介绍
如果用过m0n0wall这个东西的朋友应该知道里面有个Captive Portal功能。就是通过网页认证的方式来接入internet.最近无聊,准备选一个open source在linux下或者BSD下自己做一个。本来准备移植m0n0的,但是嫌麻烦。
有兴趣的朋友可以在这里看一下:http://wiki.personaltelco.net/PortalSoftware
这里有很多开源的和商业化的。最后我选了Opengate,原因是我很多都试过了,感觉支持都不是很好。Opengate是日本Saga大学维护的项目,唯一的缺陷是只能在BSD下。呵呵。好,我来大概说一下安装调试的步骤。
首先申明本人仅仅只是对opengate的安装过程拿官方的文挡做了简单的翻译和自己实现了一次的过程,在实现过程中很多都是最简化的配置.在这里并不讨论稳定性和安全性..
安装FREEBSD
首先安装FREEBSD7.0 我采用的是最小化安装,装上sys ports和cvsup拿来更新ports树…(我采用的是vmware6.0 虚拟两张网卡.一张物理连接.一张连接到vmnet8 最后测试的时候我采用windows上的VMware Network Adapter VMnet8进行测试.本地连接上随便配置一个IP就可以了.)
配置内核
我的内核配置是这样的:
# Custom FreeBSD 7.0 kernel for the Opengate gateway: a trimmed GENERIC plus
# the ipfw/divert/forward options that the Opengate rc.firewall script relies on.
cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
ident MYKERNEL
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options AUDIT # Security event auditing
# --- firewall options needed by Opengate ---
# IPDIVERT: required for the "divert natd" rule that hands outbound packets to natd.
options IPDIVERT
# IPFIREWALL: ipfw itself. With IPFIREWALL_DEFAULT_TO_ACCEPT left out (see the
# commented line below) the implicit last rule denies, so every packet the
# rc.firewall script does not explicitly pass is dropped - that default-deny is
# what keeps unauthenticated clients off the network.
options IPFIREWALL
# IPFIREWALL_FORWARD: required for the "fwd localhost" rules that redirect an
# unauthenticated client's HTTP/HTTPS to the local portal page.
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
# Caps the number of log messages per rule so a flood cannot fill syslog.
options IPFIREWALL_VERBOSE_LIMIT=100
# Deliberately left disabled: the firewall must default to deny.
#options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPSEC
device crypto
device apic # I/O APIC
device cpufreq
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Add suspend/resume support for the i8254.
device pmtimer
# le: the PCnet NIC VMware presents; rc.conf configures le0 (upstream) and le1 (clients).
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device miibus # MII bus support
device bge # Broadcom BCM570xx Gigabit Ethernet
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
编译内核
#config MYKERNEL
#cd ../compile/MYKERNEL
#make cleandepend && make depend
#make
#make install
安装BIND9
#cd /usr/ports/dns/bind9/
# make install clean ; rehash
我最简单的DNS配置文件如下(启动时会报rndc相关的错误,没关系):
# cat /etc/namedb/named.conf
// Minimal BIND configuration for the test LAN. No rndc configuration is set up,
// which is presumably why named complains about rndc at start; harmless here.
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// Only the client subnet may query this server.
allow-query { 192.168.15/24; } ;
// NOTE(review): zone transfers are open to every host on the client subnet;
// with no secondary server this can simply be "none".
allow-transfer { 192.168.15/24; } ;
};
// Root hints so names outside opengate.cn can be resolved for clients.
zone "." {
type hint;
file "named.root";
};
// Local zone that gives the portal host its name (zone file shown below).
zone "opengate.cn" {
type master;
file "opengate.cn";
};
# cat /etc/namedb/opengate.cn
; Forward zone for opengate.cn. Both names point at the gateway's inside address,
; the same 192.168.15.1 that rc.conf assigns to le1.
$TTL 3600
@ IN SOA ns.opengate.cn. root.ns.opengate.cn. (
2005051702 ; serial - bump it on every edit
3600 ; refresh
1200 ; retry
2419200 ; expire
86400 ) ; negative-cache TTL
@ IN NS ns.opengate.cn.
ns IN A 192.168.15.1
gateway IN A 192.168.15.1
其实这样就可以启动DNS了。如果你出于安全考虑,自己再多做其他设置;我这里只做测试。
安装isc-dhcp3
# cd /usr/ports/net/isc-dhcp3-server
# make install clean ; rehash
Dhcpd.conf配置文件的最简单的写法:
# cat /usr/local/etc/dhcpd.conf
# Minimal lease pool for the client side (dhcpd is bound to le1 in rc.conf).
# Clients are told to use the gateway itself as DNS server and router, so all
# of their traffic passes through ipfw on this box.
ddns-update-style none;
log-facility local7;
subnet 192.168.15.0 netmask 255.255.255.0 {
# 16 addresses - enough for the test, widen for a real deployment.
range 192.168.15.5 192.168.15.20;
option domain-name-servers 192.168.15.1;
option domain-name "opengate.cn";
option routers 192.168.15.1;
option broadcast-address 192.168.15.255;
default-lease-time 6000;
max-lease-time 72000;
}
安装apache22
# cd /usr/ports/www/apache22
# make install clean ; rehash
做一个SSL的private key,因为后面要用的SSL来验证..
# Create root-only directories for the key and certificate.
# cd /usr/local/etc/apache22
# mkdir ssl.key ssl.crt
# chmod 700 ssl.key ssl.crt
# NOTE(review): the key is written into the apache22 directory itself, not into
# the ssl.key directory that was just created with mode 700 - either move it
# there (and update SSLCertificateKeyFile) or chmod 600 the file. 1024-bit RSA
# is below the 2048-bit minimum in current guidance; raise the last argument.
# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024
做一个证书:
# -x509 produces a self-signed certificate valid for 365 days; browsers will warn
# until clients trust it. Answer the Common Name prompt with the portal hostname
# used as Apache ServerName (gateway.opengate.cn) so the name matches.
# /usr/bin/openssl req -new -x509 -days 365 -key /usr/local/etc/apache22/server.key -out /usr/local/etc/apache22/server.crt
后面就自己看提示输入东西了.呵呵.只要把证书生成就可以了..
设置apache的SSL:
在/usr/local/etc/apache22/extra/httpd-ssl.conf文件最后添加类似这样来设置SSL的虚拟主机:
# HTTPS virtual host that serves the captive-portal login page, using the
# self-signed certificate and key generated with openssl above.
<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache22/data"
ServerName gateway.opengate.cn:443
ServerAdmin wawnglin@cqie.cn
# Both logs go to syslog through logger(1) instead of to files.
ErrorLog "|/usr/bin/logger -p local6.info"
CustomLog "|/usr/bin/logger -p local5.info" combined
SSLEngine on
# NOTE(review): this is the old Apache sample string. "ALL" keeps LOW-strength,
# export-grade (EXP) and SSLv2-era suites enabled - the "+" only moves them to
# the end of the preference list, it does not remove them. "+eNULL" is inert
# because ALL already excludes null-encryption suites. The login form sends
# system-account passwords over whatever the client negotiates, so replace the
# string with something like "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2" and add
# "SSLProtocol all -SSLv2".
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache22/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/server.key
</VirtualHost>
修改/usr/local/etc/apache22/httpd.conf文件:
①:找到:
#ErrorDocument 404 /missing.html
修改为:
ErrorDocument 404 /
②:找到:
# Stock cgi-bin stanza from httpd.conf, shown for reference before editing.
<Directory "/usr/local/www/apache22/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
修改为:
# Same stanza with CGI execution enabled so the Opengate CGI programs can run.
<Directory "/usr/local/www/apache22/cgi-bin">
AllowOverride None
# NOTE(review): two Options lines in one section - the later one appears to
# take effect, so "Options None" is superseded by "Options ExecCGI"; keeping
# only the second line should be equivalent (check with apachectl configtest).
Options None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
③:取消:
AddHandler cgi-script .cgi
AddHandler type-map .var
前的注释.
④:找到:
# Stock directory-index setting, shown for reference before editing.
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
修改为:
# index.html.var is served through the "AddHandler type-map .var" line enabled in
# step 3; it is tried before a plain index.html.
<IfModule dir_module>
DirectoryIndex index.html.var index.html
</IfModule>
⑤:设置ServerName这行为你自己的主机名,其实不设置也可以.
我的设置为:
ServerName gateway.opengate.cn
⑥:在httpd.conf最后添加一行:
Include etc/apache22/extra/httpd-ssl.conf
⑦:最后还要做一个软连接:
#ln -s /usr/local/www/apache22/cgi-bin /usr/local/www/cgi-bin
rc.conf文件的基本配置
前期工作做完后,开始设置所有服务启动.我的/etc/rc.conf是这样的:
# cat /etc/rc.conf
# /etc/rc.conf for the gateway: le0 faces the upstream network (natd runs on it),
# le1 is the client side (dhcpd listens there).
defaultrouter="192.168.0.1"
font8x14="NO"
font8x16="NO"
font8x8="NO"
# Enable IP forwarding between the two interfaces.
gateway_enable="YES"
hostname="ns.opengate.cn"
ifconfig_le0="inet 192.168.0.100 netmask 255.255.255.0"
ifconfig_le1="inet 192.168.15.1 netmask 255.255.255.0"
ipv6_enable="NONE"
keymap="us.iso"
moused_enable="YES"
# sshd listens on both interfaces, and the Opengate firewall script passes all
# traffic to the inside address, so unauthenticated clients can reach it:
# keep the login policy tight or bind sshd to the upstream address only.
sshd_enable="YES"
sendmail_enable="NONE"
firewall_enable="YES"
# Custom ipfw script installed by Opengate (copied from rc.firewall.sample later).
firewall_script="/etc/opengate/rc.firewall"
这行这里暂时你可能看不懂,后面安装好了就知道了.
# Only the stock /etc/rc.firewall reads firewall_type; the custom Opengate script
# named above does not appear to, so this value presumably has no effect here.
firewall_type="open"
# NAT on the upstream interface; the "divert natd" rule in rc.firewall feeds it.
natd_enable="YES"
natd_interface="le0"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-c /etc/namedb/named.conf"
# DHCP only on the client-side interface.
dhcpd_enable="YES"
dhcpd_ifaces="le1"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
apache22_enable="YES"
apache22ssl_enable="YES"
安装opengate
http://www.cc.saga-u.ac.jp/openg ... engate1.4.36.tar.gz 下载软件包
#tar zxvf opengate1.4.36.tar.gz
#cd opengate1.4.36
#ee opengatesrv/Makefile
把前面几行如果不是这样的话就改成这样.
# Install paths for opengatesrv. They must match the Apache layout configured
# above: DocumentRoot is WWWTOP + DOCDIR and the cgi-bin <Directory> is
# WWWTOP + CGIDIR. CONFIGPATH is where rc.firewall and opengatesrv.conf are
# edited in the following steps.
WWWTOP = /usr/local/www/apache22
DOCDIR = /data
CGIDIR = /cgi-bin
OPENGATEDIR = /opengate
CONFIGPATH = /etc/opengate
LOCKFILE = /tmp/opengate.lock
#make clean
#make install
#cd /etc/opengate/
#cp opengatesrv.conf.sample opengatesrv.conf
#ee opengatesrv.conf
在文件最前面几行,自己改一下认证的协议。我用的是pam,就是直接用系统帐户。后面还有很多用其他协议认证的方式(如radius、ldap等等),自己可以参考例子。
<!-- Hostname clients are sent to for the login page; it must resolve (see the
     zone file) and match the Apache ServerName and certificate. -->
<OpengateServerName>gateway.opengate.cn</OpengateServerName>
<!-- PAM authenticates against this box's own system accounts, so Address is the
     gateway's inside IP; the sample file carries radius/ldap variants too.
     Timeout is presumably in seconds - confirm against the Opengate docs. -->
<AuthServer>
<Protocol>pam</Protocol>
<Address>192.168.15.1</Address>
<Timeout>10</Timeout>
</AuthServer>
设置ipfw防火墙
这里它是有例子的,但是你自己要稍微修改一下。ipfw其实我也不是很熟,只是觉得它的流量整形有点霸道。
# cd /etc/opengate
# cp rc.firewall.sample rc.firewall
# cat rc.firewall
### /etc/opengate/rc.firewall - run by rc.d/ipfw via firewall_script in rc.conf.
### Everything not explicitly passed below is dropped by the implicit final
### rule, because the kernel was built without IPFIREWALL_DEFAULT_TO_ACCEPT.
### Opengate presumably inserts per-client pass rules for authenticated users
### between these rules - confirm the rule numbers it uses before changing any.
### set these to your outside interface network and netmask and ip
oif="le0"
onet="192.168.0.0"
omask="255.255.255.0"
oip="192.168.0.100"
### set these to your inside interface network and netmask and ip
iif="le1"
inet="192.168.15.0"
imask="255.255.255.0"
iip="192.168.15.1"
fwcmd="/sbin/ipfw"
### divert packet to NATD
### Rule 1: every IPv4 packet crossing the upstream interface is handed to natd
### (natd_enable/natd_interface in rc.conf); needs IPDIVERT in the kernel.
$fwcmd add 1 divert natd ip4 from any to any via ${oif}
### Stop spoofing
### Drop packets that claim an inside source but arrive on the upstream
### interface, and vice versa.
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
### Allow from / to myself
### NOTE(review): "all ... to ${iip}" exposes every service on the gateway
### (sshd, named, dhcpd, apache) to clients that have not authenticated yet.
### Narrow the inbound rule to the ports the portal actually needs (53, 67,
### 80, 443) and keep sshd reachable only from the admin/upstream side.
$fwcmd add pass all from ${iip} to any via ${iif}
$fwcmd add pass all from ${oip} to any via ${oif}
$fwcmd add pass all from any to ${iip} via ${iif}
$fwcmd add pass all from any to ${oip} via ${oef}
### Allow DNS queries out in the world
### (if DNS is on localhost, delete passDNS)
### NOTE(review): these four rules match on port 53 alone, in both directions
### and to any host, so traffic that is not DNS at all can cross the portal
### unauthenticated. named runs on this box and dhcpd hands out ${iip} as the
### resolver, so client DNS can be limited to "from ${inet}:${imask} to ${iip}
### 53"; the gateway's own upstream queries should already be covered by the
### "from ${oip}" rule above (confirm with ipfw show counters).
$fwcmd add pass udp from any 53 to any
$fwcmd add pass udp from any to any 53
$fwcmd add pass tcp from any to any 53
$fwcmd add pass tcp from any 53 to any
### Allow RA RS NS NA Redirect...
$fwcmd add pass ipv6-icmp from any to any
# Allow IP fragments to pass through
# Non-first fragments carry no port header, so they are passed unconditionally;
# the usual ipfw idiom, but it means fragments never hit the port-based rules.
$fwcmd add pass all from any to any frag
# Allow RIPng
### Forwarding IPv4 http connection from unauth client
### Rules 60000: redirect the inside subnet's HTTP/HTTPS to the local Apache so
### the portal login page is served; needs IPFIREWALL_FORWARD in the kernel.
$fwcmd add 60000 fwd localhost tcp from ${inet}:${imask} to any 80
$fwcmd add 60000 fwd localhost tcp from ${inet}:${imask} to any 443
### Allow http reply for forwarded request
### (it is sent out from localhost but has original source address)
### Like the DNS rules these match on the port alone (any outbound packet with
### source port 80/443), not on the local address.
$fwcmd add 60100 pass tcp from any 80 to any out
$fwcmd add 60100 pass tcp from any 443 to any out
# TCP reset notice message for IPv6 http connection
# Whatever still reaches 80/443 here (per the comment above, IPv6; IPv4 from the
# inside subnet was already forwarded at 60000) gets an RST rather than a
# silent drop, so the client browser fails fast.
$fwcmd add 60200 reset tcp from any to any 80
$fwcmd add 60300 reset tcp from any to any 443
设置syslog记录日志
修改/etc/syslog.conf添加
local1.* /var/log/opengate.log
然后自己创建文件:
# touch /var/log/opengate.log
测试
WINDOWS自动获得IP。然后随便在浏览器里输入一个地址,用BSD下的系统帐户登录。(默认的页面是英文的,你想怎么改都行。)