Troubleshooting NoCat

If you run into problems configuring or using NoCat, three useful troubleshooting tools are the NoCat log file (/usr/local/nocat/nocat.log), the Ethereal protocol analyzer, and IPtables. Here are descriptions of a couple of troubleshooting sessions I was involved in. Hopefully, they will give you some hints about how you might cure your own troubles.

Trouble #1: Allowing a Redirected Site

Basically, what you’re doing here is following the directions for Test #6 and Test #7, but using greendept.org instead of rockisland.com. It doesn’t work. Ethereal and IPtables reveal the problem, suggesting a solution.

1. Edit nocat.conf as follows:

GatewayName: My greendept-only NoCat Portal

AllowedWebHosts: greendept.org

MembersOnly 1

GatewayMode Open

2. Edit splash.html to redirect to www.greendept.org. (See the section All Roads Lead to Rome for instructions on editing splash.html.)

3. Reboot the server and start the gateway.

4. On the client, type www.google.com in the browser address bar, or attempt to refresh the Google screen, if it is already open. You get the NoCat splash screen, as shown in Figure 10-7 or 10-8 (depending on whether this is the first login or a subsequent login). So far, everything is going the same as in Test #6 and Test #7.

5. Click “Login.” At this point, you would expect to be redirected to www.greendept.org. Instead, you get the splash screen again.What is wrong?

6. In a new terminal window, at the Linux command prompt, type IPtables –L. You should see something like the following:

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy ACCEPT)

target prot opt source destination

NoCat all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain NoCat (1 references)

target prot opt source destination

NoCat_Ports all -- anywhere anywhere

NoCat_Inbound all -- anywhere anywhere

ACCEPT all -- 192.168.2.0/24 anywhere MARK match 0x1

ACCEPT all -- 192.168.2.0/24 anywhere MARK match 0x2

ACCEPT tcp -- 192.168.2.0/24 216.218.203.211 tcp dpt:http

ACCEPT tcp -- 216.218.203.211 192.168.2.0/24 tcp spt:http

ACCEPT tcp -- 192.168.2.0/24 216.218.203.211 tcp dpt:https

ACCEPT tcp -- 216.218.203.211 192.168.2.0/24 tcp spt:https

ACCEPT tcp -- 192.168.2.0/24 ip-64-202-167-129.secureserver.net tcp dpt:http

ACCEPT tcp -- ip-64-202-167-129.secureserver.net 192.168.2.0/24 tcp spt:http

ACCEPT tcp -- 192.168.2.0/24 ip-64-202-167-129.secureserver.net tcp dpt:https

ACCEPT tcp -- ip-64-202-167-129.secureserver.net 192.168.2.0/24 tcp spt:https

ACCEPT all -- dslrouter 192.168.2.0/24

ACCEPT tcp -- 192.168.2.0/24 dslrouter tcp dpt:domain

ACCEPT udp -- 192.168.2.0/24 dslrouter udp dpt:domain

ACCEPT all -- apollo.rockisland.com 192.168.2.0/24

ACCEPT tcp -- 192.168.2.0/24 apollo.rockisland.comtcp dpt:domain

ACCEPT udp -- 192.168.2.0/24 apollo.rockisland.comudp dpt:domain

ACCEPT all -- mars.rockisland.com 192.168.2.0/24

ACCEPT tcp -- 192.168.2.0/24 mars.rockisland.comtcp dpt:domain

ACCEPT udp -- 192.168.2.0/24 mars.rockisland.comudp dpt:domain

DROP tcp -- !216.218.203.211 anywhere tcp dpt:5280

DROP all -- anywhere anywhere

Chain NoCat_Inbound (1 references)

target prot opt source destination

ACCEPT all -- anywhere 192.168.2.100

Chain NoCat_Ports (1 references)

target prot opt source destination

DROP tcp -- anywhere anywhere tcp dpt:smtp MARK match 0x3

DROP udp -- anywhere anywhere udp dpt:smtp MARK match 0x3

This printout shows six “chains”—six linkable sequences of firewall rules. (Each line is a rule.) When the firewall receives an IP packet, the packet has to “run the gauntlet” of six chains, in order, from top to bottom.Within each chain, rules are processed in order, unless control is passed to another chain. If control is passed, than the other chain is executed, after which control is passed back to the first chain. At any point, a rule may indicate that the packet should be accepted or dropped.

The INPUT and OUTPUT chains deal with packets originating or terminating in the Linux box itself. NoCatAuth is interested only in packets originating or terminating outside the Linux box. Therefore, the INPUT and OUTPUT chains are empty, and you can ignore them. The FORWARD chain deals with packets originating outside the Linux box, and the one rule in that chain simply says to pass all packets to the NoCat chain.

The NoCat chain does the following:

1. First rule: Passes the packet to the NoCat_Ports chain, where the packet is dropped if it is Public class traffic on a port that is disallowed in the ExcludePorts parameter in the nocat.conf file. (The MARK section on the far right indicates Public class with the hexadecimal number 0  3. Owner class is 0  1, and Co-op class is 0  2. See/usr/local/libexec/nocat/initialize.fw.)

The “mark match” extension is used to match packets based on “marks.” A mark is a special field, maintained only within the operating system kernel, while the packets travel through the computer. This was previously done with the FWMARK target in ipchains, and many people still refer to FWMARK even when dealing with IPtables.

2. Second rule: Passes the packet to the NoCat_Inbound chain, where it is accepted if its destination is the client (192.168.2.100).

3. Third rule: Accepts all Owner class traffic from the internal network (192.168.2.0/24).

(The /24 is the same as a subnet mask of 255.255.255.0. That is, it means that only the first three sections of the IP address are significant. The last section can be anything.)

4. Fourth rule: Accepts all Co-op class traffic from the internal network.

5. Next four rules: Accept everything, coming or going, between the internal network (192.168.2.0/24) and 216.218.203.211 (http://nocat.net).

6. Next four rules: Accept everything, coming or going, between the internal network (192.168.2.0/24) and ip-64-202-167-129.secureserver.net.

7. Thirteenth rule: Accept everything originating in the DSL router and going to the internal network. This would typically be DNS or DHCP traffic. (Other traffic passes through the DSL router, but does not originate in it.)

8. The next eight rules all have to do with accepting DNS-related traffic. (Rockisland.com’s DNS servers were being used.)

9. The last two rules drop traffic that has made it this far without being accepted anywhere. The key to the problem lies in the rules concerning ip-64-202-167-129.secureserver. net (step 6 above). One would expect to find rules concerning greendept.org here, since that is the site listed in AllowedWebHosts. However, when NoCatAuth sent out a DNS query to find out where to send traffic for greendept.org, it was told, in effect, that ip-64-202-167-129.secureserver.net was taking calls for greendept.org. NoCatAuth did not know that this address refers to a Web forwarding service that forwards traffic for greendept.org to still another domain.

Which other domain? Type www.greendept.org in the address bar of the browser on the Linux machine. (Use the Linux machine, because the client can’t contact greendept.org at the moment.) You see that you are redirected to a page at IP address 216.197.125.252 (see Figure 10-9). This redirection is not set in stone, by the way, so it could have changed by the time you read this. However, the principles remain applicable.)

What is happening is something like this: The browser on the client sends out a request for greendept.org. The Web forwarding service raises its hand and says, “That’s mine.” At this point, NoCatAuth creates the rules in the firewall, using the address of the Web forwarding service (ip-64-202-167-129.secureserver.net). However, when the browser actually requests a page, the Web forwarding service tells the browser that the page has been moved to 216.197.125.252.When the browser tries to access it there, the firewall won’t let it, because there are no rules permitting traffic to or from 216.197.125.252.

You can confirm this scenario using Ethereal. Refer to Figure 10-10 for the following instructions.

1. Bring up Ethereal. (In Red Hat: Internet More Internet Applications Ethereal.)

2. Click the left-hand button, “Start New Capture.”

3. In the “Ethereal: Capture Options” dialog, click the “Capture Interface” drop-down menu and select “Pseudo-device that captures on all interfaces.”

4. In the “Filter” box, type something of the form host 192.168.2.100, but substituting the address of your client machine. This will limit the capture to packets to and from the client.

5. Select the check boxes for “Update list of packets in real time” and “Automatic scrolling in live capture.”

6. Click OK at the bottom of the dialog. Ethereal starts capturing packets.

7. Try to access greendept.org from the client. You see a burst of packets in the Ethereal capture window.When the burst of activity is over, click the Stop button in Ethereal. In Ethereal’s capture window, you will see something resembling Figure 10-11.

In line 6 (the first line displayed in the figure), the client requests the page from the Web forwarding service (64.202.167.129). This traffic is allowed, because the firewall is set up to allow communication with the Web forwarding service.

However, in line 8, the Web forwarding service informs the client that the page has “Moved

Permanently.”

In line 10, the client starts communicating with 216.197.125.252. Clearly (though the packet

capture display doesn’t show this), the client has been told that the file is at 216.197.125.252.

In line 27, NoCatAuth (192.168.2.254) tells the client that the page has moved.

In line 34, the client once again tries to get the page from the forwarding service.

Once again, the Web forwarding service tells the client that the page has moved permanently

(line 36) and the client turns once again to 216.197.125.252 (line 38).

In line 45, 216.197.125.252 tells the client that the page has moved.

After that, the conversation is almost entirely between the client and NoCatAuth

(192.168.2.254), culminating in loading the splash page. For instance, in line 69, the client

requests /images/login.gif, which is one of the images on the splash page.

Although you might have to be a bit guru-ish to follow the details, the general plot-line seems

to confirm the surmise you formed by looking at IPtables.

The solution is straightforward: Add 216.197.125.252 to AllowedWebHosts.With both

greendept.org and 216.197.125.252 in AllowedWebHosts, the firewall rules will allow

both the Web forwarding service and 216.197.125.252, and you will get the requested page.

Trouble #2: The Eternal Splash

The most serious problem that I encountered when trying to use the AllowedWebHosts

parameter was clients getting caught in a cycle of endless splash screens, even when requesting

a site that had been accessible in previous tests. I can’t give you step-by step instructions

for replicating this problem, but I won’t be a bit surprised if you run into it on your own.

Here’s a snippet of the NoCat log from the period of time in question:

[2004-02-12 17:53:54] Peer 12.40.110.242 requests

liveupdate.symantecliveupdate.com

[2004-02-12 17:53:54] Capturing peer 12.40.110.242

[2004-02-12 17:53:54] Spawning child process 30554.

[2004-02-12 17:53:54] Connection to 12.40.110.1 from 12.40.110.242

[2004-02-12 17:53:54] Peer 12.40.110.242 requests 12.40.110.1

[2004-02-12 17:53:54] Displaying splash page to peer 12.40.110.242

[2004-02-12 17:54:02] Spawning child process 30555.

[2004-02-12 17:54:02] Connection to 12.40.110.1 from 12.40.110.242

[2004-02-12 17:54:02] Peer 12.40.110.242 requests

liveupdate.symantecliveupdate.com

[2004-02-12 17:54:02] Capturing peer 12.40.110.242

[2004-02-12 17:54:03] Spawning child process 30556.

[2004-02-12 17:54:03] Connection to 12.40.110.1 from 12.40.110.242

[2004-02-12 17:54:03] Peer 12.40.110.242 requests 12.40.110.1

[2004-02-12 17:54:03] Displaying splash page to peer 12.40.110.242

[2004-02-12 17:54:16] Spawning child process 30558.

[2004-02-12 17:54:16] Connection to 12.40.110.1 from 12.40.111.238

[2004-02-12 17:54:16] Peer 12.40.111.238 requests www.livejournal.com

[2004-02-12 17:54:16] Capturing peer 12.40.111.238

[2004-02-12 17:54:16] Spawning child process 30559.

[2004-02-12 17:54:16] Connection to 12.40.110.1 from 12.40.111.238

[2004-02-12 17:54:16] Peer 12.40.111.238 requests 12.40.110.1

[2004-02-12 17:54:16] Displaying splash page to peer 12.40.111.238

[2004-02-12 17:54:16] Spawning child process 30560.

[2004-02-12 17:54:16] Connection to 12.40.110.1 from 12.40.111.238

[2004-02-12 17:54:16] Peer 12.40.111.238 requests 12.40.110.1

[2004-02-12 17:54:16] Displaying splash page to peer 12.40.111.238

The problem here appears to be a Symantec virus checker trying to check its home site for updates to its virus definitions. The requests are refused (because the virus checker’s home site is not in AllowedWebHosts), causing the Windows client to return to the splash screen. The one “legal” request (for greendept.org, for instance—not shown above) is lost in a hail storm of “illegal” requests made by the virus checker.

Another culprit in a similar incident was an e-mail program that automatically tries to connect to a particular Web site, to display news headlines and so on. Many programs now generate network traffic automatically, and sometimes repetitively and insistently. One solution to this problem is simply to allow such traffic. The log file will tell you which domains you need to put on the AllowedWebHosts list. However, it is likely that no matter how many domains you add, new ones will keep popping up. There are too many applications that access the network automatically to have any hope of offering a smooth experience for every user.

That said, you can offer a smoother and smoother experience over time, as you reconfigure your firewall rules to handle the vagaries of clients. If you need to add large numbers of rules, and Perl scripting is an option for you (either because you know Perl or are willing to learn it), considered modifying /usr/local/libexec/initialize.fw by adding rules at the end of the file.

Trouble #3: More Eternal Splash

Do not be lulled into thinking that you now know “the cause” of the eternally returning splash screen. There is an endless variety of problems that can cause this same symptom. You have to use troubleshooting tools such as the log file, IPtables and Ethereal to determine what is happening.

For instance, at one point, I put Google in AllowedWebHosts. NoCatAuth created a set of firewall rules with 216.239.57.104. That address indeed accessed Google when entered in the browser address bar. Everything worked fine the first time I tested via the gateway from a client, too. It looked like I was set.

However, the next time I tried to access Google through the gateway, I encountered the eternal splash. The log file just showed that the client was trying to access Google; there were no unexpected or extraneous requests as in the previous example.

Ethereal, however, showed that the client was trying to access 216.239.57.99 (which the firewall didn’t know about) instead of 216.239.57.104 (which the firewall did know about). So, instead of putting google.com in AllowedWebHosts, I put both IP addresses in. NoCatAuth created firewall rules for both addresses, and once again everything worked as expected in the first test.

It wasn’t long, though, before I was again encountering the eternal splash when I attempted to access Google. Consulting Ethereal, I found that the client was now attempting to access 216.239.53.99, which turned out to be another valid Google address, but not one covered in the firewall rules.

A little investigation (via Google searches!) educated me to the fact that Google had, at that time, over a dozen data centers, each of which could use many IP addresses. And it was adding a data center every few months!

One easy way to make Google one of a small group of allowed hosts is to put a link on the splash page with the IP address of the Google site that is in the firewall rule. That way, users are always asking for the IP address that the firewall knows about. You could even put in several links with different IP addresses for Google, in case one of them doesn’t work for some reason.

Another option, of course, is to comment out MembersOnly 1, which allows users to access any site on the Web after clicking the Login (or Continue) button. In other words, give your users Google by giving them the whole Web.

Summary

In this chapter, you’ve learned the basics required to successfully install, configure, and troubleshoot the NoCatAuth “captive portal,” which will help you secure, manage, and monitor your free wireless hotspot. If you have actually succeeded at this task, you probably have a gorgeous cathode ray tan by now, and have not seen daylight or your friends for days, possibly weeks. Time for some outdoor fun! Read on to Chapter 11, “Playing Access Point Games,” for a fox hunt (you’re the fox), driving games, chatting, and other ways to be sociable wirelessly.