Solved

Iptables captive portal question and NAT

Posted on 2004-09-15
Last Modified: 2012-06-27
Hello there..

My question is.. I'm trying to set up a wifi gateway using a Debian Linux box.
My /etc/network/interfaces is as follows
auto eth1
iface eth1 inet static
        address 192.168.0.6
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
auto eth0
iface eth0 inet static
        address 192.168.1.6
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1

eth0 is the external network with access to the internet
eth1 is the imaginary wifi lan

the way i want it setup is so that any webpage that is looked up when connected to the WIFI lan (eth1) is automatically brought to the webserver on port 3000 where it displays please enter password

once the password is entered it automatically adds (using php) an IPtables rule to allow that particular ip NAT access out through eth0 and only that ip that provided the password

the captive portal is accomplished by
iptables -t nat -A PREROUTING -s 192.168.0.6/24 -p tcp --dport 80 -j REDIRECT --to-port 3000
that just sends all traffic to the webserver sitting on port 3000 on the debian box.

once authenticated it adds a rule similar to
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.3/24 -j MASQUERADE

Now my problem is.. the above doesn't work.
I need to be able to have all traffic go to the portal by default and only explicit IP addresses allowed out onto the internet
I need to be able to add and delete the specific IP address on the fly after adding in the default to the portal..

so when the time is up (1 hour or so) an at script removes the firewall rule for that particular ip address

please note .. I'm only looking for IPTABLES answers, I can do the php stuff etc. by myself..
also, I know there is a program called NoCatAuth.. but it's not going to do what I want it to do.

many thanks
Stephen
PS: sorry if this description is not so clear


Question by:festerdublin1
4 Comments
LVL 40

Accepted Solution by: jlevie (earned 500 total points), ID: 12071614
"iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.3/24 -j MASQUERADE" isn't what you want to be doing.

I don't believe you'll be able to do this with firewall rules. The transparent proxy rule that you use to get "any webpage" to the auth server is going to be a problem. Even after authentication the user's web requests are still going to go to the auth page.

I think there are enough controls in Squid to do this, but I'm not sure if you can limit the session as you've asked for.

If the wireless access point can be placed in bridge mode so that you can run a DHCP server on the Linux box, you could use NetReg (http://www.netreg.org/) to allow access. You'd need to add a custom function that adds a FORWARD rule after the user authenticates and takes it out when time's up.
LVL 2

Expert Comment by: garak1357, ID: 12375313
If I am understanding this correctly, what you're looking to do is add an SNAT (non-MASQ) rule to the firewall after the php front end authenticates the users.  If this is what you're looking to do, yes it can be done.  But it is a bad idea to try and set it up this way in my opinion.  jlevie (above) is suggesting a proxy server such as Squid as a solution.  What you are talking about is a primary mission of a good proxy.

If you want to pursue this however, I'd suggest taking a look at http://www.unixpages.com/hls for sample code.  Pull out the SNAT line and reconfigure it for a single IP SNAT instead of an entire subnet.  You can add a rule for every user.  This will of course bog down the firewall considerably after around 10 users.

I suggest downloading the firewall I suggested, configuring it for transparent proxy, and configuring a Squid proxy.  I never thought I'd discourage someone from coding something in php, but there is a first time for everything.  Good luck.
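An added example (not posted by anyone in this thread) of the pure-iptables ruleset the question asks for, and of the per-IP allow/revoke that garak1357's comment describes. It assumes the interfaces from the question (eth1 = 192.168.0.0/24 wifi LAN, eth0 = uplink, portal on TCP 3000); the chain names portal_auth and portal_fwd, the helper names and the "portal.sh" invocation are made up for the example. The point jlevie raises is handled by order of evaluation: nat/PREROUTING first jumps to portal_auth, where an ACCEPT for an authenticated address ends nat processing for that packet, so the REDIRECT rule below it is never reached; unauthenticated clients fall through to the REDIRECT. Forwarding is default-DROP for the LAN, with one MASQUERADE rule for the whole subnet, so the FORWARD chain, not the NAT rule, decides who reaches the internet. Set IPT="echo iptables" to print the rules instead of applying them.

```shell
#!/bin/sh
# Captive-portal iptables helper (example code, not from the thread).
# Assumed layout: LAN on eth1 (192.168.0.0/24), uplink eth0, portal on TCP 3000.
IPT="${IPT:-iptables}"            # IPT="echo iptables" for a dry run
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PORTAL_PORT="${PORTAL_PORT:-3000}"

# Accept only a plain dotted-quad; the web front end hands us this value,
# so never pass it to iptables unvalidated.
valid_ip() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    return 0
}

portal_base_rules() {
    # user-defined chains that hold the per-client entries
    $IPT -t nat -N portal_auth 2>/dev/null || $IPT -t nat -F portal_auth
    $IPT -N portal_fwd 2>/dev/null || $IPT -F portal_fwd

    # nat/PREROUTING: authenticated clients are ACCEPTed in portal_auth, which
    # stops nat processing, so they skip the REDIRECT that follows.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -j portal_auth
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"

    # FORWARD: default deny for the LAN; only portal_fwd entries get out.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j portal_fwd
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP

    # One MASQUERADE for the subnet; FORWARD above decides who reaches it.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Grant one address: skip the redirect and allow forwarding.
portal_allow() {
    valid_ip "$1" || { echo "portal_allow: bad address '$1'" >&2; return 1; }
    $IPT -t nat -A portal_auth -s "$1" -j ACCEPT
    $IPT -A portal_fwd -s "$1" -j ACCEPT
}

# Revoke the same two rules (run from the at job when the hour is up).
portal_revoke() {
    valid_ip "$1" || { echo "portal_revoke: bad address '$1'" >&2; return 1; }
    $IPT -t nat -D portal_auth -s "$1" -j ACCEPT
    $IPT -D portal_fwd -s "$1" -j ACCEPT
}

# Grant now and queue the revoke with at(1); default lifetime 60 minutes.
portal_grant_timed() {
    portal_allow "$1" || return 1
    echo "sh \"$0\" revoke $1" | at now + "${2:-60}" minutes
}

case "${1:-}" in
    init)   portal_base_rules ;;
    allow)  portal_grant_timed "$2" "$3" ;;
    revoke) portal_revoke "$2" ;;
esac
```

Run it once as `portal.sh init` at boot, then have the PHP page call `portal.sh allow 192.168.0.3 60` through a sudoers entry restricted to that script; the at job it queues calls `portal.sh revoke 192.168.0.3` when the hour is up. Because the revoke deletes the portal_auth entry as well as the forwarding entry, an expired client's next port-80 request lands back on the password page.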