佐须之男 发布的文章

nodogsplash认证nodogsplash.conf文件使用说明

nodogsplash.conf说明:

#
# Nodogsplash Configuration File
# 说明:#所在行不执行。(启用该参数需要删除执行参数前的#及空格)
# 文件格式为:参数|建议值|参数说明|执行参数 。
# 不同参数之间空一行,同一参数中间可使用带#的空行。
# 为保证规则正确运行,需要用"/etc/init.d/nodogsplash start"启动
#
# Parameter: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
# Set GatewayInterface to the interface on your router
# that is to be managed by Nodogsplash.
# Typically br-lan for the wired and wireless lan on OpenWrt White Russian.
# May be br-lan on OpenWrt Kamikaze.
# 监测接口
#
GatewayInterface br-lan1
# FirewallRuleSet: authenticated-users
#
# Control access for users after authentication.
# These rules are inserted at the beginning of the
# FORWARD chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# have authenticated with Nodogsplash, and that are
# destined to be routed through the router.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it.
# If there are any rules in this ruleset, an authenticated
# packet that does not match any rule is rejected.
# N.B.: This ruleset is completely independent of
# the preauthenticated-users ruleset.
# 防火墙规则集(我怕改这个)
#
FirewallRuleSet authenticated-users {
# You may want to open access to a machine on a local
# subnet that is otherwise blocked (for example, to
# serve a redirect page; see RedirectURL).  If so,
# allow that explicitly here, e.g:
#  FirewallRule allow tcp port 80 to 192.168.254.254
# Your router may have several interfaces, and you
# probably want to keep them private from the GatewayInterface.
# If so, you should block the entire subnets on those interfaces, e.g.:
    FirewallRule block to 192.168.0.0/16
    FirewallRule block to 10.0.0.0/8
# Typical ports you will probably want to open up include
# 53 udp and tcp for DNS,
# 80 for http,
# 443 for https,
# 22 for ssh:
    FirewallRule allow tcp port 53 
    FirewallRule allow udp port 53 
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
    FirewallRule allow tcp port 22
}
# end FirewallRuleSet authenticated-users

# FirewallRuleSet: preauthenticated-users
#
# Control access for users before authentication.
# These rules are inserted in the PREROUTING chain
# of the router's nat table, and in the
# FORWARD chain of the router's filter table.
# These rules apply to packets that have come in to the 
# router over the GatewayInterface from MAC addresses that
# are not on the BlockedMACList or TrustedMACList,
# are *not* authenticated with Nodogsplash.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it. A packet that does not match 
# any rule here is rejected.
# N.B.: This ruleset is completely independent of
# the authenticated-users and users-to-router rulesets.
#
FirewallRuleSet preauthenticated-users {
# For preauthenticated users to resolve IP addresses in their initial
# request not using the router itself as a DNS server,
# you probably want to allow port 53 udp and tcp for DNS.
    FirewallRule allow tcp port 53 
    FirewallRule allow udp port 53
# For splash page content not hosted on the router, you
# will want to allow port 80 tcp to the remote host here.
# Doing so circumvents the usual capture and redirect of
# any port 80 request to this remote host.
# Note that the remote host's numerical IP address must be known
# and used here.  
#    FirewallRule allow tcp port 80 to 123.321.123.321
}
# end FirewallRuleSet preauthenticated-users

# FirewallRuleSet: users-to-router
#
# Control access to the router itself from the GatewayInterface.
# These rules are inserted at the beginning of the
# INPUT chain of the router's filter table, and
# apply to packets that have come in to the router
# over the GatewayInterface from MAC addresses that
# are not on the TrustedMACList, and are destined for
# the router itself.  The rules are
# considered in order, and the first rule that matches
# a packet applies to it. 
# If there are any rules in this ruleset, a
# packet that does not match any rule is rejected.
#
FirewallRuleSet users-to-router {
# Nodogsplash automatically allows tcp to GatewayPort,
# at GatewayAddress, to serve the splash page.
# However you may want to open up other ports, e.g.
# 53 for DNS and 67 for DHCP if the router itself is
# providing these services.
    FirewallRule allow udp port 53 
    FirewallRule allow tcp port 53 
    FirewallRule allow udp port 67
# You may want to allow ssh, http, and https to the router
# for administration from the GatewayInterface.  If not,
# comment these out.
    FirewallRule allow tcp port 22
    FirewallRule allow tcp port 80
    FirewallRule allow tcp port 443
}
# end FirewallRuleSet users-to-router
# EmptyRuleSetPolicy directives
# The FirewallRuleSets that NoDogSplash permits are:
#
# authenticated-users
# preauthenticated-users
# users-to-router
# trusted-users
# trusted-users-to-router
#
# For each of these, an EmptyRuleSetPolicy can be specified.
# An EmptyRuleSet policy applies to a FirewallRuleSet if the
# FirewallRuleSet is missing from this configuration file,
# or if it exists but contains no FirewallRules.
#
# The possible values of an EmptyRuleSetPolicy are:
# allow  -- packets are accepted
# block  -- packets are rejected
# passthrough -- packets are passed through to pre-existing firewall rules
#
# Default EmptyRuleSetPolicies are set as follows:
# EmptyRuleSetPolicy authenticated-users passthrough
# EmptyRuleSetPolicy preauthenticated-users block
# EmptyRuleSetPolicy users-to-router block
# EmptyRuleSetPolicy trusted-users allow
# EmptyRuleSetPolicy trusted-users-to-router allow

# Parameter: GatewayName
# Default: NoDogSplash
#
# Set  GatewayName to the name of your gateway.  This value
# will be available as variable $gatewayname in the splash page source
# and in status output from ndsctl, but otherwise doesn't matter.
# If none is supplied, the value "NoDogSplash" is used.
# 网关
#
# GatewayName NoDogSplash
# Parameter: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
# Set GatewayAddress to the IP address of the router on
# the GatewayInterface.  This is the address that the Nodogsplash
# server listens on.
# 服务器监听
#
# GatewayAddress 192.168.1.1
# Parameter: ExternalInterface
# Default: Autodetected from /proc/net/route
#
# This should be autodetected on a OpenWRT system, but if not:
# Set ExtrnalInterface to the 'external' interface on your router, 
# i.e. the one which provides the default route to the internet.
# Typically vlan1 for OpenWRT.
# 外部接口
#
# ExternalInterface vlan1
# Parameter: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected 
# to their initially requested page. 
# If RedirectURL is set, the user is redirected to this URL instead.
# 确认后跳转网址(默认关闭) 
#
# RedirectURL http://www.ilesansfil.org/
# Parameter: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
# The port it listens to at that IP can be set here; default is 2050.
# 网关地址监听端口
#
# GatewayPort 2050
# Parameter: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to 
# connect at any time.  (Does not include users on the TrustedMACList,
# who do not authenticate.)
# 最大用户数(不包括trustedmaclist项里的用户-不受任何限制用户)
#
# MaxClients 20
# ClientIdleTimeout
# Parameter: ClientIdleTimeout
# Default: 10
#
# Set ClientIdleTimeout to the desired of number of minutes
# of inactivity before a user is automatically 'deauthenticated'.
# 用户进入欢迎页面后不进行任何操作的超时设置 (分钟数)
#
# ClientIdleTimeout 10
# Parameter: ClientForceTimeout
# Default: 360
#
# Set ClientForceTimeout to the desired number of minutes before
# a user is automatically 'deauthenticated', whether active or not
# 欢迎页面弹出时间间隔(分钟)
#
# ClientForceTimeout 360
# Parameter: AuthenticateImmediately
# Default: no
#
# Set to yes (or true or 1), to immediately authenticate users
# who make a http port 80 request on the GatewayInterface (that is,
# do not serve a splash page, just redirect to the user's request,
# or to RedirectURL if set).
# 是否进行身份验证
#
# AuthenticateImmediately no
# Parameter: MACMechanism
# Default: block
#
# Either block or allow.
# If 'block', MAC addresses on BlockedMACList are blocked from
# authenticating, and all others are allowed.
# If 'allow', MAC addresses on AllowedMACList are allowed to
# authenticate, and all other (non-trusted) MAC's are blocked.
# MAC过滤方式(启用黑名单阻止方式还是白名单允许方式)
#
# MACMechanism block
# Parameter: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
# from the GatewayInterface.  Ignored if MACMechanism is allow.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC过滤列表黑名单(用逗号隔开)
#
# BlockedMACList 00:00E:AD:BE:EF,00:00:C0:1D:F0:0D
# Parameter: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
# blocked from the GatewayInterface.  Ignored if MACMechanism is block.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC过滤列表白名单(用逗号隔开)
#
# AllowedMACList 00:00:12:34:56:78
# Parameter: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
# authentication, and are not restricted by any FirewallRuleSet.
# N.B.: weak security, since MAC addresses are easy to spoof.
# MAC例外(不受任何限制)
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:010:0D

# Parameter: PasswordAuthentication
# Default: no
# Set to yes (or true or 1), to require a password matching
# the Password parameter to be supplied when authenticating.  
# 是否启用密码保护
#
# PasswordAuthentication no
# Parameter: Password
# Default: none
# Whitespace delimited string that is compared to user-supplied
# password when authenticating.  
# 启用密码保护后使用的密码
#
# Password nodog
# Parameter: UsernameAuthentication
# Default: no
# Set to yes (or true or 1), to require a username matching
# the Username parameter to be supplied when authenticating.  
# 是否启用登陆用户名
#
# UsernameAuthentication no
# Parameter: Username
# Default: none
# Whitespace delimited string that is compared to user-supplied
# username when authenticating.  
# 启用登陆用户名后使用的用户名
#
# Username guest
# Parameter: PasswordAttempts
# Default: 5
# Integer number of failed password/username entries before
# a user is forced to reauthenticate.
# 用户名和密码重试次数(超过规定次数后需要重新授权)
#
# PasswordAttempts 5
# Parameter: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
# 是否启用流量控制(流量控制总开关)
#
# TrafficControl no
# Parameter: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done.
# 最大下载流量(0 为无限制)
#
# DownloadLimit 384
# Parameter: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
# speed from the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 128 kbit
# upload speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 64.
# A value of 0 means no upload limiting is done.
# 最大上传流量(0 为无限制)
#
# UploadLimit 64
# Paramter: GatewayIPRange
# Default: 0.0.0.0/0
#
# If TrafficControl is enabled, this sets the maximum download
# speed to the GatewayInterface, in kilobits per second.
# For example if you have an ADSL connection with 768 kbit
# download speed, and you want to allow about half of that
# bandwidth for the GatewayInterface, set this to 384.
# A value of 0 means no download limiting is done
# 流量控制网段设置
#
# GatewayIPRange 0.0.0.0/0

本文章由 http://www.wifidog.pro/2015/04/25/nodogsplash%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E8%AF%B4%E6%98%8E.html 整理编辑,转载请注明出处

openwrt 利用nodogsplash 实现简单的广告路由

实现功能: 设备连上路由后,当打开浏览器上网时,浏览器上会显示欢迎画面,当用户点击继续上网后,会正常连接网络,访问之前请求网页。

需要做的工作:
将 nodogsplash 编译进openwrt 镜像,
首先在源码目录中运行

make menuconfig 

在 network/capitive portals 下 将 nodogsplash选上。如果没有nodogsplash选项的话,需要更新openwrt packet ,具体方法如下:
openwrt 源码目录下执行

./scripts/feeds  update routing
./scripts/feeds install -a 

之后应该就可以在menuconfig 界面看到 nodogsplash 选项了。

选择上nodogsplash 之后就可以编译了,还是 make V=99

编译之后就可以看到 nodogsplash 被解压编译目录为

build_dir/target-mips_34kc_uClibc-0.9.33.2/nod ogsplash-0.9_beta9.9.8 

可以在该目录下对部分网页文件进行修改,毕竟nodogsplash 自带的欢迎界面很简单,可以改成自己的。

编译完成,烧写镜像。之后重启路由,找个设备连接该路由,打开浏览器随便点个网页,会发现自己设置的欢迎界面。

本文章由 http://www.wifidog.pro/2015/04/25/nodogsplash-openwrt.html 整理编辑,转载请注明出处

openwrt 安装nodogsplash 并配置conf

Splash page: nodogsplash
Install the package:

root@OpenWrt:~# opkg install nodogsplash

The configuration file is in /etc/nodogsplash/nodogsplash.conf

GatewayInterface wlan0

FirewallRuleSet authenticated-users {
  FirewallRule block to 192.168.0.0/16
  FirewallRule block to 10.0.0.0/8

  # Serveur de fichiers
  FirewallRule allow tcp port 80 to 172.16.42.2

  # respectivement: DNS, http, https, ssh
  FirewallRule allow tcp port 53
  FirewallRule allow udp port 53
  FirewallRule allow tcp port 80
  FirewallRule allow tcp port 443
  FirewallRule allow tcp port 22
}

FirewallRuleSet preauthenticated-users 
{
  # DNS
  FirewallRule allow tcp port 53
  FirewallRule allow udp port 53

  # Splash page
  FirewallRule allow tcp port 80 to 172.16.42.1
}

GatewayName librenet-m2-sud
RedirectURL http://partage.m2.bidon.ca/
TrafficControl yes
UploadLimit 128

On peut modifier le html de la splash page dans /etc/nodogsplash/htdocs/

本文章由 http://www.wifidog.pro/2015/04/23/openwrt-nodogsplash.html 整理编辑,转载请注明出处

nodogsplash配置刷完自带luci界面openwrt配置nodogsplash的方法

路由器刷完openwrt之后,连接到电脑,无线有线皆可。
用网线连接路由LAN口与电脑、
电脑打开cmd、
输入telnet 192.168.1.1回车

如果提示telnet不是可执行的命令、需要在
控制面板-程序-程序和功能-打开或关闭Windows功能、
把telnet服务端和telnet客户端勾选、确定、
执行上述命令后将登录到路由、我们设密码、
输入

passwd root

提示

Changing password for root

New password:
输入密码、这里注意、你输入时屏幕不会有反应、输入完密码回车就是了、
提示
Retype password:
再次输入密码、输入完回车、
虽然在telnet里也可以配置联网、但是我建议使用winSCP来配置、比较清晰、操作也比较方便、
下载winSCP、运行、
主机名填写 192.168.1.1
端口默认22
用户名 root
密码输入你刚刚设置的密码、
协议设置为SCP
点登录、
可能会提示group错误、确定就是了、不会有影响、

点 ..
这个图标回到上级文件夹、
进入到/etc/config/ 文件夹、就可以配置了
开始配置
1.打开/etc/config/wireless文件,加入

config wifi-iface
    option device radio0 #如果是USB外置网卡改为radio1
    option network lan1
    option ifname ath1
    option mode ap
    option ssid nodogsplash

2.打开/etc/config/network文件,加入

config 'interface' 'lan1'
    option 'ifname' 'ath1'
    option 'proto' 'static'
    option 'macaddr' '01:1B:24:D3:1F:37'
    option 'ipaddr' '192.168.9.1'
    option 'netmask' '255.255.255.0'

3.打开/etc/config/dhcp,加入

config dhcp lan1
    option interface lan1
    option start 100
    option limit 150
    option leasetime 12h

4.打开/etc/nodogsplash/nodogsplash.conf,修改

GatewayInterface ath1 #在第九行。

ClientForceTimeout 360 #验证过期时间,单位分钟。

RedirectURL #登录后强制跳转地址。

5.自定义WEB页面在/etc/nodogsplash/htdocs

6.启动项加入/etc/init.d/nodogsplash start 重启连上ssid打开任意网页看效果。

本文章由 http://www.wifidog.pro/2015/04/23/nodogsplash%E9%85%8D%E7%BD%AEopenwrt-luci.html 整理编辑,转载请注明出处