>​Squid is configured to show splash page announcements and mark packets for traffic shaping. Both of these require recent patches which are only contained in the latest beta version of Squid. Therefore, a very recent version of Squid will need to be compiled and installed over the standard Debian build\\ \\ >|
  
 The web proxy is used to speed up requests, as well as log all requests and show a splash page periodically. The web proxy is used to speed up requests, as well as log all requests and show a splash page periodically.
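Review bot: the new table cell still opens a bold run with "<html><strong></html>" but the matching "<html></strong></html>" was removed together with the centering markup, so the <strong> is now unclosed, and a stray ">" is left before the closing "|"; replace the whole construction with DokuWiki's own **bold** markup inside the cell, which also removes the dependency on htmlok.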
Line 458: Line 462:
   * Add the following to the beginning of the file:   * Add the following to the beginning of the file:
  
-<​html><​code></​html>​ 
  
 +<​code>​
 # We don't want persistent connections,​ otherwise lots # We don't want persistent connections,​ otherwise lots
 # of requests to the same server will look like a bulk download # of requests to the same server will look like a bulk download
Line 468: Line 472:
 # properly routed at the re-route stage. # properly routed at the re-route stage.
 qos_flows mark miss=0x1000000/​0xF000000 qos_flows mark miss=0x1000000/​0xF000000
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Change "​http_port 3128" to "​http_port 3128 transparent"​   * Change "​http_port 3128" to "​http_port 3128 transparent"​
Line 479: Line 484:
   * Locate the section "​INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS"​ and add the following rules (replacing qualso as required):   * Locate the section "​INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS"​ and add the following rules (replacing qualso as required):
  
-<​html><​code></​html>​ 
  
 +<​code>​
 acl our_networks src 10.0.0.0/16 acl our_networks src 10.0.0.0/16
  
Line 497: Line 502:
    
 http_access allow our_networks http_access allow our_networks
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Create a session database. This is used to display the splash pages periodically. The associated /​var/​www/​announce_days.txt file should be created when the web files are installed.   * Create a session database. This is used to display the splash pages periodically. The associated /​var/​www/​announce_days.txt file should be created when the web files are installed.
  
-<​html>​<​code>​</​html>​ +<​code>​
 mkdir -p /​var/​lib/​squid/​session mkdir -p /​var/​lib/​squid/​session
 chown proxy:proxy /​var/​lib/​squid/​session/​ chown proxy:proxy /​var/​lib/​squid/​session/​
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Install the date/time external ACL helper:   * Install the date/time external ACL helper:
Line 573: Line 579:
   * Create a file /​etc/​postfix/​relay_passwd with the following contents, replacing values as required:   * Create a file /​etc/​postfix/​relay_passwd with the following contents, replacing values as required:
  
-<​html><​code></​html>​ 
  
 +<​code>​
 isp.server.name USERNAME:​PASSWORD isp.server.name USERNAME:​PASSWORD
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Change the permissions on the file:   * Change the permissions on the file:
  
-<​html><​code></​html>​ 
  
 +
 +<​code>​
 chown root:root /​etc/​postfix/​relay_passwd  ​ chown root:root /​etc/​postfix/​relay_passwd  ​
 chmod 600 /​etc/​postfix/​relay_passwd  ​ chmod 600 /​etc/​postfix/​relay_passwd  ​
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Setup the files hash:   * Setup the files hash:
  
-<​html><​code></​html>​ 
  
 +<​code>​
 postmap /​etc/​postfix/​relay_passwd postmap /​etc/​postfix/​relay_passwd
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Edit /​etc/​postfix/​main.cf and add the following lines below the relayhost option:   * Edit /​etc/​postfix/​main.cf and add the following lines below the relayhost option:
  
-<​html><​code></​html>​ 
  
 +<​code>​
 smtp_sasl_auth_enable = yes  ​ smtp_sasl_auth_enable = yes  ​
 smtp_sasl_password_maps = hash:/​etc/​postfix/​relay_passwd  ​ smtp_sasl_password_maps = hash:/​etc/​postfix/​relay_passwd  ​
 smtp_sasl_security_options = smtp_sasl_security_options =
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * Edit /​etc/​mailname and set a valid FQDN (eg. qualso.simplelists.com). This will be the default mail domain for mail sent from the server.   * Edit /​etc/​mailname and set a valid FQDN (eg. qualso.simplelists.com). This will be the default mail domain for mail sent from the server.
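Review bot: "smtp_sasl_security_options =" set to empty discards Postfix's default "noplaintext, noanonymous", so PLAIN and LOGIN are allowed, and nothing in this block turns on TLS, which means the USERNAME:PASSWORD from relay_passwd can go to the ISP relay in clear; pair it with "smtp_tls_security_level = encrypt" (or at minimum "may") and keep "smtp_sasl_security_options = noanonymous". The chmod 600 on relay_passwd is right; also check that the relay_passwd.db written by postmap carries the same restrictive mode.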
Line 610: Line 621:
   * Add a linux local user to the system with appropriate password. Users will use this account to authenticate against the SMTP server:   * Add a linux local user to the system with appropriate password. Users will use this account to authenticate against the SMTP server:
  
-<​html>​<​code>​</​html>​ +<​code>​
 useradd -g users mailuser useradd -g users mailuser
 passwd mailuser passwd mailuser
-<​html>​</​code>​</​html>​+</​code>​ 
  
   * After adding the user edit /etc/passwd and add ''​%%/​bin/​false%%''​ on the end of the line for the new user. This will stop people logging into the server using that username and password!   * After adding the user edit /etc/passwd and add ''​%%/​bin/​false%%''​ on the end of the line for the new user. This will stop people logging into the server using that username and password!
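Review bot: hand-editing /etc/passwd to append /bin/false is error-prone; set the shell at creation with "useradd -g users -s /bin/false mailuser" (or afterwards with "usermod -s /bin/false mailuser"), and /usr/sbin/nologin is the conventional Debian choice. Either way, confirm with "getent passwd mailuser" that the last field is the intended shell.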
setting_up_a_captive_portal_from_scratch_using_debian.txt · Last modified: 2018/12/06 20:16 by abeverley