iptables captive portal question and NAT

Hello there..

My question is.. I'm trying to set up a wifi gateway using a Debian Linux box.
My /etc/network/interfaces is as follows
auto eth1
iface eth1 inet static
auto eth0
iface eth0 inet static

eth0 is the external network with access to the internet
eth1 is the imaginary wifi lan

The way I want it set up is so that any webpage that is looked up when connected to the wifi LAN (eth1) is automatically brought to the webserver on port 3000, where it displays "please enter password".

Once the password is entered, it automatically adds (using PHP) an iptables rule to allow that particular IP NAT access out through eth0, and only the IP that provided the password.

The captive portal is accomplished by
iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j REDIRECT --to-port 3000
That just sends all traffic to the webserver sitting on port 3000 on the Debian box.

Once authenticated, it adds a rule similar to
iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

Now my problem is.. the above doesn't work.
I need to be able to have all traffic go to the portal by default, and only explicit IP addresses allowed out onto the internet.
I need to be able to add and delete the specific IP address on the fly after adding in the default to the portal..

So when the time is up (1 hour or so), an at script removes the firewall rule for that particular IP address.

Please note.. I'm only looking for iptables answers; I can do the PHP stuff etc. by myself..
Also, I know there is a program called NoCatAuth.. but it's not going to do what I want it to do.

many thanks
PS: sorry if this description is not so clear

"iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE" isn't what you want to be doing.

I don't believe you'll be able to do this with firewall rules. The transparent proxy rule that you use to get "any webpage" to the auth server is going to be a problem. Even after authentication the user's web requests are still going to go to the auth page.

I think there are enough controls in Squid to do this, but I'm not sure if you can limit the session as you've asked for.

If the wireless access point can be placed in bridge mode so that you can run a DHCP server on the Linux box, you could use NetReg (http://www.netreg.org/) to allow access. You'd need to add a custom function that adds a FORWARD rule after the user authenticates and takes it out when time's up.

If I am understanding this correctly, what you're looking to do is add an SNAT (non-MASQ) rule to the firewall after the php front end authenticates the users.  If this is what you're looking to do, yes it can be done.  But it is a bad idea to try and set it up this way in my opinion.  jlevie (above) is suggesting a proxy server such as Squid as a solution.  What you are talking about is a primary mission of a good proxy.

If you want to pursue this however, I'd suggest taking a look at http://www.unixpages.com/hls for sample code.  Pull out the SNAT line and reconfigure it for a single IP SNAT instead of an entire subnet.  You can add a rule for every user.  This will of course bog down the firewall considerably after around 10 users.

I suggest downloading the firewall I suggested, configuring it for transparent proxy, and configuring a Squid proxy.  I never thought I'd discourage someone from coding something in php, but there is a first time for everything.  Good luck.
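Added example, not code from the question or from either answer: one way to express the per-IP authorisation the question asks for purely in iptables, laid out so that the PHP front end and the at(1) job only ever call `allow`/`revoke` with a client address. The interface names, the LAN subnet 192.168.10.0/24, the portal port 3000 and a local DNS resolver on the box are assumptions made for the example. The per-client RETURN rule is inserted ahead of the REDIRECT, which is what stops an authenticated client's new HTTP connections from landing on the portal again; the address check exists because the PHP side passes an attacker-influenced value onto a root command line.

```sh
#!/bin/sh
# Added example (not code from the thread): captive-portal rule management
# for the layout described in the question. Assumed values: eth0 uplink,
# eth1 wifi LAN on 192.168.10.0/24, portal web server on port 3000, and a
# local DNS resolver on the box; all of these are constructed for the example.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
PORTAL_PORT="${PORTAL_PORT:-3000}"

# Accept only a plain dotted-quad IPv4 address. The PHP front end hands us the
# client address, and nothing else may reach the iptables command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    echo "$1" | (
        IFS=. read -r a b c d rest
        [ -n "$a" ] && [ -n "$b" ] && [ -n "$c" ] && [ -n "$d" ] && [ -z "$rest" ] || exit 1
        for octet in "$a" "$b" "$c" "$d"; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Base rules, run once at boot. Per-client rules live in their own chains so
# they can be inserted and deleted without touching the rest of the ruleset.
portal_init() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    $IPTABLES -t nat -N PORTAL 2>/dev/null || $IPTABLES -t nat -F PORTAL
    $IPTABLES -N PORTAL_FWD 2>/dev/null || $IPTABLES -F PORTAL_FWD
    # Every packet arriving from the wifi LAN visits the portal chains first.
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -j PORTAL
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j PORTAL_FWD
    # Unauthenticated clients: DNS answered locally so names resolve, HTTP
    # redirected to the portal, everything else bound for the internet dropped.
    $IPTABLES -t nat -A PORTAL -p udp --dport 53 -j REDIRECT --to-ports 53
    $IPTABLES -t nat -A PORTAL -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    $IPTABLES -A PORTAL_FWD -j DROP
    # One MASQUERADE for the whole LAN; who may use it is decided in PORTAL_FWD.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Called by the PHP front end after a successful login. The RETURN rule goes
# in at position 1 so the client's new HTTP connections skip the REDIRECT.
portal_allow() {
    valid_ipv4 "$1" || { echo "portal_allow: rejected address '$1'" >&2; return 1; }
    $IPTABLES -t nat -I PORTAL 1 -s "$1/32" -j RETURN
    $IPTABLES -I PORTAL_FWD 1 -s "$1/32" -j ACCEPT
}

# Called by the at(1) job when the session expires; removes exactly those two rules.
portal_revoke() {
    valid_ipv4 "$1" || { echo "portal_revoke: rejected address '$1'" >&2; return 1; }
    $IPTABLES -t nat -D PORTAL -s "$1/32" -j RETURN
    $IPTABLES -D PORTAL_FWD -s "$1/32" -j ACCEPT
}

case "${1:-}" in
    init)   portal_init ;;
    allow)  portal_allow "$2" ;;
    revoke) portal_revoke "$2" ;;
esac
```

Installed at an assumed path such as /usr/local/sbin/portal.sh, the PHP side runs `portal.sh allow <client-ip>` after a good password and queues the expiry with `echo "/usr/local/sbin/portal.sh revoke <client-ip>" | at now + 1 hour`. Because outbound packets from the LAN always pass through PORTAL_FWD, revoking the rule also cuts connections the client already had open. The authorisation is tied to the IP address alone, so another device that takes over that address on the wifi LAN inherits the session; matching the client's MAC as well (`-m mac --mac-source`) in the two per-client rules narrows that window, and setting IPTABLES=echo lets you review the generated rules before running the script as root.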