  1. #1
    Linux Newbie
    Join Date
    Jul 2005
    Location
    Australia (Down Under)
    Posts
    141

    Redirect Marked Packets to internal website


    Hi All,

    I found this really cool guide / info about creating an internet portal where users have to register (their MAC) with the server to use the internet.

    Basically, if users' MACs are in the list they get routed to the internet; if not, they get routed to an internal page asking them to register. It works great and works well.

    I was wondering if there are some smart people out there who could help me reverse the process, e.g. if your MAC is not in the list you can access the internet; if it is, you are redirected to an internal page saying "you've been blocked".

    The firewall rules are as follows.

    Code:
    # Exported so that the sh subshell spawned by awk's system() below sees it;
    # without the export $IPTABLES is empty there and the awk rules never get added
    export IPTABLES=/sbin/iptables
    
    # Create internet chain
    # This is used to authenticate users who have already signed up
    $IPTABLES -N internet -t nat
    
    # First send all traffic via newly created internet chain
    # At the prerouting NAT stage this will DNAT them to the local
    # webserver for them to signup if they aren't authorised
    # Packets for unauthorised users are marked for dropping later
    $IPTABLES -t nat -A PREROUTING -j internet
    
    ###### INTERNET CHAIN ##########
    # Allow authorised clients in, redirect all others to login webserver
    # Add known users to the NAT table to stop their dest being rewritten
    # Ignore MAC address with a * - these users are blocked
    # This awk script goes through the /var/lib/users flat file line by line
    # (tab-separated, MAC in field 4); empty or starred MACs are skipped
    awk 'BEGIN { FS="\t"; } $4 != "" && $4 !~ /\*/ { system("$IPTABLES -t nat -A internet -m mac --mac-source " $4 " -j RETURN"); }' /var/lib/users
    
    # MAC address not found. Mark the packet 99
    $IPTABLES -t nat -A internet -j MARK --set-mark 99
    # Redirects web requests from Unauthorised users to logon Web Page
    $IPTABLES -t nat -A internet -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1
    ################################
    
    # Now that we've got to the forward filter, drop all packets
    # marked 99 - these are unknown users. We can't drop them earlier
    # as there's no filter table
    $IPTABLES -t filter -A FORWARD -m mark --mark 99 -j DROP
    
    # Do the same for the INPUT chain to stop people accessing the web through Squid
    $IPTABLES -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -t filter -A INPUT -m mark --mark 99 -j DROP
    
    # Enable Internet connection sharing
    $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    I'd love to mark packets from MACs that are not in the list as 99 and redirect them to an internal page. I have done everything except for successfully editing the firewall script...

    Can somebody please help .. ?

    Thanks in advance
    Linux is the OS of tomorrow, Here today!!

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    This is simple to do, just use the '!' in your rules.

    For example, in the following 2 rules:

    Code:
    $IPTABLES -t nat -A internet -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1
    $IPTABLES -t filter -A FORWARD -m mark --mark 99 -j DROP

    Change

    --mark 99 to --mark ! 99

    What the '!' is saying is NOT 99 which means anything that isn't marked as 99 will be redirected and dropped.

    [edit: somehow this didn't come through]
    Also you should be using the Mangle table instead of the NAT for marking packets.
    Last edited by Lazydog; 12-20-2010 at 02:37 PM.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
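    The original script inverted as the two replies describe (marks set in the mangle table, mark matches negated with '!'), written out as an added example rather than code from the thread. It assumes the LAN is on eth0, the uplink on ppp0, the "blocked" page on 10.0.0.1, and a tab-separated users file with the MAC in column 4; the jump into the chain is limited to eth0 because, unlike nat, mangle sees every packet, so replies arriving on ppp0 would otherwise be classified too.

```shell
#!/bin/sh
# Added example (not from the thread). Inverts the portal so that listed
# MACs are blocked: marks set in mangle, mark matches negated with '!'.
# Assumed: LAN eth0, uplink ppp0, blocked page on 10.0.0.1, users file
# tab-separated with the MAC in field 4 ('*' in the MAC = skip the line).

# Print the rules one per line instead of applying them
# ("gen_rules /sbin/iptables /var/lib/users | sh" would apply them).
gen_rules() {
    ipt=$1; users=$2
    echo "$ipt -t mangle -N internet"
    # only LAN packets are classified; replies coming in on ppp0 skip the chain
    echo "$ipt -t mangle -A PREROUTING -i eth0 -j internet"
    # listed MACs leave the chain unmarked ...
    awk -F '\t' -v ipt="$ipt" '$4 != "" && $4 !~ /\*/ {
        print ipt " -t mangle -A internet -m mac --mac-source " $4 " -j RETURN"
    }' "$users"
    # ... every other LAN host gets mark 99 (= allowed in this inverted scheme)
    echo "$ipt -t mangle -A internet -j MARK --set-mark 99"
    # '! --mark 99' now selects the listed hosts: their web requests go to the page
    echo "$ipt -t nat -A PREROUTING -i eth0 -m mark ! --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1"
    # the page and DNS on the router stay reachable; all else from them is dropped
    echo "$ipt -t filter -A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "$ipt -t filter -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "$ipt -t filter -A INPUT -i eth0 -m mark ! --mark 99 -j DROP"
    echo "$ipt -t filter -A FORWARD -i eth0 -m mark ! --mark 99 -j DROP"
    echo "$ipt -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$ipt -A FORWARD -i eth0 -o ppp0 -j ACCEPT"
    echo "$ipt -t nat -A POSTROUTING -o ppp0 -j MASQUERADE"
}

# Constructed sample users file; the starred MAC must not produce a rule.
make_sample_users() {
    f=$(mktemp)
    printf 'alice\t2010-12-20\tpc1\t00:11:22:33:44:55\n' > "$f"
    printf 'bob\t2010-12-20\tpc2\t*66:77:88:99:aa:bb\n' >> "$f"
    printf 'carol\t2010-12-20\tpc3\tde:ad:be:ef:00:01\n' >> "$f"
    echo "$f"
}

# Dry run: emits the rule list for the sample file without touching the firewall.
rules_for_sample() {
    f=$(make_sample_users)
    gen_rules iptables "$f"
    rm -f "$f"
}

rules_for_sample
```

    Recent iptables versions expect the negation before the option (`! --mark 99`) and only warn about the older `--mark ! 99` form.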

  3. #3
    Linux Engineer Kloschüssel's Avatar
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    It would probably also work like this, but shouldn't packets be marked in the prerouting MANGLE table and not in the prerouting NAT table?

    Look here.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by Kloschüssel View Post
    It would probably also work like this, but shouldn't packets be marked in the prerouting MANGLE table and not in the prerouting NAT table?

    Look here.
    You are correct. For some reason the last part of my post didn't get posted. Maybe I stepped back one too many times. Sorry.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
