mpeven/captive_portal.sh

## captive_portal.sh
# Captive portal setup
########################################################
sudo apt-get update -qq
sudo apt-get install -qq dnsmasq vim hostapd ufw dnsutils netstat-nat conntrack nginx php5 php5-common php5-fpm

sudo mkdir /usr/share/nginx/html/portal
sudo useradd nginx
sudo chown nginx:www-data /usr/share/nginx/html/portal
sudo chmod 755 /usr/share/nginx/html/portal
########################################################

############### Update network interfaces ##############
cat << EOF > /etc/network/interfaces
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

iface eth0 inet static
  address 10.10.0.1
  netmask 255.255.255.0
  network 10.10.0.0

allow-hotplug wlan1
iface wlan1 inet manual
  wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

auto wlan0
allow-hotplug wlan0
iface wlan0 inet static
  address 192.168.5.1
  netmask 255.255.255.0
  network 192.168.5.0
EOF
########################################################

################## Setup hostapd #######################
cat << EOF > /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=_wingnet-wifi_
channel=9
EOF
########################################################

########## make hostapd use new conf file ##############
sudo sed -i 's;\#DAEMON_CONF="";DAEMON_CONF="/etc/hostapd/hostapd.conf";' /etc/default/hostapd
########################################################

################ Setup dhcpd.conf ###################
sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.default
cat << EOF > /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.5.255;
option routers 192.168.5.1;
option domain-name-servers 192.168.5.1;
option domain-name "localdomain";
subnet 192.168.5.0 netmask 255.255.255.0 {
range 192.168.5.10 192.168.5.100;
}
EOF
########################################################

######### setup isc-dhcp-server INTERFACE ##############
sudo sed -i 's;\INTERFACES="";INTERFACES="wlan0 eth0";' /etc/default/isc-dhcp-server
########################################################

############## Setup dnsmasq.conf #####################
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
cat << EOF > /etc/dnsmasq.conf
address=/#/192.168.5.1
listen-address=127.0.0.1,192.168.5.1
port=53
bind-interfaces      # Bind to wifi interface
server=8.8.8.8       # Forward DNS requests to Google DNS
no-poll
bogus-priv           # Never forward addresses in the non-routed address spaces.
neg-ttl=3600
cache-size=1000
dns-forward-max=150
domain-needed        # Don't forward short names
EOF
########################################################

############### Setup dhclient.conf ####################
# This prevents the INTERNET connection to change our local DNS server
sed -i 's/domain-name, domain-name-servers, domain-search, host-name,/host-name,/' /etc/dhcp/dhclient.conf
########################################################

######################## UFW ###########################
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw
sed -i 's/DEFAULT_INPUT_POLICY="DROP"/DEFAULT_INPUT_POLICY="ACCEPT"/' /etc/default/ufw
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
sed -i 's/ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
sed -i 's;\#net/ipv4/ip_forward=1;net/ipv4/ip_forward=1;' /etc/ufw/sysctl.conf

cat >> /etc/ufw/before.rules << EOF
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through wlan1 - Change to match you out-interface
-A POSTROUTING -s 192.168.5.0/24 -o wlan1 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
EOF
########################################################

################### Setup nginx ########################
sudo cat << EOF > /etc/nginx/sites-available/hotspot.conf
server {
    # Listening on IP Address.
    # This is the website iptables redirects to
    listen    	80 default_server;
    root	/usr/share/nginx/html/portal/;
    index	hotspot.html index.php;

    # For iOS
    if (\$http_user_agent ~* (CaptiveNetworkSupport) ) {
        return 302 http://hotspot.localnet/hotspot.html;
    }

    # For others
    location / {
        return 302 http://hotspot.localnet/;
    }
 }

 upstream php {
    #this should match value of "listen" directive in php-fpm pool
		server unix:/tmp/php-fpm.sock;
		server 127.0.0.1:9000;
	}

server {
     listen       80;
     server_name  hotspot.localnet;
     root         /usr/share/nginx/html/portal;
     index	  index.html index.php;

    # Pass all .php files onto a php-fpm/php-fcgi server.
    location ~ [^/]\.php(/|\$) {
    	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    	if (!-f \$document_root\$fastcgi_script_name) {
    		return 404;
    	}
    	# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
    	include fastcgi_params;
    	fastcgi_index index.php;
    	fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    	fastcgi_pass php;
    }
}
EOF

sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/hotspot.conf /etc/nginx/sites-enabled/hotspot.conf
sudo systemctl reload nginx
########################################################

########################################################
sudo touch /usr/share/nginx/html/portal/index.php
sudo cat << EOF > /usr/share/nginx/html/portal/index.php
<!DOCTYPE html>
<?php

// Grant access if the Security code is accurate.
if ($_POST['security_code'] == "andrew-wippler-is-cool") {

// Grab the MAC address
$arp = "/usr/sbin/arp"; // Attempt to get the clients mac address
$mac = shell_exec("$arp -a ".$_SERVER['REMOTE_ADDR']);
preg_match('/..:..:..:..:..:../',$mac , $matches);
$mac2 = $matches[0];

// Reconnect the device to the firewall
exec("sudo rmtrack " . $_SERVER['REMOTE_ADDR']);
$i = "sudo iptables -t mangle -A wlan0_Outgoing  -m mac --mac-source ".$_GET['mac']." -j MARK --set-mark 2";
exec($i);

sleep(5);

?> <html>
<head>
<title></title>
</head>
<body>
<h1>You are now free to browse the internet.</h1>
</body> </html>
<?php } else {
  // this is what is seen when first viewing the page
  ?>
  <html>
  <head>
  <title></title>
  </head>
  <body>
  <h1>Authorization Required</h1>
  <p>Before continuing, you must first agree to the <a href="#">Terms of Service</a> and be of the legal age to do that in your selective country or have Parental Consent.
  </p>
  <form method="post" action="index.php">
    <input type="hidden" name="security_code" value="andrew-wippler-is-cool" />
    <input type="checkbox" name="checkbox1" CHECKED /><label for="checkbox1">I Agree to the terms</label><br />
    <input type="submit" value="Connect" />
  </form>
  </body> </html>
<?php } ?>

EOF
########################################################

########################################################
sudo touch /usr/share/nginx/html/portal/hotspot.html
sudo cat << EOF > /usr/share/nginx/html/portal/hotspot.html
<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.wballiance.net/wispr_2_0.xsd">
<Redirect>
<MessageType>100</MessageType>
<ResponseCode>0</ResponseCode>
<VersionHigh>2.0</VersionHigh>
<VersionLow>1.0</VersionLow>
<AccessProcedure>1.0</AccessProcedure>
<AccessLocation>Andrew Wippler is awesome</AccessLocation>
<LocationName>MyOpenAP</LocationName>
<LoginURL>http://hotspot.localnet/</LoginURL>
</Redirect>
</WISPAccessGatewayParam>
-->
EOF
########################################################

############## Change what runs on boot ################
sudo rm /etc/rc.local
sudo touch /etc/rc.local
sudo chmod +x /etc/rc.local
cat << EOF > /etc/rc.local
#!/bin/sh -e
sudo /etc/init.d/hostapd stop && sudo /etc/init.d/hostapd start
sudo /etc/init.d/dnsmasq stop && sudo /etc/init.d/dnsmasq start
sudo /etc/init.d/nginx stop && sudo /etc/init.d/nginx start
exit 0
EOF
########################################################

###################### Reboot ##########################
echo "press any key to reboot"
read reboot_key
sudo shutdown -r now
########################################################
	# Captive portal setup
	########################################################
	sudo apt-get update -qq
	sudo apt-get install -qq dnsmasq vim hostapd ufw dnsutils netstat-nat conntrack nginx php5 php5-common php5-fpm

	sudo mkdir /usr/share/nginx/html/portal
	sudo useradd nginx
	sudo chown nginx:www-data /usr/share/nginx/html/portal
	sudo chmod 755 /usr/share/nginx/html/portal
	########################################################

	############### Update network interfaces ##############
	cat << EOF > /etc/network/interfaces
	source-directory /etc/network/interfaces.d

	auto lo
	iface lo inet loopback

	iface eth0 inet static
	address 10.10.0.1
	netmask 255.255.255.0
	network 10.10.0.0

	allow-hotplug wlan1
	iface wlan1 inet manual
	wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

	auto wlan0
	allow-hotplug wlan0
	iface wlan0 inet static
	address 192.168.5.1
	netmask 255.255.255.0
	network 192.168.5.0
	EOF
	########################################################

	################## Setup hostapd #######################
	cat << EOF > /etc/hostapd/hostapd.conf
	interface=wlan0
	driver=nl80211
	ssid=_wingnet-wifi_
	channel=9
	EOF
	########################################################

	########## make hostapd use new conf file ##############
	sudo sed -i 's;\#DAEMON_CONF="";DAEMON_CONF="/etc/hostapd/hostapd.conf";' /etc/default/hostapd
	########################################################

	################ Setup dhcpd.conf ###################
	sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.default
	cat << EOF > /etc/dhcp/dhcpd.conf
	default-lease-time 600;
	max-lease-time 7200;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.5.255;
	option routers 192.168.5.1;
	option domain-name-servers 192.168.5.1;
	option domain-name "localdomain";
	subnet 192.168.5.0 netmask 255.255.255.0 {
	range 192.168.5.10 192.168.5.100;
	}
	EOF
	########################################################

	######### setup isc-dhcp-server INTERFACE ##############
	sudo sed -i 's;\INTERFACES="";INTERFACES="wlan0 eth0";' /etc/default/isc-dhcp-server
	########################################################

	############## Setup dnsmasq.conf #####################
	sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
	cat << EOF > /etc/dnsmasq.conf
	address=/#/192.168.5.1
	listen-address=127.0.0.1,192.168.5.1
	port=53
	bind-interfaces # Bind to wifi interface
	server=8.8.8.8 # Forward DNS requests to Google DNS
	no-poll
	bogus-priv # Never forward addresses in the non-routed address spaces.
	neg-ttl=3600
	cache-size=1000
	dns-forward-max=150
	domain-needed # Don't forward short names
	EOF
	########################################################

	############### Setup dhclient.conf ####################
	# This prevents the INTERNET connection to change our local DNS server
	sed -i 's/domain-name, domain-name-servers, domain-search, host-name,/host-name,/' /etc/dhcp/dhclient.conf
	########################################################

	######################## UFW ###########################
	sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
	sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

	sed -i 's/IPV6=yes/IPV6=no/' /etc/default/ufw
	sed -i 's/DEFAULT_INPUT_POLICY="DROP"/DEFAULT_INPUT_POLICY="ACCEPT"/' /etc/default/ufw
	sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
	sed -i 's/ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
	sed -i 's;\#net/ipv4/ip_forward=1;net/ipv4/ip_forward=1;' /etc/ufw/sysctl.conf

	cat >> /etc/ufw/before.rules << EOF
	# NAT table rules
	*nat
	:POSTROUTING ACCEPT [0:0]

	# Forward traffic through wlan1 - Change to match you out-interface
	-A POSTROUTING -s 192.168.5.0/24 -o wlan1 -j MASQUERADE

	# don't delete the 'COMMIT' line or these nat table rules won't
	# be processed
	COMMIT
	EOF
	########################################################

	################### Setup nginx ########################
	sudo cat << EOF > /etc/nginx/sites-available/hotspot.conf
	server {
	# Listening on IP Address.
	# This is the website iptables redirects to
	listen 80 default_server;
	root /usr/share/nginx/html/portal/;
	index hotspot.html index.php;

	# For iOS
	if (\$http_user_agent ~* (CaptiveNetworkSupport) ) {
	return 302 http://hotspot.localnet/hotspot.html;
	}

	# For others
	location / {
	return 302 http://hotspot.localnet/;
	}
	}

	upstream php {
	#this should match value of "listen" directive in php-fpm pool
	server unix:/tmp/php-fpm.sock;
	server 127.0.0.1:9000;
	}

	server {
	listen 80;
	server_name hotspot.localnet;
	root /usr/share/nginx/html/portal;
	index index.html index.php;

	# Pass all .php files onto a php-fpm/php-fcgi server.
	location ~ [^/]\.php(/\|\$) {
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	if (!-f \$document_root\$fastcgi_script_name) {
	return 404;
	}
	# This is a robust solution for path info security issue and works with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
	include fastcgi_params;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
	fastcgi_pass php;
	}
	}
	EOF

	sudo rm /etc/nginx/sites-available/default
	sudo rm /etc/nginx/sites-enabled/default
	sudo ln -s /etc/nginx/sites-available/hotspot.conf /etc/nginx/sites-enabled/hotspot.conf
	sudo systemctl reload nginx
	########################################################

	########################################################
	sudo touch /usr/share/nginx/html/portal/index.php
	sudo cat << EOF > /usr/share/nginx/html/portal/index.php
	<!DOCTYPE html>
	<?php

	// Grant access if the Security code is accurate.
	if ($_POST['security_code'] == "andrew-wippler-is-cool") {

	// Grab the MAC address
	$arp = "/usr/sbin/arp"; // Attempt to get the clients mac address
	$mac = shell_exec("$arp -a ".$_SERVER['REMOTE_ADDR']);
	preg_match('/..:..:..:..:..:../',$mac , $matches);
	$mac2 = $matches[0];

	// Reconnect the device to the firewall
	exec("sudo rmtrack " . $_SERVER['REMOTE_ADDR']);
	$i = "sudo iptables -t mangle -A wlan0_Outgoing -m mac --mac-source ".$_GET['mac']." -j MARK --set-mark 2";
	exec($i);

	sleep(5);

	?> <html>
	<head>
	<title></title>
	</head>
	<body>
	<h1>You are now free to browse the internet.</h1>
	</body> </html>
	<?php } else {
	// this is what is seen when first viewing the page
	?>
	<html>
	<head>
	<title></title>
	</head>
	<body>
	<h1>Authorization Required</h1>
	<p>Before continuing, you must first agree to the <a href="#">Terms of Service</a> and be of the legal age to do that in your selective country or have Parental Consent.
	</p>
	<form method="post" action="index.php">
	<input type="hidden" name="security_code" value="andrew-wippler-is-cool" />
	<input type="checkbox" name="checkbox1" CHECKED /><label for="checkbox1">I Agree to the terms</label><br />
	<input type="submit" value="Connect" />
	</form>
	</body> </html>
	<?php } ?>

	EOF
	########################################################

	########################################################
	sudo touch /usr/share/nginx/html/portal/hotspot.html
	sudo cat << EOF > /usr/share/nginx/html/portal/hotspot.html
	<!--
	<?xml version="1.0" encoding="UTF-8"?>
	<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.wballiance.net/wispr_2_0.xsd">
	<Redirect>
	<MessageType>100</MessageType>
	<ResponseCode>0</ResponseCode>
	<VersionHigh>2.0</VersionHigh>
	<VersionLow>1.0</VersionLow>
	<AccessProcedure>1.0</AccessProcedure>
	<AccessLocation>Andrew Wippler is awesome</AccessLocation>
	<LocationName>MyOpenAP</LocationName>
	<LoginURL>http://hotspot.localnet/</LoginURL>
	</Redirect>
	</WISPAccessGatewayParam>
	-->
	EOF
	########################################################

	############## Change what runs on boot ################
	sudo rm /etc/rc.local
	sudo touch /etc/rc.local
	sudo chmod +x /etc/rc.local
	cat << EOF > /etc/rc.local
	#!/bin/sh -e
	sudo /etc/init.d/hostapd stop && sudo /etc/init.d/hostapd start
	sudo /etc/init.d/dnsmasq stop && sudo /etc/init.d/dnsmasq start
	sudo /etc/init.d/nginx stop && sudo /etc/init.d/nginx start
	exit 0
	EOF
	########################################################

	###################### Reboot ##########################
	echo "press any key to reboot"
	read reboot_key
	sudo shutdown -r now
	########################################################