WiFiDog creates the following chains: WiFiDog_br-wlan_Incoming, WiFiDog_br-wlan_Outgoing and WiFiDog_br-wlan_Trusted in the mangle table, and WiFiDog_br-wlan_AuthServers, WiFiDog_br-wlan_Global, WiFiDog_br-wlan_Internet, WiFiDog_br-wlan_Known, WiFiDog_br-wlan_Locked, WiFiDog_br-wlan_Unknown and WiFiDog_br-wlan_Validate in the filter table. br-wlan is the GatewayInterface set in /etc/wifidog.conf.
WiFiDog_br-wlan_Outgoing is chained in mangle PREROUTING. If a client passes authentication, the WiFiDog daemon inserts a rule into WiFiDog_br-wlan_Outgoing that marks the packets from that client with mark 0x2.
WiFiDog_br-wlan_Internet is chained in the filter FORWARD chain. The contents of this chain are derived from /etc/wifidog.conf and resemble the following:
Chain WiFiDog_br-wlan_Internet (1 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
WiFiDog_br-wlan_AuthServers all -- anywhere anywhere
WiFiDog_br-wlan_Locked all -- anywhere anywhere mark match 0x254
WiFiDog_br-wlan_Global all -- anywhere anywhere
WiFiDog_br-wlan_Validate all -- anywhere anywhere mark match 0x1
WiFiDog_br-wlan_Known all -- anywhere anywhere mark match 0x2
WiFiDog_br-wlan_Unknown all -- anywhere anywhere
At this point, WiFiDog is capable of separating known users from unknown users. One more thing remains: redirecting unknown users to the web portal. This is done with the WiFiDog_br-wlan_Unknown chain in the nat table, which contains the rule:
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 2060
which redirects an unknown user's HTTP connections to port 2060 on the router.
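To see the whole dispatch in one place, here is an added example (not WiFiDog's own code) that rebuilds the chains described above with plain iptables commands for GatewayInterface br-wlan. By default it only prints the commands it would run (IPT is set to "echo iptables"); run it as root with IPT=iptables to apply them. The hook points for the Incoming and Trusted chains, the ACCEPT in Known, the REJECT in the filter-table Unknown chain, the nat PREROUTING hook and the MAC match in the per-client rule are my assumptions; the post itself only gives the chain names, the 0x2 mark, the listing of WiFiDog_br-wlan_Internet and the REDIRECT rule.

```shell
#!/bin/sh
# Added example, not WiFiDog's own code: rebuild the chain layout the post
# describes so the dispatch logic can be read in one place. IPT defaults to
# "echo iptables", so the functions print the commands they would run; set
# IPT=iptables and run as root to apply them. The hook points for the
# Incoming/Trusted chains, the ACCEPT in Known, the REJECT in Unknown, the
# nat PREROUTING hook and the MAC match on the per-client rule are
# assumptions, not taken from the post.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-br-wlan}"          # GatewayInterface in /etc/wifidog.conf
PORTAL_PORT="${PORTAL_PORT:-2060}" # port the REDIRECT rule sends HTTP to
MARK_VALIDATE=0x1                  # marks as listed in WiFiDog_br-wlan_Internet
MARK_KNOWN=0x2
MARK_LOCKED=0x254

# Build a WiFiDog chain name for this gateway interface, e.g. WiFiDog_br-wlan_Known.
chain() { printf 'WiFiDog_%s_%s' "$IFACE" "$1"; }

wifidog_setup() {
    # mangle: the per-client MARK rules live in Outgoing, hooked from PREROUTING
    for c in Incoming Outgoing Trusted; do
        $IPT -t mangle -N "$(chain $c)"
    done
    $IPT -t mangle -A PREROUTING -i "$IFACE" -j "$(chain Outgoing)"
    $IPT -t mangle -A PREROUTING -i "$IFACE" -j "$(chain Trusted)"    # assumption
    $IPT -t mangle -A POSTROUTING -o "$IFACE" -j "$(chain Incoming)"  # assumption

    # filter: Internet is the dispatcher hooked from FORWARD
    for c in AuthServers Global Internet Known Locked Unknown Validate; do
        $IPT -t filter -N "$(chain $c)"
    done
    $IPT -t filter -A FORWARD -i "$IFACE" -j "$(chain Internet)"
    # The rules below mirror the iptables -L listing in the post, in order.
    $IPT -t filter -A "$(chain Internet)" -m state --state INVALID -j DROP
    $IPT -t filter -A "$(chain Internet)" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    $IPT -t filter -A "$(chain Internet)" -j "$(chain AuthServers)"
    $IPT -t filter -A "$(chain Internet)" -m mark --mark "$MARK_LOCKED" -j "$(chain Locked)"
    $IPT -t filter -A "$(chain Internet)" -j "$(chain Global)"
    $IPT -t filter -A "$(chain Internet)" -m mark --mark "$MARK_VALIDATE" -j "$(chain Validate)"
    $IPT -t filter -A "$(chain Internet)" -m mark --mark "$MARK_KNOWN" -j "$(chain Known)"
    $IPT -t filter -A "$(chain Internet)" -j "$(chain Unknown)"
    # Terminal verdicts (assumption): authenticated traffic passes, everything
    # else is rejected so an unmarked client reaches nothing but the portal.
    $IPT -t filter -A "$(chain Known)" -j ACCEPT
    $IPT -t filter -A "$(chain Unknown)" -j REJECT

    # nat: HTTP from a client without the known mark goes to the portal port
    $IPT -t nat -N "$(chain Unknown)"
    $IPT -t nat -A PREROUTING -i "$IFACE" -m mark ! --mark "$MARK_KNOWN" \
        -j "$(chain Unknown)"                                          # assumption
    $IPT -t nat -A "$(chain Unknown)" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"
}

# What the daemon does when a client passes authentication: insert a MARK
# rule for that client at the top of Outgoing. Matching on both IP and MAC
# is an assumption; the post only says "the packets from this user".
wifidog_allow_client() {
    ip="$1"; mac="$2"
    $IPT -t mangle -I "$(chain Outgoing)" -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$MARK_KNOWN"
}

# Undo for a client that logged out or whose session expired.
wifidog_deny_client() {
    ip="$1"; mac="$2"
    $IPT -t mangle -D "$(chain Outgoing)" -s "$ip" -m mac --mac-source "$mac" \
        -j MARK --set-mark "$MARK_KNOWN"
}

# Usage: sh wifidog_chains.sh (prints); IPT=iptables sh wifidog_chains.sh (applies)
wifidog_setup
wifidog_allow_client 192.168.1.50 00:11:22:33:44:55   # constructed sample client
```

Because the mark is set in mangle PREROUTING, every later hook (nat PREROUTING and filter FORWARD) already sees it, which is what lets a single 0x2 mark both open the FORWARD path and exempt the client from the REDIRECT. Note also the order inside WiFiDog_br-wlan_Internet: traffic to the AuthServers and Global destinations is handled before any mark check, so an unauthenticated client can still reach the auth server, while anything unmarked falls through to Unknown.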