NoCatAuth Gateway Server Configuration - Page 2
November 19, 2003
Installation and Testing
The gateway server is the first step in creating your own NoCatAuth system. Remember that you can have just one remote located authentication server, but your field located access points will need to connect through a gateway server.
- Any PC or Server with a 486 processor or better
- Two network interface cards (NICs); one for connecting to the AP, the other to connect to your outside network.
- A hard disk with at least 10GB
- At least 256K of RAM
- RedHat 9.x Linux distribution with kernel version 2.4.x with iptables running. You need iptables running so that your two NICs can communicate with each other.
- A copy of the nightly build of NoCatAuth. Be aware that some nightly builds are flaky due to the project's open-source nature. You may have to hunt around for a good copy. If you have trouble with your version, add yourself to one or both of the NoCat mailing lists and ask the helpful folks a question. You can also find the version we used via FTP.
- You need to have a DHCP (Dynamic Host Configuration Protocol) server daemon running on your machine. Sometimes DHCP can be served from your access point or another server.
- If you plan on setting bandwidth limits on a per-user basis, you will need to have 'tc' installed on your server. This should come with RedHat 9.x. If you do not have it or choose not to install it, get a copy.
- Optionally, you can install a local caching DNS (domain name service) server. There are instructions on how to install this online. You should have the option to install it when you install RedHat 9.x from scratch.
Installation and Configuration of the Gateway
Throughout these instructions, you will need to be the root user so that you have the correct permissions.
- Download the nightly build from the NoCat Website referenced above. Place it in a temporary directory on your gateway server (/tmp for example).
- Go to the directory where you downloaded the file and uncompress the tarball. For example type: gunzip NoCatAuth-0.82.tar.gz
- Then unpack the tarball by typing: tar xvf NoCatAuth-0.82.tar (the 'z' flag is not needed here, because the file was already gunzipped in the previous step). Upon unpacking the tarball, a subdirectory in /tmp is created named 'NoCatAuth-nightly' that contains all of the files you need for installing the gateway portion of NoCatAuth.
- Go to the 'NoCatAuth-nightly' subdirectory and type: make gateway. This uses the temporary install files to install the full gateway server program files in their respective locations. If you want to specify your own paths for installation of program files, you will need to edit the file named 'Makefile' found in the 'NoCatAuth-nightly' directory. This should only be done if you are a high level Linux user because many problems can result. Please refer to NoCat's own installation instructions in the file named 'install' found in the 'NoCatAuth-nightly' directory for more detail.
- With the gateway software now in its respective directories, you can now customize the configuration file for your specific system and needs. To do this go to the recently created /usr/local/nocat/ directory and edit the 'nocat.conf' file. Inside the 'nocat.conf' file you will find helpful comments on how each of the parameters affects the gateway server operation. The following parameters need to be individually configured per your system:
- InternalDevice This is your NIC that will be communicating with your access point. In RedHat 9.x this will probably be set to 'eth0'
- ExternalDevice This is your NIC that will be communicating to an external network (i.e. your DSL, cable, satellite, bridge, whatever). In RedHat 9.x this will probably be set to 'eth1'
- LocalNetwork This will be the network address that your InternalDevice connects to. It can take the form of 192.168.0.0/255.255.255.0 or 192.168.0.0/24
- DNSAddr If you do as we suggest and have a local caching DNS server on your gateway then leave this option commented out. If you are not using a DNS server, then make sure to specify the IP address of your external DNS server.
- GatewayMode This option allows you to toggle between an Open or a Captive type gateway. An Open gateway will display an HTML message specified in the SplashForm, while a Captive gateway requires the user to log in and implements the Auth system, which includes the exchange of encrypted keys to verify the user's identity. We suggest that you set it to Captive so that you have the benefit of a more secure system.
- AuthServiceAddr, AuthServiceURL These really depend on the way you structure your authentication server. Here it allows you to specify the remote auth server's address (yours or someone else's) or a local auth server of your own.
- IncludePorts and ExcludePorts These are set to restrict the use of certain ports that public users can access. If you specify IncludePorts then only the ports listed will be allowed. You need to set this to one or the other because if you set both, then NoCat will default to ExcludePorts.
- GatewayName This is the name that you want your user to see on the splash and status pages as being the name of your gateway
- LimitAverage This is part of the downstream bandwidth control applicable to clients in the Public Class. This setting sets the average number of packets per second. Remember, to use this you must have 'tc' available on your server for the script to call upon.
- Owners This is a list of all local 'owner' users. List the users separated by spaces. Owners will receive unrestricted bandwidth on the network. You will want to put your login ID here.
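Several of the settings above interact in ways that are easy to get wrong (an Open gateway enforces no login; setting both IncludePorts and ExcludePorts silently drops IncludePorts). The following POSIX shell script is an added example, not part of NoCatAuth or this tutorial: it reads a constructed nocat.conf fragment and warns about those mistakes before you start the gateway.

```shell
# Constructed nocat.conf fragment (not from the NoCatAuth distribution) using the
# parameters listed above, with two deliberate mistakes for the checker to catch.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# comment lines and blank lines are ignored
InternalDevice eth0
ExternalDevice eth1
LocalNetwork 192.168.0.0/24
GatewayMode Open
IncludePorts 22 80 443
ExcludePorts 25
GatewayName Test Gateway
Owners admin
EOF
    echo "$f"
}

# conf_get FILE KEY: print the value of KEY (first non-comment match), or nothing
conf_get() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# check_conf FILE: print one WARN line per problem; return the number of problems
check_conf() {
    f=$1; n=0
    [ "$(conf_get "$f" GatewayMode)" = "Captive" ] || {
        echo "WARN: GatewayMode is not Captive, so no login is enforced"; n=$((n+1)); }
    if [ -n "$(conf_get "$f" IncludePorts)" ] && [ -n "$(conf_get "$f" ExcludePorts)" ]; then
        echo "WARN: IncludePorts and ExcludePorts both set; NoCat falls back to ExcludePorts"
        n=$((n+1))
    fi
    [ "$(conf_get "$f" InternalDevice)" != "$(conf_get "$f" ExternalDevice)" ] || {
        echo "WARN: InternalDevice and ExternalDevice are the same interface"; n=$((n+1)); }
    echo "$(conf_get "$f" LocalNetwork)" | grep -Eq '^[0-9.]+/([0-9]{1,2}|[0-9.]+)$' || {
        echo "WARN: LocalNetwork must look like 192.168.0.0/24 or 192.168.0.0/255.255.255.0"; n=$((n+1)); }
    return $n
}

# Stand-alone run: the sample above should produce two warnings
conf=$(write_sample_conf)
if check_conf "$conf"; then echo "no problems found"; else echo "problems found: $?"; fi
rm -f "$conf"
```

Run it against your real file with check_conf /usr/local/nocat/nocat.conf after the function definitions.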
The Gateway installation and configuration are now complete. You are ready to test the gateway server by itself. Please read further to verify the operation of the Gateway.
Testing the Gateway
As long as you have followed the instructions above, you should have a working gateway server. You will not really know it is working correctly until the authentication server is also in place. Then you will have the ability to verify the interaction of the two and see the whole process in motion.
To test the gateway:
- Go to the '/usr/local/nocat/bin/' directory and type in: gateway
- Upon running the gateway, verify that you see a message displayed similar to the one below:
[%]# Resetting firewall
[%]# Binding listener socket 0.0.0.0
- If you do see the above message or a similar message, you are ready to set up an authentication server to complete the NoCatAuth system. If you are not creating your own auth server, then make sure the AuthServiceAddr and AuthServiceURL parameters in your 'nocat.conf' file correctly reference the external auth server you are borrowing from someone else. If they are set, then you have a complete system. Please refer to the Authentication Server installation and configuration tutorial on how to test the system in its entirety.
- If you do not see the above message, please review our instructions and then refer to the 'install' document file under the 'NoCatAuth-nightly' directory. Your gateway may not be working for a number of reasons (different operating system, wrong paths, etc). If you are not running RedHat 9.x then you may not have the proper supporting programs in place or in the needed directories. The 'install' file covers procedures if you are using an operating system other than RedHat 9.x or if you have custom configured your paths in some way. If there is enough demand for NoCatAuth installation instructions for other Linux distributions we can go to the lab, do some testing, and write the instructions specifically for those.
- To automate the operation of your NoCatAuth gateway server, you may want to place it in your bootup script. To do this look at the '/usr/local/nocat/etc/nocat.rc' script. Copy it into '/etc/rc.d/init.d'. After that you can either add a call in your 'rc.local' or symbolically link (symlink) it to your runlevel 3, whichever you are comfortable with. You can perform a symlink by typing in something like: ln -s /etc/rc.d/init.d/nocat.rc /etc/rc.d/rc3.d/S99nocat
Congratulations. You have your NoCatAuth Gateway Server running. Stay tuned for how to install and configure your NoCatAuth Authentication Server.
References and Credits
1) No Cat Net
2) All of the kind folks on the two NoCat mailing lists
3) The open source community
4) John-David Henderson, Goose Creek Communications, Inc.
5) Flickenger, Rob. Building Wireless Community Networks. Sebastopol: O'Reilly & Associates, Inc, 2002.
6) NoCatNet Digest
7) Nate Davis from Salt Lake City, Utah
8) Atanu from India (chatted over the net)