+-----------------------------------------+
| NoMice v2.0                             |
| (previous version: gatewaywlanuab v1.0) |
| http://sourceforge.net/projects/nomice/ |
| Servicio de Informática                 |
| Universidad Autónoma de Barcelona       |
| nomice@uab.es                           |
+-----------------------------------------+
Linux distribution
------------------
Debian kernel 2.6.8-3-686 with minimal installation.
Additional packages
-------------------
Packages installed:
apache2-mpm-prefork v2.0.54
ssh v3.8.1
mysql-server-4.1 v4.1.11
dhcp v2.0
php4 v4.3.10
php4-mysql v4.3.10
libapache2-mod-php4 v4.3.10
php4-common v4.3.10
php4-cli v4.3.10
php4-ldap v4.3.10
sudo v1.6.8
libldap2 v2.1.30
Configuration files modified
----------------------------
Apache2 configuration files modified:
apache2.conf
ports.conf
mods-enabled
mods-enabled/auth_ldap.conf
mods-enabled/auth_ldap.load
The installation makes the following symbolic links:
ln -s /etc/apache2/mods-available/ssl.conf
ln -s /etc/apache2/mods-available/ssl.load
Configuration files of the apache2 auth_ldap module modified:
The certificate /etc/apache2/Certificat.pem is loaded to access the secure port of the LDAP server.
Configuration files of dhcp modified:
/etc/init.d/dhcp is modified, changing eth0 to eth1 and using the configuration file /etc/dhcpd.conf.
/var/www/apache2-default/gwf/config/dhcpd.conf is a symbolic link to /etc/dhcpd.conf.
Configuration files of network interfaces /etc/network/interfaces:
eth1:
ip 10.0.0.1
netmask 255.255.252.0
By default we have configured one class C range for static IP addresses (10.0.0.2 to 10.0.0.254) and three class C ranges for dynamic IP addresses (10.0.1.2 to 10.0.3.254).
Also, we have modified the file /etc/sysctl.conf, adding the IP forwarding parameter and the limits of the ARP table:
net.ipv4.ip_forward=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=8192
net.ipv4.neigh.default.gc_thresh3=16394
To enable LDAP support in PHP, we have modified the file /etc/php4/apache2/php.ini adding:
Extension=ldap.so
The dhcp configuration file is modified from the INTER application by the procedure:
/var/www/apache2-default/gwf/codi/dhcpd/act_fitxer_dhcp.php
The eth1 interface has its IP fixed to 10.0.0.1. If we want to change it, besides
doing it in /etc/network/interfaces and in the firewall rules, we also have to do it
in the following scripts:
codi/dhcpd/act_fitxer_dhcpd.php
codi/iptables/save_rf.php
config/dhcpd.conf
ldapauth.php
porta.php
Web application INTER
---------------------
From this application we can add new access points, users, user equipment with a fixed IP, user profiles, services (open ports in the firewall), profile assignments, etc.
To access INTER we have modified the file /etc/php4/apache2/php.ini adding:
extension=mysql.so
Also we have modified /etc/php4/cli/php.ini, uncommenting the line:
extension=mysql.so
The dhcp configuration file (/etc/dhcpd.conf) is modified from the INTER application with the option "Update DHCP config file" by the procedure:
/var/www/apache2-default/gwf/codi/dhcpd/act_fitxer_dhcp.php
To access the INTER web interface:
http://10.0.0.1/inter
This interface has access control by user and password; the initial credentials are test/test.
Modification to SUDO
--------------------
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
www-data ALL=(root) NOPASSWD: /sbin/iptables, /sbin/iptables-save, /sbin/iptables-restore, /var/www/apache2-default/gwf/sys/GetMAC.sh, /var/www/apache2-default/gwf/sys/dhcpd/start_dhcpd.sh, /var/www/apache2-default/gwf/sys/dhcpd/stop_dhcpd.sh, /etc/rc.d/dhcpd, /sbin/killproc, /usr/sbin/arp
IPTABLES firewall
-----------------
The rules are updated from INTER with the menu option "Update iptables", which runs the script:
/var/www/apache2-default/gwf/codi/iptables/actualitza_iptables.php
If we want to load the startup rules from the command line we can use:
/var/www/apache2-default/gwf/config/regles_firewall
The script that loads the startup rules at system boot is /etc/rc2.d/S93regles_firewall, which is a symbolic link to /var/www/apache2-default/gwf/config/regles_firewall.
When the server starts up we have the following rules:
PREROUTING and FORWARD rules for all fixed IPs (APs and user equipment registered in the database in the range 10.0.0.x).
A PREROUTING rule redirecting all dynamic IP addresses to the captive portal address and port:
PREROUTING -i eth1 -p tcp -j DNAT --to-destination 10.0.0.1:88
POSTROUTING of all the fixed IPs (with masquerade) and
POSTROUTING of all the dynamic IPs (also with masquerade):
POSTROUTING -s 10.0.0.0/255.255.252.0 -j MASQUERADE
If we have defined a range of addresses that spans more than four class C networks,
it is necessary to change the mask of the POSTROUTING rule from the default /22 to
the correct one. The change has to be made in the current rule of the firewall and
also in the save_rf.php file in the folder codi/iptables. After the change it is
necessary to execute save_rf so that the new rule is loaded when the system restarts.
When a user validates (logs in):
A PREROUTING rule is created with the IP and MAC address of the user equipment.
A FORWARD rule is created with the IP and MAC address of the user equipment.
The FORWARD packets are sent to one of the following chains:
PDI, Alumne, Default and Admin.
By default, the open ports associated with these chains are the ones recommended for Eduroam.
Also, iptables loads the rules recommended by Eduroam for access to a VPN server. The rules are:
FORWARD -p 50 -j ACCEPT
FORWARD -p 51 -j ACCEPT
FORWARD -p 41 -j ACCEPT
FORWARD -p 47 -j ACCEPT
FORWARD -p udp --dport 500 -j ACCEPT
FORWARD -p udp --dport 1194 -j ACCEPT
FORWARD -p udp --dport 4500 -j ACCEPT
FORWARD -p tcp --dport 10000 -j ACCEPT
FORWARD -p tcp --dport 1723 -j ACCEPT
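The rule set described above, as an added Python example that is not part of NoMice: it builds the startup rules, the per-profile chains from the serveis table and the per-user rules added at validation, and checks the caveat that every configured range must fit inside the POSTROUTING mask. The IP+MAC pinning with the iptables mac match module, the trailing DROP of a profile chain and the sample table rows are assumptions.

```python
import ipaddress

# Values taken from this README: portal address/port and default masquerade mask.
PORTAL = "10.0.0.1:88"
DEFAULT_NAT_MASK = "10.0.0.0/22"

# Constructed sample rows in the shape of the gw tables rangs and serveis.
RANGES = [("10.0.1.2", "10.0.3.254"), ("10.0.0.2", "10.0.0.254")]
SERVICES = {"ALL": 0, "http": 80, "https": 443, "ssh": 22, "imaps": 993}


def mask_covers_ranges(ranges, mask=DEFAULT_NAT_MASK):
    """Every configured range must fit inside the network used by the
    POSTROUTING MASQUERADE rule, otherwise that mask has to be widened."""
    net = ipaddress.ip_network(mask)
    return all(ipaddress.ip_address(lo) in net and ipaddress.ip_address(hi) in net
               for lo, hi in ranges)


def startup_rules(mask=DEFAULT_NAT_MASK):
    """Rules present after boot: dynamic clients go to the portal, everything is masqueraded."""
    return [
        f"-t nat -A PREROUTING -i eth1 -p tcp -j DNAT --to-destination {PORTAL}",
        f"-t nat -A POSTROUTING -s {mask} -j MASQUERADE",
    ]


def profile_chain(profile, service_names):
    """One chain per profile (PDI, Alumne, Default, Admin) opening its services.
    The 'ALL' service (port 0) opens everything. The trailing DROP is an
    assumption: the README does not state the chain's default policy."""
    rules = [f"-N {profile}"]
    for name in service_names:
        port = SERVICES[name]
        if port == 0:
            rules.append(f"-A {profile} -j ACCEPT")
            return rules
        rules.append(f"-A {profile} -p tcp --dport {port} -j ACCEPT")
    rules.append(f"-A {profile} -j DROP")
    return rules


def user_rules(ip, mac, profile):
    """Rules added when a user validates. Pinning IP+MAC with the mac match
    module is assumed (the README only says both are used). The nat ACCEPT is
    inserted ahead of the DNAT so the client stops being redirected to the portal."""
    return [
        f"-t nat -I PREROUTING -i eth1 -s {ip} -m mac --mac-source {mac} -j ACCEPT",
        f"-I FORWARD -i eth1 -s {ip} -m mac --mac-source {mac} -j {profile}",
    ]
```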
Observations
------------
When we want to save rules we have added or modified in the firewall without the INTER web interface, we can execute the script save_rf.php, which saves the current rules into the file gwf/config/regles_firewall that is later loaded by the script actualitza_iptables.php.
System Cron
-----------
The script is /etc/cron.d/uabgwireless
and the content is:
0 */2 * * * php -c /etc/php4/apache2 /var/www/apache2-default/gwf/logs/log.php 2> /var/www/apache2-default/gwf/logs/lastcheck.log > /var/www/apache2-default/gwf/logs/lastcheck.log
Details of the cron script log.php
----------------------------------
Every two hours the log.php process wakes up and pings all the registered IPs to know whether they are still connected or not. The script obtains the fixed IPs from the gw database and the dynamic IPs from the firewall rules.
The log.php script checks all the IP addresses and compares the current result (reply to ping or not) with the one registered in the previous check (the previous state is kept in the file lastcheck.log in the same directory). When an IP that was marked connected does not answer, the program marks it as a possible loss of coverage.
When an IP that was marked as a possible loss of coverage does not answer again, the program marks it disconnected and removes its rules from the firewall.
These changes are registered in the log file /var/www/apache2-default/gwf/logs/connect.log. When a user logs in, an entry is created in the same log file marking the user's IP address as connected.
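The log.php check described above, as an added Python example (not the NoMice script itself): it pulls the pinned IPs out of iptables-save text, applies the two-run rule (connected, possible loss of coverage, disconnected) against the state kept from the previous run, and returns the IPs whose firewall rules must be removed together with the connect.log entries. The per-user rule syntax in the sample, the state names and the log line wording are assumptions.

```python
import re

# State names are assumed; the README only describes the three conditions.
CONNECTED, SUSPECT, DISCONNECTED = "connected", "possible_loss", "disconnected"

# Constructed sample of iptables-save output. The dynamic IPs to check are the
# ones pinned by per-user FORWARD rules (rule syntax assumed).
SAMPLE_RULES = """\
-A FORWARD -i eth1 -s 10.0.1.7/32 -m mac --mac-source 00:11:22:33:44:55 -j PDI
-A FORWARD -i eth1 -s 10.0.2.9/32 -m mac --mac-source 00:11:22:33:44:66 -j Alumne
-A FORWARD -p udp -m udp --dport 500 -j ACCEPT
"""


def dynamic_ips_from_rules(rules_text):
    """Source IPs pinned by per-user FORWARD rules in iptables-save text."""
    return re.findall(r"^-A FORWARD .*-s (\d+\.\d+\.\d+\.\d+)", rules_text, re.M)


def next_state(previous, replied):
    """A host that answers is connected. A connected host that stops answering
    becomes a possible loss of coverage; a second miss disconnects it."""
    if replied:
        return CONNECTED
    return SUSPECT if previous == CONNECTED else DISCONNECTED


def run_check(last_state, ping_results):
    """last_state: {ip: state} read from lastcheck.log on the previous run.
    ping_results: {ip: bool} for this run. Returns (state to write back,
    IPs whose PREROUTING/FORWARD rules must be removed, connect.log lines)."""
    new_state, to_remove, log_lines = {}, [], []
    for ip, replied in ping_results.items():
        # An IP not seen before (freshly logged in) starts as connected.
        state = next_state(last_state.get(ip, CONNECTED), replied)
        if state == DISCONNECTED:
            to_remove.append(ip)
            log_lines.append(f"{ip} disconnected")
        else:
            new_state[ip] = state
            if state == SUSPECT:
                log_lines.append(f"{ip} possible loss of coverage")
    return new_state, to_remove, log_lines
```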
Eduroam project
---------------
NoMice allows connections from users of organizations that have joined the Eduroam project. These users can validate with the credentials of their home organization and they will have access to the services that Eduroam recommends.
To declare themselves as an Eduroam user, the user must enter the username followed by an at sign (@) and the user's domain.
When the validation program (ldapauth.php) detects this pattern, it determines that the user does not belong to our organization and sends the credentials to the RADIUS server.
To determine the address and other parameters of the LDAP or RADIUS server, a query is made to the table servidors_ldap of the gw database. The LDAP server record has the value "1" in the field "actiu".
The RADIUS server record has the value "2" in the field "actiu".
Table contents of the gw database after the installation
--------------------------------------------------------
mysql -u root gw
mysql> select * from rangs;
+---------+---------+------------+------------+
| id_rang | defecte | ip_inicial | ip_final   |
+---------+---------+------------+------------+
|       1 |       1 | 10.0.1.2   | 10.0.3.254 |
|       2 |       0 | 10.0.0.2   | 10.0.0.254 |
+---------+---------+------------+------------+
mysql> select * from perfils;
+-----------+---------+--------------------+-------+-------+
| id_perfil | nom     | descripcio         | proxy | local |
+-----------+---------+--------------------+-------+-------+
|         1 | Admin   | TOT                |       |     0 |
|         2 | Default | Sense identificar  |       |     0 |
|         5 | Alumne  | Alumne UAB         |       |     0 |
|        21 | PDI     | perfil genèric PDI |       |     0 |
+-----------+---------+--------------------+-------+-------+
6 rows in set (0.00 sec)
mysql> select * from serveis;
+-----------+-------+------------+------+
| id_servei | tipus | nom        | port |
+-----------+-------+------------+------+
|         1 |     1 | ALL        |    0 |
|         2 |     1 | http       |   80 |
|         4 |     1 | https      |  443 |
|         7 |     1 | ssh        |   22 |
|        58 |     1 | imaps      |  993 |
|        56 |     1 | imap2+4    |  143 |
|        57 |     1 | imap3      |  220 |
|        63 |     1 | smtp start |  587 |
|        62 |     1 | smtps      |  465 |
|        61 |     1 | pass.ftp   |   21 |
|        64 |     1 | rdp        | 3389 |
|        60 |     1 | pop3s      |  995 |
|        59 |     1 | POP        |  110 |
+-----------+-------+------------+------+
14 rows in set (0.00 sec)
mysql> select * from ip;
This lists all the static IP addresses:
+-------+------------+---------+-----------+
| Id_ip | ip         | defecte | assignada |
+-------+------------+---------+-----------+
|  3040 | 10.0.0.2   |       0 |         0 |
+-------+------------+---------+-----------+
............................................
+-------+------------+---------+-----------+
|  3292 | 10.0.0.254 |       0 |         0 |
+-------+------------+---------+-----------+
253 rows in set (0.00 sec)
and all the dynamic IP addresses:
+-------+------------+---------+-----------+
| Id_ip | ip         | defecte | assignada |
+-------+------------+---------+-----------+
|  2281 | 10.0.1.2   |       1 |         0 |
+-------+------------+---------+-----------+
............................................
+-------+------------+---------+-----------+
|  3039 | 10.0.3.254 |       1 |         0 |
+-------+------------+---------+-----------+
759 rows in set (0.00 sec)