Sunday, July 8, 2007

WiFiDog and Squid

One of the shortcomings of WiFiDog is that it employs its own limited syntax to manage iptables rules on the fly. If you want to add transparent proxying (via Squid), on the same system, it's quite difficult to get the proper table entry to load after auto-starting WiFiDog. The proper table entry is:

    iptables -t nat -I WiFiDog_WIFI2Internet -i eth0 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 3128

I got quite frustrated in trying to script the table entry, post startup. So much so, that I attacked the source code and figured out the following, slightly buggy, patch:

    iptables_do_command("-t nat -I WiFiDog_WIFI2Internet -i eth0 -m mark --mark 0x2 -p tcp --dport 80 -j REDIRECT --to-port 3128");

When you're building WiFiDog, after you've run the autogen script and before you run make, add the above to wifidog/src/fw_iptables.c, after the last line containing "TABLE_WIFIDOG_WIFI_TO_INTERNET". After running "make" and "make install", all you have to do is turn on transparency in your Squid box.

I said "slightly buggy" because, by itself, it prevents admin logins. I managed a work-around by adding a high-port listener to Apache (I was pressed for time). When I'm able to access the system again, I think that the fix would be to add another line, just before the one just added, that prevents redirection of traffic to the auth server.

I'll keep you posted. I'm annoyed enough that I'm looking at tweaking the source code.