Slashdot Mirror

← Back to Stories (view on slashdot.org)

Providing a Whitelisted Wireless Hotspot?

Posted by timothy on from the devil-in-the-details dept.

Ploxis writes "I volunteer some of my day managing a small network (and a ragtag band of computers) for a local nonprofit. I have been asked to set up a second, open, independent wireless network on site that will provide cost-free broadband Internet access to patrons. The catch is that they want to provide access only to a select group of about 25 websites while disallowing everything else. No objectionable sites, no mundane but non-relevant sites such as online banking or YouTube, and no other activities such as P2P or IM. They only want HTTP and HTTPS activity from a set of whitelisted websites." For the rest of Ploxis's question and his intial thoughts on making this happen, read on below. "They'd also like any non-whitelisted URL to be redirected to a 'splash page,' which would just be some HTML providing a list of allowed sites by category. I'd host this page internally on the network. Their primary concerns are liability for access of illegal/objectionable materials and conserving their bandwidth, while still providing access to specific relevant tools online. My initial thought was simply an open wireless router, a set of remarkably restrictive firewall rules, and an in-house server as a custom DNS ... but that's pretty shaky (i.e. anyone specifying their own DNS can still get at whatever they want). I assume they'll need a router with some pretty significant traffic management capabilities as well, but that's not something I've investigated before. Anyone's experiences, recommendations, case studies, or maps of similar networks would be greatly appreciated."

16 of 58 comments (clear)

  1. Get an old machine put Linux on it... by BitterOldGUy · · Score: 2, Informative

    and turn it into a router and make a domain for those folks?

  2. Squid by eln · · Score: 4, Informative

    Configure a linux box as a router, put squid on it, set up your whitelist, and you're all set.

    1. Re:Squid by eln · · Score: 4, Informative

      I should also add there's some iptables stuff involved too, but if you know the terms "squid" and "transparent proxy", Google will give you plenty of pages telling you how to set it up.

    2. Re:Squid by mikael_j · · Score: 2, Informative

      Squid was my first thought as well, configure it as a transparent proxy and redirect all non-allowed traffic to the splash page. Combine that with firewall rules that block all non-DNS and non-HTTP traffic.

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    3. Re:Squid by cbiltcliffe · · Score: 2, Informative

      pfSense has got this built in.
      Install it on an old Pentium 266-400 or so, with 256MB RAM, if you can, and check the captive portal section.
      Set your client WAP up on a NIC by itself, and you can configure captive portal on that interface. Ensure your login page has no login options...just a "You can't go here" type of thing.
      Then, set up your allowed sites in the captive portal whitelist.
      Problem solved, and you've stopped another machine from ending up in a landfill.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:Squid by Architect_sasyr · · Score: 2, Informative

      I would suggest that adding a pac.localdomain to DNS might (might mind) be better. Write a proxy auto-configuration file and don't permit any access to the outside world (i.e. turn off ip4_forward and use iptables rules to enforce just in case). That way you don't have to worry about transparent connections (which sometimes cause issues with certain pages - like "submit" on /. every now and then for me here) and you can sort-of monitor HTTPS connections as well.

      Just a thought, annihilate at will.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    5. Re:Squid by simcop2387 · · Score: 2, Informative

      thats not exactly true, you can have many per ip address for both http and https, BUT along with a squid proxy, you could also filter dns queries to other domains since https doesn't cover that.

  3. pfSense by Fez · · Score: 2, Informative

    Sounds like something that pfSense might be able to do, between squid and maybe the captive portal.

    1. Re:pfSense by bill_mcgonigle · · Score: 2, Informative

      Not even that complex. I wrote a little tutorial, here - just invert the meaning of the block rule and add a default deny.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. mod_proxy by ak_hepcat · · Score: 4, Informative

    mod_proxy, mod_rewrite

    your friends at apache have most of the work done for you. All you have to do is slap it together and write some custom rules.

    Linux as a firewall, to make sure that all http/http traffic gets redirected through the proxy

    if the hostname in the url doesn't match what's in your rewrite rules (aka, to pass through) then rewrite it to your custom splash page.

    no need for wacky dns tricks here.

    --
    Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
  5. Untangle Pro by Russianspi · · Score: 2, Informative

    Untangle's pro version should allow this. Maybe they have a discount for non-profits?

  6. tinyproxy by argent · · Score: 4, Informative

    Instead of squid, use tinyproxy. You're not primarily interested in caching, you're interested in access control. Tinyproxy gives you much finer control of that, and it's also ... well ... tiny.

    Just set up a "no proxy" rule for the sites you want them to get to, and redirect everything else to a 404 server.

    1. Re:tinyproxy by oyenstikker · · Score: 4, Informative

      As the stated goals are to provide access to a very small number of pages and limit bandwidth, caching is a great idea.

      --
      The masses are the crack whores of religion.
  7. OpenDNS? by jabithew · · Score: 2, Informative

    OpenDNS were talking about adding this as a pay-for service, which would be cheaper and easier than setting up a dedicated Linux box, which is the normal proposed solution to any problem posed to Slashdot.

    Incidentally, the thread I linked has some other solutions posted in it.

    --
    All intents and purposes. Not intensive purposes.
  8. Dont forget to include dependencies! by coryking · · Score: 2, Informative

    Whatever you do, make sure you whitelist any dependencies these 25 websites use. I'm thinking of things like google-analytics, any kind of javascript library that is third-party hosted (Google Code or YUI) and ad code here. If you whitelist those as well, your patrons browsers might act a little funky depending on your solution.

  9. Re:Forget it by coryking · · Score: 3, Informative

    Wont work. The days of IP's meaning anything are long over. You are best to assume they will change in a week.

    These 25 sites could be using round-robin DNS and change their IP every DNS lookup. They could be using some load balancer that plays games with DNS and hops you around the globe depending on their mood. You have no idea how they manage their IP space and you are insane to try :-)

    Squid is a much better solution. You can get squid to whitelist by domain.

    But seriously, the greater internet nerd contingent needs to get it in their head that the days of IP addresses being useful as any kind of fixed or even temporary identifier are over.