Iptables capture portal question and NAT

Posted on 2004-09-15
Last Modified: 2012-06-27
Hello there..

My question is.. I'm trying to set up a wifi gateway using a Debian Linux box.
My /etc/network/interfaces is as follows:
auto eth1
iface eth1 inet static
auto eth0
iface eth0 inet static

eth0 is the external network with access to the internet
eth1 is the imaginary wifi LAN

The way I want it set up is so that any web page that is looked up when connected to the wifi LAN (eth1) is automatically brought to the web server on port 3000, where it displays "please enter password".

Once the password is entered it automatically adds (using PHP) an iptables rule to allow that particular IP NAT access out through eth0, and only the IP that provided the password.

The capture portal is accomplished by
iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j REDIRECT --to-port 3000
That just sends all traffic to the web server sitting on port 3000 on the Debian box.

Once authenticated it adds a rule similar to
iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

Now my problem is.. the above doesn't work.
I need to be able to have all traffic go to the portal by default and only explicit IP addresses allowed out onto the internet.
I need to be able to add and delete the specific IP address on the fly after adding in the default to the portal..

So when the time is up (1 hour or so) an at script removes the firewall rule for that particular IP address.

Please note.. I'm only looking for iptables answers; I can do the PHP stuff etc. by myself..
Also, I know there is a program called NoCatAuth, but it's not going to do what I want it to do.

Many thanks
PS: sorry if this description is not so clear

Question by:festerdublin1

Accepted Solution

jlevie earned 500 total points
ID: 12071614
"iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE" isn't what you want to be doing.

I don't believe you'll be able to do this with firewall rules. The transparent proxy rule that you use to get "any webpage" to the auth server is going to be a problem. Even after authentication the user's web requests are still going to go to the auth page.

I think there are enough controls in Squid to do this, but I'm not sure if you can limit the session as you've asked for.

If the wireless access point can be placed in bridge mode so that you can run a DHCP server on the Linux box, you could use NetReg ( to allow access. You'd need to add a custom function that adds a FORWARD rule after the user authenticates and takes it out when time's up.

Expert Comment

ID: 12375313
If I am understanding this correctly, what you're looking to do is add an SNAT (non-MASQ) rule to the firewall after the php front end authenticates the users.  If this is what you're looking to do, yes it can be done.  But it is a bad idea to try and set it up this way in my opinion.  jlevie (above) is suggesting a proxy server such as Squid as a solution.  What you are talking about is a primary mission of a good proxy.

If you want to pursue this however, I'd suggest taking a look at for sample code.  Pull out the SNAT line and reconfigure it for a single IP SNAT instead of an entire subnet.  You can add a rule for every user.  This will of course bog down the firewall considerably after around 10 users.

I suggest downloading the firewall I suggested, configuring it for transparent proxy, and configuring a Squid proxy.  I never thought I'd discourage someone from coding something in php, but there is a first time for everything.  Good luck.
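The rule pair from the question, arranged so that the second part can actually gate traffic, as an added example (this is not code from the thread, from NoCatAuth or from any of the firewalls mentioned). Authenticated addresses are placed in two user-defined chains that are evaluated before the catch-all REDIRECT and before the FORWARD drop; the MASQUERADE rule then covers the whole LAN and never has to do the gating itself. The interface names and port 3000 come from the question; the LAN subnet 10.0.0.0/24, the chain names PORTAL_AUTH and PORTAL_AUTH_FWD, and a resolver running on the gateway itself are assumptions. Because the PHP front end hands this script an address taken from a login form, the address is checked to be a plain dotted quad before it is ever put on an iptables command line.

```shell
#!/bin/sh
# Added example (not from the thread): captive-portal rule management for the
# layout in the question: eth0 = internet, eth1 = wifi LAN, portal on local
# port 3000. Assumed values (not in the original post): LAN 10.0.0.0/24, the
# chain names below, and a local DNS resolver on the gateway.

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES=echo for a dry run
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=10.0.0.0/24
PORTAL_PORT=3000

# Accept only four decimal octets, each 0..255. Anything else (shell
# metacharacters, extra iptables arguments, CIDR masks, hostnames) is refused
# before it can become part of a command line.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time setup at boot: exception chains first, catch-all rules after them.
portal_init() {
    # Chains that hold one rule per authenticated client address.
    $IPTABLES -t nat -N PORTAL_AUTH
    $IPTABLES -N PORTAL_AUTH_FWD

    # nat/PREROUTING: an authenticated host hits ACCEPT in PORTAL_AUTH, which
    # ends nat processing for that packet (no redirect). Everyone else on the
    # LAN has port 80 redirected to the portal, as in the question.
    $IPTABLES -t nat -A PREROUTING -i $LAN_IF -j PORTAL_AUTH
    $IPTABLES -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 \
        -j REDIRECT --to-ports $PORTAL_PORT

    # filter/FORWARD: only authenticated hosts may be routed towards eth0, so
    # the masquerade in POSTROUTING is never reached by anyone else.
    $IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -j PORTAL_AUTH_FWD
    $IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $LAN_IF -j DROP

    # One masquerade for the whole LAN; the gating already happened above.
    $IPTABLES -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE

    # The gateway must accept the redirected portal connections and DNS
    # (assumed local resolver), otherwise unauthenticated clients can never
    # resolve a name and send the HTTP request that gets redirected.
    $IPTABLES -A INPUT -i $LAN_IF -p tcp --dport $PORTAL_PORT -j ACCEPT
    $IPTABLES -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
}

# Called by the PHP front end after a successful password check.
portal_allow() {
    valid_ipv4 "$1" || return 1
    $IPTABLES -t nat -I PORTAL_AUTH -s "$1" -j ACCEPT
    $IPTABLES -I PORTAL_AUTH_FWD -s "$1" -j ACCEPT
}

# Called by the at(1) job when the session expires. The -D arguments must
# match the -I arguments above exactly, or iptables will not find the rule.
portal_revoke() {
    valid_ipv4 "$1" || return 1
    $IPTABLES -t nat -D PORTAL_AUTH -s "$1" -j ACCEPT
    $IPTABLES -D PORTAL_AUTH_FWD -s "$1" -j ACCEPT
}

# Usage: portal.sh init | allow <ip> | revoke <ip>
case "$1" in
    init)   portal_init ;;
    allow)  portal_allow "$2" ;;
    revoke) portal_revoke "$2" ;;
esac
```

Revocation takes effect for new outbound packets as soon as the FORWARD rule is gone, because the ESTABLISHED rule only covers the eth0-to-eth1 direction; replies already in flight are still accepted until conntrack forgets them. Run `IPTABLES=echo ./portal.sh init` to see the full rule set without touching the kernel.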
