I. Porting the wifidog function
1. Feature overview
wifidog is a tool that makes devices on the router's LAN (both Wi-Fi and wired clients) pass portal authentication before they can reach the internet. It is mainly used for authenticating phones: after a phone joins the Wi-Fi it automatically opens a browser and is taken to a login page, the user fills in their details there and submits them to the backend for authentication, and only users accepted by the backend authentication server are allowed online.
(Note: a phone only pops up the browser window automatically at the moment it joins the Wi-Fi; a PC joining the network does not open a browser by itself. When no browser window pops up, the login page appears once you open a browser manually and visit a website.)
2. Enabling wifidog and nginx in the build configuration
make menuconfig
Network —>
Captive Portals —>
< * > wifidog
Web Servers/Proxies —>
< * > nginx
(Note: nginx is a high-performance HTTP and reverse-proxy web server. Because I placed the "login" page on the router itself (in the original flow the client fetches the page directly from the authentication server), a local web server is needed so that the phone's browser can reach the page on the local gateway, which is why nginx is enabled here as well.)
3. Configuring wifidog and nginx
1. wifidog configuration
【 /etc/wifidog.conf 】
GatewayID wdog_id01
ExternalInterface eth0
GatewayInterface br-lan
GatewayPort 2060            # port wifidog listens on
HTTPDMaxConn 100
CheckInterval 60
ClientTimeout 50
Daemon 1
AuthServer {
    Hostname www.server.com   # address of the authentication server
    SSLAvailable no
    HTTPPort 80
    Path /wifidog/            # request path on the server
}
# There can be several AuthServer blocks; wifidog tries them in order until it finds a usable authentication server
FirewallRuleSet global {
}
FirewallRuleSet validating-users {
    FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet unknown-users {
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}
Start wifidog:
/etc/init.d/wifidog start
or: wifidog -f -d 7 &    (run this way in the foreground, wifidog prints its log messages to the terminal)
Expected result:
a phone joining the LAN Wi-Fi automatically pops up a browser window.
2. Configuring nginx
(Note: the purpose of this step is to let LAN devices reach a web page hosted locally, here the local login page. If the login page is not hosted locally, skip this step.)
【 vi /etc/nginx/nginx.conf 】
http {
    server {
        listen 7878;                            # listening port; must not clash with the router's web UI port
        location / {
            root /home/nginx/;                  # local directory holding the pages
            index index.html index.htm index.php;   # php pages can be served as well
        }
        ... ...
    }
}
Download a simple index.html page and copy it to the local directory "/home/nginx/".
Start nginx:
/etc/init.d/nginx start
Expected result:
a LAN device's browser visiting "http://192.168.9.1:7878" is served the /home/nginx/index.html page. (192.168.9.1 is the LAN gateway address.)
3. Checking the processes
root@OpenWrt:/# netstat -tunlp
tcp 0 0 0.0.0.0:7878 0.0.0.0:* LISTEN 4187/nginx.conf
tcp 0 0 192.168.9.1:2060 0.0.0.0:* LISTEN 18693/wifidog
II. How wifidog works
1. Authentication flow diagram
The diagram below is a flowchart I put together myself; for the flowchart on the wiki site, see the link.
2. Authentication flow
(1) The user's browser requests a website, e.g. www.baidu.com; at the gateway firewall the request to port 80 is redirected to the local wifidog listening port 2060;
(2) The gateway returns to the user a login request URL on the authentication server;
(3) The client requests the login page from the authentication server;
(4) The server returns a login page to the user; (here, because I keep the login page on the local router, it returns a redirect to the local gateway address instead)
(5) On the login page the user submits their details (such as username and password), which are sent to the authentication server; the server checks whether they are valid and whether the user may go online;
(6) If the user is allowed online, the authentication server returns a redirect to the gateway's wifidog listening port, with a token in the URL;
(7) The user sends the token to the gateway's wifidog, which adds the client to its client list;
(8) wifidog sends the token to the authentication server for verification;
(9) If verification passes, the server returns "Auth: 1" to the gateway; if it fails, "Auth: 0"; (this can be used to implement allow and deny lists)
(10) On success the gateway adds a firewall rule allowing that user and returns a redirect to the server's success page; on failure the user is sent back to the login page;
(11) The user requests the success page from the server;
(12) The server returns the success page to the user;
Supplement:
In step (4) the normal flow is for the authentication server to return the login page directly. Because I placed the login page on the local gateway, it returns a redirect to port 7878 on the local gateway (the nginx port) instead, so the diagram has two extra steps, (a) and (b), that fetch the login page from the gateway;
In step (8), requests during the authentication phase carry "stage=login"; after successful authentication, a request with "stage=counters" is sent to the server every minute by default.
wifidog also sends a periodic ping message to the server, which can be used to report some local information; once the authentication server has received it, it answers wifidog with "Pong".
After successful authentication, as long as the corresponding allow rule remains in the firewall, the user does not need to authenticate again when reconnecting later and can go online directly.
III. Firewall rule analysis
1. NAT table
root@OpenWrt:/# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1238 packets, 374K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 WiFiDog_br-lan_Outgoing  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0      # wifidog chain hooked in here

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  283 17585 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain WiFiDog_br-lan_AuthServers (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            47.114.115.89        # traffic to the auth server's port 80 is not redirected

Chain WiFiDog_br-lan_Global (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain WiFiDog_br-lan_Outgoing (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 WiFiDog_br-lan_WIFI2Router  all  --  *      *       0.0.0.0/0            192.168.9.1          # 192.168.9.1:80 is not redirected
    0     0 WiFiDog_br-lan_WIFI2Internet  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain WiFiDog_br-lan_Unknown (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 WiFiDog_br-lan_AuthServers  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WiFiDog_br-lan_Global  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 2060   # port 80 redirected to port 2060, i.e. to wifidog

Chain WiFiDog_br-lan_WIFI2Internet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2   # packets marked 0x2 are not redirected to the wifidog port, i.e. the client is allowed out
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1   # likewise for packets marked 0x1
    0     0 WiFiDog_br-lan_Unknown  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain WiFiDog_br-lan_WIFI2Router (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2. MANGLE table
root@OpenWrt:/# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 678 packets, 96472 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 WiFiDog_br-lan_Trusted  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 WiFiDog_br-lan_Outgoing  all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 564 packets, 57225 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 WiFiDog_br-lan_Incoming  all  --  *      br0     0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 204 packets, 51351 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 204 packets, 51351 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain WiFiDog_br-lan_Incoming (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1926 1272K ACCEPT     all  --  *      *       0.0.0.0/0            192.168.9.100

Chain WiFiDog_br-lan_Outgoing (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1830  313K MARK       all  --  *      *       192.168.9.100        0.0.0.0/0            MAC 58:C6:F0:DC:20:97 MARK set 0x2   # this client is allowed through

Chain WiFiDog_br-lan_Trusted (1 references)
 pkts bytes target     prot opt in     out     source               destination
3. FILTER table
root@OpenWrt:/# iptables -t filter -nvL
Chain INPUT (policy ACCEPT 151 packets, 13424 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9761 1117K CUSTOMIN   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
21979   14M CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
21979   14M CUSTOMMAC  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WiFiDog_br0_WIFI2Internet  all  --  br0    *       0.0.0.0/0            0.0.0.0/0   +++++

Chain OUTPUT (policy ACCEPT 76 packets, 7959 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2628  895K CUSTOMOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMIN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMMAC (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain WiFiDog_br0_AuthServers (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            47.114.115.89

Chain WiFiDog_br0_Global (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination

Chain WiFiDog_br0_Known (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain WiFiDog_br0_Locked (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain WiFiDog_br0_QOS_Known (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination

Chain WiFiDog_br0_Unknown (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain WiFiDog_br0_Validate (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain WiFiDog_br0_WIFI2Internet (1 references)   +++++
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 TCPMSS     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
    0     0 WiFiDog_br0_AuthServers  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WiFiDog_br0_Locked  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x254
    0     0 WiFiDog_br0_Global  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WiFiDog_br0_Validate  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
    0     0 WiFiDog_br0_Known  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2
    0     0 WiFiDog_br0_QOS_Known  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 WiFiDog_br0_Unknown  all  --  *      *       0.0.0.0/0            0.0.0.0/0
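The per-client MARK rules in the mangle table are what actually grant access, and, as noted in section II, they keep granting it for as long as they exist. The following is an added example (not code from this post or from wifidog) that parses a constructed dump in the same format as the `iptables -t mangle -nvL` output above, lists the clients currently marked, and flags 0x2 allow rules that have no matching session on the authentication server; the sample rules and the session list are constructed values.

```python
import re

# Constructed sample in the format of the `iptables -t mangle -nvL` dump above
SAMPLE_MANGLE = """\
Chain WiFiDog_br-lan_Outgoing (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1830  313K MARK       all  --  *      *       192.168.9.100        0.0.0.0/0            MAC 58:C6:F0:DC:20:97 MARK set 0x2
   12   900 MARK       all  --  *      *       192.168.9.101        0.0.0.0/0            MAC 00:11:22:33:44:55 MARK set 0x2
    3   200 MARK       all  --  *      *       192.168.9.102        0.0.0.0/0            MAC AA:BB:CC:DD:EE:FF MARK set 0x1
Chain WiFiDog_br-lan_Trusted (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

MARK_KNOWN = "0x2"   # authenticated client; 0x1 is the mark the filter table sends to the Validate chain

# One MARK rule: counters, target, proto, opt, in, out, source, destination, MAC, mark
RULE = re.compile(r"^\s*\d+\s+\S+\s+MARK\s+all\s+--\s+\S+\s+\S+\s+(\S+)\s+\S+\s+"
                  r"MAC\s+(\S+)\s+MARK set (0x[0-9a-fA-F]+)")


def parse_marked_clients(dump):
    """Return {ip: (mac, mark)} for every MARK rule inside a WiFiDog_*_Outgoing chain."""
    clients, in_chain = {}, False
    for line in dump.splitlines():
        if line.startswith("Chain "):
            in_chain = "_Outgoing" in line    # only the per-client chain is of interest
            continue
        m = RULE.match(line) if in_chain else None
        if m:
            ip, mac, mark = m.groups()
            clients[ip] = (mac.lower(), mark)
    return clients


def stale_allow_rules(dump, sessions):
    """IPs whose 0x2 allow rule has no matching (ip, mac) session on the auth server:
    such clients stay online although the server no longer has a session for them."""
    live = {(ip, mac.lower()) for ip, mac in sessions}
    return sorted(ip for ip, (mac, mark) in parse_marked_clients(dump).items()
                  if mark == MARK_KNOWN and (ip, mac) not in live)
```

Feed it the real dump (`iptables -t mangle -nvL` on the gateway) and the session list exported from the authentication server to find allow rules that outlived their session.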
IV. Authentication server
Note: the authentication-server code below is simple code I wrote for testing and is meant for testing only.
1. Redirecting to the login page
【 wifidog/login/index.php 】
<?php
// Send the client on to the login page hosted on the gateway (nginx, port 7878),
// passing along the query string wifidog attached (gw_address, gw_port, gw_id, ip, mac, url)
$url = "http://192.168.9.1:7878";
echo "<script language='javascript' type='text/javascript'>";
echo "window.location.href='$url'+window.location.search";
echo "</script>";
//redirect('http://192.168.9.1:2060/wifidog/auth', 'location', 302);
?>
2. Login page
Note: this login page is stored on the local gateway, at "/home/nginx/index.html"
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>login</title>
<style>
body { background-image: url('./logo.jpg'); background-size: 100% 100%; }
.btn { width: 100%; margin-top: 120%; text-align: center; }
button { height: 40px; width: 200px; border: 0px; color: #fff; background-color: #FF0000; }
.form { margin-top: 80%; text-align: center; }
.submit { height: 40px; width: 250px; border: 0px; color: #fff; background-color: #3c59ff; }
.input { border: 1px solid #3c59ff; height: 40px; width: 150px; }
.pp { font-weight: bold; font-size: 18px; /* color: #fff; */ }
</style>
<script>
// Parse the query string (index.php forwards the parameters wifidog attached, plus error=1 on a failed login)
var $_GET = (function () {
    var url = window.document.location.href.toString();
    var u = url.split("?");
    if (typeof(u[1]) == "string") {
        u = u[1].split("&");
        var get = {};
        for (var i in u) {
            var j = u[i].split("=");
            get[j[0]] = j[1];
        }
        return get;
    } else {
        return {};
    }
})();
var $error = $_GET['error'];
if ($error) {
    if (confirm('账号密码有误! 请重新输入')) location.href = './'; else location.href = './';
    // if (confirm('The authentication information is incorrect. Please re-enter it.')) location.href = './'; else location.href = './';
}
</script>
</head>
<body>
<!-- One-click button authentication -->
<div class="btn" onclick="window.location.href = 'http://test.caimore.com/wifidog/login/login.php'"><button>申请token操作</button></div>
<div class="btn" onclick="window.location.href = 'http://192.168.9.1:2060/wifidog/auth?token=<?php echo md5(uniqid(rand(), 1)); ?>'"><button>跳过申请token</button></div>
<!-- Username/password authentication -->
<div class="form">
<form action="http://test.caimore.com/wifidog/login/userlogin.php" method="get">
<p class="pp">Username: <input class="input" type="text" name="username" /></p>
<p class="pp">Password: <input class="input" type="text" name="password" /></p>
<input class="submit" type="submit" value="Submit" />
</form>
</div>
</body>
</html>
3. Returning a token
【 wifidog/login/login.php  one-click authentication 】
<?php
// One-click authentication: issue a token and send the client to wifidog's auth endpoint (step 6)
$token = md5(uniqid(rand(), 1));
$url = 'http://192.168.9.1:2060/wifidog/auth?token=' . $token;
header('Location: ' . $url, true, 302);   // redirect() is not a PHP built-in; header() must be sent before any output
echo $url;
echo "<script language='javascript' type='text/javascript'>";
echo "window.location.href='$url'";
echo "</script>";
?>
【 wifidog/login/userlogin.php  username/password authentication 】
<?php
$username = $_GET['username'];
$password = $_GET['password'];
if ($username == 'admin' && $password == '123456') {   // authentication succeeded (hard-coded test credentials)
    $token = md5(uniqid(rand(), 1));
    $url = 'http://192.168.9.1:2060/wifidog/auth?token=' . $token;
    header('Location: ' . $url, true, 302);   // replaces the undefined redirect() helper; must precede any output
    echo $url;
    echo "<script language='javascript' type='text/javascript'>";
    echo "window.location.href='$url'";
    echo "</script>";
} else {   // authentication failed: back to the login page with error=1
    $url = "http://192.168.9.1:7878?error=1";
    echo "<script language='javascript' type='text/javascript'>";
    echo "window.location.href='$url'+window.location.search";
    echo "</script>";
}
?>
4. Returning the authentication result
【 wifidog/auth/index.php 】
<?php
// Test stub: answers "Auth: 1" for every token and every stage, so the gateway allows any client that reaches this step
echo "Auth: 1";
?>
5. Returning the success page
【 wifidog/portal/index.php 】
<?php
header("Location: http://www.baidu.com");
?>
6. Ping reply
【 wifidog/ping/index.php 】
<?php
echo "Pong";
?>
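The test stub in wifidog/auth/index.php answers "Auth: 1" to every request, so any token presented on port 2060 is accepted. The block below is an added Python model (not the post's PHP and not wifidog's own code) of the auth-server side of steps (5) to (9) in section II: login checks the credentials and issues a token bound to the gateway ID and client MAC, and the auth endpoint returns "Auth: 1" only for a token it issued, presented from the same gateway and client, that has not expired. The parameter names gw_address, gw_port, gw_id, ip, mac, stage and token are the ones wifidog puts in its query strings; the TTL and the user table are assumed test values.

```python
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL = 3600  # seconds a token stays valid after login (assumed policy value)

class AuthServer:
    """Auth-server side of the flow: login issues a token, /auth validates it."""

    def __init__(self, users):
        self.users = users   # username -> password (constructed test data)
        self.tokens = {}     # token -> {"gw_id", "mac", "issued", "last_seen"}

    def login(self, params, username, password, now=None):
        """params: the query wifidog appends when redirecting a client to the login
        page (gw_address, gw_port, gw_id, ip, mac, url). Returns the redirect URL
        carrying the token (step 6), or None when the credentials are wrong."""
        now = time.time() if now is None else now
        expected = self.users.get(username, "")
        if not expected or not secrets.compare_digest(expected, password):
            return None
        token = secrets.token_hex(16)   # CSPRNG token, bound to this client below
        self.tokens[token] = {"gw_id": params["gw_id"], "mac": params["mac"].lower(),
                              "issued": now, "last_seen": now}
        return "http://%s:%s/wifidog/auth?token=%s" % (
            params["gw_address"], params["gw_port"], token)

    def auth(self, query, now=None):
        """Handle the gateway's /wifidog/auth/?stage=...&token=... request (step 8);
        the returned body is what wifidog parses in step 9."""
        now = time.time() if now is None else now
        q = {k: v[0] for k, v in parse_qs(query).items()}
        token = q.get("token", "")
        rec = self.tokens.get(token)
        if rec is None:
            return "Auth: 0"              # unknown or revoked token
        if rec["gw_id"] != q.get("gw_id") or rec["mac"] != q.get("mac", "").lower():
            return "Auth: 0"              # token presented by another gateway or client
        if now - rec["issued"] > TOKEN_TTL:
            del self.tokens[token]        # expired; the gateway then drops its allow rule
            return "Auth: 0"
        if q.get("stage") == "counters":  # periodic traffic report sent after login
            rec["last_seen"] = now
        return "Auth: 1"

    def revoke(self, token):              # forget a session: the next counters report gets Auth: 0
        self.tokens.pop(token, None)

    def ping(self):                       # reply to wifidog's periodic ping
        return "Pong"
```

Because wifidog re-checks the token on every counters report, revoking a session on the server is enough to have the gateway remove the client's allow rule at the next check.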