Iptables capture portal question and NAT

Posted on 2004-09-15
Medium Priority
Last Modified: 2012-06-27
Hello there..

My question is.. I'm trying to set up a wifi gateway using a Debian Linux box.
My /etc/network/interfaces is as follows
auto eth1
iface eth1 inet static
auto eth0
iface eth0 inet static

eth0 is the external network with access to the internet
eth1 is the imaginary wifi lan

The way I want it set up is so that any webpage that is looked up when connected to the WIFI LAN (eth1) is automatically brought to the webserver on port 3000, where it displays "please enter password".

Once the password is entered it automatically adds (using PHP) an iptables rule to allow that particular IP NAT access out through eth0, and only the IP that provided the password.

The capture portal is accomplished by
iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j REDIRECT --to-port 3000
That just sends all traffic to the webserver sitting on port 3000 on the Debian box.

Once authenticated it adds a rule similar to
iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

Now my problem is.. the above doesn't work.
I need to be able to have all traffic go to the portal by default and only explicit IP addresses allowed out onto the internet.
I need to be able to add and delete the specific IP address on the fly after adding in the default to the portal..

So when the time is up (1 hour or so) an at script removes the firewall rule for that particular IP address.

Please note.. I'm only looking for iptables answers; I can do the PHP stuff etc. by myself..
Also, I know there is a program called NoCatAuth, but it's not going to do what I want it to do.

Many thanks.
PS: sorry if this description is not so clear.

Question by:festerdublin1
LVL 40

Accepted Solution

jlevie earned 2000 total points
ID: 12071614
"iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE" isn't what you want to be doing.

I don't believe you'll be able to do this with firewall rules. The transparent proxy rule that you use to get "any webpage" to the auth server is going to be a problem. Even after authentication the user's web requests are still going to go to the auth page.

I think there are enough controls in Squid to do this, but I'm not sure if you can limit the session as you've asked for.

If the wireless access point can be placed in bridge mode so that you can run a DHCP server on the Linux box you could use NetReg (http://www.netreg.org/) to allow access. You'd need to add a custom function that adds a FORWARD rule after the user authenticates and takes it out when time's up.
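As an added example (not code from the original thread or from either poster), this is one way to order the rules so the port-80 REDIRECT only catches clients that have not authenticated, which is the problem jlevie describes with the rules as written in the question: authenticated clients are diverted into a separate nat chain that accepts them before the REDIRECT is reached, and a matching FORWARD chain decides who may leave via eth0. The LAN subnet 10.0.0.0/24 and the dry-run default (commands are printed rather than applied unless IPT=iptables) are assumptions of this example; eth0, eth1 and port 3000 come from the question.

```shell
#!/bin/sh
# Added example: per-client exception chains for an iptables captive portal.
# Assumed addressing: eth1 (wifi LAN) is 10.0.0.0/24; portal listens on :3000.
# IPT defaults to a dry-run that prints each rule; run with IPT=iptables as root
# (and echo 1 > /proc/sys/net/ipv4/ip_forward) to apply the rules for real.
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/24
PORTAL_PORT=3000
IPT=${IPT:-"echo iptables"}

portal_setup() {
    # One user chain per table: nat/wifi_auth skips the redirect for
    # authenticated clients, filter/wifi_fwd lets their traffic be forwarded.
    $IPT -t nat -N wifi_auth 2>/dev/null
    $IPT -N wifi_fwd 2>/dev/null
    # Order matters: wifi_auth is consulted first. In the nat table, ACCEPT
    # ends nat processing for the packet, so authenticated clients never
    # reach the REDIRECT below.
    $IPT -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j wifi_auth
    $IPT -t nat -A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 \
        -j REDIRECT --to-port $PORTAL_PORT
    # Default deny for LAN -> WAN; wifi_fwd holds the per-client exceptions.
    $IPT -A FORWARD -i $LAN -o $WAN -j wifi_fwd
    $IPT -A FORWARD -i $LAN -o $WAN -j DROP
    $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A single MASQUERADE for the whole LAN: the FORWARD chain, not the nat
    # table, is what decides which client is allowed out.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
}

# Called by the portal after a successful login; $1 is the client IP.
client_allow() {
    $IPT -t nat -A wifi_auth -s "$1" -j ACCEPT
    $IPT -A wifi_fwd -s "$1" -j ACCEPT
}

# Called from the timed `at` job; deletes exactly the rules client_allow added.
client_revoke() {
    $IPT -t nat -D wifi_auth -s "$1" -j ACCEPT
    $IPT -D wifi_fwd -s "$1" -j ACCEPT
}
```

Existing connections already redirected to the portal keep their NAT mapping in conntrack until they close, so a client should open a new connection after logging in.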

Expert Comment

ID: 12375313
If I am understanding this correctly, what you're looking to do is add an SNAT (non-MASQ) rule to the firewall after the php front end authenticates the users.  If this is what you're looking to do, yes it can be done.  But it is a bad idea to try and set it up this way in my opinion.  jlevie (above) is suggesting a proxy server such as Squid as a solution.  What you are talking about is a primary mission of a good proxy.

If you want to pursue this however, I'd suggest taking a look at http://www.unixpages.com/hls for sample code.  Pull out the SNAT line and reconfigure it for a single IP SNAT instead of an entire subnet.  You can add a rule for every user.  This will of course bog down the firewall considerably after around 10 users.

I suggest downloading the firewall I suggested, configuring it for transparent proxy, and configuring a Squid proxy.  I never thought I'd discourage someone from coding something in php, but there is a first time for everything.  Good luck.
