About nanna


nanna is a web-based network authorization system for Linux firewalls that I developed and used for a while, years ago.

Its primary function is to allow authenticated users access to the Internet over a wireless (or wired) network. Authentication happens through a simple web interface by entering a username and password, and after that automatically for as long as the cookie is preserved on the computer. The connection stays usable as long as there is any traffic and is dropped after a timeout if the traffic stops or the user logs out. (The user can always reauthenticate if necessary.)

The system is actually not that complicated: it consists of a rather simple Python web server implementation (HTTP and HTTPS), a few shell scripts, and some iptables rules.

The server's only secondary function is to serve a proxy.pac file for any browser smart enough to know where to look for it. For anything more, use a separate web server, to keep the authorization server simple and secure. (Actually, you could probably drop the custom web server altogether and re-implement the login and administration pages as CGI or something similar.)

Scenario

At the time I had a Linux computer acting as a firewall, sitting between an ADSL router and a wireless network. The same computer also acted as the AP, but it could just as well have been connected to a separate AP on a second Ethernet port.

I also wanted to support some old hardware with ancient operating systems that we still had in light use (Windows 98 and Mac OS 9 with 802.11b Wi-Fi adapters). So I had to use the poor WEP encryption, which could be broken in a matter of minutes. I would have liked to drop the encryption completely to improve stability, but never actually did that. Still, I did not want everyone passing by our house to be able to use my Internet connection (mostly because I could be held legally liable for their actions).

Therefore, to provide some extra security, I developed nanna to give a random attacker a second hurdle to overcome before succeeding in leeching my connection. (Actually, it is also quite easy to bypass by simply cloning an authorized user's MAC and IP addresses.)

What the User Sees

A random user decides to surf the Internet a little. He takes his laptop and connects it to my wireless network. He opens his favorite web browser, which tries to open his home page. However, instead of his browser's home page the user sees my network login page, which asks for his username and password (after a warning about a self-signed SSL certificate).

He enters his credentials, clicks Login and is told that he may continue his happy surfing or whatever online activity. After he has had enough (of porn) he turns off his laptop. (Or, if he is really nice, he revisits the authentication server and logs out.)

What the Server Does

When a new computer connects to the network, the DHCP server assigns it an IP address as usual. However, the iptables rules block all network access from that still unauthorized address, except HTTP to TCP port 80, which is redirected to the authentication server. TCP port 443 (HTTPS) of the firewall is also reachable before authorization, as is the DNS server, or else none of this would work.

On the unencrypted port 80 (plain old HTTP) the authorization server just tells the user's browser to redirect to its own encrypted HTTPS port (443) instead. On the HTTPS port the server shows the login page and, afterwards, the status / log out page, as well as the administration pages for users with the administration flag set.

When the user successfully authenticates, the server adds iptables rules that allow all network traffic from the user's IP and MAC addresses to the outside world and exempt that traffic from the HTTP redirection.

The iptables rules include logging rules so that the server can detect when a user is no longer generating any traffic. When that happens, or the user manually logs out, the user-specific iptables rules are removed and traffic from the user's IP and MAC addresses is again blocked by the firewall.
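The rule set and the idle detection described above, as an added example written for this page rather than nanna's own code (nanna's shell scripts are not reproduced here). It builds the one-time firewall rules, the three per-user rules keyed on both IP and MAC address (a rate-limited LOG rule, the forwarding ACCEPT, and an ACCEPT in the nat table that skips the HTTP REDIRECT), and reads the kernel log lines those LOG rules produce to find sessions that have gone silent. The interface name wlan0, the chain name NANNA_USERS, the log prefix, the 600-second timeout and the sample log lines are all assumptions constructed for the example.

```python
"""Captive-portal rules keyed on IP + MAC, and idle detection from LOG lines.
Added example for this page, not nanna's code; names below are assumptions."""
import re
import subprocess

LAN_IF = "wlan0"            # assumed client-facing interface
USER_CHAIN = "NANNA_USERS"  # assumed chain holding the per-user rules
LOG_PREFIX = "NANNA: "      # assumed --log-prefix of the per-user LOG rule
IDLE_TIMEOUT = 600          # assumed seconds of silence before revocation


def run(argv, dry_run=False):
    """Execute one iptables command, or only return it when dry_run is set."""
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


def base_rules():
    """One-time setup: unauthorized clients reach only the firewall's own
    ports 80/443, DNS and DHCP, all other LAN traffic is dropped, and their
    HTTP is redirected to the portal's port 80 on the firewall."""
    fwd = ["iptables", "-A", "FORWARD", "-i", LAN_IF]
    inp = ["iptables", "-A", "INPUT", "-i", LAN_IF]
    return [
        ["iptables", "-N", USER_CHAIN],
        ["iptables", "-A", "FORWARD", "-o", LAN_IF, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],   # replies to authorized flows
        fwd + ["-j", USER_CHAIN],                                 # per-user ACCEPTs live here
        fwd + ["-j", "DROP"],                                     # everyone else
        inp + ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        inp + ["-p", "tcp", "-m", "multiport", "--dports", "80,443", "-j", "ACCEPT"],
        inp + ["-p", "udp", "-m", "multiport", "--dports", "53,67", "-j", "ACCEPT"],
        inp + ["-p", "tcp", "--dport", "53", "-j", "ACCEPT"],
        inp + ["-j", "DROP"],
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", LAN_IF, "-p", "tcp",
         "--dport", "80", "-j", "REDIRECT", "--to-ports", "80"],
    ]


def user_rules(ip, mac, revoke=False):
    """The three rules that authorize one (IP, MAC) pair, or delete them again.
    The nat rule is inserted in front of the REDIRECT: ACCEPT in the nat table
    means "do not translate", so the user's HTTP is no longer hijacked."""
    chain_op, nat_op = ("-D", "-D") if revoke else ("-A", "-I")
    who = ["-s", ip, "-m", "mac", "--mac-source", mac]
    return [
        ["iptables", chain_op, USER_CHAIN] + who + ["-m", "limit", "--limit", "1/min",
                                                   "-j", "LOG", "--log-prefix", LOG_PREFIX],
        ["iptables", chain_op, USER_CHAIN] + who + ["-j", "ACCEPT"],
        ["iptables", "-t", "nat", nat_op, "PREROUTING", "-i", LAN_IF, "-p", "tcp",
         "--dport", "80"] + who + ["-j", "ACCEPT"],
    ]


def authorize(ip, mac, dry_run=False):
    return [run(c, dry_run) for c in user_rules(ip, mac)]


def revoke(ip, mac, dry_run=False):
    return [run(c, dry_run) for c in user_rules(ip, mac, revoke=True)]


# The kernel's MAC= field is dst MAC, src MAC and EtherType, so the client's
# own MAC is octets 6..11.
LOG_RE = re.compile(re.escape(LOG_PREFIX) +
                    r".*\bMAC=(?P<macs>[0-9a-f:]+)\s.*\bSRC=(?P<src>[\d.]+)")


def parse_log_line(line):
    """Return (source IP, source MAC) from one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    octets = m["macs"].split(":")
    return (m["src"], ":".join(octets[6:12])) if len(octets) >= 12 else None


def find_idle(sessions, log_lines, now):
    """sessions: ip -> {"mac": ..., "last_seen": ...}.  Log lines gathered since
    the previous check refresh last_seen when both IP and MAC match the session
    (a mismatching MAC is not counted as that user's activity).  Returns the IPs
    whose session has been silent for IDLE_TIMEOUT seconds or longer."""
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed and parsed[0] in sessions and sessions[parsed[0]]["mac"] == parsed[1]:
            sessions[parsed[0]]["last_seen"] = now
    return [ip for ip, s in sessions.items() if now - s["last_seen"] >= IDLE_TIMEOUT]


# Constructed sample kernel log lines (not real captures).
SAMPLE_LOG = [
    "Apr 13 10:16:43 fw kernel: NANNA: IN=wlan0 OUT=eth0 "
    "MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.1.10 DST=93.184.216.34 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50012 DPT=443 WINDOW=29200",
    "Apr 13 10:16:50 fw kernel: NANNA: IN=wlan0 OUT=eth0 "
    "MAC=00:0c:29:aa:bb:cc:de:ad:be:ef:00:99:08:00 SRC=192.168.1.11 DST=93.184.216.34 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=50013 DPT=443 WINDOW=29200",
]

if __name__ == "__main__":
    for cmd in base_rules() + authorize("192.168.1.10", "00:11:22:33:44:55", dry_run=True):
        print(" ".join(cmd))
    sessions = {"192.168.1.10": {"mac": "00:11:22:33:44:55", "last_seen": 0},
                "192.168.1.11": {"mac": "de:ad:be:ef:00:01", "last_seen": 0}}
    print("idle:", find_idle(sessions, SAMPLE_LOG, now=700))
```

The LOG rule is limited to one line per minute per user, which is enough resolution for a timeout measured in minutes and keeps the kernel log quiet. Feeding the lines to find_idle (from syslog, a journal reader or ulogd) is left to the caller; the dry_run flag lets the rule generation be inspected without root. As the page notes, matching on MAC only raises the bar on the same Ethernet segment: a client that clones both the IP and the MAC of an authorized user satisfies these rules too.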

Rationale

Everything nanna does had been done years before by other software. (I had seen and used some of those systems.) I was, however, unable to find free, open source software that met my simple, small-scale needs.

Since I had played around with Linux's iptables and web servers/clients enough, I knew how to implement this kind of system myself. So I did, and for a few years nanna served me nicely. Eventually I upgraded to a faster Wi-Fi with WPA2 encryption, dropped those old systems off the network, and saw no need for nanna anymore.

Problems

There were some problems with this system, too. For example, automatic Windows updates do not work until the user has authenticated by opening his browser. Clock synchronization could be made to work at boot time by using the firewall as the time source.

As said earlier, an attacker simply has to wait until an authorized user shuts down his computer without logging out. Before the timeout revokes the authorization, he can change his MAC and IP addresses to match those of the previous user, and he is then able to access the network. Even if WEP is used on the Wi-Fi network, it can be broken with automated tools in a matter of minutes if there is enough traffic. The attacker probably doesn't even have to wait for the user to stop using his connection before hijacking it. Sure, recent Windows systems do warn the user that someone else is using his address, but other systems might not. And does the user know what is going on even if he sees that warning?

License

The source code is released under GNU General Public License, version 3.

2016-04-13 10:16:43 UTC

Screenshots

The login page that is displayed when the user tries to access the Internet.

Login page


Page displayed after the user has successfully logged in. (The current user is an administrator. For ordinary users, the Administer link will not be shown.)

Access granted page


Page where the user can change his password.

Change password page


Administrators can add and delete users, change anyone's password, and grant and revoke the administration right. Administrators are shown in bold and everyone currently logged in is underlined. You can see from the layout that nanna is meant to be used at home with only a handful of users.

Administration page

2016-04-13 10:12:39 UTC

Download

After I had already stopped using nanna, someone asked for the source code. (This page had been up for a while already, but I hadn't got around to publishing the source.) So I touched it up, added some documentation and configuration examples, and made it available for download as a development snapshot.

The sources include an incomplete and disabled feature for configuring port forwards (a firewall function, not related to the authorization). The link should be easy to remove, and it is only visible to administrators.

While I don't consider this code to be production-ready in any way, here it is anyway... with no warranty. Have fun!