12-17-2010 #1, Linux Newbie (Join Date: Jul 2005, Location: Australia (Down Under), Posts: 141)
Redirect Marked Packets to internal website
Hi All,
I found this really cool guide / info about creating an internet portal where users have to register (their MAC) with the server to use the internet.
Basically, if users' MACs are in the list they get routed to the internet; if not, they get routed to an internal page asking them to register. It works great and works well.
I was wondering if there are some smart people out there who could help me reverse the process, e.g. if your MAC is not in the list you can access the internet; if it is, you are redirected to an internal page saying "you've been blocked".
The firewall rules are as follows.
I'd love to mark packets from MACs that are not in the list as 99 and redirect them to an internal page. I have done everything except successfully editing the firewall script...

Code:
```bash
IPTABLES=/sbin/iptables
# Exported so the awk system() call below can expand it in the shell it spawns
export IPTABLES

# Create internet chain
# This is used to authenticate users who have already signed up
$IPTABLES -N internet -t nat

# First send all traffic via newly created internet chain
# At the prerouting NAT stage this will DNAT them to the local
# webserver for them to signup if they aren't authorised
# Packets for unauthorised users are marked for dropping later
$IPTABLES -t nat -A PREROUTING -j internet

###### INTERNET CHAIN ##########
# Allow authorised clients in, redirect all others to login webserver
# Add known users to the NAT table to stop their dest being rewritten
# Ignore MAC address with a * - these users are blocked
# This awk script goes through the /var/lib/users flat file line by line
awk 'BEGIN { FS="\t"; } { system("$IPTABLES -t nat -A internet -m mac --mac-source "$4" -j RETURN"); }' /var/lib/users

# MAC address not found. Mark the packet 99
$IPTABLES -t nat -A internet -j MARK --set-mark 99

# Redirects web requests from Unauthorised users to logon Web Page
$IPTABLES -t nat -A internet -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1
################################

# Now that we've got to the forward filter, drop all packets
# marked 99 - these are unknown users. We can't drop them earlier
# as there's no filter table
$IPTABLES -t filter -A FORWARD -m mark --mark 99 -j DROP

# Do the same for the INPUT chain to stop people accessing the web through Squid
$IPTABLES -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -t filter -A INPUT -m mark --mark 99 -j DROP

# Enable Internet connection sharing
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
```
Can somebody please help?
Thanks in advance

Linux is the OS of tomorrow, here today!!
12-20-2010 #2
This is simple to do, just use the '!' in your rules.
For example, in the following 2 rules:
Code:
```bash
$IPTABLES -t nat -A internet -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1
$IPTABLES -t filter -A FORWARD -m mark --mark 99 -j DROP
```
change --mark 99 to --mark ! 99
What the '!' is saying is NOT 99, which means anything that isn't marked as 99 will be redirected and dropped.
[edit: somehow this didn't come through]
Also, you should be using the mangle table instead of nat for marking packets.

Last edited by Lazydog; 12-20-2010 at 02:37 PM.
12-20-2010 #3
It would probably also work like this, but shouldn't packets be marked in the PREROUTING chain of the mangle table and not in the PREROUTING chain of the nat table?
Look here.
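Putting replies #2 and #3 together, here is an added example script (my own, not from the thread, from the original guide, or from any project) that reverses the portal the way the question asks: MACs that appear in the list are marked 99, their web requests are redirected to an internal "you've been blocked" page, and the rest of their traffic is dropped, while unlisted clients are simply forwarded. It marks in the mangle table, as both replies suggest. Rather than negating the mark test with '!', it marks the listed MACs directly: a negated match also catches packets that never received any mark, such as reply traffic arriving from the uplink, unless the rule order is changed to accept established connections first. Assumptions, all mine: the users file is tab-separated with the MAC in column 4 (as in the original awk), a leading '*' on a MAC is tolerated and stripped, the block page is served on 10.0.0.1:80, the LAN is eth0 and the uplink is ppp0, and the chain is named `blocked`. Setting `IPTABLES=echo` prints the rules instead of applying them, so the script can be reviewed without root.

```bash
#!/bin/sh
# Added example: reversed captive portal (listed MACs are blocked, others pass).
# All names, paths and interfaces below are assumptions, not values from the thread.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # IPTABLES=echo for a dry run
USERS_FILE="${USERS_FILE:-/var/lib/users}"
BLOCK_PAGE="${BLOCK_PAGE:-10.0.0.1}"
MARK=99

# Usage: apply_block_rules <users_file> [block_page_ip]
apply_block_rules() {
    users="$1"
    page="${2:-$BLOCK_PAGE}"

    # Mark in mangle PREROUTING: mangle sees every packet, whereas the nat table
    # is only consulted for the first packet of each connection.
    $IPTABLES -t mangle -N blocked
    $IPTABLES -t mangle -A PREROUTING -j blocked

    # One MARK rule per listed MAC. Blank lines and '#' comments are skipped and a
    # leading '*' (the original file's "blocked" flag) is stripped, since in this
    # reversed design every listed MAC is blocked anyway.
    awk 'BEGIN { FS = "\t" }
         /^[ \t]*(#|$)/ { next }
         { mac = $4; sub(/^\*/, "", mac); if (mac != "") print mac }' "$users" |
    while read -r mac; do
        $IPTABLES -t mangle -A blocked -m mac --mac-source "$mac" -j MARK --set-mark $MARK
    done

    # Web requests from marked (blocked) clients go to the internal block page.
    $IPTABLES -t nat -A PREROUTING -m mark --mark $MARK -p tcp --dport 80 \
        -j DNAT --to-destination "$page"

    # Everything else from a marked client is dropped; no '!' is needed because
    # the mark itself now means "blocked". Unmarked clients are forwarded and
    # masqueraded exactly as in the original script.
    $IPTABLES -t filter -A FORWARD -m mark --mark $MARK -j DROP
    $IPTABLES -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES -t filter -A INPUT -m mark --mark $MARK -j DROP
    $IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
}

# Apply only when explicitly asked, e.g. ./portal.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_block_rules "$USERS_FILE" "$BLOCK_PAGE"
fi
```

Two operational caveats worth keeping in mind: `-m mac --mac-source` only works for hosts on the same Ethernet segment (the PREROUTING, INPUT and FORWARD chains see the frame's source MAC; OUTPUT never does), and a MAC address is a self-reported identifier, so a block keyed on it is a convenience control rather than a security boundary. Adding a `-j LOG --log-prefix "blocked-mac: "` rule just before each DROP gives a record in syslog of which listed MACs are actually hitting the block, which is useful when verifying that the reversed rules behave as intended.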
12-20-2010 #4