Zillode (n00b) - Joined: 19 May 2006, Posts: 54
Posted: Sun Jun 03, 2007 12:14 pm. Post subject: iptables question - Chains + Forward + Masquerade
Hello,
I'm setting up a wireless access point and I have some problems with iptables.
When someone connects to the (unsecured) device, he/she should get a login page (no matter what site was requested). After logging in, the person should have access to the internet (NAT - Masquerade).
I have the following questions:
- At the moment I'm forwarding all traffic to localhost:80; this already works.
- When someone logs in I can execute an iptables command, but I don't know which yet.
I was thinking of using 2 chains: one that forwards all traffic to the login page (default for all users)
and one that has a masquerade so that people can request web pages using NAT (all MAC addresses with a successful login will be in here).
Is this a good way to solve the problem? And how can I have a 'default' chain for users (is the total solution even possible?)
Thanks
di1bert (l33t) - Joined: 16 May 2002, Posts: 963, Location: Oslo, Norway
Posted: Sun Jun 03, 2007 1:19 pm
Why don't you force all HTTP / HTTPS traffic through a proxy server that requires authentication? That way you can check what pages they're going to if need be, using sarg (it's in portage) to generate reports, and only authenticated users can browse.
What you choose to authenticate against is up to you, but NCSA is probably the easiest...
-m
Zillode (n00b) - Joined: 19 May 2006, Posts: 54
Posted: Sun Jun 03, 2007 4:38 pm
Thanks for the advice, but because it's a public wireless (though only for students of the university) I want them to authenticate without a lot of problems. I don't want to log their traffic either. (The authentication check is already finished too, btw.)
xanas3712 (Guru) - Joined: 15 Oct 2004, Posts: 455
Posted: Sun Jun 03, 2007 4:52 pm
If you were using the FORWARD rule to redirect traffic, couldn't you insert a rule prior to it by command when you need to allow their traffic to pass through, with `iptables -I FORWARD -s useripwhologgedin -j ACCEPT`?
If you only wanted to allow access to TCP on specific ports you'd have to specify with more lines like

```
iptables -I FORWARD -s useripwhologgedin -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s useripwhologgedin -p tcp --dport 23 -j ACCEPT
```

and so on for whatever you wanted to allow.
Of course you would also need something set up to delete these rules whenever the user logs out manually by going back to the login page or times out. Otherwise that IP would just stay on the list. I'm not sure how to do that though.
Zillode (n00b) - Joined: 19 May 2006, Posts: 54
Posted: Tue Jun 05, 2007 8:30 am
I didn't know there were priorities in iptables, or will the last line be more important than my redirect rule that I defined earlier?
To delete them I wrote a script that arpings all the users and checks the MAC address (users are logged in a separate file).
PS: I'll post the complete solution when it's ready; it might come in useful for someone else :)
Hu (Administrator) - Joined: 06 Mar 2007, Posts: 23093
Posted: Wed Jun 06, 2007 3:48 am
Rules are compared in order until a terminating target matches or until the kernel runs out of rules. For simplicity of your script, I would go with:

Code:
```
iptables -N authuser
iptables -A FORWARD -j authuser
iptables -A FORWARD -j # Redirect user to authentication page
```

Then, when a user is authenticated, add the appropriate rule to the authuser chain. This lets your authorization tool stick to its own private chain, so an incorrect index will not clobber other rules.
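The private-chain layout Hu describes, carried through to a full captive-portal rule set with login/logout helpers. This is an added example, not code from the thread; interface names, the gateway address and the `IPT` override are assumptions, and the redirect lives in nat/PREROUTING since FORWARD cannot rewrite destinations.

```shell
# Captive-portal rule layout built on Hu's private-chain idea. Added example,
# not from the thread. Assumed names: LAN_IF (wireless side), WAN_IF (uplink),
# GW_IP (the gateway's own address, where the login page is served).
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-wlan0}"
WAN_IF="${WAN_IF:-eth0}"
GW_IP="${GW_IP:-192.168.1.1}"
setup_portal() {
    # Private chains: the login script only touches these, so a wrong index cannot clobber the base rules.
    "$IPT" -N authuser
    "$IPT" -t nat -N authuser_nat
    # Replies for connections already accepted.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Authenticated clients are ACCEPTed inside authuser; everyone else falls through.
    "$IPT" -A FORWARD -i "$LAN_IF" -j authuser
    # Unauthenticated clients still need DNS, or no hostname resolves and nothing gets redirected.
    "$IPT" -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -j DROP
    # nat/PREROUTING runs before FORWARD: an authenticated MAC hits ACCEPT in authuser_nat
    # (no translation); any other HTTP request is DNATed to the login page, whatever site was asked for.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j authuser_nat
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$GW_IP:80"
    # Masquerade everything that made it through FORWARD.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Only a canonical aa:bb:cc:dd:ee:ff address may reach the iptables command line.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Called by the login page after a successful login.
authorize_mac() {
    valid_mac "$1" || return 1
    "$IPT" -A authuser -m mac --mac-source "$1" -j ACCEPT
    "$IPT" -t nat -A authuser_nat -m mac --mac-source "$1" -j ACCEPT
}

# Called on logout or by the arping sweep; the client then falls through to DROP again.
deauthorize_mac() {
    valid_mac "$1" || return 1
    "$IPT" -D authuser -m mac --mac-source "$1" -j ACCEPT
    "$IPT" -t nat -D authuser_nat -m mac --mac-source "$1" -j ACCEPT
}
```

MAC matching only works on the directly attached wireless segment, which is the case the thread describes; a client behind another router would present the router's MAC instead.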
xanas3712 (Guru) - Joined: 15 Oct 2004, Posts: 455
Posted: Wed Jun 06, 2007 11:30 am
BTW, listen to Hu; he's the only reason I was able to figure this stuff out at all myself. That's a cool method. Makes a lot of sense.
Zillode (n00b) - Joined: 19 May 2006, Posts: 54
Posted: Wed Jun 06, 2007 3:10 pm
I agree, xanas.
OK, cool, thanks for clearing that up Hu :)
I've got exams at the moment so it will take a moment before I post the whole thing.