Its functionality is similar to Nocatsplash, but it is derived from the codebase of the Wifi Guard Dog project. Nodogsplash is released under the GNU General Public License.
The following describes what Nodogsplash does, how to get it and run it, and how to customize its behavior for your application.
When installed and running, Nodogsplash implements a simple 'authentication' protocol. First, it detects any user attempting to use your internet connection to request a web page. It captures the request, and instead serves back a 'splash' web page using its own builtin web server. The splash page contains a link which, when the user clicks on it, opens limited access for them to the internet via your connection, beginning with a redirect to their originally requested page. This access expires after a certain time interval.
Nodogsplash also permits limiting the aggregate bandwidth provided to users, if you don't want to grant all of your available upload or download bandwidth.
Specific features of Nodogsplash are configurable, by editing the configuration file and the splash page. The default installed configuration may be all you need, though.
eth1), and for the following use ssh or telnet access to your router over a different interface.
nodogsplash*.ipk package you want to install from the project website, copy it to /tmp/ on your OpenWRT router, and, logged in as root on the router, run:
ipkg install /tmp/nodogsplash*.ipk
Or, to install the latest version, you can just run:
ipkg install http://kokoro.ucsd.edu/nodogsplash/latest.ipk
(Note: to prevent installation of an older package, you may have to remove references to remote package repositories in your ipkg.conf file.)
ipkg remove nodogsplash
br0, the bridge to both the wireless and wired LAN; or the wireless LAN interface may be named something else if you have broken the br0 bridge to separate the wired and wireless LANs.
block, and the source MAC address of the packet matches one listed in the BlockedMACList; or if the MAC mechanism is
allow, and the source MAC address of the packet does not match one listed in the AllowedMACList or the TrustedMACList. These packets are dropped.
FirewallRuleSet trusted-users-to-router lists in the nodogsplash.conf configuration file, or by the
FirewallRuleSet users-to-router in the
FirewallRuleSet users-to-router in the nodogsplash.conf configuration file). Any other packet is dropped, except that a packet for destination port 80 at any address is redirected to port 2050 on the router, where nodogsplash's builtin libhttpd-based web server is listening. This begins the 'authentication' process. The server will serve a splash page back to the source IP address of the packet. The user clicking the appropriate link on the splash page will complete the process, causing future packets from this IP/MAC address to be marked as Authenticated until the inactive or forced timeout is reached, and its packets revert to being Preauthenticated.
Nodogsplash implements this functionality by enabling two intermediate queue devices (IMQs), one for upload and one for download, and attaching simple rate-limited HTB qdiscs to them. Rules are inserted in the PREROUTING and POSTROUTING chains of the router's iptables mangle table to jump to these IMQs. The result is simple but effective tail-drop rate limiting (no packet classification or fairness queueing is done).
/etc/nodogsplash/nodogsplash.conf
In the configuration file, a FirewallRule has the form:
FirewallRule permission [protocol [port portrange]] [to ip]
where
permission is required and must be either
protocol is optional. If present must be
all. Defaults to
port portrange is optional. If present, portrange can be a single integer port number, or a colon-separated port range, e.g. 1024:1028. Defaults to all ports.
to ip is optional. If present, ip must be a decimal dotted-quad IP address with optional mask. Defaults to 0.0.0.0/0, i.e. all addresses.
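An added example (not part of the Nodogsplash documentation or code base): a Python parser for the FirewallRule form above that applies the stated defaults and reports allow rules left fully open. The permission and protocol keyword sets are assumptions, since the text above preserves only `all`; the sample rules are constructed.

```python
import ipaddress

# Keyword sets are assumptions; the page text above preserves only "all".
PERMISSIONS = {"allow", "block"}
PROTOCOLS = {"tcp", "udp", "icmp", "all"}

def parse_port_range(text):
    """Accept a single port ('80') or a colon-separated range ('1024:1028')."""
    parts = text.split(":")
    if len(parts) > 2:
        raise ValueError(f"bad port range: {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return low, high

def parse_firewall_rule(line):
    """Parse 'FirewallRule permission [protocol [port portrange]] [to ip]'."""
    words = line.split()
    if len(words) < 2 or words[0] != "FirewallRule" or words[1] not in PERMISSIONS:
        raise ValueError(f"not a valid FirewallRule: {line!r}")
    # Documented defaults: all protocols, all ports, 0.0.0.0/0.
    rule = {"permission": words[1], "protocol": "all", "ports": None,
            "to": ipaddress.IPv4Network("0.0.0.0/0")}
    rest = words[2:]
    if rest and rest[0] != "to":
        if rest[0] not in PROTOCOLS:
            raise ValueError(f"unknown protocol: {rest[0]!r}")
        rule["protocol"] = rest.pop(0)
        if rest and rest[0] == "port":  # 'port' is only valid after a protocol
            if len(rest) < 2:
                raise ValueError("'port' needs a portrange")
            rule["ports"] = parse_port_range(rest[1])
            rest = rest[2:]
    if rest:
        if len(rest) != 2 or rest[0] != "to":
            raise ValueError(f"unexpected trailing words: {rest}")
        rule["to"] = ipaddress.IPv4Network(rest[1], strict=False)
    return rule

def unrestricted_allows(lines):
    """Return the allow rules that match every protocol, port and address."""
    rules = [parse_firewall_rule(line) for line in lines]
    return [r for r in rules if r["permission"] == "allow" and r["protocol"] == "all"
            and r["ports"] is None and r["to"].prefixlen == 0]

# Constructed sample rules, not taken from a shipped nodogsplash.conf.
SAMPLE = ["FirewallRule allow tcp port 443",
          "FirewallRule block tcp port 1024:1028 to 192.168.0.0/16",
          "FirewallRule allow to 10.0.0.1",
          "FirewallRule allow"]
```

Running `unrestricted_allows(SAMPLE)` returns only the last rule, the one that relies on every default.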
/etc/nodogsplash/htdocs/splash.html
When the splash page is served, the following variables in the page are replaced by their values:
$gatewayname: The value of GatewayName as set in
$authtarget: A URL which encodes a unique token and the URL of the user's original web request. If nodogsplash receives a request at this URL, it completes the authentication process for the client and replies to the request with a "307 Temporary Redirect" to the encoded originally requested URL. (Alternatively, you can use a GET-method HTML form to send this information to the nodogsplash server; see below.) As a simple example:
$imagesdir: The directory in nodogsplash's web hierarchy where images to be displayed in the splash page must be located.
$denyaction are also available and can be useful if you want to write the splash page to use a GET-method HTML form instead of using $authtarget as the value of an href attribute to communicate with the nodogsplash server. As a simple example:
<form method='GET' action='$authaction'>
  <input type='hidden' name='tok' value='$tok'>
  <input type='hidden' name='redir' value='$redir'>
  <input type='submit' value='Click Here to Enter'>
</form>
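The 'authentication' step behind $authtarget and the tok/redir form fields, modelled as an added Python example (not Nodogsplash's own code). Only the token match, the 307 redirect and the revert on timeout come from the text above; the timeout parameter names, the 403 and 400 replies, the scheme check and the token rotation are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

class Client:
    """One IP/MAC pair as tracked by the gateway (illustrative model)."""
    def __init__(self, ip, mac, now):
        self.ip, self.mac = ip, mac
        self.token = secrets.token_hex(16)      # unique, unguessable token
        self.state = "Preauthenticated"
        self.auth_time = None
        self.last_seen = now

def auth_query(client, original_url):
    """Query string carrying the token and the originally requested URL."""
    return urlencode({"tok": client.token, "redir": original_url})

def handle_auth(client, query, now):
    """Return (status, location) for a request to the authentication URL."""
    params = parse_qs(query)
    tok = params.get("tok", [""])[0]
    redir = params.get("redir", [""])[0]
    # Constant-time comparison; a wrong token leaves the client unchanged.
    if not hmac.compare_digest(tok.encode(), client.token.encode()):
        return 403, None                        # assumed reply, not documented
    # Assumed hardening: only redirect back to a web URL.
    if urlsplit(redir).scheme not in ("http", "https"):
        return 400, None
    client.state, client.auth_time, client.last_seen = "Authenticated", now, now
    return 307, redir                           # "307 Temporary Redirect"

def expire(client, now, inactive_timeout, forced_timeout):
    """Revert to Preauthenticated once the inactive or forced timeout is reached."""
    if client.state == "Authenticated" and (
            now - client.last_seen >= inactive_timeout
            or now - client.auth_time >= forced_timeout):
        client.state, client.auth_time = "Preauthenticated", None
        client.token = secrets.token_hex(16)    # assumption: old token retired
    return client.state
```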
/etc/nodogsplash/htdocs/infoskel.html
In this file, variables $content will be replaced by their values.
$title is a summary of the information or kind of error;
$content is the content of the information or error message.
To enable this, edit nodogsplash.conf to set parameters PasswordAttempts as desired. Then the splash page must use a GET-method HTML form to send user-entered username and/or password as values of variables nodoguser and nodogpass respectively, along with others as required, to the server.
<form method='GET' action='$authaction'>
  <input type='hidden' name='tok' value='$tok'>
  <input type='hidden' name='redir' value='$redir'>
  username: <input type='text' name='nodoguser' value='' size=12 maxlength=12>
  <br>
  password: <input type='password' name='nodogpass' value='' size=12 maxlength=10>
  <br>
  <input type='submit' value='Enter'>
</form>
ndsctl, a separate application which provides some control over a running nodogsplash process by communicating with it over a unix socket. Some command line options:
/usr/bin/ndsctl block MAC
/usr/bin/ndsctl unblock MAC
/usr/bin/ndsctl allow MAC
/usr/bin/ndsctl unallow MAC
/usr/bin/ndsctl deauth IP|MAC
/usr/bin/ndsctl loglevel n
ndsctl -h. (Note that if you want the effect of ndsctl commands to persist across nodogsplash restarts, you have to edit the configuration file.)
/etc/init.d/S65nodogsplash file to set the OPTIONS variable to the flags "-s -d 7", restart or reboot, and view messages with logread. The -s flag logs to syslog; the -d 7 flag sets level 7, LOG_DEBUG, for debugging messages (see syslog.h). You don't want to run with these flags routinely, as it will quickly fill the syslog circular buffer, unless you enable remote logging. A lower level of logging, for example level 5, LOG_NOTICE, is more appropriate for routine use (this is the default). Logging level can also be set using ndsctl as shown above.
Alternatively, you can set the flag
-f instead of
This will run nodogsplash in the foreground, logging to stdout.
iptables -t mangle -v -n -L
For extensive suggestions on debugging iptables, see for example Oskar Andreasson's tutorial.
Another explanation of steps that can be used to successfully install Nodogsplash on Kamikaze is available here: anarcat post on forum.openwrt.org.
Thanks to Tobias Pal and Jeff Allen and anarcat for early testing on Kamikaze.